How to route to the VPN subnet if my router does not support static routes AND I cannot use ethernet bridging

[PatiB87]

Hey,

I set up OpenVPN with this guide:
https://www.digitalocean.com/community/ ... -debian-10

So far so good, it works.
I can also reach the home network from the client incl. stuff like VNC or SSH.
I can also ping home from the client.
I can also ping the client from the OpenVPN-Server (a Debian VM in Virtualbox).

But....: I cannot ping the client from other machines from the home network.

As far as I understand there's two solutions - each with a problem in my case:
Solution 1: Add a static route to the VPN subnet in the networks router.
Problem: The router is a "Telekom Speedport Smart" which (believe it or not! oO) does not support static routes!

Solution 2: Switch the OpenVPN Config to Ethernet-Brigding.
Problem: The mobile apps (iOS: OpenVPN Connect) do not support tap-based VPNs. :/


What can I do now? Does anyone know a different solution?

Cheers
Patrick

[PatiB87]

Any ideas? :/

Thanks a lot!

[TinCanTech]

Solution 1: Add a static route to the VPN subnet in the networks router.
Problem: The router is a "Telekom Speedport Smart" which (believe it or not! oO) does not support static routes!

Add the route to the machines directly not the router.

[PatiB87]

To EVERY machine in my LAN? Wouldn't that be a huge effort?

Can't I use the PiHole-VM (which is my only DHCP and DNS anyways) as first router stage and tell it where to find the LAN, where to find the internet (the current router) and where to find the VPN clients (VPN-VM)?

But then all traffic would be routed through this machine, right? Every packet? This could severely impede LAN performance?
Or is it just that the router points the client once to the correct target? And after that the client contacts the target directly without sending the packets through the router?

[PatiB87]

I experimented and realized a few things:
I can just enter the OpenVPN-VM as "Router" in my DHCP (or manually on a client to test things, in this case).
The OpenVPN-VM knows the routes to the VPN and knows the regular internet router for regular internet connections.

Assigning this VM as router to a client changes a few things:
According to "traceroute" it, of course, adds another step in the route to the net, which also in my case adds 0.5 ms latency.
The transfer rate to the internet stays at (in my case) 250 MBit/s, but when I actually use these 250MBit/s (Speedtest with iPerf3), two further things happen:
The network interface of the VM gets 2x250MBit/s traffic, so this could be a bottle neck (viewed with the tool "iftop").
The VM has a very substantial CPU load. In my case (the VM in this experimental status is running on one of my MacBooks, here a recent MacBook Pro with a sincere i7 CPU) around 45-50%!

So all in all this works, yet I wouldn't put this burden on my current NUC which already supports several VMs for smart home and PiHole and such since this could limit the internet bandwidth due to CPU limitations.

Thought this might be interesting for someone!

[TinCanTech]

There are many ways to skin a cat ..

Your way sounds like you are trying to strangle the cat while trying to skin it also.