Basic routing configurations are set as given in the tutorial.
The connection between my client and the server is established.
My main problem is that I can access the server on its public LAN interface via ssh without a VPN connection, but using ssh via the VPN interface fails with repeated password requests (the password was given correctly; I tried over and over again).
The basic difference to a standard setup is that ssh uses a different port on the public interface, say eth0 and port 25000 (just to keep it simple; actual names/port numbers differ, of course).
This works without an established VPN connection: ssh -p 25000 foo@fooserver.org
This does not work when the VPN is active (using the first address provided by the TUN interface): ssh foo@10.2.0.2
Adding -p 25000 makes it fail immediately.
Do I have to map the VPN ssh port (22) to 25000 via iptables?
Here is my pretty standard server configuration file (I replaced some names for security reasons).
Server conf:
remote-cert-tls client
tls-version-min 1.2
auth SHA512
port xxxx
# TCP or UDP server?
proto tcp
dev tun
ca ca.crt
cert fooserver.crt
key fooserver.key # This file should be kept secret
dh dh.pem
# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
topology subnet
server 10.2.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 10.2.1.0 255.255.255.0"
push "dhcp-option DNS A.B.C.D"
keepalive 10 120
tls-crypt ta.key # This file is secret
cipher AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 4
explicit-exit-notify 0
The client is running on OpenSuSE Leap 15.2 -- I think that the missing update-resolv-conf could be the real problem...
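The addressing in the posted config is worth working through, because `server 10.2.0.0 255.255.255.0` is a macro that OpenVPN expands. With `topology subnet` and `dev tun` the manual documents it as `ifconfig <net+1> <netmask>` plus `ifconfig-pool <net+2> <broadcast-2>`; with the default `net30` topology it is `ifconfig <net+1> <net+2>` plus `ifconfig-pool <net+4> <broadcast-4>`. For this config that makes 10.2.0.1 the server's own tun address and 10.2.0.2 the first address handed to a client. The script below is an added example for this page, not code from the post or from OpenVPN; it reproduces that documented expansion and reports which side of the tunnel a given VPN address belongs to. `SAMPLE_CONF` is constructed from the addressing lines of the posted server config; the `parse_directives`, `expand_server` and `who_owns` helpers are names chosen here.

```python
"""Expand OpenVPN's `server network netmask` directive the way the daemon does,
so the server's tun address and the client pool can be read off a config.

Added example; the expansion rules are the ones documented in the OpenVPN
manual for `--server` with `dev tun`.
"""
import ipaddress

# Constructed sample: the addressing lines from the server config in the post.
SAMPLE_CONF = """\
# Network topology
topology subnet
server 10.2.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
"""


def parse_directives(conf_text):
    """Map each directive to its argument list (first occurrence wins).
    Blank lines, comment lines and trailing '# ...' comments are ignored."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, args)
    return directives


def _addr(n):
    return str(ipaddress.IPv4Address(n))


def expand_server(conf_text):
    """Reproduce the address part of the `server` expansion for a tun server:

      topology subnet     -> ifconfig <net+1> <netmask>
                             ifconfig-pool <net+2> <broadcast-2>
      topology net30/p2p  -> ifconfig <net+1> <net+2>
                             ifconfig-pool <net+4> <broadcast-4>
    """
    d = parse_directives(conf_text)
    topology = d.get("topology", ["net30"])[0]   # OpenVPN's default is net30
    network, netmask = d["server"][:2]
    net = ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)
    base = int(net.network_address)
    bcast = int(net.broadcast_address)
    if topology == "subnet":
        first, last = base + 2, bcast - 2
    else:
        first, last = base + 4, bcast - 4
    return {"topology": topology, "server_ip": _addr(base + 1),
            "pool_first": _addr(first), "pool_last": _addr(last)}


def who_owns(conf_text, address):
    """Classify a VPN address as the server's tun address, a client-pool
    address, or something outside the VPN subnet."""
    exp = expand_server(conf_text)
    a = int(ipaddress.IPv4Address(address))
    if a == int(ipaddress.IPv4Address(exp["server_ip"])):
        return "server"
    lo = int(ipaddress.IPv4Address(exp["pool_first"]))
    hi = int(ipaddress.IPv4Address(exp["pool_last"]))
    if lo <= a <= hi:
        return "client pool"
    return "outside VPN subnet"


if __name__ == "__main__":
    exp = expand_server(SAMPLE_CONF)
    print(f"topology:           {exp['topology']}")
    print(f"server tun address: {exp['server_ip']}")
    print(f"client pool:        {exp['pool_first']} - {exp['pool_last']}")
    for ip in ("10.2.0.1", "10.2.0.2"):
        print(f"{ip}: {who_owns(SAMPLE_CONF, ip)}")
```

Run against the posted config this reports 10.2.0.1 as the server and 10.2.0.2 to 10.2.0.253 as the client pool, so an `ssh` to 10.2.0.2 over the tunnel is addressed to whatever client holds the first pool slot, not to the server. The same helper handles the default `net30` topology, where the pool starts at net+4 because every client consumes a /30.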