OpenVPN Support Forum

I'm trying to run

client 192.168.1.0/24-->modem(NAT)-->internet-->firewall(NAT)10.1.2.0/24-->10.1.2.15=openvpn_server-->10.1.2.0/24overvpn

I can connect fine from client to server over tun0 but can't ping any of the other IP's on that subnet

client
/etc/openvpn/tun0.conf vi /etc/sysctl.conf
net.ipv4.ip_forward=1

server
/etc/openvpn/tun0.conf
vi /etc/sysctl.conf
net.ipv4.ip_forward=1

cat /proc/sys/net/ipv4/ip_forward
1

I've read http://www.secure-computing.net/wiki/in ... PN/Routing probably 5 times, what stupid thing am I missing?

As far as I understood, to "see" a whole lan you either need a bridged configuration (tap not tun) or
configure the routing between lan and vpn-clients (both directions).

In the second case you would need to configure the vpn server as a gateway for the route to
vpn-client(s) on ALL lan computers.

If the second one is what I need (since all the servers in the dmz use the firewall gateway 10.1.2.1 and are on the same /24 subnet), is it possible to set up my openvpn box as another gateway? I've also attempted to use iptables masquerade for traffic coming through tun0 to masquerade as eth0 on the openvpn server, but that doesn't seem to work. I've also thought about adding other routes, but since they're all on the same subnet, it doesn't seem to make sense.

If it turns out I really need a bridge instead (because this'll be for road warriors) then I have to figure out how to keep the remote clients on the same subnet as the LAN, which I can't do since they'll be logging on different networks which can't be modified as they travel.

You need to setup reverse routing for the remainder of the LAN on the server side. They're not going to be able to reply if they don't know how to route for the VPN subnet.

See these:
* OpenVPN Routing
* OpenVPN Bridging