1

I have a peculiar problem with an OpenVPN tunnel on my Linux server (road-warrior config). I can log in perfectly with Tunnelblick 3.0 on my Mac, and I can access all services on the server hosting the OpenVPN daemon; however, I am unable to access any other machine on the server's subnet.

I am pushing the route to the client and netstat -rn shows that the route exists.

My client config is as follows:

port 500
dev tun
remote {secret} 

tls-client
ca ca.crt
cert client.crt
key client.key

comp-lzo

pull

verb 4

and the server's configuration is as follows:

port 500
dev tun

local 10.81.0.2

tls-server 
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem

mode server

ifconfig 10.84.0.1 10.84.0.2
ifconfig-pool 10.84.0.4 10.84.0.255

route 10.84.0.0 255.255.255.0

push "route 10.84.0.1 255.255.255.255"
push "route 10.81.0.0 255.255.255.0"

comp-lzo

keepalive 10 60
inactive 600

user vpndaemon
group vpndaemon

persist-tun
persist-key

verb 4

I can't find any obvious mistake, and I have also verified that there are no IP clashes on the client side.

Any hints or ideas are greatly appreciated!

SiCN

3 Answers

1

You probably need to set up your firewall to do MASQ for your VPN IP addresses.

-A POSTROUTING -s 10.84.0.0/255.255.255.0 -o eth0 -j MASQUERADE

in your iptables config should do the trick.

grufftech
  • My server is behind an existing firewall that also performs NAT, and as such iptables is turned off on the server. Is this a requirement? – SiCN Aug 19 '10 at 07:15
  • If you plan on routing packets through your VPN server to other servers on the network, you'll need a method to do that. iptables is not the only, but perhaps the simplest, method of accomplishing this. Also, just because your server is protected from the world doesn't necessarily mean it's a great idea to turn off iptables. Just my 2c. – grufftech Aug 19 '10 at 15:13
1

OK, so I'd have posted this as a comment, but I can't, so here goes:

The command that @GruffTech gave didn't work for me, but this command did:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
9 Guy
0

And you need to enable kernel IP packet forwarding (routing between the tun interface and eth):

Uncomment or insert the following line in /etc/sysctl.conf:

net.ipv4.ip_forward=1

and run:

sudo sysctl -p
Treddit
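The three answers above are the pieces of one procedure: turn on kernel forwarding, then source-NAT the VPN pool as it leaves the LAN interface. The script below is an added example that is not part of the question or of any answer; it puts those steps together, adds the FORWARD-chain rules the answers leave implicit (a FORWARD policy of DROP blocks the traffic even with MASQUERADE in place), and makes the rule additions idempotent. The pool 10.84.0.0/24, the LAN 10.81.0.0/24, the interface names eth0 and tun0, and the DRY_RUN switch are assumptions taken from the question's configuration or chosen here; adjust them to your server.

```shell
#!/bin/sh
# Added example, not from the question or any of the answers above.
# Assumed values (change to match your server): the VPN pool 10.84.0.0/24,
# the LAN 10.81.0.0/24, LAN interface eth0, tunnel interface tun0.
# DRY_RUN=1 prints the commands instead of running them, so the script
# can be reviewed on any machine without root or iptables.

VPN_NET="${VPN_NET:-10.84.0.0/24}"
LAN_NET="${LAN_NET:-10.81.0.0/24}"
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipt_add TABLE CHAIN RULE...: append a rule only if it is not already
# present (iptables -C exits non-zero when the rule is absent), so the
# script can be re-run without stacking duplicate rules.
ipt_add() {
    table="$1"; shift
    if [ "$DRY_RUN" = "1" ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

# Step 1 (Treddit's answer): turn on forwarding now; put
# net.ipv4.ip_forward=1 in /etc/sysctl.conf to keep it across reboots.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Step 2 (grufftech's and 9 Guy's answers, plus the FORWARD rules they
# leave implicit): NAT VPN clients behind the server's LAN address and
# permit only VPN->LAN traffic and its replies through the FORWARD chain.
vpn_nat_rules() {
    ipt_add nat POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
    ipt_add filter FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
    ipt_add filter FORWARD -i "$LAN_IF" -o "$VPN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# forwarding_enabled: exit 0 when the kernel is currently forwarding.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Apply only when invoked as "sh vpn-forward.sh apply" (as root);
# "DRY_RUN=1 sh vpn-forward.sh apply" shows what would be run.
case "${1:-}" in
    apply) enable_forwarding; vpn_nat_rules ;;
esac
```

Two points worth knowing when reading the answers together. grufftech's line has no `-t nat` because it is written in the format `iptables-save` produces and `iptables-restore` reads (the table is selected by a `*nat` header in that file); typed at a shell it needs `-t nat`, which is exactly the difference in 9 Guy's version. And MASQUERADE is a convenience, not a requirement: it rewrites every client to the server's 10.81.0.2 address, so LAN hosts and their logs see one source for all VPN users. Since the asker's server sits behind a firewall that already does NAT, the alternative that preserves per-client addresses is to add a route for 10.84.0.0/24 via 10.81.0.2 on that firewall (or on the LAN hosts) and skip the POSTROUTING rule; forwarding and the FORWARD-chain rules are still needed either way. To check which half is missing, run `forwarding_enabled && echo forwarding` and `iptables -t nat -S POSTROUTING` on the server, then `tcpdump -ni eth0 icmp` while a client pings a LAN host: packets leaving eth0 with no reply point at routing on the LAN side, no packets at all point at forwarding or the FORWARD chain.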