How to Access OpenVPN Client Subnet

Question

I'm setting up a site-to-site OpenVPN,

For now:

Users on the client side can access the subnets on the server side.

accessing the VPN client machine [Its IP on the client subnet] works fine. But i can't access other machines on the same client subnet.

I have used this option in the server configuration: As these are private subnet i will add them as they are:

route 172.20.56.0 255.255.255.0
client-config-dir ccd

And created file the same as client name with the following contents:

iroute 172.20.56.0 255.255.255.0

The Client machine has this local IP 172.20.56.1 which i can access from the server side.

The issue is that i'm non able to access any other machine on the client side.

Any Suggestions....

Answer 1

Actually the problem seems to be an openvpn bug of sorts. It seems that using topology net30 (the default, though that topology is now considered deprecated) somehow breaks openvpn's routing. First step is to add topology subnet to your server config file. The other thing you need to do is to add the vpn server's IP as the route's gateway, as there's ANOTHER OpenVPN bug that will barf at the route as it is. So

route 172.20.56.0 255.255.255.0

should look like

route 172.20.56.0 255.255.255.0 10.10.8.1

where 10.10.8.1 is the server's IP on the tun0 interface.

If done correctly, you don't need to use any kind of natting at all.

Answer 2

The route statement in your server config and iroute statement should permit your packets to get to the remote site. But the remote site also needs routes knowing about the networks to route back over the VPN. You either need to add some route statements in the client config or add some push "route ..." statements in your ccd file.

In any case like troubleshooting any routing problem, you need traceroute and tcpdump/wireshark.