openvpn: addressing nodes in LAN-behinds

I went through the responses and I think I'm savvy to where you're at with all this.

Lets do some simple checks to narrow down the issue:

From one of the OpenVPN clients that is unable to ping a 192.168.0.x host:

netstat -rn

Also give us ifconfig -a for *nix or ipconfig /all

ping <openvpn server external 10.21.x address>

ping <openvpn 10.15.x address>

From the openvpn server:

netstat -rn

ping <a 192.168.0.x host>

ping <a 10.15.x host>

ping <a 10.21.x host>

Also, post your current openvpn server config and client config, probably at /etc/openvpn/server.conf and, on the client machine, /etc/openvpn/<hostname>.conf or c:\program files\openvpn\config\<hostname>.conf or .ovpn.


I have a similar setup. On my OpenVPN server I have the equivalent of this iptables rule (change the hostmask/interface to what your values should be):

# Generated by iptables-save v1.4.4
*nat
:PREROUTING ACCEPT [5:332]
:POSTROUTING ACCEPT [5:740]
:OUTPUT ACCEPT [5:740]
# source = the VPN client subnet (/24, not /2), -o = the LAN-facing interface
-A POSTROUTING -s 10.15.119.0/24 -o eth1 -j MASQUERADE
COMMIT

Looks like your problem is most definitely because you're missing iptable_nat.

# lsmod | grep nat
iptable_nat             5011  1 
nf_nat                 19101  2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4      12548  3 iptable_nat,nf_nat
nf_conntrack           72270  4 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
ip_tables              17942  2 iptable_nat,iptable_filter
x_tables               21613  3 ipt_MASQUERADE,iptable_nat,ip_tables

Run modprobe iptable_nat, or try with the -a parameter.


You will need to push a route through to the clients. This is done using the "push" option in the server config file.

By default the OpenVPN server will only push a route to itself.

In general, when setting up a VPN server, it is a good idea to have the VPN working on a separate subnet, so that you make your routing easier, and also to make your firewall setup easier. Example:

The server running the OpenVPN server has an internal IP address of 10.15.119.1. Its public IP address is 123.1.2.3. And your entire internal network is on 10.15.119.0/24. You would then set up the OpenVPN server to run on 10.15.120.0/24, which will give you up to 63 possible client connections (each connection requires a small subnet of 4 IP addresses). The first client that connects will get IP address 10.15.120.5. If you now push the route to 10.15.119.0/24, the client will add a route to its routing table so that all traffic for this subnet goes into the tunnel. The OpenVPN server will then forward this traffic into its private ethernet connection.

Read the man page of OpenVPN (or the documentation on the internet) for the exact details of how to push a route.
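As an added example (not code from any of the posts above), here is a Python pre-flight check that ties the two answers together: it parses constructed sample copies of server.conf, iptables-save, lsmod and sysctl output and reports whatever is missing for VPN clients to reach the LAN (the pushed route, IP forwarding, the iptable_nat module, and a MASQUERADE rule whose prefix length actually matches the VPN subnet). The subnets and the interface name eth1 are assumptions taken from the examples on this page.

```python
import ipaddress
import re

# Constructed sample inputs (not captured from a real host): what server.conf,
# `iptables-save -t nat`, `lsmod` and `sysctl net.ipv4.ip_forward` would show
# on a server set up the way the answers above describe.
SERVER_CONF = """\
server 10.15.120.0 255.255.255.0
push "route 10.15.119.0 255.255.255.0"
"""
IPTABLES_SAVE = """\
*nat
:POSTROUTING ACCEPT [5:740]
-A POSTROUTING -s 10.15.120.0/24 -o eth1 -j MASQUERADE
COMMIT
"""
LSMOD = """\
Module                  Size  Used by
iptable_nat             5011  1
nf_nat                 19101  2 ipt_MASQUERADE,iptable_nat
"""
SYSCTL = "net.ipv4.ip_forward = 1\n"

MASQ_RE = re.compile(r"^-A POSTROUTING\s+-s\s+(\S+)\s+-o\s+(\S+)\s+-j\s+MASQUERADE$")
PUSH_RE = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)"')

def pushed_routes(conf):
    """Networks the server hands to clients via push "route <net> <mask>" lines."""
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            for line in conf.splitlines() if (m := PUSH_RE.match(line.strip()))]

def check_server(vpn_subnet, lan_subnet, lan_iface, conf, iptables_save, lsmod, sysctl):
    """Return the list of problems that would stop VPN clients reaching LAN hosts."""
    vpn, lan = ipaddress.ip_network(vpn_subnet), ipaddress.ip_network(lan_subnet)
    problems = []
    if lan not in pushed_routes(conf):
        problems.append(f'server.conf lacks push "route {lan.network_address} {lan.netmask}"')
    if "net.ipv4.ip_forward = 1" not in sysctl:
        problems.append("ip_forward is 0: sysctl -w net.ipv4.ip_forward=1")
    if not re.search(r"^iptable_nat\b", lsmod, re.M):
        problems.append("iptable_nat not loaded: modprobe iptable_nat")
    # Source networks of MASQUERADE rules leaving on the LAN-facing interface.
    masq = [ipaddress.ip_network(src, strict=False) for line in iptables_save.splitlines()
            for src, iface in MASQ_RE.findall(line.strip()) if iface == lan_iface]
    if vpn not in masq:
        if any(n.supernet_of(vpn) for n in masq):  # e.g. a /2 typed instead of /24
            problems.append(f"MASQUERADE source is much broader than {vpn}: check the prefix length")
        else:
            problems.append(f"no POSTROUTING MASQUERADE rule for {vpn} out {lan_iface}")
    return problems
```

Run it against the real outputs of those four commands to get a short to-do list instead of reasoning it out by hand.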