Routing setup for OpenVPN server on Amazon EC2

Solution 1:

You need to enable forwarding on the OpenVPN server in the kernel (/proc/sys/net/ipv4/ip_forward) and you have to globally or selectively allow forwarding in the firewall (iptables), e.g.:

# there is probably already a rule allowing all established connections
# iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
# the next rules for every OpenVPN interface (or once for the respective address block)
iptables -A FORWARD -i tun0 -d 10.0.0.0/8  -j ACCEPT
iptables -A FORWARD -i tun0 -d 172.16.0.23 -j ACCEPT
# if the local network shall be accessible
# iptables -A FORWARD -i tun0 -d 172.16.20.0/24 -j ACCEPT

You need not set routes on the server if just simple clients connect. If 172.16.20.1 connects as a gateway for the local network, then you need a route for 172.16.20.0/24, but that is probably (and best) set in the OpenVPN config for 172.16.20.1.

Edit 1

If you cannot configure the routing on certain systems and their routing would not send the traffic back the right way, then you need NAT (more precisely: SNAT):

iptables -t nat -A POSTROUTING -d $PROBLEM_HOST_IP \! -s $LOCAL_IP \
  -j SNAT --to-source $LOCAL_IP

with the variables set accordingly. Assuming you can set the correct routing for targets in 172.16.20.0/24 only, then you can do it more easily this way:

iptables -t nat -I POSTROUTING 1 -s $LOCAL_IP -j ACCEPT
iptables -t nat -I POSTROUTING 2 -d 172.16.20.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING 3 -j SNAT --to-source $LOCAL_IP
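As an added example (not code from the original answer), the following POSIX shell script puts the pieces of the answer together: the FORWARD rules for the tun interface, the "accept correctly routed networks, SNAT the rest" POSTROUTING variant, and the ip_forward check. It generates the rules as text first so they can be reviewed before being applied, and it tightens the answer's rules to the VPN client subnet. All names are assumptions: interface tun0, VPN client subnet 10.8.0.0/24, server VPC address 172.16.20.10, and 10.0.0.0/8 plus 172.16.20.0/24 as the networks clients may reach.

```shell
#!/bin/sh
# Added example, not code from the original answer. Builds the iptables rule
# set described above as plain text (review it), then applies it on demand.
# Assumed values (replace with your own):
VPN_IF="${VPN_IF:-tun0}"              # OpenVPN tun interface
VPN_NET="${VPN_NET:-10.8.0.0/24}"     # subnet handed out to VPN clients
LOCAL_IP="${LOCAL_IP:-172.16.20.10}"  # server's own VPC address (SNAT source)

# Print FORWARD rules. $1 = tun interface, $2 = VPN client subnet,
# remaining args = destination networks the clients may reach.
forward_rules() {
    ifc=$1; vpn_net=$2; shift 2
    # Reply traffic of connections that conntrack already knows.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for dst in "$@"; do
        # Match interface AND source subnet, so packets with a spoofed
        # source arriving on the tunnel are not forwarded.
        echo "iptables -A FORWARD -i $ifc -s $vpn_net -d $dst -j ACCEPT"
    done
    # Drop everything else from the tunnel explicitly; the chain policy
    # may be ACCEPT.
    echo "iptables -A FORWARD -i $ifc -j DROP"
}

# Print POSTROUTING rules in the answer's second style: traffic to networks
# that already route back to the VPN subnet is left alone, the rest is
# SNATed to the server address. $1 = VPN client subnet, $2 = SNAT source,
# remaining args = correctly routed destination networks.
snat_rules() {
    vpn_net=$1; local_ip=$2; shift 2
    n=0
    for net in "$@"; do
        n=$((n + 1))
        echo "iptables -t nat -I POSTROUTING $n -s $vpn_net -d $net -j ACCEPT"
    done
    n=$((n + 1))
    # Restricted to the VPN subnet, unlike the answer's catch-all rule.
    echo "iptables -t nat -I POSTROUTING $n -s $vpn_net -j SNAT --to-source $local_ip"
}

# Return 0 if IPv4 forwarding is enabled. $1 overrides the sysctl file
# (used by tests; the default is the live kernel value).
check_forwarding() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Enable forwarding now and persistently (requires root).
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
}

# Run a generated rule list line by line (requires root). The generated
# lines contain no quoting, so plain word splitting is sufficient.
apply_rules() {
    while IFS= read -r rule; do
        $rule
    done
}

case "${1:-print}" in
    print)
        forward_rules "$VPN_IF" "$VPN_NET" 10.0.0.0/8 172.16.20.0/24
        snat_rules "$VPN_NET" "$LOCAL_IP" 172.16.20.0/24
        ;;
    apply)
        enable_forwarding
        {
            forward_rules "$VPN_IF" "$VPN_NET" 10.0.0.0/8 172.16.20.0/24
            snat_rules "$VPN_NET" "$LOCAL_IP" 172.16.20.0/24
        } | apply_rules
        check_forwarding || { echo "ip_forward is still 0" >&2; exit 1; }
        ;;
esac
```

Run it without arguments to print the rules, and with `apply` as root to install them. Two caveats worth keeping in mind: SNAT replaces the VPN client's address with the server's, so logs on the target hosts no longer show which client connected; and on EC2, forwarding packets whose source is the VPN subnet (the non-SNAT case) additionally requires the instance's source/destination check to be disabled, otherwise the VPC drops them before any routing question arises.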