Why can't my OpenVPN client access machines on same LAN as OpenVPN server?

I have configured OpenVPN on my Linux server and Windows client according to the instructions here. My client can access the server, but can't get any further onto the LAN.

My Server is 10.23.29.64/24, my OpenVPN subnet is 10.23.30.0/24 and my client is 10.0.0.71/24 so there is no overlap.

My server config file is:

port 53
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.23.30.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.23.29.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

My client config is

client
dev tun
proto udp
remote HOSTNAME_REMOVED 53
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3

When connected, my client gets 10.23.30.6/30 and has 4 routes added:

   10.23.29.0    255.255.255.0       10.23.30.5      10.23.30.6       1
   10.23.30.1  255.255.255.255       10.23.30.5      10.23.30.6       1
   10.23.30.4  255.255.255.252       10.23.30.6      10.23.30.6       30
   10.23.30.6  255.255.255.255        127.0.0.1       127.0.0.1       30

My server gets 10.23.30.1/32 (PERHAPS THIS IS THE PROBLEM?)

My client can ping the server on 10.23.30.1 and 10.23.29.64, but it can't get any further than this. What else do I need to do to get this client access to the rest of my LAN?

UPDATE:

I added a static route to my router so its routing table looked like this

{admin}=>ip rtlist
Label             Destination          Gateway  Interface     Mtc Admin  Oper
                 10.0.0.138/32       127.0.0.1  loop          0   UP     [UP]
                 10.0.0.255/32       127.0.0.1  loop          0   UP     [UP]
               10.23.29.254/32       127.0.0.1  loop          0   UP     [UP]
               10.23.29.255/32       127.0.0.1  loop          0   UP     [UP]
             87.115.131.206/32       127.0.0.1  loop          0   UP     [UP]
                  127.0.0.1/32       127.0.0.1  loop          0   UP     [UP]
            255.255.255.255/32       127.0.0.1  loop          0   UP     [UP]
            195.166.128.189/32  87.115.131.206  Internet      0   UP     UP
                212.159.6.9/32                  Internet      10  UP     UP
               212.159.6.10/32                  Internet      10  UP     UP
                   10.0.0.0/24      10.0.0.138  LocalNetwork  0   UP     [UP]
                 10.23.29.0/24    10.23.29.254  LocalNetwork  0   UP     [UP]
                 10.23.30.0/24     10.23.29.10  LocalNetwork  0   UP     [UP]
                    0.0.0.0/0                   Internet      10  UP     UP

but when I did a traceroute from 10.23.29.10 to 10.23.30.1 I got:

traceroute to 10.23.30.1 (10.23.30.1), 30 hops max, 60 byte packets
 1  dsldevice.lan (10.23.29.254)  2073.983 ms  2073.481 ms  74.545 ms
 2  * * *

and all stars until it gave up. This leads me to believe that the traceroute packets are not getting forwarded to 10.23.29.10 like the routing table says that they should be.


Solution 1:

I finally found out what the problem was. I am using OpenVPN's "routing" option which creates a new subnet for all OpenVPN connections. My client was getting assigned an IP address from this subnet, and so was my server, so they could talk to each other across this network. With IPv4 forwarding enabled on my server, I was also able to send packets out onto my LAN, and was obviously able to talk to the server via its LAN IP address.

When the client tried to talk to other computers on my LAN, the packets from my client were reaching my LAN hosts (I didn't verify this, but I'm pretty sure they were), but the source address of these packets was the address from the OpenVPN network. The LAN hosts knew this wasn't on their LAN, and the only thing they knew to do in that case was to send them to the default gateway, which was my router. I doubt it did anything with them as sending a packet to a private IP range out onto the internet is pointless.

The solution is to add a static route to all LAN hosts, or use OpenVPN's "bridging" option instead of "routing". I have not done this yet, but am sure this is the way to go.

Solution 2:

I don't think you have to add a static route to all LAN hosts. You could just add a static route in your gateway on that LAN, pointing all openvpn-network addresses to the openvpn server "lan-ip address".

Solution 3:

Same problem with my config, but fixed now:

Because you're using OpenVPN road warrior settings, the packets are not routed but NATed. You should configure your outbound NAT options in order to translate any source port from the OpenVPN virtual IP addresses on the LAN interface to any destination port, using the WAN NAT address.

In pfSense, you should switch from Automatic outbound NAT to Manual Outbound NAT and simply add a new rule for the OpenVPN internal network.
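The two fixes proposed in Solution 2 (a single return route on the LAN gateway) and Solution 3 (source NAT so LAN hosts never see tunnel addresses) as a shell script for the Linux side of this setup. This is an added example, not code from the question or any of the answers: the subnets and the OpenVPN server's LAN address 10.23.29.10 come from the question and its update, while the interface names `eth0`/`tun0`, the `run` helper and the `DRY_RUN` switch are assumptions. The server holding 10.23.30.1 and the client getting a /30 are normal for OpenVPN's default net30 topology; what the script supplies is the missing return path.

```shell
#!/bin/sh
# Added example (not from the original question or answers). Two ways to give
# LAN hosts a return path to OpenVPN clients on the 10.23.30.0/24 tunnel subnet:
#   route - on a Linux LAN gateway, point the tunnel subnet at the OpenVPN
#           server's LAN address (what Solution 2 describes)
#   nat   - on the OpenVPN server itself, masquerade tunnel traffic behind its
#           LAN address (the iptables equivalent of Solution 3's pfSense rule)
# Addresses are from the question; interface names are assumptions.
# With DRY_RUN=1 the commands are printed instead of executed.

VPN_NET="${VPN_NET:-10.23.30.0/24}"                     # OpenVPN "server" subnet
LAN_NET="${LAN_NET:-10.23.29.0/24}"                     # LAN pushed to clients
VPN_SERVER_LAN_IP="${VPN_SERVER_LAN_IP:-10.23.29.10}"   # from the router table in the update
LAN_IF="${LAN_IF:-eth0}"                                # assumed LAN interface of the OpenVPN server
TUN_IF="${TUN_IF:-tun0}"                                # assumed tun device ("dev tun")
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a dotted-quad IPv4 prefix before it reaches a route or NAT command.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}; plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    n=0
    oldIFS=$IFS; IFS=.
    for o in $addr; do
        case "$o" in ''|*[!0-9]*) IFS=$oldIFS; return 1 ;; esac
        [ "$o" -le 255 ] || { IFS=$oldIFS; return 1; }
        n=$((n+1))
    done
    IFS=$oldIFS
    [ "$n" -eq 4 ]
}

# Solution 2 on a Linux LAN gateway: one static route instead of one per host.
# LAN hosts keep seeing the real 10.23.30.x client address, so per-client
# firewall rules and logs on the LAN still work.
gateway_return_route() {
    valid_cidr "$VPN_NET" || { echo "bad VPN_NET: $VPN_NET" >&2; return 1; }
    run ip route replace "$VPN_NET" via "$VPN_SERVER_LAN_IP"
}

# Solution 3 equivalent on the Linux OpenVPN server: forward, filter, masquerade.
# LAN hosts see only the server's LAN address, so nothing on the LAN needs a route,
# but the LAN can no longer tell one VPN client from another.
vpn_nat_setup() {
    valid_cidr "$VPN_NET" && valid_cidr "$LAN_NET" || { echo "bad subnet" >&2; return 1; }
    run sysctl -w net.ipv4.ip_forward=1
    # Least privilege: tunnel clients may reach the LAN only, and only replies come back.
    run iptables -A FORWARD -i "$TUN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$TUN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$TUN_IF" -j DROP
    # Source NAT: LAN hosts reply to the server's LAN address directly.
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
}

case "${1:-}" in
    route) gateway_return_route ;;
    nat)   vpn_nat_setup ;;
    "")    ;;   # no argument: only define the functions (sourcing/testing)
    *)     echo "usage: $0 route|nat" >&2; exit 2 ;;
esac
```

Run `DRY_RUN=1 sh fix-return-path.sh nat` first to review the commands, then without `DRY_RUN` as root on the machine named in the comment for that mode. Prefer `route` where the LAN gateway lets you add a static route: it preserves the client's tunnel address for LAN-side logging and filtering, which masquerading throws away.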