How to route traffic from private network to openvpn subnet (and back)

Solution 1:

I ended up having to add a NAT rule to the internal server. I'm not sure it's necessary, but it is what worked:

*nat
:PREROUTING ACCEPT [21:1248]
:INPUT ACCEPT [21:1248]
:OUTPUT ACCEPT [21:1529]
:POSTROUTING ACCEPT [21:1529]
# enable NAT for VPN clients so they can hit the private network
-A POSTROUTING -s 172.20.1.0/24 -o eth0 -j MASQUERADE
COMMIT

Solution 2:

I encountered the same problem and came to the conclusion that Linode is not well suited for this kind of VPN configuration.

First of all: what you tried to do (setting up a route) from 192.168.137.63 (eth0:1 on nix03) to 172.20.1.1 (tun0 on internal) is indeed correct and works in non-Linode setups. I described the same setup in the Linode forums and I got a reply from an ex-Linode employee telling me that Linode forbids that kind of setup.

Moreover, even if NATting VPN traffic to the internal network as you did is indeed another correct approach, keep in mind that the 192.168.128.0/24 subnet is not private to you, but to all the Linode customers with VMs in the same datacenter as you. Try nmap to check what I'm saying:

nmap -sP 192.168.128.0/17

So, in the Linode case, if you really want:

Public access to private services (SSH, etc.) would then be restricted to only those who have VPN access.

you need to carefully set up your firewall to allow access only from exact IP addresses, as the subnet is "private" only in the sense that it is shared among the Linode datacenter's customers.
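As an added example (not code from either answer), the following POSIX sh function prints an iptables-restore ruleset for the "internal" host that combines Solution 1's MASQUERADE rule with Solution 2's advice: private services are reachable only over tun0 and from explicitly listed /32 peer addresses, and everything else from the shared 192.168.128.0/17 range is logged and dropped. The host's private IP (192.168.137.64) and the peer list are constructed placeholders passed as arguments; nothing is applied until you pipe the reviewed output into iptables-restore yourself.

```shell
#!/bin/sh
# Added example, not code from either answer. Prints (does not apply) an
# iptables-restore ruleset for the "internal" host that:
#   - keeps Solution 1's MASQUERADE rule for VPN clients (172.20.1.0/24),
#   - allows private services (SSH) from the VPN tunnel and from exact /32
#     peer addresses only, as Solution 2 recommends,
#   - logs and drops everything else from the shared Linode range.
# Public SSH is intentionally absent: the question wants it VPN-only.
# Assumed/constructed values: the host's private IP and the peer list are
# passed as arguments; 192.168.137.64 below is a constructed placeholder.

rule() { printf '%s\n' "$*"; }   # one ruleset line per call

# gen_rules VPN_NET SHARED_NET MY_PRIVATE_IP PEER_IP...
gen_rules() {
  vpn_net=$1; shared=$2; me=$3; shift 3
  rule '*filter'
  rule ':INPUT DROP [0:0]'
  rule ':FORWARD DROP [0:0]'
  rule ':OUTPUT ACCEPT [0:0]'
  rule '-A INPUT -i lo -j ACCEPT'
  rule '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # VPN clients arriving on tun0 may reach private services
  rule "-A INPUT -i tun0 -s $vpn_net -j ACCEPT"
  # each listed peer, matched as an exact /32, may reach SSH on the private IP
  for peer in "$@"; do
    rule "-A INPUT -s $peer/32 -d $me -p tcp --dport 22 -j ACCEPT"
  done
  # anything else from the datacenter-wide range is logged, then dropped;
  # the LOG line is the detection signal for unexpected neighbours
  rule "-A INPUT -s $shared -d $me -j LOG --log-prefix \"shared-net-drop: \""
  rule "-A INPUT -s $shared -d $me -j DROP"
  # forward VPN traffic out to the private network and let replies back
  rule "-A FORWARD -i tun0 -s $vpn_net -o eth0 -j ACCEPT"
  rule '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  rule 'COMMIT'
  rule '*nat'
  rule ':POSTROUTING ACCEPT [0:0]'
  rule "-A POSTROUTING -s $vpn_net -o eth0 -j MASQUERADE"
  rule 'COMMIT'
}

# Review the output first, then load it by hand:
#   gen_rules ... | iptables-restore
gen_rules 172.20.1.0/24 192.168.128.0/17 192.168.137.64 192.168.137.63
```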