I have an OpenVPN server, call it vpn-server, with a LAN 192.168.3.0/24 behind it. The client, vpn-client, also has a LAN behind it, 10.4.0.0/24. Machines on 192.168.3.0/24 can access 10.4.0.0/24 (with one exception). Machines on 10.4.0.0/24 can access 192.168.3.0/24. (Server and client are both Linux based.)
The one exception is that the VPN host itself cannot access 10.4.0.0/24. Someone in #openvpn on IRC mentioned that when the openvpn server is connecting to the client network, it uses the VPN IP, not the local IP, and I should check out my masquerade rules for iptables. My masquerade rules, and the interface config for the related interfaces are at http://pastebin.com/Q9RDy0es .
OpenVPN configuration files, for both server and client, can be found at: http://pastebin.com/gtfm82pE .
I feel like it's a firewall issue on the host side, but I can't seem to get it worked out. Do I need new/different masquerade rules? I'm pretty sure the VPN configurations are correct.
vpn-server routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.54.1.9 * 255.255.255.255 UH 0 0 0 tun1
10.8.1.2 * 255.255.255.255 UH 0 0 0 tun0
<pubIP redacted> * 255.255.255.248 U 0 0 0 eth1
10.18.1.0 10.8.1.2 255.255.255.0 UG 0 0 0 tun0
172.16.20.0 10.54.1.9 255.255.255.0 UG 0 0 0 tun1
192.168.3.0 * 255.255.255.0 U 0 0 0 eth0
10.8.1.0 10.8.1.2 255.255.255.0 UG 0 0 0 tun0
10.54.1.0 10.54.1.9 255.255.255.0 UG 0 0 0 tun1
172.16.30.0 10.54.1.9 255.255.255.0 UG 0 0 0 tun1
10.3.0.0 10.54.1.9 255.255.255.0 UG 0 0 0 tun1
172.16.10.0 * 255.255.255.0 U 0 0 0 vlan4000
10.3.1.0 10.54.1.9 255.255.255.0 UG 0 0 0 tun1
10.4.0.0 10.8.1.2 255.255.0.0 UG 0 0 0 tun0
link-local * 255.255.0.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default <pubIP redacted> 0.0.0.0 UG 0 0 0 eth1
vpn-server output of iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
FW-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.3.0/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain FW-1-INPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:7788
ACCEPT udp -- anywhere anywhere udp dpt:ha-cluster
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT tcp -- sysmon.example.com anywhere tcp dpt:nrpe
ACCEPT tcp -- sysmon1.example.com anywhere tcp dpt:nrpe
ACCEPT udp -- sysmon1.example.com anywhere udp dpt:ntp
ACCEPT udp -- sysmon.examplecom anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp multiport dports iax,sip
ACCEPT udp -- anywhere anywhere udp multiport dports iax,sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
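The routing decision behind the symptom described in the question, as an added shell example that is not part of the original post: a longest-prefix-match lookup over the vpn-server routing table above (a constructed copy; link-local and loopback are expanded to their network numbers and the redacted public gateway is the placeholder PUBLIC-GW), showing that packets the server itself originates towards 10.4.0.0/24 egress via tun0, whose tunnel address then becomes the source address unless a nat POSTROUTING SNAT/MASQUERADE rule rewrites it.

```shell
# Longest-prefix-match lookup over the vpn-server routing table from the question.
# Columns as in `route` output: destination gateway genmask iface. Constructed copy:
# link-local/loopback expanded; redacted public gateway is the placeholder PUBLIC-GW.
ROUTES='
10.54.1.9 * 255.255.255.255 tun1
10.8.1.2 * 255.255.255.255 tun0
10.18.1.0 10.8.1.2 255.255.255.0 tun0
172.16.20.0 10.54.1.9 255.255.255.0 tun1
192.168.3.0 * 255.255.255.0 eth0
10.8.1.0 10.8.1.2 255.255.255.0 tun0
10.54.1.0 10.54.1.9 255.255.255.0 tun1
172.16.30.0 10.54.1.9 255.255.255.0 tun1
10.3.0.0 10.54.1.9 255.255.255.0 tun1
172.16.10.0 * 255.255.255.0 vlan4000
10.3.1.0 10.54.1.9 255.255.255.0 tun1
10.4.0.0 10.8.1.2 255.255.0.0 tun0
169.254.0.0 * 255.255.0.0 eth0
127.0.0.0 * 255.0.0.0 lo
0.0.0.0 PUBLIC-GW 0.0.0.0 eth1
'

# Dotted quad -> 32-bit integer, POSIX shell arithmetic only.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "iface gateway" for the most specific route matching $1. A contiguous netmask
# with more one-bits is numerically larger, so the largest matching mask is the longest
# prefix; the default route (mask 0) is chosen only when nothing else matches.
route_lookup() {
  dst=$(ip2int "$1")
  best_mask=-1
  best=""
  while read -r net gw mask iface; do
    [ -z "$net" ] && continue
    m=$(ip2int "$mask")
    n=$(ip2int "$net")
    if [ $(( $dst & $m )) -eq $(( $n & $m )) ] && [ "$m" -gt "$best_mask" ]; then
      best_mask=$m
      best="$iface $gw"
    fi
  done <<EOF
$ROUTES
EOF
  echo "$best"
}
# The server's own packets to the client LAN leave via tun0, so the kernel picks
# tun0's tunnel address as source rather than the 192.168.3.x address on eth0.
route_lookup 10.4.0.7      # -> tun0 10.8.1.2
```

On the live host, `ip route get 10.4.0.1` performs the same lookup and also prints the `src` address chosen; comparing that address with `iptables -t nat -L POSTROUTING -v -n` shows whether any masquerade rule on tun0 actually covers it.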