I have set up an OpenVPN connection between a Windows 2012 Server and a Debian Linux machine. The Windows machine is the server and the Linux machine is running OpenVPN as client. I can ping and connect to each other within the VPN network without problem.

My problem is that I cannot access the client's network from the server machine. E.g. Ping from & .1 is working without problems. Ping from Server to 192.168.1.X is not working.


OpenVPN Server (Windows 2012 Server) IP: VPN IP:

OpenVPN Client (Debian V6 Linux) IP: VPN IP:

I tried to add a route in Windows but still no traffic is being routed to the VPN network. E.g. route add mask

What do I need to configure in Windows/Linux to get access to the internal network of the client side?

UPDATE 23/04/2015:

After adding route and iroute to the OpenVPN server configuration I can access the eth0 interface ( from the Windows Server.

Added to server.ovpn:

    client-config-dir ccd

Inside the ccd folder, created a simple text file "client" with the following content:


The access to other clients in the network is possible but only by adding a static route to each of the clients (e.g. route add mask

How can I accomplish the same without the need of adding static route or changes to the clients in the local network?

  • Thank you for updating and providing a solution - it works perfectly! @asysadminboss's answer is completely useless – Duke Nukem Oct 31 '19 at 01:49

4 Answers


Sounds like you have successfully set up a remote-access VPN. http://en.wikipedia.org/wiki/Virtual_private_network

Q: What do I need to configure in Windows/Linux to get access to the internal network of the client side?

A: You need to use a site-to-site VPN tunnel.


  • This will help for future questions http://www.catb.org/esr/faqs/smart-questions.html – asysadminboss Apr 22 '15 at 03:09
  • Thanks. I could get it working by adding route and iroute on the server configuration. I can now ping the ethernet interface of the client. Problem is that to get access to a device in the client network, I need to add a static route to every device I want to access... Is there a way to get access without adding static routes on all devices? – user797717 Apr 22 '15 at 10:48
  • @asysadminboss The 2nd link you provided is help for a commercial OpenVPN product and does not help with configuring a typical OpenVPN server. – Duke Nukem Oct 31 '19 at 01:50

This seems to work but you need to combine other options. From Manual:

--iroute network [netmask]

Generate an internal route to a specific client. The netmask parameter, if omitted, defaults to directive can be used to route a fixed subnet from the server to a particular client, regardless of where the client is connecting from. Remember that you must also add the route to the system routing table as well (such as by using the --route directive). The reason why two routes are needed is that the --route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive routes to the specific client.

This option must be specified either in a client instance config file using --client-config-dir or dynamically generated using a --client-connect script. The --iroute directive also has an important interaction with --push "route ...". --iroute essentially defines a subnet which is owned by a particular client (we will call this client A). If you would like other clients to be able to reach A's subnet, you can use --push "route ..." together with --client-to-client to effect this. In order for all clients to see A's subnet, OpenVPN must push this route to all clients EXCEPT for A, since the subnet is already owned by A. OpenVPN accomplishes this by not pushing a route to a client if it matches one of the client's iroutes.

George Y
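The manual excerpt in the answer above says every `iroute` needs a matching `route` on the server, otherwise the kernel never hands the packet to OpenVPN. As an added example (not part of the original answer or of OpenVPN itself), this Python check reports client subnets that have an `iroute` but no covering `route`; the configs are constructed, `192.168.1.0/24` is an assumed mask for the question's `192.168.1.X` network, and `branch2` is a hypothetical second client.

```python
import ipaddress

# Constructed sample configs. 192.168.1.0/24 is an assumed mask for the
# "192.168.1.X" client LAN in the question; "branch2" is hypothetical and
# deliberately lacks a matching server-side route.
SERVER_OVPN = """\
client-config-dir ccd
route 192.168.1.0 255.255.255.0
"""
CCD = {
    "client": "iroute 192.168.1.0 255.255.255.0\n",
    "branch2": "iroute 192.168.50.0 255.255.255.0\n",
}

def parse_nets(text, directive):
    """Return the networks named by `directive` lines (route or iroute).

    Only dotted-quad network/netmask arguments are handled here.
    """
    nets = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] == directive:
            # An omitted netmask means a single host.
            mask = fields[2] if len(fields) > 2 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{fields[1]}/{mask}", strict=False))
    return nets

def unrouted_iroutes(server_text, ccd_files):
    """List (client, subnet) pairs whose iroute has no covering kernel route."""
    routes = parse_nets(server_text, "route")
    missing = []
    for name, text in sorted(ccd_files.items()):
        for net in parse_nets(text, "iroute"):
            # Stage 1 (kernel -> OpenVPN) needs a route containing the subnet;
            # stage 2 (OpenVPN -> client) is the iroute itself.
            if not any(net.subnet_of(r) for r in routes):
                missing.append((name, str(net)))
    return missing

if __name__ == "__main__":
    for name, net in unrouted_iroutes(SERVER_OVPN, CCD):
        print(f"ccd/{name}: iroute {net} has no matching 'route' in server config")
```
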

As asysadminboss said, you are describing the difference between a remote access VPN and a site to site VPN.

If a user needs to be able to use network resources behind the firewall they need to use a remote access VPN. This type of VPN creates route statements on the remote system (client) to access internal network devices.

If you need both sides of the VPN (client and server) you need to use a site to site VPN. A site to site VPN is where each side of the tunnel operates as a server and a client. This results in both devices providing route statements for their local network to the other device.

Generally you configure site to site VPNs using a router or VPN server as the site to site VPN peer on both sides of the link. If you have a single remote user that needs to access an internal network device remotely you would use a remote access VPN. If you have two offices where each office has systems that need to talk to systems on the other side of the tunnel you would use a site to site VPN.


Re: the second part of OP's question (as he's already solved the first part):

You can add a static route -> in the client subnet router's static route table. The process depends on your specific router.

This works because currently devices on your client subnet don't know about so they forward such packets to the router (probably on The default routing directive of any device (e.g. (default) -> is responsible for this. Unless you add the static route above to your client subnet router, it doesn't know what to do with these packets either, so they are lost.

The packet hops will look like this: (some device on client subnet)

to (client subnet router)

to (client subnet OpenVPN)

to 10.10.x.x (server subnet OpenVPN and ultimately some device on server subnet)

Duke Nukem