I have a setup pretty similar to this except the LAN clients are behind a DHCP relaying router. The outermost router forwards traffic to the OpenVPN server on port 1194 and I can connect clients succesfully, routing traffic going into the VPN server, out through it's own NAT. My VPN virtual ip range is 172.31.0.0/24
+-------------------------+
(public IP)| |
{INTERNET}=============={ Router |
| |
| LAN switch |
+------------+------------+
| (192.168.5.1)
|
| +-----------------------+
| | |
| | OpenVPN | eth0: 192.168.5.96/24
+--------------{eth0 server | tun0: 172.31.0.0/24
| | |
| | {tun0} |
| +-----------------------+
|
+--------+-----------+
| Router B |
| Other LAN clients |
| |
| 192.168.1.0/24 |
| (internal net) |
+--------------------+
Connecting as a VPN client outside the network, I am therefore able to get traffic on the internet, as well as to all the other clients connected to the first router hosting its own DHCP. (192.168.5.0/24). But when I try to access the second routers inner LAN I get the following response to pings:
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
From 172.31.0.1 icmp_seq=1 Destination Host Unreachable
The OpenVPN server is hosted on a box with restricted access so I can only retrieve the .conf files through the web ui, of which it only displays a limited amount of information. Connecting from the client gives me the following information:
Thu Dec 29 13:36:30 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 29 13:36:30 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Dec 29 13:36:30 2016 Attempting to establish TCP connection with [AF_INET]<public ip>:1194 [nonblock]
Thu Dec 29 13:36:31 2016 TCP connection established with [AF_INET]<public ip>:1194
Thu Dec 29 13:36:31 2016 TCPv4_CLIENT link local: [undef]
Thu Dec 29 13:36:31 2016 TCPv4_CLIENT link remote: [AF_INET]<public ip>:1194
Thu Dec 29 13:36:31 2016 TLS: Initial packet from [AF_INET]<public ip>:1194, sid=1081d793 4873f1e6
Thu Dec 29 13:36:31 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Dec 29 13:36:32 2016 VERIFY OK: depth=1, CN=*, OU=RV320, O=*., L=*, C=*, ST=*
Thu Dec 29 13:36:32 2016 VERIFY OK: depth=0, C=*, OU=*, CN=*
Thu Dec 29 13:36:32 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Dec 29 13:36:32 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 29 13:36:32 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Dec 29 13:36:32 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 29 13:36:32 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Dec 29 13:36:32 2016 [com] Peer Connection Initiated with [AF_INET]<public ip>:1194
Thu Dec 29 13:36:35 2016 SENT CONTROL [com]: 'PUSH_REQUEST' (status=1)
Thu Dec 29 13:36:35 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.1.3,dhcp-option DNS 192.168.1.10,dhcp-option DOMAIN <company>.LOCAL,route 172.31.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 172.31.0.6 172.31.0.5'
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: route options modified
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Dec 29 13:36:35 2016 ROUTE_GATEWAY <client ip>/255.255.255.240 IFACE=eth1 HWADDR=*
Thu Dec 29 13:36:35 2016 TUN/TAP device tun0 opened
Thu Dec 29 13:36:35 2016 TUN/TAP TX queue length set to 100
Thu Dec 29 13:36:35 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Dec 29 13:36:35 2016 /sbin/ip link set dev tun0 up mtu 1500
Thu Dec 29 13:36:35 2016 /sbin/ip addr add dev tun0 local 172.31.0.6 peer 172.31.0.5
Thu Dec 29 13:36:35 2016 /etc/openvpn/update-resolv-conf.sh tun0 1500 1559 172.31.0.6 172.31.0.5 init
dhcp-option DNS 192.168.1.3
dhcp-option DNS 192.168.1.10
dhcp-option DOMAIN <company>.LOCAL
Illegal option -x
Thu Dec 29 13:36:35 2016 /sbin/ip route add <public ip>/32 via <client ip>
Thu Dec 29 13:36:35 2016 /sbin/ip route add 0.0.0.0/1 via 172.31.0.5
Thu Dec 29 13:36:35 2016 /sbin/ip route add 128.0.0.0/1 via 172.31.0.5
Thu Dec 29 13:36:35 2016 /sbin/ip route add 172.31.0.0/24 via 172.31.0.5
Thu Dec 29 13:36:35 2016 Initialization Sequence Completed
My clients (linux boxes) has ip.forwarding enabled and their routing tables looks like this, connected from the outside:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.0.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 <client ip> 0.0.0.0 UG 0 0 0 eth1
<public ip> <client ip> 255.255.255.255 UGH 0 0 0 eth1
128.0.0.0 172.31.0.5 128.0.0.0 UG 0 0 0 tun0
<client ip> 0.0.0.0 255.255.255.240 U 1 0 0 eth1
172.31.0.0 172.31.0.5 255.255.255.0 UG 0 0 0 tun0
172.31.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
I've also tried setting up a static route as suggested here https://community.openvpn.net/openvpn/wiki/BridgingAndRouting but without any luck.