Configuring OpenVPN Routing: Enabling LAN Access (192.168.1.0/24) for VPN Clients (192.168.2.0/24)


When setting up OpenVPN with split tunneling, a common challenge emerges: VPN clients can access the VPN server (192.168.1.1) but fail to reach other hosts in the server's LAN (192.168.1.0/24). Despite proper route pushing and IP forwarding, connectivity issues persist.

Your current setup contains these critical components:

server.conf:
push "route 192.168.1.0 255.255.255.0"
dev tun
proto udp

And sysctl configuration:

net.ipv4.ip_forward = 1

The most common oversight is forgetting NAT/masquerading rules. Try these iptables commands:

# NAT VPN-originated traffic to the server's LAN address, so LAN hosts reply
# to 192.168.1.1 and need no route back to 192.168.2.0/24:
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
# Let VPN clients open connections into the LAN:
iptables -A FORWARD -i tun0 -o eth0 -s 192.168.2.0/24 -j ACCEPT
# Let only the replies back through; an unconditional ACCEPT here would
# expose every VPN client to every LAN host:
iptables -A FORWARD -i eth0 -o tun0 -d 192.168.2.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Check if routes are properly pushed to clients:

# On client after connection:
ip route show
# Should show: 192.168.1.0/24 via [VPN_GATEWAY]

Here's a working server.conf template:

port 1194
proto udp
dev tun
server 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
# Not needed for LAN access, and the opposite of split tunneling: it sends
# all client traffic through the VPN. Uncomment only for a full tunnel.
;push "redirect-gateway def1 bypass-dhcp"

Ensure client config includes:

client
dev tun
proto udp
remote your.server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

  • Confirm IP forwarding is active: sysctl net.ipv4.ip_forward
  • Verify iptables rules with: iptables -t nat -L -n -v
  • Check for conflicting routes on client machines
  • Ensure no host-based firewalls are blocking traffic

For simpler LAN access, consider tap/bridged mode:

# server-bridge only hands out client addresses from the pool; the OS must
# first create the bridge (e.g. br0 joining eth0 and tap0) and the server's
# 192.168.1.1 moves onto that bridge interface. Keep 192.168.1.128-254 out
# of the LAN's DHCP range so the two pools never collide.
dev tap0
server-bridge 192.168.1.1 255.255.255.0 192.168.1.128 192.168.1.254

This puts VPN clients on the same broadcast domain as your LAN.

When enabling full LAN access:

  • Implement client certificate authentication
  • Consider firewall rules limiting access to specific services
  • Monitor VPN connection logs regularly
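The iptables rules in this answer forward anything from 192.168.2.0/24 into the LAN, and the point about limiting access to specific services is left as advice. As an added example (not code from the original page), the script below generates the least-privilege version: a dedicated chain hooked at the top of FORWARD, one ACCEPT per allowlisted service, stateful return traffic only, and log-and-drop for everything else between the two interfaces. The interface names tun0/eth0 and the two subnets are the page's; the allowlist (192.168.1.2 on tcp/80 and tcp/443) is an assumption to edit for your own LAN.

```shell
#!/bin/sh
# Least-privilege forwarding rules for an OpenVPN split-tunnel server.
# Added example, not code from the original page. tun0/eth0 and the two
# subnets match the page; the service allowlist (host:proto:port) is an
# assumption and should list only what VPN clients actually need.
set -eu

VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
VPN_NET="${VPN_NET:-192.168.2.0/24}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SERVICES="${SERVICES:-192.168.1.2:tcp:80 192.168.1.2:tcp:443}"

# Print the iptables commands, one per line, without executing them.
gen_rules() {
  # Own chain, hooked at the top of FORWARD: re-running replaces our rules
  # instead of appending duplicates, and unrelated forwarding is untouched.
  echo "iptables -N OVPN_FWD 2>/dev/null || iptables -F OVPN_FWD"
  echo "iptables -C FORWARD -j OVPN_FWD 2>/dev/null || iptables -I FORWARD 1 -j OVPN_FWD"
  # LAN -> VPN: only replies to connections the VPN client opened.
  echo "iptables -A OVPN_FWD -i $LAN_IF -o $VPN_IF -d $VPN_NET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  # VPN -> LAN: one rule per allowlisted service, nothing else.
  for svc in $SERVICES; do
    host=${svc%%:*}; rest=${svc#*:}; proto=${rest%%:*}; port=${rest#*:}
    echo "iptables -A OVPN_FWD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $host -p $proto --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
  done
  # Anything else crossing the two interfaces is logged, then dropped.
  echo "iptables -A OVPN_FWD -i $VPN_IF -o $LAN_IF -j LOG --log-prefix 'ovpn-fwd-drop: '"
  echo "iptables -A OVPN_FWD -i $VPN_IF -o $LAN_IF -j DROP"
  echo "iptables -A OVPN_FWD -i $LAN_IF -o $VPN_IF -j DROP"
  # NAT only traffic that originates in the VPN subnet and leaves via the LAN side.
  echo "iptables -t nat -C POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE"
}

# How many per-service ACCEPT rules the allowlist expands to.
count_service_rules() {
  gen_rules | grep -c -e '--dport'
}

case "${1:-}" in
  --apply) gen_rules | while IFS= read -r cmd; do eval "$cmd"; done ;;  # needs root
  *)       gen_rules ;;   # dry run: show what --apply would execute
esac
```

Run it without arguments to review the generated rules, then `--apply` as root to install them; because the chain is flushed and rebuilt each time, re-running after editing SERVICES is safe. The LOG rule gives you the "monitor connection logs" part of the checklist for free: dropped attempts from VPN clients show up in the kernel log with the `ovpn-fwd-drop:` prefix.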

When setting up OpenVPN with separate subnets for server LAN (192.168.1.0/24) and VPN clients (192.168.2.0/24), you need proper routing configuration beyond just IP forwarding. Here's what's missing:

# In OpenVPN server configuration (server.conf or server.ovpn)
# Clients learn that the LAN sits behind the tunnel:
push "route 192.168.1.0 255.255.255.0"
# Optional: lets VPN clients reach each other; not required for LAN access
client-to-client
keepalive 10 120
persist-key
persist-tun

Even with ip_forward enabled, you need NAT/masquerading rules:

# Source-NAT tunnel traffic to the server's LAN address (no return route needed on LAN hosts):
sudo iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
# VPN -> LAN: new connections from the tunnel
sudo iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
# LAN -> VPN: replies to those connections only
sudo iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

After applying changes, test with:

# On VPN client:
ping 192.168.1.2
traceroute 192.168.1.2

# On OpenVPN server (-n skips reverse DNS; filter to the target host):
sudo tcpdump -ni tun0 host 192.168.1.2
sudo tcpdump -ni eth0 host 192.168.1.2
# Requests on tun0 but not on eth0 point at forwarding/NAT on the server;
# requests on eth0 with no reply point at the target host's own firewall
# (or, without masquerading, a missing route back to 192.168.2.0/24).

  • Check if local firewall (ufw/iptables) blocks forwarded packets
  • Verify subnet masks match exactly (255.255.255.0 vs 255.255.0.0)
  • Ensure no duplicate IPs between VPN and server LAN
  • Confirm the web server at 192.168.1.2 isn't blocking VPN subnet

For Ubuntu 12.04, make iptables rules persistent:

sudo apt-get install iptables-persistent
# A plain '>' redirect runs as your user and cannot write under /etc; go through tee:
sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null
# Rules are restored from that file at boot; load them now with:
sudo service iptables-persistent start

If masquerading isn't desired, consider bridging the networks:

dev tap
server-bridge 192.168.1.1 255.255.255.0 192.168.1.128 192.168.1.254
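The checklist in this answer (matching masks, no overlap between the VPN and LAN subnets, the pushed route actually present on the client, rules saved with the right privileges) can be scripted. Below is an added example, not code from the original page: plain POSIX sh functions that compute subnet overlap with shell arithmetic, check a routing table for the pushed route, test ip_forward, and save rules through tee. Subnets default to the page's 192.168.2.0/24 and 192.168.1.0/24; the client routing table embedded in it is constructed sample output, not captured from a real machine.

```shell
#!/bin/sh
# Pre-flight checks for OpenVPN LAN routing: subnet overlap, pushed route,
# forwarding, rule persistence. Added example, not code from the original
# page. Subnets default to the page's values; override via the environment.
set -eu

VPN_NET="${VPN_NET:-192.168.2.0/24}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Dotted quad -> 32-bit integer, using only shell arithmetic.
ip2int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# "a.b.c.d/len" -> "network mask" as integers.
net_and_mask() {
  addr=${1%/*}; len=${1#*/}
  mask=$(( (0xffffffff << (32 - len)) & 0xffffffff ))
  echo "$(( $(ip2int "$addr") & mask )) $mask"
}

# True when the two CIDR blocks share any address: they agree under the
# shorter (numerically smaller) of the two masks. Catches the /24 vs /16 mixup.
subnets_overlap() {
  set -- $(net_and_mask "$1") $(net_and_mask "$2")
  if [ "$2" -lt "$4" ]; then m=$2; else m=$4; fi
  [ $(( $1 & m )) -eq $(( $3 & m )) ]
}

# True when the routing table text ($1, as printed by `ip route show`) has a
# route for prefix $2 that leaves through a tun device, i.e. the pushed route.
has_pushed_route() {
  pat=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  printf '%s\n' "$1" | grep -Eq "^$pat .*dev tun[0-9]*"
}

# True when the kernel will forward between interfaces (run on the server).
ip_forward_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Persist the live ruleset; the file is root-owned, hence tee rather than '>'.
save_rules() {
  iptables-save | tee /etc/iptables/rules.v4 >/dev/null
}

# Constructed sample of a client's table after connecting (not real output).
SAMPLE_ROUTES='default via 10.0.0.1 dev wlan0
10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.7
192.168.1.0/24 via 192.168.2.5 dev tun0
192.168.2.5 dev tun0 proto kernel scope link src 192.168.2.6'

if subnets_overlap "$VPN_NET" "$LAN_NET"; then
  echo "WARNING: $VPN_NET overlaps $LAN_NET; choose a disjoint VPN subnet"
else
  echo "ok: $VPN_NET and $LAN_NET are disjoint"
fi
if has_pushed_route "$SAMPLE_ROUTES" "$LAN_NET"; then
  echo "ok: sample table routes $LAN_NET through the tunnel"
fi
# With --live, inspect this machine instead of the sample (run on the client
# for the route check, on the server for the forwarding check).
if [ "${1:-}" = "--live" ]; then
  has_pushed_route "$(ip route show)" "$LAN_NET" && echo "ok: route present" || echo "MISSING: route to $LAN_NET"
  ip_forward_enabled && echo "ok: ip_forward=1" || echo "MISSING: net.ipv4.ip_forward=1"
fi
```

Run it as-is to exercise the checks against the built-in sample, or with `--live` on a connected client (route check) and on the server (forwarding check). The overlap test is the one worth keeping around: a LAN that is really 192.168.0.0/16 silently swallows a 192.168.2.0/24 VPN subnet, and the symptoms look exactly like the missing-NAT problem this page is about.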