How to set up OpenVPN to let the VPN clients access all the servers inside the server LAN?

Solution 1:

Make sure that IP forwarding is actually enabled:

echo 1 > /proc/sys/net/ipv4/ip_forward

Also, in order for route push to work, the servers on the inside also need to know the route to your OpenVPN client IP addresses. So they will need to know the route to 192.168.2.0/24.

You can most likely make iptables do the routing via masquerade using:

# Hide VPN client addresses behind the server's LAN address when leaving eth0
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Let replies from the LAN back into the tunnel, and anything from the tunnel into the LAN
/sbin/iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

Solution 2:

If your LAN network really is 192.168.1.0/24, then you can get a lot of problems, because most routers have that default network. So, when you are on a guest network, your computer can get an IP from the 192.168.1.0/24 network, so you cannot access your remote network, only the guest network. I suggest choosing another network for your LAN and VPN, for example 192.170.15.0/24 for LAN and 10.0.5.0/xx for VPN; xx depends on how many VPN clients are connecting to the LAN.

Here is my fw script for OpenVPN:

#!/bin/sh

# Accept traffic arriving on any OpenVPN tunnel interface (tun+ and tap+ match all instances)
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

# Allow packets from private subnets
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT

# I have multiple VPN networks
# 192.123.123.0/24 = LAN
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.9.0.0/30 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.9.1.0/30 -o eth1 -d 192.123.123.39 -j MASQUERADE # access to a single server only

# Enable IP forwarding last, once the rules above are in place
echo 1 > /proc/sys/net/ipv4/ip_forward
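
The following script is an added example that belongs to neither answer above; it ties together the pieces both solutions rely on (the `push "route"` directive for clients, IP forwarding, and the forward/NAT rules), but scopes the rules to the VPN pool and the LAN prefix instead of accepting everything from the tunnel. The interface names (tun0, eth0), the client pool 10.8.0.0/24 and the LAN 192.168.1.0/24 are assumed, hypothetical values; it uses `-m conntrack --ctstate` where the answers use the older `-m state`. Commands are printed rather than executed unless APPLY=1 is set, so the result can be reviewed before it touches a firewall.

```shell
#!/bin/sh
# Added example, not code from the answers above. Hypothetical values:
#   VPN client pool 10.8.0.0/24 on tun0, LAN 192.168.1.0/24 behind eth0.
# Dry run by default: commands are printed unless APPLY=1.

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Convert a CIDR prefix (e.g. 192.168.1.0/24) into the dotted netmask that
# OpenVPN's push "route" directive expects.
cidr_to_mask() {
    bits=${1#*/}
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        else
            octet=$((256 - (1 << (8 - bits)))); bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$((i + 1))
    done
    printf '%s' "$mask"
}

# The server.conf line that tells connecting clients where the LAN lives.
push_route() {
    printf 'push "route %s %s"\n' "${1%/*}" "$(cidr_to_mask "$1")"
}

# Forwarding plus NAT, limited to the VPN pool and the LAN prefix rather than
# accepting every packet that arrives on the tunnel interface.
vpn_lan_rules() {
    vpn_net=$1 lan_net=$2 vpn_if=$3 lan_if=$4
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i "$vpn_if" -o "$lan_if" -s "$vpn_net" -d "$lan_net" -j ACCEPT
    run iptables -A FORWARD -i "$lan_if" -o "$vpn_if" -d "$vpn_net" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # MASQUERADE is only required when LAN hosts have no route back to the VPN
    # pool; if you add that return route on the LAN hosts, drop this line.
    run iptables -t nat -A POSTROUTING -s "$vpn_net" -d "$lan_net" -o "$lan_if" -j MASQUERADE
}

# Number of iptables rules emitted, handy for checking the dry-run output.
rule_count() {
    vpn_lan_rules "$@" | grep -c '^iptables'
}

# Dry-run demonstration with the hypothetical values.
push_route 192.168.1.0/24
vpn_lan_rules 10.8.0.0/24 192.168.1.0/24 tun0 eth0
```

Run it once without APPLY to read the generated server.conf line and rules, then `APPLY=1 sh script.sh` to install them; keeping the FORWARD rules restricted by source and destination prefix means a compromised client cannot use the VPN server as a hop to anything outside the intended LAN.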

Tags: vpn, openvpn