I have a setup very similar to this one, except that the LAN clients are behind a DHCP relay router. The outermost router forwards traffic to the OpenVPN server on port 1194 and I can successfully connect clients, routing traffic to the VPN server through its own NAT. My VPN virtual IP range is 172.31.0.0/24.
                          +-------------------------+
              (public IP) |                         |
{INTERNET}================{ Router                  |
                          |                         |
                          |       LAN switch        |
                          +------------+------------+
                                       | (192.168.5.1)
                                       |
                  |                    +-----------------------+
                  |                    |                       |
                  |                    |   OpenVPN             | eth0: 192.168.5.96/24
                  +---------------{eth0 server                 | tun0: 172.31.0.0/24
                  |                    |                       |
                  |                    |       {tun0}          |
                  |                    +-----------------------+
                  |
         +--------+-----------+
         |      Router B      |
         |  Other LAN clients |
         |                    |
         |   192.168.1.0/24   |
         |   (internal net)   |
         +--------------------+
Connecting as a VPN client from outside the network, I can therefore get traffic to the Internet as well as to all the other clients connected to the first router, which hosts its own DHCP (192.168.5.0/24). But when I try to reach the second router's internal LAN, I get the following response to pings:
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
From 172.31.0.1 icmp_seq=1 Destination Host Unreachable
The OpenVPN server is hosted on a box with restricted access, so I can only retrieve the .conf files through the web UI, which shows only a limited amount of information. The client connection gives me the following information:
Thu Dec 29 13:36:30 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 29 13:36:30 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Dec 29 13:36:30 2016 Attempting to establish TCP connection with [AF_INET]<public ip>:1194 [nonblock]
Thu Dec 29 13:36:31 2016 TCP connection established with [AF_INET]<public ip>:1194
Thu Dec 29 13:36:31 2016 TCPv4_CLIENT link local: [undef]
Thu Dec 29 13:36:31 2016 TCPv4_CLIENT link remote: [AF_INET]<public ip>:1194
Thu Dec 29 13:36:31 2016 TLS: Initial packet from [AF_INET]<public ip>:1194, sid=1081d793 4873f1e6
Thu Dec 29 13:36:31 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Dec 29 13:36:32 2016 VERIFY OK: depth=1, CN=*, OU=RV320, O=*., L=*, C=*, ST=*
Thu Dec 29 13:36:32 2016 VERIFY OK: depth=0, C=*, OU=*, CN=*
Thu Dec 29 13:36:32 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Dec 29 13:36:32 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 29 13:36:32 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Dec 29 13:36:32 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 29 13:36:32 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Dec 29 13:36:32 2016 [com] Peer Connection Initiated with [AF_INET]<public ip>:1194
Thu Dec 29 13:36:35 2016 SENT CONTROL [com]: 'PUSH_REQUEST' (status=1)
Thu Dec 29 13:36:35 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.1.3,dhcp-option DNS 192.168.1.10,dhcp-option DOMAIN <company>.LOCAL,route 172.31.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 172.31.0.6 172.31.0.5'
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: route options modified
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Dec 29 13:36:35 2016 ROUTE_GATEWAY <client ip>/255.255.255.240 IFACE=eth1 HWADDR=*
Thu Dec 29 13:36:35 2016 TUN/TAP device tun0 opened
Thu Dec 29 13:36:35 2016 TUN/TAP TX queue length set to 100
Thu Dec 29 13:36:35 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Dec 29 13:36:35 2016 /sbin/ip link set dev tun0 up mtu 1500
Thu Dec 29 13:36:35 2016 /sbin/ip addr add dev tun0 local 172.31.0.6 peer 172.31.0.5
Thu Dec 29 13:36:35 2016 /etc/openvpn/update-resolv-conf.sh tun0 1500 1559 172.31.0.6 172.31.0.5 init
dhcp-option DNS 192.168.1.3
dhcp-option DNS 192.168.1.10
dhcp-option DOMAIN <company>.LOCAL
Illegal option -x
Thu Dec 29 13:36:35 2016 /sbin/ip route add <public ip>/32 via <client ip>
Thu Dec 29 13:36:35 2016 /sbin/ip route add 0.0.0.0/1 via 172.31.0.5
Thu Dec 29 13:36:35 2016 /sbin/ip route add 128.0.0.0/1 via 172.31.0.5
Thu Dec 29 13:36:35 2016 /sbin/ip route add 172.31.0.0/24 via 172.31.0.5
Thu Dec 29 13:36:35 2016 Initialization Sequence Completed
My clients (Linux boxes) have ip.forwarding enabled, and their routing tables look like this when connected from outside:
Kernel IP routing table
Destination     Gateway         Genmask          Flags Metric Ref  Use Iface
0.0.0.0         172.31.0.5      128.0.0.0        UG    0      0      0 tun0
0.0.0.0         <client ip>     0.0.0.0          UG    0      0      0 eth1
<public ip>     <client ip>     255.255.255.255  UGH   0      0      0 eth1
128.0.0.0       172.31.0.5      128.0.0.0        UG    0      0      0 tun0
<client ip>     0.0.0.0         255.255.255.240  U     1      0      0 eth1
172.31.0.0      172.31.0.5      255.255.255.0    UG    0      0      0 tun0
172.31.0.5      0.0.0.0         255.255.255.255  UH    0      0      0 tun0
I also tried setting up a static route as suggested here link but with no luck.
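Added example, not part of the original post and not OpenVPN's own code: it replays the kernel's longest-prefix match over the client routing table shown above and parses the PUSH_REPLY line from the log, to check which way the client actually sends a packet for 192.168.1.3 and whether the server pushed a route for that LAN. The `<client ip>`, `<public ip>` and `<company>.LOCAL` placeholders are replaced with constructed documentation-range values (client 192.0.2.10/28 via 192.0.2.1, VPN endpoint 198.51.100.1, domain example.LOCAL).

```python
import ipaddress

# Client routing table copied from the post; placeholders replaced with
# constructed addresses: client 192.0.2.10/28, its gateway 192.0.2.1,
# VPN endpoint 198.51.100.1.  Columns: destination, gateway, genmask, iface.
ROUTES = [
    ("0.0.0.0",      "172.31.0.5", "128.0.0.0",       "tun0"),
    ("0.0.0.0",      "192.0.2.1",  "0.0.0.0",         "eth1"),
    ("198.51.100.1", "192.0.2.1",  "255.255.255.255", "eth1"),
    ("128.0.0.0",    "172.31.0.5", "128.0.0.0",       "tun0"),
    ("192.0.2.0",    "0.0.0.0",    "255.255.255.240", "eth1"),
    ("172.31.0.0",   "172.31.0.5", "255.255.255.0",   "tun0"),
    ("172.31.0.5",   "0.0.0.0",    "255.255.255.255", "tun0"),
]

# PUSH_REPLY line from the client log (domain placeholder constructed).
PUSH_REPLY = ("PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.1.3,"
              "dhcp-option DNS 192.168.1.10,dhcp-option DOMAIN example.LOCAL,"
              "route 172.31.0.0 255.255.255.0,topology net30,ping 10,"
              "ping-restart 120,ifconfig 172.31.0.6 172.31.0.5")

def lookup(dst, routes=ROUTES):
    """Longest-prefix match as the kernel does it; returns (gateway, iface)."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for dest, gw, mask, iface in routes:
        net = ipaddress.IPv4Network((dest, mask))
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (best[1], best[2]) if best else None

def pushed_routes(push_reply):
    """Networks the server pushed explicitly as 'route <net> <mask>'."""
    nets = []
    for opt in push_reply.split(","):
        parts = opt.split()
        if len(parts) == 3 and parts[0] == "route":
            nets.append(ipaddress.IPv4Network((parts[1], parts[2])))
    return nets

def explicitly_pushed(dst, push_reply=PUSH_REPLY):
    """True if a pushed 'route' option (not the def1 halves) covers dst."""
    return any(ipaddress.IPv4Address(dst) in n for n in pushed_routes(push_reply))

if __name__ == "__main__":
    for dst in ("192.168.1.3", "192.168.5.1", "8.8.8.8"):
        print(dst, "->", lookup(dst), "| explicit pushed route:", explicitly_pushed(dst))
```

Because `redirect-gateway def1` installs the two /1 halves via 172.31.0.5, the client already hands 192.168.1.3 to tun0 without any explicit route, so the "Destination Host Unreachable" from 172.31.0.1 points at the server side: its own route to 192.168.1.0/24 and Router B's return route to 172.31.0.0/24 are the places to check.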