Making OpenVPN Route Both Ways With TUN

You may recall this article from last February where I described how to set up an OpenVPN server in Ubuntu.

One thing that's bothered me ever since that day is that the client could contact everything on the server's network but not vice-versa. I searched for answers for quite some time and finally gave up.

I just stumbled on the answer, and it's a really easy solution to the problem. I'm already using custom client configs, and there's only one client that I wanted dual routing with - our accounting office in Virginia.

Here are a few assumptions. Let's say the primary network with the OpenVPN server uses 192.168.1.0/24, and the OpenVPN client network that's going to keep a constant link uses 192.168.2.0/24.

In the server's "server.conf" file you need the following two lines:

route 192.168.2.0 255.255.255.0
client-to-client

In the client config file (also on the server) add the following:

push "route 192.168.1.0 255.255.255.0"
iroute 192.168.2.0 255.255.255.0

Don't forget you need to configure one or both firewalls to allow the traffic.

On the server, the route line says: when a client whose network is 192.168.2.0/24 connects, let us reach that network, but only if the client's config allows it.

The iroute entry in the client config file then tells the server that 192.168.2.0/24 sits behind this particular client, so that network can be reached from the server's side.

And there you have it - full ping directly to 192.168.1.0/24 from 192.168.2.0/24 and vice-versa!
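The route and iroute lines only work as a pair, and a missing or mistyped one fails silently (the kernel sends packets into the tun device, but OpenVPN has no client to hand them to). The following is an added example, not code from the post or from the OpenVPN project: a small Python linter that reads a server.conf and the per-client files, checks that every server route is claimed by exactly one client iroute, that every iroute has a covering server route, and that the server LAN is pushed to the client. The config text is constructed from the post's lines, and the client name "virginia-office" is invented.

```python
# Added example (not from the original post): lint the route/iroute pairing
# between an OpenVPN server.conf and its per-client config files.
import ipaddress
from typing import Dict, List


def parse_directives(text: str) -> List[List[str]]:
    """Tokenise OpenVPN config text: drop '#'/';' comments and blank lines and
    strip the double quotes around push arguments, so that
    push "route 192.168.1.0 255.255.255.0" becomes
    ['push', 'route', '192.168.1.0', '255.255.255.0']."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        directives.append(line.replace('"', "").split())
    return directives


def to_net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Turn OpenVPN's 'network netmask' pair into an ip_network object."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def lint(server_conf: str, ccd: Dict[str, str], server_lan: str) -> List[str]:
    """Return a list of findings; an empty list means the route/iroute pairing
    is consistent for every per-client config file in `ccd` (name -> text)."""
    findings: List[str] = []
    lan = ipaddress.ip_network(server_lan)
    server = parse_directives(server_conf)

    # 'route' on the server adds a kernel route for the remote LAN into the tun device.
    server_routes = [to_net(d[1], d[2]) for d in server if d[0] == "route" and len(d) >= 3]
    if not any(d[0] == "client-to-client" for d in server):
        findings.append("server.conf: 'client-to-client' is missing (the post's setup expects it)")
    lan_pushed_globally = any(
        d[:2] == ["push", "route"] and len(d) >= 4 and to_net(d[2], d[3]) == lan for d in server)

    claimed: Dict[ipaddress.IPv4Network, str] = {}  # remote LAN -> client that iroutes it
    for name, text in ccd.items():
        lan_pushed = lan_pushed_globally
        for d in parse_directives(text):
            if d[0] == "iroute" and len(d) >= 3:
                net = to_net(d[1], d[2])
                # OpenVPN delivers to a client only the networks it iroutes, and
                # only if the server also has a covering 'route' for them.
                if not any(net == r or net.subnet_of(r) for r in server_routes):
                    findings.append(f"{name}: iroute {net} has no covering 'route' in server.conf")
                if net in claimed:
                    findings.append(f"{name}: iroute {net} is already claimed by {claimed[net]}")
                claimed.setdefault(net, name)
                if net.overlaps(lan):
                    findings.append(f"{name}: iroute {net} overlaps the server LAN {lan}")
            elif d[:2] == ["push", "route"] and len(d) >= 4 and to_net(d[2], d[3]) == lan:
                lan_pushed = True
        if not lan_pushed:
            findings.append(f"{name}: server LAN {lan} is never pushed, so the client will not route to it")

    # A server 'route' that no client claims via iroute: the kernel sends packets
    # into tun, but OpenVPN has no client to deliver them to.
    for r in server_routes:
        if not any(n == r or n.subnet_of(r) for n in claimed):
            findings.append(f"server.conf: route {r} is not iroute'd by any client")
    return findings


# Constructed sample input, taken from the post's configuration lines.
SERVER_CONF = """\
# the two server.conf lines from the post
route 192.168.2.0 255.255.255.0
client-to-client
"""
SERVER_LAN = "192.168.1.0/24"
# "virginia-office" is an invented client name for the per-client file.
CCD_OK = {"virginia-office": 'push "route 192.168.1.0 255.255.255.0"\niroute 192.168.2.0 255.255.255.0\n'}
# The same client file with its iroute forgotten: the one-way symptom the post describes.
CCD_MISSING_IROUTE = {"virginia-office": 'push "route 192.168.1.0 255.255.255.0"\n'}

if __name__ == "__main__":
    for label, ccd in (("ok", CCD_OK), ("missing iroute", CCD_MISSING_IROUTE)):
        print(label, lint(SERVER_CONF, ccd, SERVER_LAN) or ["no findings"])
```

Running it prints no findings for the post's configuration and one finding for the variant without iroute; point it at your real server.conf and client-config-dir contents after any change to either side. It checks only OpenVPN's own routing tables, so firewall rules and IP forwarding on the two hosts still have to be verified separately.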

Posted by Tony on Oct 05, 2009 | Servers