
Resolved
0 votes
Hi all,
I have a little problem with my OpenVPN configuration.
On ClearOS I have installed OpenVPN; it works fine and I can see the whole network, but I don't want all users to see the whole network, just certain things.
I have three user groups:
Admins, who have access to the entire network
Users, who have access to only one computer and one nas
Locations, which have access to only one computer
I followed the OpenVPN guide and created the ccd rules for the users, but despite everything, if I log in with any user I see everything and have access to everything.
I am probably doing something wrong in the iptables rules, which I post below:

- for the locations:
$IPTABLES -I FORWARD -o tun -s 10.8.0.0/24 -d 15.210.243.178 -j ACCEPT
- for the admin:
$IPTABLES -A FORWARD -i tun -s 10.8.1.0/24 -d 15.210.243.0/24 -j ACCEPT
- first rule for users:
$IPTABLES -A FORWARD -i tun -s 10.8.2.0/24 -d 15.210.243.178 -j ACCEPT
- second rule for users:
$IPTABLES -A FORWARD -i tun -s 10.8.2.0/24 -d 15.210.243.167 -j ACCEPT

Where am I wrong?
In OpenVPN
Wednesday, December 22 2021, 11:32 AM
Responses (5)
  • Accepted Answer

    Wednesday, December 22 2021, 04:24 PM - #Permalink
    Resolved
    0 votes
    Generally, don't bother with the TCP interface. It is never used. Then use "tun+" in your rules and not "tun". This will cover all tun interfaces. These are generally tun0 and tun1, and not tun.

    You will also need a DROP rule somewhere after your rules as there is a default ACCEPT rule for all traffic.

    Why is your first rule "-o" and all the rest "-i"

    Then check your traffic. I have a suspicion that all traffic will appear from a single interface, but I am not sure. This is just vague memories.
  • Accepted Answer

    Wednesday, December 22 2021, 05:10 PM - #Permalink
    Resolved
    0 votes
    The -o instead of -i is my writing mistake :)
    Maybe my mistake is the first rule:
    $IPTABLES -t nat -I POSTROUTING -s 10.8.2.0/24 -j MASQUERADE

    $IPTABLES -t nat -I POSTROUTING -s 10.8.1.0/24 -j MASQUERADE

    $IPTABLES -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

    Probably these rules make the whole network visible, but if I don't apply them I can't see any device in the network.
    It is the first time it has happened to me not to see the computers in the network through the VPN, and with those magic rules I see everything.
  • Accepted Answer

    Wednesday, December 22 2021, 06:41 PM - #Permalink
    Resolved
    0 votes
    If you are using a ccd folder and using extra OpenVPN subnets, I assume you've added the extra subnets as "EXTRALANS" to /etc/clearos/network.conf? This will add the additional routes to OpenVPN.

    If you have to add the MASQUERADE rules, be careful. If your LAN targets are Windows machines, their firewall generally will reject pings and perhaps other traffic from outside their own LAN, so from all the 10.8.x.y subnets. You can then just use the webconfig to NAT the traffic which will activate the same rules. These rules will not affect how much of the LAN you can see, just the Windows machines (generally) that you can see. If you don't use or want these rules, you can adjust the Windows firewall.

    You will probably need the FORWARD rules somewhere, but I don't know if the MASQUERADE will defeat the FORWARD rules. It depends on when they get applied. You'll just have to try it.
  • Accepted Answer

    Thursday, December 23 2021, 09:40 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    If you are using a ccd folder and using extra OpenVPN subnets, I assume you've added the extra subnets as "EXTRALANS" to /etc/clearos/network.conf? This will add the additional routes to OpenVPN.

    Yes, I added them as EXTRALANS in the network.conf file.

    Nick Howitt wrote:
    If you have to add the MASQUERADE rules, be careful. If your LAN targets are Windows machines, their firewall generally will reject pings and perhaps other traffic from outside their own LAN, so from all the 10.8.x.y subnets. You can then just use the webconfig to NAT the traffic which will activate the same rules. These rules will not affect how much of the LAN you can see, just the Windows machines (generally) that you can see. If you don't use or want these rules, you can adjust the Windows firewall.
    You will probably need the FORWARD rules somewhere, but I don't know if the MASQUERADE will defeat the FORWARD rules. It depends on when they get applied. You'll just have to try it.

    I'm lost.
    They are Windows machines and QNAP NAS machines using the SMB protocol. I will probably have to change the masquerade rule, because I believe, as you said, it defeats everything.

    As always thanks Nick
  • Accepted Answer

    Thursday, December 23 2021, 10:32 AM - #Permalink
    Resolved
    0 votes
    Pierfrancesco Toninato wrote:
    ... I will probably have to change the masquerade rule, because I believe, like you said, it defeats all.
    Not necessarily. Try sniffing packets on the LAN interface with tcpdump. One big issue is that you do not have a DROP in the FORWARD chain. Try that first. I think it must be the top rule in the Custom Firewall so it appears after the ACCEPT rules in the listing of "iptables -nvL FORWARD"
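As an added example, not code from the original thread, the script below puts the advice from Nick's first and last replies together in one place: "tun+" instead of "tun", one ACCEPT per group and destination, and an explicit DROP after the ACCEPTs so the chain's default ACCEPT never applies to VPN traffic. The subnet-to-group mapping (10.8.0.0/24 locations, 10.8.1.0/24 admin, 10.8.2.0/24 users) and the LAN addresses are taken from the rules posted in the question; the ESTABLISHED,RELATED rule, the "! -o tun+" on the MASQUERADE rules, the IPTABLES variable and the apply/dry-run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): per-group OpenVPN access
# control in the FORWARD chain, with a trailing DROP so the default ACCEPT
# policy cannot leak the whole LAN to every client.
#
# Assumed layout (matches the rules in the question, not stated elsewhere):
#   locations -> 10.8.0.0/24   admins -> 10.8.1.0/24   users -> 10.8.2.0/24
#   LAN 15.210.243.0/24; shared PC .178; NAS .167
# IPTABLES defaults to the real binary; set it to "echo" for a dry run.

IPTABLES="${IPTABLES:-iptables}"
VPN_ADMIN_NET="10.8.1.0/24"
VPN_USERS_NET="10.8.2.0/24"
VPN_LOCATIONS_NET="10.8.0.0/24"
LAN_NET="15.210.243.0/24"
SHARED_PC="15.210.243.178"   # the one computer users and locations may reach
USERS_NAS="15.210.243.167"   # the NAS that only users (and admins) may reach

# One ACCEPT per (source VPN subnet, destination). "tun+" matches tun0, tun1,
# ...; a bare "tun" matches nothing because no interface has that exact name.
fwd_accept() {
    "$IPTABLES" -A FORWARD -i tun+ -s "$1" -d "$2" -j ACCEPT
}

apply_vpn_rules() {
    # Replies from the LAN back into the tunnel are covered by conntrack, so
    # the per-destination rules only need to describe the VPN->LAN direction.
    "$IPTABLES" -A FORWARD -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

    fwd_accept "$VPN_ADMIN_NET"     "$LAN_NET"
    fwd_accept "$VPN_USERS_NET"     "$SHARED_PC"
    fwd_accept "$VPN_USERS_NET"     "$USERS_NAS"
    fwd_accept "$VPN_LOCATIONS_NET" "$SHARED_PC"

    # Anything else arriving from a tun interface is dropped. Without this
    # rule the chain falls through to its default ACCEPT and every group can
    # reach the whole LAN, which is exactly the symptom in the question.
    "$IPTABLES" -A FORWARD -i tun+ -j DROP
}

# Optional: source-NAT the VPN subnets so Windows hosts that reject traffic
# from outside their own subnet still answer. nat/POSTROUTING is consulted
# after filter/FORWARD, so this does not bypass the rules above.
apply_vpn_nat() {
    for net in "$VPN_ADMIN_NET" "$VPN_USERS_NET" "$VPN_LOCATIONS_NET"; do
        "$IPTABLES" -t nat -A POSTROUTING -s "$net" ! -o tun+ -j MASQUERADE
    done
}

# Self-checks on the generated rule set (dry run in a subshell).
count_accepts_for() {
    ( IPTABLES=echo; apply_vpn_rules ) | grep -c -- "-s $1 .* -j ACCEPT"
}
last_forward_rule() {
    ( IPTABLES=echo; apply_vpn_rules ) | tail -n 1
}

case "${1:-}" in
    apply)   apply_vpn_rules; apply_vpn_nat ;;
    dry-run) ( IPTABLES=echo; apply_vpn_rules; apply_vpn_nat ) ;;
esac
```

Run it with "dry-run" first to see the exact commands, then "apply". On ClearOS the same lines would go into the Custom Firewall app; whichever way they are loaded, confirm the result with "iptables -nvL FORWARD" and check that the DROP for tun+ is listed below the ACCEPT rules, since the chain is evaluated top to bottom and first match wins. If a group still reaches a host it should not, "tcpdump -ni tun0" on the server shows which tun interface and source subnet the traffic really arrives on.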