My Community Dashboard

  • The problem is really IPsec. You need EXTRALANS for OpenVPN to cover the IPsec subnet. This adds a route for OpenVPN to push traffic from the client to the remote IPsec subnet via the server. You also need an extra tunnel in IPsec for the OpenVPN subnet (10.8.0.0/24 by default) to the remote subnet.

    There is a trick you can pull to just use a single IPsec tunnel. If you move the OpenVPN subnet to adjacent to your LAN, you can route the larger subnet in a single tunnel definition. As an example, my LAN Subnet is 172.17.2.0/24. I changed my OpenVPN subnet (in /etc/openvpn/clients.conf) to 172.17.3.0/24. Then, in IPsec, for my local subnet I used 172.17.2.0/23 which routed the LAN and OpenVPN through the tunnel. Be careful of your subnetting. Had I used 172.17.1.0/24 for OpenVPN, I would have had to route 172.17.0.0/22 through the IPsec tunnel.