Debian – Connecting two networks together with OpenVPN

Tags: debian, openvpn, static-routes, vpn

I have two Debian boxes sitting on two separate networks. I am trying to set up an OpenVPN link across the internet between the two and I've hit a little roadblock. I would like to set this up so that all of my home IPs are accessible from work, and vice-versa. No internet traffic needs to go over this VPN link, only the local network traffic.

I have successfully connected the two boxes as such

172.16.130.2 internal addy (10.9.8.1 vpn addy) - server vpn address (work)
172.16.120.2 internal addy (10.9.8.2 vpn addy) - client vpn address (home)

I am able to ping the client's and server's VPN addresses from the terminal on both boxes, no problems there; the VPN works well. So I can ping 10.9.8.1 from my home server.

I set up a static route on my home server for 172.16.130.0/24 with gateway 10.9.8.1, and vice versa on the work server, and I am now able to ping my work server's internal IP of 10.16.130.2. That works too.

So now I try to ping my work server's router @ 172.16.130.1, or any of the client IPs on my work network 172.16.130.x and no dice. What would be the next step to get my work network visible to my home server? I'm thinking I don't need to do anything on my routers yet, but I might be wrong.

Best Answer

In order for machines on different networks to successfully talk to each other, both ends need to know how to route traffic to the other end. Normally, this is easily done on a simple end-user LAN because there are usually only two destinations: "the local network" and "everywhere else". Traffic to the local network is just sent directly to the destination, while traffic to everywhere else is sent to the default gateway ("router") and it handles it (by passing it to your upstream ISP, which has far more knowledge about where to send traffic to the many destinations that make up the Internet).

By placing a VPN into the mix, you're complicating things somewhat. By making the VPN endpoints machines within a LAN, rather than making the default gateways the endpoints, you're complicating things greatly.

What you need to do is add routes to allow traffic to go to the right places. You can either do this on every machine in both LANs, or just add it to the default gateway. The latter is far easier, but slightly less efficient (traffic will have an extra "hop", going via the gateway, which shouldn't be a major inconvenience in most cases).

Without knowing what your gateways actually are, I can't tell you how to configure them, but the routes basically need to be:

  • On gateway for 172.16.130.0/24:
    • Route all traffic destined for 172.16.120.0/24 via 172.16.130.2
  • On gateway for 172.16.120.0/24:
    • Route all traffic destined for 172.16.130.0/24 via 172.16.120.2

There's also all sorts of firewalling stuff you might have to do, both on the gateways and the VPN endpoints, and you might have to turn on IP forwarding on the endpoints, but it's all fairly straightforward network configuration stuff.

And next time: just put the VPN endpoints on the default gateway. It's so much easier.
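To make the answer's point concrete, here is a small routing-table simulation (an added example, not part of the question or the answer) that traces a ping from a home PC to the work router 172.16.130.1 over the question's addresses, before and after the gateway return routes and IP forwarding on the endpoints are added. The home router address, the home PC, and the ISP next hops are assumed values.

```python
# Constructed model of the question's topology: tun0 ends 10.9.8.1/10.9.8.2 sit on
# LAN hosts 172.16.130.2/172.16.120.2; home router, home PC and ISP hops are assumed.
import ipaddress

def host(addrs, routes, forward=False):
    return {"addrs": set(addrs), "routes": routes, "forward": forward}

def lan_topology():
    return {
        "work_router": host(["172.16.130.1"], {"172.16.130.0/24": None,
                            "0.0.0.0/0": "203.0.113.1"}, forward=True),
        "work_vpn": host(["172.16.130.2", "10.9.8.1"], {"172.16.130.0/24": None,
                         "10.9.8.0/24": None, "172.16.120.0/24": "10.9.8.2"}),
        "home_vpn": host(["172.16.120.2", "10.9.8.2"], {"172.16.120.0/24": None,
                         "10.9.8.0/24": None, "172.16.130.0/24": "10.9.8.1"}),
        "home_router": host(["172.16.120.1"], {"172.16.120.0/24": None,
                            "0.0.0.0/0": "198.51.100.1"}, forward=True),
        "home_pc": host(["172.16.120.10"], {"172.16.120.0/24": None,
                        "0.0.0.0/0": "172.16.120.1"}),
    }

def lookup(routes, dst):
    """Longest-prefix match -> (network, next_hop) or None; next_hop None = on-link."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(topo, start, dst, max_hops=8):
    """Walk one packet hop by hop; the path ends in 'delivered' or a drop reason."""
    owner = {a: n for n, h in topo.items() for a in h["addrs"]}
    path, node = [start], start
    for _ in range(max_hops):
        if dst in (h := topo[node])["addrs"]:
            return path + ["delivered"]
        if node != start and not h["forward"]:  # transit host with ip_forward=0
            return path + [f"dropped: {node} does not forward"]
        hit = lookup(h["routes"], dst)
        nh = None if hit is None else (dst if hit[1] is None else hit[1])
        if nh not in owner:  # no route, or a default route towards the ISP
            return path + [f"dropped: {node} has no LAN route for {dst} (via {nh})"]
        path.append(node := owner[nh])
    return path + ["dropped: hop limit"]

def apply_answer(topo):
    """The answer's fix: return routes on both gateways, forwarding on both endpoints."""
    topo["work_router"]["routes"]["172.16.120.0/24"] = "172.16.130.2"
    topo["home_router"]["routes"]["172.16.130.0/24"] = "172.16.120.2"
    topo["work_vpn"]["forward"] = topo["home_vpn"]["forward"] = True
```

Tracing with only the gateway routes added shows the packet dying at the VPN endpoint until forwarding is enabled, which is the "you might have to turn on IP forwarding" step.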
