Linux – OpenVPN client as gateway for other clients

gateway, linux, openvpn, routing

I have an OpenVPN network with one server and two clients. When I set up my default route on C1 to go through S (which does have IP forwarding and NATing enabled), everything works as expected. The problem is that if I point C1's default route to C2 (which is also properly configured to NAT traffic from the VPN to the internet), the traffic gets snatched by S anyway and forwarded by it. When I tcpdump on C2, there is no sign of anything arriving there. Is it possible to set up a client as a gateway for other clients in OpenVPN, or is it a property of the system that packets get routed by the server even if the route on the client is pointed at another client?

Edit:

The square brackets represent my virtual network (it does not physically exist). C1/C2/S can ping each other within the network, no problem. I want to route traffic from C1 through C2 to the internet. I can route from C1 (and probably from C2) through S to the internet, but routing through C2 does not work, as the packets get forwarded by S instead. This seems to be a problem with the OpenVPN server not wanting to send packets where they should go.

                [C1-S(NAT)] -- The Internet
The Internet -- [(NAT)C2/ ]

Best Answer

Answering this completely is difficult without knowing the network topology you're trying to describe, though I think I can say that in general it is possible to do what you're asking.

Consider the scenario below:

C1 -- R1 --(NAT)-- Internet --(NAT)-- R2 -- C2

Here, if there's a (properly configured) OpenVPN tunnel created between R1 and R2, then C1 can talk to C2 and vice-versa.

This scenario is more difficult to get correct:

C2 -- R1 --(NAT)-- Internet --(NAT)-- R2 -- C3
C1 /                                      \ C4

Where C2 and C3 are the OpenVPN endpoints and C1 should use the VPN to get to C4. The first hurdle is to get the OpenVPN tunnel established between C2 and C3, probably using port forwarding from R1 & R2 of UDP 1190 to C2 & C3 respectively.

The next is to get C1 to use C2 as the way to get packets to C4. That involves configuring the routing table on C1 and C4. C1 sets the route to C4's network going VIA C2, and C4 sets the route to C1's network going VIA C3. Both of those routes should take precedence over the default. So perhaps on C1: {route add 192.168.3.0 gw 192.168.2.2} and on C4: {route add 192.168.1.0 gw 192.168.3.2}. This is assuming that C2 and C3's addresses are 192.168.2.2 and 192.168.3.2 respectively, and that C1 and C4 are on the same network as C2 and C3 respectively.

Hopefully this is enough to answer your question and demonstrate that it's a lot easier to configure the VPN on the default gateway than it is to configure the VPN on a client, but there are use cases for both.

Edit: With this topology, and description of the problem, I believe there are routing issues on C1 and C2... C1's default route should point to the VPN address of C2 as the router. That will force C1 to use the VPN to get packets to C2, then C2 decides what to do with them.

In the case that C2 uses its own connection to the Internet, as you've shown, C2's default route should be to its own Internet connection.

If instead C2 doesn't really have its own path to the Internet and instead it goes through S, then S should be C2's default router.
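An added worked example, not part of the question or the answer above, for the topology the question actually describes (C1 and C2 both clients of S, C2 with its own internet uplink). One caveat worth making explicit first: in tun mode the VPN is a point-to-point, layer-3 device, so the next-hop address in C1's default route only selects the tun interface and is never carried in the packet. The OpenVPN server dispatches by destination IP alone, so an internet-bound packet from C1 is handed to S's kernel, matches S's own default route and leaves through S's NAT; it never reaches C2, which is exactly the tcpdump result in the question. (In tap mode the next hop is a MAC address and pointing C1's default route at C2's VPN address works directly.) In tun mode the fix is to make the outer destination C2's VPN address, for example with a GRE tunnel between the two clients' VPN addresses, and to default-route C1 into that. The script below does that; every address, interface name and the MTU are hypothetical assumptions stated in the comments, and DRYRUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the original post. All values below are assumed:
#   C1 VPN address 10.8.0.6, C2 VPN address 10.8.0.10 (OpenVPN tun, server subnet 10.8.0.0/24)
#   C1 physical uplink eth0 with gateway 192.0.2.1; S's public address 203.0.113.5
#   C2 internet-facing interface eth0; GRE inner addresses 172.16.0.1 (C1) / 172.16.0.2 (C2)
# Usage: run "c1" on C1 and "c2" on C2 as root; DRYRUN=1 prints the commands instead.

C1_VPN=10.8.0.6
C2_VPN=10.8.0.10
S_PUBLIC=203.0.113.5
C1_GW=192.0.2.1
C1_UPLINK=eth0
C2_UPLINK=eth0
GRE_C1=172.16.0.1
GRE_C2=172.16.0.2
GRE_MTU=1400   # assumed safe margin for GRE + OpenVPN + UDP/IP overhead inside a 1500-byte tun

run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# GRE between the two VPN addresses. The OpenVPN server (tun mode) forwards by destination
# IP only, so the outer packet must be addressed to the peer's VPN address; the real
# destination sits inside GRE and only the peer ever sees it.
gre_up() {   # $1 local VPN addr, $2 remote VPN addr, $3 local inner addr
    run ip tunnel add gre1 mode gre local "$1" remote "$2" ttl 64
    run ip link set gre1 mtu "$GRE_MTU"
    run ip addr add "$3/30" dev gre1
    run ip link set gre1 up
}

c1_up() {
    gre_up "$C1_VPN" "$C2_VPN" "$GRE_C1"
    # Pin the path to the OpenVPN server on the physical uplink BEFORE changing the default,
    # otherwise the VPN's own UDP packets would be routed into the tunnel they carry.
    run ip route add "$S_PUBLIC/32" via "$C1_GW" dev "$C1_UPLINK"
    run ip route replace default via "$GRE_C2" dev gre1
}

c2_up() {
    gre_up "$C2_VPN" "$C1_VPN" "$GRE_C2"
    run sysctl -w net.ipv4.ip_forward=1
    # NAT only what arrives from C1 over the GRE tunnel, not everything leaving eth0.
    run iptables -t nat -A POSTROUTING -s "$GRE_C1/32" -o "$C2_UPLINK" -j MASQUERADE
    run iptables -A FORWARD -i gre1 -o "$C2_UPLINK" -j ACCEPT
    run iptables -A FORWARD -i "$C2_UPLINK" -o gre1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    c1) c1_up ;;
    c2) c2_up ;;
    "") ;;   # no argument: define functions only
    *)  echo "usage: $0 c1|c2" >&2; exit 2 ;;
esac
```

With this in place, `tcpdump -ni gre1` on C2 shows C1's traffic with its real destinations, while `tcpdump -ni tun0` on S only ever shows packets between 10.8.0.6 and 10.8.0.10 (GRE, protocol 47). The server needs nothing beyond what the question already has: either `client-to-client` so the packets are switched inside the OpenVPN process, or IP forwarding on S so its kernel routes them from tun0 back to tun0.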