In order for machines on different networks to successfully talk to each other, both ends need to know how to route traffic to the other end. Normally, this is easily done on a simple end-user LAN because there are usually only two destinations: "the local network" and "everywhere else". Traffic to the local network is just sent directly to the destination, while traffic to everywhere else is sent to the default gateway ("router") and it handles it (by passing it to your upstream ISP, which has far more knowledge about where to send traffic to the many destinations that make up the Internet).
By placing a VPN into the mix, you're complicating things somewhat. By making the VPN endpoints machines within a LAN, rather than making the default gateways the endpoints, you're complicating things greatly.
What you need to do is add routes to allow traffic to go to the right places. You can either do this on every machine in both LANs, or just add it to the default gateway. The latter is far easier, but slightly less efficient (traffic will have an extra "hop", going via the gateway, which shouldn't be a major inconvenience in most cases).
Without knowing what your gateways actually are, I can't tell you how to configure them, but the routes basically need to be:
- On the gateway for 172.16.130.0/24:
  - Route all traffic destined for 172.16.120.0/24 via 172.16.130.2
- On the gateway for 172.16.120.0/24:
  - Route all traffic destined for 172.16.130.0/24 via 172.16.120.2
There's also all sorts of firewalling stuff you might have to do, both on the gateways and the VPN endpoints, and you might have to turn on IP forwarding on the endpoints, but it's all fairly straightforward network configuration stuff.
And next time: just put the VPN endpoints on the default gateway. It's so much easier.
OP posted the answer on forums.openvpn.net
Use this server config:
port 1194
proto udp
dev tun
topology subnet
mode server
tls-server
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt # flexo_client,10.8.0.4
client-config-dir ccd
client-to-client
#ifconfig 10.8.0.1 255.255.255.0
route 192.168.3.0 255.255.255.0 10.8.0.4
route 192.168.4.0 255.255.255.0 10.8.0.4
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/mom_server.crt
key /etc/openvpn/keys/mom_server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
keepalive 10 120
comp-lzo
user nobody
chroot /etc/openvpn
group nogroup
daemon
persist-key
persist-tun
status openvpn-status.log
verb 3
With this /etc/openvpn/ccd/flexo_client:
push "route 192.168.1.0 255.255.255.0 10.8.0.1"
iroute 192.168.3.0 255.255.255.0
iroute 192.168.4.0 255.255.255.0
and this client config:
config openvpn 'flexo_client'
option nobind '1'
option float '1'
option client '1'
option comp_lzo '1'
option dev 'tun0'
option verb '3'
option persist_tun '1'
option persist_key '1'
option remote_cert_tls 'server'
option remote 'x.x.x.x'
option proto 'udp'
option resolv_retry 'infinite'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/flexo_client.crt'
option key '/etc/openvpn/flexo_client.key'
option ns_cert_type 'server'
option topology 'subnet'
option enable '1'
More information on using OpenVPN and iroute can be found on backreference.org
Best Answer
Yes, it is possible.
Each end of the tunnel must have interfaces in the respective end's private networks. That is, for example, 10.8.0.1 must have an address in the 192.168.20.0/24 network and 10.8.0.2 must have an address in the 172.16.1.0/24 network (I guessed the netmasks for the networks just for example; your setup might be different). Then, you need to enable proper routing on the devices.
For clients in the 192.168.20.0/24 network, they need to have a route in their routing table that tells them to route packets to 172.16.1.0/24 via 192.168.20.x, where x is the octet corresponding to the other interface of the 10.8.0.1 server. Then, the server at 10.8.0.1 has to have a routing table entry which tells that packets to the 172.16.1.0/24 network have to be sent via 10.8.0.2, that is, the other end of the tunnel. Then you need to have corresponding rules for the other end of the tunnel, swapping the network addresses.
The easiest way to implement this is to run the OpenVPN server / client on the router for that network. Then one doesn't need to add the routing rules for each client, since the routing is handled by the default gateway. In this case, one only needs the routing rule at the OpenVPN server / client.
If the OpenVPN server / client is a different machine than the default router, then one needs to distribute the network routes to the clients. One way to do this is via DHCP. One method is described in How can I configure my DHCP server to distribute IP routes?.
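As an added example (not code from any of the answers above), the following Python checks the two preconditions the answers rely on, that each VPN endpoint actually sits inside the LAN it forwards for and that the two LANs do not overlap, then renders the static routes each default gateway needs (the first answer's list) and the server-side `route`, `iroute` and `push "route ..."` lines of the OP's OpenVPN config. The `Site` class and the tunnel addresses 10.8.0.1 and 10.8.0.4 are assumptions; the LAN addresses are the first answer's.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Site:
    name: str
    lan: str              # LAN prefix behind this site, e.g. "172.16.130.0/24"
    endpoint_lan_ip: str  # VPN endpoint's address inside that LAN
    tunnel_ip: str        # VPN endpoint's address on the tun interface (assumed)

def check_sites(a: Site, b: Site) -> list:
    """Return the preconditions that fail; an empty list means the layout is routable."""
    problems, nets = [], {}
    for s in (a, b):
        net = ipaddress.ip_network(s.lan, strict=True)
        nets[s.name] = net
        # The endpoint must have an address inside the LAN it forwards for.
        if ipaddress.ip_address(s.endpoint_lan_ip) not in net:
            problems.append(f"{s.name}: endpoint {s.endpoint_lan_ip} is not inside {s.lan}")
    # Overlapping LANs cannot be told apart by any route, so the tunnel would be useless.
    if nets[a.name].overlaps(nets[b.name]):
        problems.append(f"LANs {a.lan} and {b.lan} overlap")
    return problems

def gateway_routes(a: Site, b: Site) -> dict:
    """Static route each site's default gateway needs, in iproute2 syntax."""
    return {
        a.name: f"ip route add {b.lan} via {a.endpoint_lan_ip}",
        b.name: f"ip route add {a.lan} via {b.endpoint_lan_ip}",
    }

def openvpn_server_lines(server: Site, client: Site) -> dict:
    """server.conf route plus the client's ccd entry, in the dotted-mask form OpenVPN uses."""
    s_net = ipaddress.ip_network(server.lan)
    c_net = ipaddress.ip_network(client.lan)
    return {
        "server.conf": [f"route {c_net.network_address} {c_net.netmask} {client.tunnel_ip}"],
        "ccd/client": [
            f"iroute {c_net.network_address} {c_net.netmask}",
            f'push "route {s_net.network_address} {s_net.netmask} {server.tunnel_ip}"',
        ],
    }

if __name__ == "__main__":
    # Constructed from the first answer's addresses; the tunnel IPs are assumed.
    site_a = Site("site-130", "172.16.130.0/24", "172.16.130.2", "10.8.0.1")
    site_b = Site("site-120", "172.16.120.0/24", "172.16.120.2", "10.8.0.4")
    print(check_sites(site_a, site_b) or "topology OK")
    print(*gateway_routes(site_a, site_b).values(), sep="\n")
    print(openvpn_server_lines(site_a, site_b))
```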