OpenVPN: Unable to reach internal services outside firewall

So far I am starting to think this may be firewall related, but hoping to receive some input from others. My goal is to be able to reach internal services while connected to my OpenVPN from any external source address. Default iptables policy = DROP.

OpenVPN has been set up and clients can successfully connect with their respective keys. While connected, clients show as having the VPN's WAN IP address, but clients cannot reach any internal services on the server's local LAN.

Tried to force VPN packets to be routed over the public eth0 interface to no avail. For the output of iptables -S see http://codepad.org/1uxj65rS

More detailed info…

## BEGIN POLICY ##

```
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
```

/etc/ufw/rules.before

```
#
# Rules that should be run before the ufw command line added rules.
#
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
```

# UFW

```
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
Anywhere                   ALLOW IN    xx.xxx.xx.xxx = CLIENT1 WAN address *
25                         ALLOW IN    Anywhere
8080                       ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere (v6)
25                         ALLOW IN    Anywhere (v6)
8080                       ALLOW IN    Anywhere (v6)
```

  • CLIENT 1 CANNOT REACH INTERNAL SERVICES FROM EXTERNAL WAN IP ADDRESSES (OWN WAN = OK)

## END POLICY ##

# ROUTING TABLE [BEFORE VPN]

```
Kernel IP routing table
Destination        Gateway          Genmask          Flags Metric Ref    Use Iface
default            gw-xxxx.linode   0.0.0.0          UG    203    0        0 eth0
xx.xxx.xxx.0       *                255.255.255.0    U     203    0        0 eth0
server-domain.net  gw-xxxx.linode   255.255.255.255  UGH   0      0        0 eth0
```

Force VPN packets to be routed over the public eth0 interface (source: https://forum.linode.com/viewtopic.php?t=8737):

```
ip rule add from xx.xx.xxx.xx table 128            # = SERVER IP
ip route add table 128 to xx.xxx.xxx.0/24 dev eth0 # = SERVER SUBNET
ip route add table 128 default via xx.xx.xxx.1     # = SERVER GATEWAY
```

# ROUTING TABLE [AFTER VPN]

```
Kernel IP routing table
Destination        Gateway          Genmask          Flags Metric Ref    Use Iface
default            gw-xxxx.linode   0.0.0.0          UG    203    0        0 eth0
10.8.0.0           10.8.0.2         255.255.255.0    UG    0      0        0 tun0
10.8.0.2           *                255.255.255.255  UH    0      0        0 tun0
66.175.221.0       *                255.255.255.0    U     203    0        0 eth0
server-domain.net  gw-xxxx.linode   255.255.255.255  UGH   0      0        0 eth0
```

ip addr show

```
41: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
```

# FORWARDING ENABLED

```
$ sysctl -p
net.ipv4.ip_forward = 1
```

/etc/ufw/sysctl.conf

```
net/ipv4/ip_forward=1
```

# NOTES

Client1 192.168.1.129 :: Successful pings to OpenVPN 10.8.0.1 + 10.8.0.10 [tun0]

/etc/openvpn/server.conf - http://codepad.org/EwwFKFPw

/etc/openvpn/client.conf - http://codepad.org/hXMq5HJ9

At this point – I am really uncertain what the issue could be, but suspect it is either 1. Firewall or 2. Network Routing related.

I would greatly appreciate anyone who can advise. Thanks for reading.
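An added audit helper, not part of the original post, that reads an `iptables -S` style dump and reports the two conditions this setup depends on: with `-P INPUT DROP`, some INPUT (or ufw-user-input) rule must accept traffic arriving on tun0 before VPN clients can reach services on the server itself, and the MASQUERADE source should be the VPN subnet (10.8.0.0/24 per the post-VPN routing table) rather than the 10.8.0.0/8 in rules.before, which after masking is all of 10.0.0.0/8. The sample dumps below are constructed from the values in the post; the real ruleset is in the linked codepad and may already contain a tun0 rule.

```shell
#!/usr/bin/env bash
# Added audit helper, not from the original post. Reads an `iptables -S`
# style dump and reports two things a DROP-policy host needs before VPN
# clients can reach services on it: an INPUT (or ufw-user-input) rule that
# accepts traffic arriving on the tunnel interface, and a MASQUERADE source
# equal to the VPN subnet rather than a wider block.
VPN_IF="tun0"          # from the post's `ip addr show`
VPN_NET="10.8.0.0/24"  # from the post's routing table after VPN

# audit_vpn_rules <dumpfile>: prints one finding per line, nothing if clean.
audit_vpn_rules() {
  local dump="$1" src
  if grep -q -- '^-P INPUT DROP' "$dump" &&
     ! grep -Eq -- "^-A (INPUT|ufw-user-input) -i $VPN_IF( -s [0-9./]+)? -j ACCEPT" "$dump"; then
    echo "INPUT policy is DROP and no rule accepts traffic in on $VPN_IF (ufw: 'ufw allow in on $VPN_IF')"
  fi
  # Every MASQUERADE rule whose source is not exactly the VPN subnet.
  for src in $(sed -n 's/^-A POSTROUTING -s \([0-9./]*\) .*-j MASQUERADE.*/\1/p' "$dump"); do
    [ "$src" = "$VPN_NET" ] && continue
    echo "MASQUERADE source $src is not the VPN subnet $VPN_NET"
  done
  return 0
}

# Constructed sample dumps: the first mirrors what the post shows (filter
# policies plus the nat rule from rules.before), the second is corrected.
BROKEN_DUMP="$(mktemp)"
cat >"$BROKEN_DUMP" <<'EOF'
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
EOF
FIXED_DUMP="$(mktemp)"
cat >"$FIXED_DUMP" <<'EOF'
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A ufw-user-input -i tun0 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
EOF

echo "== as posted =="; audit_vpn_rules "$BROKEN_DUMP"
echo "== corrected =="; audit_vpn_rules "$FIXED_DUMP"
```

Run it against `iptables -S; iptables -t nat -S` concatenated into one file to check the live host; the ufw equivalents are `ufw allow in on tun0` and narrowing the `-s` in the before-rules nat block to the VPN subnet.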
