I have an OpenVPN server on OpenWrt 21.02 on a TP-LINK 1043ND V3, with 4 clients: 2x Android, 2x Armbian on Orange Pi PC+. Everything works OK between the clients and the main LAN. Each client has its own certificate/key pair.
But how do I enable routing between clients? They have unique addresses, but not even ping works between them. Between the main LAN, the router and the clients it works. Tun interfaces on the clients have a /30 netmask. WAN IPs are spaced 4 addresses apart (.6, .10, .14 etc.).
How do I identify whether it is a routing or a firewall problem?
OpenVPN routes client to client internally in the server process. The kernel won’t see client to client packets, so the firewall is not involved. OpenVPN’s client-to-client config option must be set. The default is to block client to client.
On the Armbian client, if I use ping with -I tun0 I get an answer.
But let me describe the whole network, as it is quite complicated.
1) My LAN is 192.168.1.0/24; the main gateway is an OpenWrt router with mwan3, and then traffic goes through WiFi and my phone (hotspot) or through ethernet and a 4G router.
1a) On my LAN there is a router for IoT (WiFi, separate network 192.168.10.0/24, gw 192.168.1.65).
1b) Another one is for VPN (192.168.60.0/24, gw 182.168.1.50).
The Armbian clients now have access to the net via a "remote" LAN, also 192.168.1.0/24, so I don't expect a working connection from my LAN to them. But from my VPN router I have access.
I added some settings and it looks like it is working:
1) On the VPN router I added "client-to-client" (client_to_client '1' in /etc/config/openvpn),
2) On the Armbian clients / phone I added that the VPN connection is a route to the 192.168.(1/10/60).0/24 networks, but not the default route.
Now I can SSH from the phone, and Armbian to Armbian.
The only thing that looked strange was the result of ping on Armbian (.60.10 is one, .60.14 is another one, .60.6 is the phone):
I got answers with "redirect, next hop 192.168.60.2". Now ping / SSH works.
You can have the OpenVPN server push routes for the remote LANs out to the client(s). They will be added to the client's routing table automatically when the client connects.
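To show how the two pieces of advice in this thread (the `client-to-client` option from the first reply, which the poster set as `client_to_client '1'`, and the server-pushed routes from the last reply) fit together, here is an added example of an OpenWrt 21.02 `/etc/config/openvpn` server section. It is not configuration from the original thread; the section name `myvpn`, the `tun0` device, UDP port 1194, the certificate paths and the keepalive values are assumptions for illustration. The VPN pool 192.168.60.0/24 and the LANs 192.168.1.0/24 and 192.168.10.0/24 are the networks named in the thread.

```ini
# /etc/config/openvpn  (OpenWrt UCI syntax; section name 'myvpn' is assumed)
config openvpn 'myvpn'
	option enabled '1'
	# Device, protocol and port are assumed values, not from the thread.
	option dev 'tun0'
	option proto 'udp'
	option port '1194'
	# VPN address pool from the thread (192.168.60.0/24).
	option server '192.168.60.0 255.255.255.0'
	# Forward packets between connected clients inside the OpenVPN process.
	# Without this the server drops client-to-client traffic (the default),
	# and the kernel firewall never sees those packets, so firewall rules
	# cannot fix it. Equivalent to 'client-to-client' in a plain .conf file.
	option client_to_client '1'
	# Push routes for the remote LANs so every client installs them at
	# connect time instead of each client adding them by hand.
	# Equivalent to 'push "route 192.168.1.0 255.255.255.0"' lines.
	list push 'route 192.168.1.0 255.255.255.0'
	list push 'route 192.168.10.0 255.255.255.0'
	# Per-client certificate/key pairs are validated against this CA.
	# File paths below are assumed; use the ones actually on the router.
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh.pem'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
```

After editing the file, restart the service (`/etc/init.d/openvpn restart`) and reconnect a client; the pushed routes should then appear in the client's routing table without the manual routes described above, and a client-to-client ping through the tunnel should answer directly rather than via an ICMP redirect.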