Here's another way to skip NAT for the VPN traffic. As an additional benefit, it allows you to define firewall rules specific to the VPN tunnel.
If you want to use a single set of rules for all VPN subnets, option subnet also accepts a list:
option subnet '172.16.0.0/12 10.192.0.0/11 192.168.152.0/24'
For your IPsec config, I recommend the following:
- avoid IKEv1 aggressive mode
- use IKEv2 if possible
- use at least DH group 14 (modp2048) or elliptic curve DH
- instead of auto=start and closeaction=restart, use auto=route

I'm not sure if auto=add is needed at all for a section which is only referenced with also=.
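The recommendations above, applied to a strongSwan ipsec.conf site-to-site connection. This is an added example, not the poster's configuration or anything from the original thread; the connection names, the documentation-range addresses (203.0.113.10, 198.51.100.20) and the subnets are placeholders, and the PSK is assumed to live in ipsec.secrets. The settings to avoid are shown commented out next to their replacements.

```ini
# Constructed example: strongSwan ipsec.conf (not from the original post).
# Shared settings for all tunnels; real connections pull these in via also=.
# No auto= line here: this section is only referenced, never loaded on its own.
conn vpn-common
    keyexchange = ikev2              # IKEv2 instead of IKEv1
    # keyexchange = ikev1            # avoid: IKEv1 ...
    # aggressive = yes               # ... and especially IKEv1 aggressive mode
    ike = aes256-sha256-modp2048!    # DH group 14 (modp2048); '!' makes the proposal strict
    # ike = aes128-sha1-modp1024!    # avoid: DH group 2 (modp1024) is too weak
    esp = aes256-sha256-modp2048!    # PFS with group 14 for the CHILD_SA as well
    authby = secret                  # PSK from ipsec.secrets (placeholder choice)
    dpdaction = restart              # dead-peer detection re-establishes a dropped tunnel
    dpddelay = 30s

# A concrete tunnel; addresses and subnets are placeholders.
conn site-b
    also = vpn-common
    left = 203.0.113.10
    leftsubnet = 192.168.152.0/24
    right = 198.51.100.20
    rightsubnet = 172.16.0.0/12
    auto = route                     # trap policy: tunnel comes up on demand and is re-negotiated when it closes
    # auto = start                   # avoid the start/closeaction pair; auto=route covers both cases
    # closeaction = restart
```

With auto=route the kernel installs a trap policy for the listed subnets, so the first matching packet triggers IKE negotiation and the policy stays in place after the SA is deleted; that is why the separate closeaction=restart is no longer needed.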