
I am using a Windows Server 2019.

I have an OpenVPN server listening on a NIC with IP 192.16.2.10 (subnet 255.255.255.0), connected to the Fritz!Box router. The router is configured to forward UDP port 1194 to the appropriate NIC.

The internal LAN has a different NIC with IP 192.168.16.205 (Subnet 255.255.255.0).

I can connect from outside to the OpenVPN server and I get a successful connection.

But pings from the external VPN client to another server in the local net (for example the DNS server 192.168.16.201) fail.

I am stuck on the documentation https://community.openvpn.net/openvpn/wiki/HOWTO#ExpandingthescopeoftheVPNtoincludeadditionalmachinesoneithertheclientorserversubnet, which tells me that I have to do nothing, because I use dev tap:

Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine.

Including multiple machines on the server side when using a bridged VPN (dev tap)

One of the benefits of using ethernet bridging is that you get this for free without needing any additional configuration.

All firewalls (Windows firewalls) are turned off. All hints only point to the firewall settings...

  • I can't ping any server in my local net 192.168.16.x
  • I can't reach any server in my local net 192.168.16.x with RDP.
  • DNS doesn't work either. (DNS server at 192.168.16.201)

Any ideas?

Here is my server.ovpn file:

#################################################
# OpenVPN 
#################################################
local 192.168.2.10
port 1194
proto udp
dev tap
topology subnet

#----------------------------------------------
#Certificates
#----------------------------------------------
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\dh.pem"
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\issued\\VPNServer-01.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\private\\VPNServer-01.key"

#----------------------------------------------
#Server-Setup
#----------------------------------------------
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist "C:\\Program Files\\OpenVPN\\ipp.txt"
client-to-client

#----------------------------------------------
#Client settings (incl. special dir) files - OPTIONAL
#----------------------------------------------
#client-config-dir "C:\\Program Files\\OpenVPN\\ccd" 
push "route 192.168.16.0 255.255.255.0"
push "dhcp-option DNS 192.168.16.201"
push "dhcp-option DOMAIN vpn.xyz.loc"

#----------------------------------------------
#Defaults
#----------------------------------------------
keepalive 10 120
persist-key
persist-tun
allow-compression yes
cipher AES-256-GCM
data-ciphers-fallback AES-256-CBC

#----------------------------------------------
# Logging
#----------------------------------------------
status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log"
log "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
# log-append "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
verb 3

PS: I use dev tap according to the following link; the second answer seems to match my situation:

https://serverfault.com/questions/21157/should-i-use-tap-or-tun-for-openvpn

  • What does the client's IP config look like after connecting? Does it get a .16. IP and the route/dns/domain settings?
    – Cpt.Whale
    Commented Aug 3, 2022 at 16:30
  • No, the OpenVPN tap device gets a 10.8.0.x IP 4. What do you mean by the route/dns/domain settings? What settings? Where should I look?
    – xMRi
    Commented Aug 3, 2022 at 17:10

1 Answer


dev tap is a layer-2 VPN, which means you're extending the server's local 192.168.16.0 subnet across the tunnel (no IP routing).

Do not use server [ip-pool]. You need server-bridge instead for TAP, as mentioned in the documentation. You also should not need push "route" unless you want to send client traffic for subnets other than .16 through the VPN.

# bridge vpn to an adapter on server
# example of allowing client IPs .100 to .200
server-bridge 192.168.16.202 255.255.255.0 192.168.16.100 192.168.16.200

There are more steps involved with setting up bridging in the how-to, but it depends on your server configuration and preference.

  • Correct that if my internal LAN NIC is 192.168.16.205, I need server-bridge 192.168.16.205... ?
    – xMRi
    Commented Aug 4, 2022 at 5:26
  • I now receive an IP 192.168.16.64, but access into my net still doesn't work. Firewalls are disabled on all sides.
    – xMRi
    Commented Aug 4, 2022 at 6:06
  • Thank you so far. I have opened a new question. These first steps were successful, but it is getting more complicated to discuss it here. The primary question is answered.
    – xMRi
    Commented Aug 4, 2022 at 7:07
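As an added example (not code from the question or the answer), the Python check below reads an OpenVPN server config and flags the mismatch the answer describes: dev tap combined with server instead of server-bridge, a bridge gateway or pool outside the LAN subnet, and a pushed route for the bridged subnet itself. Both sample configs are constructed here; the fixed config's gateway 192.168.16.205 and pool 192.168.16.100-200 are assumed values.

```python
# Added example, not from the question or the answer: a small lint for the "server vs
# server-bridge" mismatch discussed above. Both sample configs are constructed here.
import ipaddress

ORIGINAL_CONFIG = """\
dev tap
server 10.8.0.0 255.255.255.0
push "route 192.168.16.0 255.255.255.0"
"""
# Assumed fix: bridge to the LAN NIC 192.168.16.205, pool .100-.200 (values are assumptions)
FIXED_CONFIG = """\
dev tap
server-bridge 192.168.16.205 255.255.255.0 192.168.16.100 192.168.16.200
"""

def parse_directives(text):
    """Map directive name -> list of argument lists, ignoring comments and blank lines."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives

def lint_tap_config(text):
    """Return findings for a bridged (dev tap) server config; empty means nothing flagged."""
    d = parse_directives(text)
    findings = []
    if d.get("dev", [[]])[0][:1] != ["tap"]:
        return findings                      # routed (dev tun) setups are out of scope here
    if "server" in d:
        findings.append("'server' hands out a separate routed pool; a TAP bridge needs 'server-bridge'")
    if "server-bridge" not in d:
        findings.append("no 'server-bridge': clients get no address on the bridged LAN")
        return findings
    args = d["server-bridge"][0]
    if len(args) != 4:                       # bare 'server-bridge' or 'nogw' = DHCP pass-through
        return findings
    gw, mask, start, end = args
    lan = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
    for label, ip in (("gateway", gw), ("pool start", start), ("pool end", end)):
        if ipaddress.IPv4Address(ip) not in lan:
            findings.append(f"server-bridge {label} {ip} lies outside {lan}")
    for push in d.get("push", []):           # bridged clients already sit on the LAN subnet
        words = " ".join(push).strip('"').split()
        if words[:1] == ["route"] and len(words) >= 3 and \
                ipaddress.IPv4Network(f"{words[1]}/{words[2]}", strict=False) == lan:
            findings.append(f"push route for {lan} is redundant when bridging to that subnet")
    return findings
```

Running lint_tap_config(ORIGINAL_CONFIG) reports the two problems from the answer, while the fixed config passes cleanly.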
