
I have a cloud OpenVPN server and my goal would be to be able to access my home network from OpenVPN clients connected to this server. Currently, I have an OpenWRT router that is an OpenVPN client connected to the server.

First I tried getting my home's devices (subnet 192.168.1.0/24) to be able to communicate with the OpenVPN server (IP 10.8.0.1). The correct routes are enabled on the router, and I am able to ping the server from the router itself. However, a device from my home network is not able to ping the server. Here is an overview of my setup right now:

Laptop (192.168.1.209) -> Router (192.168.1.1 and 10.8.0.8) -> OpenVPN server (10.8.0.1)

Here is the result of the command tcpdump while trying to ping the server, first from the router, then from my laptop:

Router

# tcpdump ip proto \\icmp -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
20:49:29.967959 IP 10.8.0.8 > 10.8.0.1: ICMP echo request, id 8981, seq 0, length 64
20:49:29.987691 IP 10.8.0.1 > 10.8.0.8: ICMP echo reply, id 8981, seq 0, length 64
20:49:30.970133 IP 10.8.0.8 > 10.8.0.1: ICMP echo request, id 8981, seq 1, length 64
20:49:30.989493 IP 10.8.0.1 > 10.8.0.8: ICMP echo reply, id 8981, seq 1, length 64
20:49:35.314108 IP 192.168.1.209 > 10.8.0.1: ICMP echo request, id 1, seq 130, length 40
20:49:40.061738 IP 192.168.1.209 > 10.8.0.1: ICMP echo request, id 1, seq 131, length 40
20:49:45.062659 IP 192.168.1.209 > 10.8.0.1: ICMP echo request, id 1, seq 132, length 40
20:49:50.062842 IP 192.168.1.209 > 10.8.0.1: ICMP echo request, id 1, seq 133, length 40

Server

# tcpdump ip proto \\icmp -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
16:49:29.973530 IP 10.8.0.8 > 10.8.0.1: ICMP echo request, id 8981, seq 0, length 64
16:49:29.973563 IP 10.8.0.1 > 10.8.0.8: ICMP echo reply, id 8981, seq 0, length 64
16:49:30.975078 IP 10.8.0.8 > 10.8.0.1: ICMP echo request, id 8981, seq 1, length 64
16:49:30.975113 IP 10.8.0.1 > 10.8.0.8: ICMP echo reply, id 8981, seq 1, length 64

At first, I thought it may be a problem with my firewall configuration on the server. However, it seems that tcpdump should capture the traffic before it passes through the firewall. So from what I see, it seems that OpenVPN does not allow the packets to go through, but I can't find anywhere mentioning OpenVPN dropping packets from another subnet. If the OpenVPN config would be useful to solve the problem, let me know and I will include it.

EDIT: Also, the server has the routes to send traffic for the 192.168.1.0/24 subnet via 10.8.0.8. If the server tries pinging the laptop, tcpdump has similar output to what is shown above.

  • How is the machine you are pinging supposed to know where to send the reply? Commented Sep 4, 2018 at 22:55
  • The server also has the routes to send traffic for the 192.168.1.0/24 subnet via 10.8.0.8. I have added this information in the question.
    – jonapap
    Commented Sep 4, 2018 at 23:31

1 Answer 1


Extra lines need to be added to the OpenVPN server config to route a subnet behind a client. From the OpenVPN sample config file:

To assign specific IP addresses to specific
clients or if a connecting client has a private
subnet behind it that should also have VPN access,
use the subdirectory "ccd" for client-specific
configuration files (see man page for more info).

EXAMPLE: Suppose the client
having the certificate common name "Thelonious"
also has a small subnet behind his connecting
machine, such as 192.168.40.128/255.255.255.248.
First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248

Then create a file ccd/Thelonious with this line:
iroute 192.168.40.128 255.255.255.248

This will allow Thelonious' private subnet to
access the VPN. This example will only work
if you are routing, not bridging, i.e. you are
using "dev tun" and "server" directives.

And of course, depending on the setup, the client's side will need to have some kind of route so the computers on the routed subnet will be able to communicate with the OpenVPN server.

There is also more info about this on the OpenVPN website
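The pairing the answer describes is easy to get half right: a server-side `route` alone makes the server kernel send traffic for the LAN into tun0, but without a matching `iroute` in that client's ccd file the OpenVPN daemon does not know which client owns the LAN and drops packets sourced from it before they reach the tun interface, which is why the server-side tcpdump above never sees the laptop's echo requests (the server log records such drops as `MULTI: bad source address from client [...], packet dropped`). The following checker is an added example, not code from the question, the answer or the OpenVPN project; it parses a server config and the contents of ccd files and reports `route`/`iroute` mismatches, overlaps between clients' LANs, and LANs that collide with the VPN pool. The config text, the ccd file names and the `home-router`/`Thelonious` common names are constructed for the example, not taken from any real deployment.

```python
"""Consistency check for OpenVPN 'route' / 'iroute' pairs (added example).

A LAN behind a client needs BOTH directives:
  - 'route NET MASK' in server.conf: the server kernel forwards that LAN into tun0
  - 'iroute NET MASK' in ccd/<common-name>: the OpenVPN daemon learns which client
    owns the LAN and accepts packets sourced from it (otherwise they are dropped)
The sample configs below are constructed for this example; the address family is
assumed to be IPv4 only (mixed v4/v6 networks are not sortable together).
"""
import ipaddress
import shlex


def parse_directives(text):
    """Return [(directive, [args]), ...] for every non-comment config line."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # both comment styles used by OpenVPN
            continue
        parts = shlex.split(line)             # keeps quoted args such as push "route ..."
        out.append((parts[0], parts[1:]))
    return out


def net_from_args(args):
    """Build a network from 'NET MASK' (OpenVPN style) or 'NET/PREFIX'."""
    if len(args) >= 2:
        return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    return ipaddress.ip_network(args[0], strict=False)


def server_routes(conf_text):
    """Return (set of 'route' networks, VPN pool from 'server', client-config-dir)."""
    nets, pool, ccd_dir = set(), None, None
    for directive, args in parse_directives(conf_text):
        if directive == "route":
            nets.add(net_from_args(args))
        elif directive == "server":
            pool = net_from_args(args)
        elif directive == "client-config-dir":
            ccd_dir = args[0]
    return nets, pool, ccd_dir


def ccd_iroutes(ccd_files):
    """Map common name -> set of 'iroute' networks found in that client's ccd file."""
    return {
        cn: {net_from_args(a) for d, a in parse_directives(text) if d == "iroute"}
        for cn, text in ccd_files.items()
    }


def check(conf_text, ccd_files):
    """Return a list of findings; an empty list means the routes are consistent."""
    findings = []
    routes, pool, ccd_dir = server_routes(conf_text)
    if ccd_files and ccd_dir is None:
        findings.append("no client-config-dir in server.conf: ccd files are never read")
    iroutes = ccd_iroutes(ccd_files)
    claimed = []                              # (common name, network) seen so far
    for cn in sorted(iroutes):
        for net in sorted(iroutes[cn]):
            if net not in routes:
                findings.append(f"{cn}: iroute {net} has no matching 'route' in server.conf")
            if pool is not None and net.overlaps(pool):
                findings.append(f"{cn}: iroute {net} overlaps the VPN pool {pool}")
            for other_cn, other in claimed:
                if net.overlaps(other):
                    findings.append(f"{cn}: iroute {net} overlaps {other} owned by {other_cn}")
            claimed.append((cn, net))
    all_iroutes = {n for nets in iroutes.values() for n in nets}
    for route in sorted(routes):
        if route not in all_iroutes:
            findings.append(
                f"route {route} has no iroute in any ccd file: "
                "OpenVPN will drop packets sourced from it"
            )
    return findings


# Constructed sample: the question's layout (home LAN behind client 10.8.0.8) plus the
# 'Thelonious' example from the sample config, whose ccd file is still empty.
SERVER_CONF = """
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.1.0 255.255.255.0
route 192.168.40.128 255.255.255.248
"""
CCD_FILES = {
    "home-router": "iroute 192.168.1.0 255.255.255.0\n",
    "Thelonious": "# ccd file created but no iroute added yet\n",
}

if __name__ == "__main__":
    for finding in check(SERVER_CONF, CCD_FILES) or ["OK: routes and iroutes agree"]:
        print(finding)
```

Run against a real deployment by reading `server.conf` and each file under the `client-config-dir` into the two arguments; the ccd file name must equal the client certificate's common name, which the checker cannot verify from the config text alone.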
