I am currently running an instance of OpenVPN client on my colleague's laptop which has a number of devices on its LAN connected to the ethernet port through an unmanaged switch (192.168.1.x/24) and this laptop is connected to the internet through office wifi to reach the OpenVPN cloud server.

My question is how would I configure the network adaptors on his laptop so that I can access the devices on the LAN of my colleague's laptop from my office computer which is running another instance of OpenVPN client connected to the same OpenVPN cloud server.

  • @harrymc's answer [client-to-client], in conjunction with adding at least one dhcp-option to the client config (example) and inbound firewall rules on the remote PC (the example link is for a server config, which pushes the dhcp-option to the client, however this can also be individually added to a client's client config).
    – JW0914
    Commented Mar 25, 2022 at 13:50
  • @jin167 IP forwarding needs to be enabled (and allowed in the system firewall, if any) on the colleague's laptop. Also, either add route for the VPN subnet on its LAN hosts, or configure source NAT (a.k.a. IP masquerade) on the laptop. In the "normal" OpenVPN case, in addition to pushing route (for the LAN subnet) to the VPN client(s), iroute also need to be specified properly on the VPN server (to tell it that the traffics for subnet should be forwarded to the laptop). But since I have no experience with "OpenVPN cloud", I have no idea how you should configure the equivalent exactly.
    – Tom Yan
    Commented Mar 25, 2022 at 17:36
  • @jin167 Whether a route for the LAN subnet in concern needs to be configured on the server probably depends on whether client-to-client is used (yes for no, vice versa). Therefore if the LAN subnet conflicts with one the server is in, client-to-client is probably a nice trick to deal with it.
    – Tom Yan
    Commented Mar 25, 2022 at 17:43

1 Answer 1


By default, the OpenVPN server does not allow clients to connect to each other. To change it, you must configure the server, and not the client.

You can enable it by uncommenting this line in the server.conf file on the server:


So it should look like this:


Then restart the openvpn service:

sudo service openvpn restart
  • Accessing a client's site is from another client host is different from accessing a client host. The key to the OP is iroute. client-to-client merely eliminates the need of IP forwarding to be enabled / allowed and route for the client's site subnet to be added on the VPN server. The thing is, the story (in terms of configuration details) might be quite different when the case is OpenVPN cloud (no idea if you are even allowed to edit a conf file).
    – Tom Yan
    Commented Mar 25, 2022 at 12:44
  • More than client-to-client is required, as at least one (if not two depending on the use case) dhcp-option must also be set in the client config, else the VPN server has no clue how to route that traffic, and firewall rules would likely be required on the endpoint since endpoints usually block inbound traffic that didn't originate on the endpoint by default.
    – JW0914
    Commented Mar 25, 2022 at 13:44
  • @JW0914 Please. How is dhcp-option even relevant at all to VPN server has no clue how to route that traffic? Please at least read the OP carefully (OpenVPN client on my colleague's laptop / access the devices on the LAN of my colleague's laptop) and get to know about how OpenVPN actually works by reading some documentation (e.g. the manual or this.
    – Tom Yan
    Commented Mar 25, 2022 at 14:44
  • @JW0914 Let alone the fact that client-to-client is not even directly related to the goal, firewall rules on the VPN server does not apply to client to client traffics when client-to-client is enabled, as the traffics does not even get out of the tunnel/program on the server in that case (which is why in some case you want to have that disabled and rely on the IP forwarding of the OS' IP stack for that). (While on the other hand, firewall rules and IP forwarding setting always matter on the client that serves as the "gateway" to the "LAN" in concern.)
    – Tom Yan
    Commented Mar 25, 2022 at 14:46
  • @TomYan The VPN tunnel is aware only of the IPs assigned by the VPN, not LAN routes, so if only client-to-client is added, the OP will be able to access the other client's PC, but not other devices on the remote PC's LAN (what the OP is requesting); in order to do so, a dhcp-option DNS for the LAN subnet must be in the client config for traffic to be routed. I have the exact same setup on OpenWrt, but if you doubt it, please test with only client-to-client (it's why I linked to an answer that address this very thing in my prior comment as an example)
    – JW0914
    Commented Mar 25, 2022 at 16:13

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .