OpenVPN Routing Question

Home » CentOS » OpenVPN Routing Question
CentOS 4 Comments

Hello all,

Let’s say I have an OpenVPN (v2) server sitting on a Linux machine with the IP address of, say, We are talking real address, assigned to a NIC on the machine.

Now let us say the OpenVPN server hands out IP’s in the And let us say that I want the machines able to reach the VPN server to be able to route to the machines available via the VPN. So, for instance, should be able to ping assuming the latter is one of the VPN clients.

So here is my question: is there a VPN setting that would facilitate that?
It seems like is is trivial enough to allow the VPN clients to route out through the VPN server – but trying to facilitate the reverse I got stuck.

Thanks in advance for any help.



4 thoughts on - OpenVPN Routing Question

  • In the server config file
    push “route”

    That will tell the openvpn client to add a route to via the openvpn gateway.

    Machines on the LAN also need a route to via the gateway;
    this is easy if your OpenVPN server is also your default gateway (eg router); otherwise you may need to add routes per-machine or via DHCP, or potentially just tell the default router about the route and let it send redirects to the LAN machines.

  • Stephen,

    Thanks! What you are saying makes perfect sense. I have tried it.

    It works for every subnet except the one the OpenVPN server sits on ( in our example). Yes, the VPN server has to be the default router – or else it just does not seem to work. This additional hop just kills everything, it seems.


  • This issue is that while the client knows the route to the new subnet thanks to the push route command the servers don’t know the route back to the client. If the OpenVPN server is the gateway then this isn’t an issue because the packet will be forwarded to it and the server knows about the client IPs.

    One way around this is as Stephen pointed out to add routes to each individual server though with a large number of servers this is tedious and error prone (unless you use configuration automation like puppet, chef, etc.).

    The other way is to configure a MASQUERADING rule on the VPN server that masquerades all packets that come through the tunnel and have a source IP from the client pool. That way the server will not receive the packets with the original client IP as source but the IP of the VPN
    server. So the response will go to the VPN server and there the packets will get de-masqueraded again and forwarded to the client. This is very similar to the default gateway method except that the VPN
    server no longer has to be the actual default gateway for all traffic but only becomes the de-facto gateway for all packets from VPN clients which most of the time is exactly what you want.


  • If you want one OpenVPN client to see another OpenVPN client then
    client-to-client is the config setting you need.