How to enable VPN clients to access LAN computers that are not running VPN software

I installed an OpenVPN service on our server. The default setup worked right out of the box. However, I wanted to use a VPN client to perform offsite backups of the computers in our LAN (using the backuppc software). First I installed OpenVPN clients on all of the LAN computers to be backed up, but OpenVPN on MacOS X seems to be a bit unreliable. Therefore I wanted to set up the VPN server to forward requests into our LAN network, so that the LAN machines themselves need no VPN software at all. The following changes were necessary:

  • In the server configuration file the LAN network has to be advertised to the clients, so that they route traffic for it through the tunnel:
    push "route 192.168.0.0 255.255.255.0"
  • The VPN server firewall needs to be configured to allow the traffic. Unfortunately we are using the SuSE Firewall and it apparently does not know anything about the tun interface. The quick fix is to turn off the SuSE Firewall and to enable IP forwarding and the iptables rules for the tun interface by hand:
    server:/etc/openvpn # echo 1 > /proc/sys/net/ipv4/ip_forward
    server:/etc/openvpn # iptables -A INPUT -i tun+ -j ACCEPT
    server:/etc/openvpn # iptables -A FORWARD -i tun+ -j ACCEPT
    Two caveats: the echo into /proc is lost at reboot (net.ipv4.ip_forward = 1 in /etc/sysctl.conf makes it permanent), and the FORWARD rule as written lets every VPN client reach every LAN host on every port, which is more than a backup server needs. If the FORWARD chain's default policy is DROP rather than ACCEPT, a matching rule for the replies coming back from the LAN (for example -m conntrack --ctstate ESTABLISHED,RELATED) is also required.
    One can manually edit the /etc/sysconfig/SuSEfirewall2 file to make it work. I tried with the following changes (but I don't know whether they are all necessary):
    FW_DEV_INT="tun0"
    FW_ROUTE="yes"
    FW_FORWARD="10.8.0.0/24,192.168.0.0/24 192.168.0.0/24,10.8.0.0/2
  • Every LAN machine also needs to know where to send the replies for the VPN network (10.8.0.0/255.255.255.0); without this route they would send them to their default gateway instead of the VPN server. In SuSE Linux you can use Yast's Routing setup and route all traffic to that network using the VPN server (192.168.0.2) as a gateway. This appears to be a problem on Mac OS X computers as there is no easy way to permanently add a manual entry to the routing table. Thus you need to add it (as root) every time from the command line:
    route add 10.8.0.0/24 192.168.0.2
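The steps above, collected into one script as an added example (this is not code from the original post or from OpenVPN): it converts the CIDR notation into the dotted netmask OpenVPN's route directive wants, generates a tighter set of iptables rules than the blanket FORWARD rule, and prints the per-client route command for Linux and Mac OS X. The VPN subnet 10.8.0.0/24, the LAN 192.168.0.0/24 and the gateway 192.168.0.2 are taken from the post; the LAN interface name eth0 and the backup ports 22 (rsync over ssh) and 873 (rsyncd), the transports BackupPC commonly uses, are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not part of the original post. Server-side setup for routing
# OpenVPN clients into the LAN. Assumptions: LAN_IF and BACKUP_PORTS below are
# guesses for this site and can be overridden in the environment.
VPN_NET="${VPN_NET:-10.8.0.0/24}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
LAN_IF="${LAN_IF:-eth0}"
BACKUP_PORTS="${BACKUP_PORTS:-22 873}"

# Convert a prefix length (0-32) into a dotted netmask; OpenVPN's "route"
# directive takes the dotted form, not CIDR.
cidr_to_mask() {
  bits=$1
  full=$((bits / 8))
  rem=$((bits % 8))
  mask=""
  i=0
  while [ "$i" -lt 4 ]; do
    if [ "$i" -lt "$full" ]; then
      octet=255
    elif [ "$i" -eq "$full" ]; then
      octet=$((256 - (1 << (8 - rem))))
    else
      octet=0
    fi
    mask="$mask${mask:+.}$octet"
    i=$((i + 1))
  done
  printf '%s\n' "$mask"
}

# The server.conf line that advertises a network (given as CIDR) to clients.
push_route_directive() {
  net=${1%/*}
  bits=${1#*/}
  printf 'push "route %s %s"\n' "$net" "$(cidr_to_mask "$bits")"
}

# iptables rules: only the backup ports are opened from the VPN into the LAN,
# replies are matched by connection state (needed if FORWARD's policy is DROP),
# and everything else arriving from the tunnel is dropped.
forward_rules() {
  printf 'iptables -A INPUT -i tun+ -j ACCEPT\n'
  printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  for port in $BACKUP_PORTS; do
    printf 'iptables -A FORWARD -i tun+ -o %s -s %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
      "$LAN_IF" "$VPN_NET" "$LAN_NET" "$port"
  done
  printf 'iptables -A FORWARD -i tun+ -j DROP\n'
}

# True when IP forwarding is on; the path argument exists so it can be checked
# against any file, the default is the live kernel setting.
ip_forward_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# Return route each LAN host needs, as the command for its OS ($1: linux or
# darwin) pointing at the VPN server's LAN address ($2).
client_route_cmd() {
  case "$1" in
    darwin) printf 'sudo route -n add -net %s %s\n' "$VPN_NET" "$2" ;;
    linux)  printf 'ip route add %s via %s\n' "$VPN_NET" "$2" ;;
    *)      return 1 ;;
  esac
}

# Apply everything on the server (root required). sysctl -w is the equivalent
# of the echo into /proc; put the same key in /etc/sysctl.conf to persist it.
apply_server_setup() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  sysctl -w net.ipv4.ip_forward=1
  forward_rules | while read -r rule; do sh -c "$rule"; done
  echo "add to server.conf: $(push_route_directive "$LAN_NET")"
}

case "${1:-}" in
  apply) apply_server_setup ;;
  show)  push_route_directive "$LAN_NET"; forward_rules ;;
esac
```

Run it with `show` to review the generated rules and the push directive before running `apply` as root; `client_route_cmd darwin 192.168.0.2` prints the Mac command from the last step, which still has to be re-run after each reboot.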