How to configure a host as a gateway for client-side subnets


If you wish to have particular client-side subnets routed through the VPN, you must ensure that:

  • Your Access Server is properly configured so that the User Permissions page has the desired client-side subnets specified for the corresponding users.
  • The host of each VPN client that is to act as a gateway must be configured to forward traffic to/from the VPN.
  • Your network routing configuration (for any hosts on the VPN that may use the client-side subnets) is adjusted to account for the client-side subnets on the VPN.

Example Scenario

Let's say that a particular user with username "fred" connects to the office VPN (the Access Server) from his home. His main PC at home has multiple network interfaces, with one connected to the Internet (say, via a DSL router) and another interface connected to a personal "test network". All hosts on the test network have an IP address in the subnet. For instance, Fred's main PC has the address on the test network.

Fred connects to the VPN using the OpenVPN-AS client software running on his main PC. Now the goal is to make the test network accessible to other users via the VPN, including users on a back-end network in the office.

User Permissions Configuration

The Access Server administrator must adjust the settings for username "fred" on the User Permissions page to enable this application. If there is no entry for "fred" on the User Permissions page, the administrator adds one by entering "fred" in the "New Username" box. The administrator clicks the "Show" link on fred's entry in the User Permissions table, to see the drop-down box of settings specific to the user "fred". Next, the administrator makes the following changes:

  • Sets a static VPN IP address:
  • Specifies the client-side subnet to route through the user's VPN client
  • Turns on Auto-Login for the user that will act as a gateway client

Changes to be made at the Router:

- Static routing will need to be enabled
- You will need to add the VPN's subnet as a static route to the machine you are running the gateway client on

*NOTE: If trying to run a linux client in gateway mode you may need to run this command to enable routing:

sysctl -w net.ipv4.ip_forward=1