Hi,
IP forwarding wasn't enabled, I enabled it now. ("sysctl -w net.ipv4.ip_forward=1" enabled it temporarily, for testing, will make it persistent now I guess)
Any time you need traffic to flow between different interfaces, in this case between enp1s0 and tun0, you need ip_forward enabled.
I didn't set up any rules via iptables (Well, previously did, but deleted them all for troubleshooting) because I don't think it's really needed anyway, because the server is behind a Router.
Don't want to start a discussion about "hosts are safe/unsafe behind NAT/Router"

It can be useful, especially if you plan to add more VPN users, to configure firewall rules to restrict access to resources on your network.
You would place those rules in the FORWARD chain on the tun interface using the client tunnel IP address.
If you need such setup, just ask for help...
This picture can be helpful to understand the packet flow:
1:
NOTE: your local LAN uses the extremely common subnet address
To avoid routing conflicts you should avoid common subnets.
This list is of addresses to avoid on the networks that you control:
10.0.0
10.0.1
10.1.1
10.1.10
10.2.0
10.8.0
10.10.1
10.90.90
10.100.1
10.255.255
169.254 # APIPA #
172.16.0
172.16.16
172.16.42
172.16.68
172.19.3
172.20.10 # IPhone built-in hotspot #
192.168.0
192.168.1
192.168.2
192.168.3
192.168.4
192.168.5
192.168.6
192.168.7
192.168.8
192.168.9
192.168.10
192.168.11
192.168.13
192.168.15
192.168.16
192.168.18
192.168.20
192.168.29
192.168.30
192.168.31
192.168.33
192.168.39
192.168.40
192.168.42 # Android USB tethering #
192.168.43 # Android built-in hotspot #
192.168.50
192.168.55
192.168.61
192.168.62
192.168.65
192.168.77
192.168.80
192.168.85
192.168.88
192.168.98
192.168.99
192.168.100
192.168.101
192.168.102
192.168.111
192.168.123
192.168.126
192.168.129
192.168.137 # Windows Phone built-in hotspot #
192.168.168
192.168.178
192.168.190
192.168.199
192.168.200
192.168.220
192.168.223
192.168.229
192.168.240
192.168.245
192.168.251
192.168.252
192.168.254
200.200.200
/sbin/ip route add 192.168.1.0/24 via 10.8.0.2
RTNETLINK answers: File exists
ERROR: Linux route add command failed: external program exited with error status: 2
The above error is probably because the previous instance was not shut down properly or is still active.
This could also be due to
So first check with
before starting the server. After killing "leftover" openvpn process test to see if the error still pops up.
If it does then change the above to
2:
The server has --keepalive 10 120 in its config, basically this means that the server will wait max. 240 seconds before assuming/becoming aware that the client has disconnected. You can for example change that to 10 60 which will shorten that to 120 seconds. It also depends on the client side setting of --keepalive. See OpenVPN manual:
https://community.openvpn.net/openvpn/w ... n24ManPage to understand the logic.
But the server should notify the client because it has --explicit-exit-notify 1 in its config, unless you changed it since last time. You can set this client side as well.
How do you stop the server?
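As an added example (not the poster's or OpenVPN's own code) of the FORWARD-chain restriction suggested in the reply above: a POSIX shell script that puts per-client rules in a dedicated chain on the tun interface, keyed on the client's tunnel IP. The interface names tun0 and enp1s0 come from the thread; the client tunnel IP 10.8.0.6, the LAN host 192.168.50.10 and the ports 22,443 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: restrict what an OpenVPN client may reach on the LAN,
# using FORWARD-chain rules on the tun interface keyed on the client's
# tunnel IP. Per-client rules only make sense if that IP is fixed
# (OpenVPN can pin it per client); interface names are from the thread,
# the addresses and ports below are assumptions.
IPT=${IPT:-iptables}
VPN_IF=${VPN_IF:-tun0}
LAN_IF=${LAN_IF:-enp1s0}

# DRY_RUN=1 prints the commands instead of executing them (no root needed).
run() {
    if [ -n "$DRY_RUN" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# Allow one client (by tunnel IP) to open TCP connections to one LAN host.
allow_client() {
    run -A VPN_FWD -i "$VPN_IF" -o "$LAN_IF" -s "$1" -d "$2" \
        -p tcp -m multiport --dports "$3" -m conntrack --ctstate NEW -j ACCEPT
}

apply_vpn_forward_rules() {
    # Own chain: can be flushed and rebuilt without touching the rest of FORWARD.
    run -N VPN_FWD 2>/dev/null || true
    run -F VPN_FWD
    # Replies to already-accepted flows pass in both directions.
    run -A VPN_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    allow_client 10.8.0.6 192.168.50.10 22,443
    # Anything else from the tunnel toward the LAN: rate-limited log, then drop.
    run -A VPN_FWD -i "$VPN_IF" -o "$LAN_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "VPN_FWD drop: "
    run -A VPN_FWD -i "$VPN_IF" -o "$LAN_IF" -j DROP
    # Hook the chain in for packets entering or leaving the tun interface
    # (remove a previous hook first so re-running does not duplicate it).
    run -D FORWARD -i "$VPN_IF" -j VPN_FWD 2>/dev/null || true
    run -D FORWARD -o "$VPN_IF" -j VPN_FWD 2>/dev/null || true
    run -I FORWARD 1 -i "$VPN_IF" -j VPN_FWD
    run -I FORWARD 2 -o "$VPN_IF" -j VPN_FWD
}

# "sh script.sh preview" prints the rules; "sh script.sh apply" installs them (as root).
case "${1:-preview}" in
    apply)   apply_vpn_forward_rules ;;
    preview) DRY_RUN=1; export DRY_RUN; apply_vpn_forward_rules ;;
esac
```

Clients whose tunnel IP has no allow_client line can still reach the VPN server itself and each other unless further rules cover that; the chain only governs tunnel-to-LAN forwarding.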