OpenVPN where only remote LAN is routed

Hello, I'm sure this is a common use case but I have no idea what it is called and how to do it. I have openvpn on a server where I am unable to modify its config file. It uses a login for each user, not a cert and I have the client config. What I want to do is on my router have it establish a connection, then route packets destined to the local subnet of that remote OpenVPN server - eg 10.2.x.x. Other than that all other traffic on my router goes through normally. In essence, I want it to appear as if when a user on my network goes to access a file share or network resource that is on the remote subnet, it just works without setting up a VPN for each user.

On the server you use the push command in the config to send the route to the client, in this case your router. Look up push route on the OpenVPN website.

The OpenVPN man page will also show you how to do this, but it must be modified in the server config.

  • 99% of OpenVPN options must be mirrored in the server and client configs.

Just a general FYI, your VPN is not secure for remote access if it's not using certificates. You can still use a username/password login style with certs, but without them, there's no way to secure your connection, as there's no way to verify the CA of the OpenVPN server (this leaves the connection wide open to MITM attacks).

  • Additionally, if you're using a password file, instead of an authentication plugin, DLL, or shared object, this is a wrong VPN configuration.
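The two points above (installing only the remote LAN route, and verifying the server's certificate so a username/password login is not open to MITM) can both be handled on the client when the server config cannot be edited. The following is an added example of an OpenVPN client config for the router, not a file from the thread or from the OpenVPN project; the server address, the 10.2.0.0/16 subnet, the tun0 device name and the file paths are assumptions and must be taken from the real client config you were given:

```conf
# /etc/openvpn/remote-lan.conf -- added example, not the original poster's config.
client
dev tun0                          # assumption: fixed name so the firewall zone can reference it
proto udp
remote vpn.example.com 1194       # assumption: take host/port from the supplied client config
nobind
persist-key
persist-tun

# Username/password login, as the server requires. The file holds two lines
# (username, then password); keep it root-only (chmod 600).
auth-user-pass /etc/openvpn/remote-lan.auth

# Server identity: trust only this CA, and require the peer certificate to carry
# the server extended key usage so a stolen *client* cert cannot impersonate it.
ca /etc/openvpn/ca.crt
remote-cert-tls server
# Optionally also pin the server certificate's subject:
# verify-x509-name vpn.example.com name

# Ignore routes (including redirect-gateway) and DNS options pushed by the server,
# but still accept the tunnel address (ifconfig) and other session options...
route-nopull
# ...and install only the remote LAN via the tunnel. Adjust to the real subnet/mask.
route 10.2.0.0 255.255.0.0
```

With `route-nopull` the server's pushed `redirect-gateway` is dropped, so only 10.2.0.0/16 leaves via tun0 and everything else follows the router's normal default route. On OpenVPN 2.4 or newer you can instead keep pushed routes and drop just the gateway redirect with `pull-filter ignore "redirect-gateway"`. Verify after connecting with `ip route` on the router: there should be one 10.2.0.0/16 entry pointing at tun0 and an unchanged default route.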

I think I got a key and cert confused - I meant the certificate (key?) is not the main way of authentication, there is a cert configured. What would need to be changed on the server? If I connect on my phone it works fine and all traffic is sent over the VPN. How do I specifically set this up on OpenWrt where it only sends the local subnet?

Update: I have set up the VPN on LEDE. If I ping the remote subnet through SSH on my router it works, now the challenge is how do I tell my main LAN about this route existing?

If you don't have forwarding set up in the firewall to allow VPN -> LAN & LAN -> VPN, that would need to be done. If you do have that, please post your firewall config, VPN Server & Client configs.
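The LAN hosts do not need to learn the route at all: their default gateway is already the router, which now has the 10.2.0.0/16 route, so the only missing piece is the firewall forwarding the reply above asks about. The following is an added example of the relevant `/etc/config/firewall` section on OpenWrt/LEDE, not the original poster's config; it assumes the tunnel device is `tun0` and the LAN zone has the default name `lan`:

```conf
# /etc/config/firewall (fragment) -- added example, not from the thread.
# Put the tunnel device in its own zone instead of ACCEPT-ing everything:
# 'input REJECT' keeps the router's own services (SSH, LuCI, DNS) off the
# remote network, and 'forward REJECT' blocks traffic between zones unless a
# forwarding rule below allows it.
config zone
    option name 'vpn'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'        # SNAT LAN clients to the tunnel address, so the remote
                           # side needs no return route for your LAN subnet
    option mtu_fix '1'     # clamp TCP MSS to the tunnel MTU
    list device 'tun0'     # assumption: matches 'dev tun0' in the client config

# LAN hosts may initiate connections to the remote subnet (replies are allowed
# by connection tracking)...
config forwarding
    option src 'lan'
    option dest 'vpn'

# ...but remote hosts get no unsolicited access to the LAN. Enable the reverse
# direction only if that is actually wanted.
# config forwarding
#     option src 'vpn'
#     option dest 'lan'
```

Apply with `/etc/init.d/firewall restart`, then from a LAN client ping a host in 10.2.0.0/16. If the zone is attached by device name, the tunnel must exist (OpenVPN connected) when the firewall loads; alternatively declare an unmanaged interface for tun0 in `/etc/config/network` and reference it with `option network` in the zone so the rules survive reconnects. Masquerading is what makes "accept for all 3 and masquerading on" work at all, but the blanket ACCEPT on input and forward from the VPN zone also lets the remote network reach the router and your LAN; the zone above keeps the masquerade and drops the rest.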

I had a firewall with accept for all 3 and masquerading on. I'll post it in a bit. Is that the wrong approach?

Please review the wikis I linked to as a reference for what needs to be done.

nvm fixed it