Hi Andzej
Thanks for getting back!
I tried to draw a simplified topology diagram (linked below).
`ip route` on 192.168.1.200 (server, also the OpenVPN server) is:

```
default via 192.168.1.1 dev ovs_bond0 src 192.168.1.200
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev docker-1c0f28c3 proto kernel scope link src 172.18.0.1 linkdown
172.19.0.0/16 dev docker-307872f8 proto kernel scope link src 172.19.0.1
192.168.1.0/24 dev ovs_bond0 proto kernel scope link src 192.168.1.200
192.168.111.0/24 via 10.8.0.1 dev tun0
```
`ip route` on RUT955 is:

```
default dev wwan0 proto static scope link src 10.2.158.248 metric 1
10.2.158.248 dev wwan0 proto static scope link metric 1
10.8.0.0/24 via 10.8.0.1 dev tun0
192.168.1.0/24 via 10.8.0.1 dev tun0
192.168.111.0/24 dev br-lan proto kernel scope link src 192.168.111.1
```
> So: you can reach the 192.168.1.0/24 network from 192.168.111.0/24, but cannot reach 192.168.111.0/24 from 192.168.1.0/24?
Exactly.
> It seems that the NAS knows how to route the 10.8.0.0/24 network. What about routing to 192.168.1.0/24?
Works. Traceroute to 192.168.1.132 with one hop.
> Is RUT955 aware of the 192.168.1.0/24 network on the other end of the tunnel? Is the VPN interface used as the default gateway?
Yes, traceroute from RUT955 (192.168.111.1) to 192.168.1.132 is:

```
traceroute to 192.168.1.132 (192.168.1.132), 30 hops max, 38 byte packets
 1  10.8.0.1 (10.8.0.1)  43.656 ms  45.575 ms  38.514 ms
 2  192.168.1.132 (192.168.1.132)  47.680 ms  37.805 ms  39.761 ms
```
Additionally, a Windows PC on the 192.168.111.0/24 network has no trouble reaching shares on 192.168.1.200 and so on.
192.168.111.1 is the default gateway for 192.168.111.0/24, but only 10.8.0.0/24 and 192.168.1.0/24 are routed via 10.8.0.1 (VPN).
> Does the device on the 192.168.1.0/24 network know that it is supposed to route 192.168.111.0/24 through the NAS? I.e. is the route configured, or does the default gateway point to the NAS?
This is where I am struggling. I tried to set the route as above (192.168.111.0/24 via 10.8.0.1 dev tun0) and also via 10.8.0.6, but without luck.
Additionally, even if I could tell 192.168.1.200 that 192.168.111.1 is the same as 10.8.0.6 (RUT, which it can reach), would then the RUT know that the packet from 192.168.1.200 sent to 192.168.111.70 incoming from the VPN needs to be forwarded in its subnet?
> Does the gateway configured on the ESP point to RUT955 (192.168.111.1)?
Yes, it does.
> What is the firewall configuration? Does the firewall allow VPN traffic to the LAN zone (OpenVPN to LAN)? Network -> Firewall -> General.
The firewall is set to allow forwarding from OpenVPN to LAN (and WAN); screenshot follows.
P.S.:
I cannot post the diagram / screenshot as they seem to count against the 12000 character limit.
Topology is here: https://pasteboard.co/NUcPHq7a9rCG.png
![](https://pasteboard.co/NUcPHq7a9rCG.png)
Firewall settings: https://pasteboard.co/6KP7zaD5rIlf.png
![](https://pasteboard.co/6KP7zaD5rIlf.png)
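As an added example (not part of the post above), here is a small Python longest-prefix-match lookup fed with the two `ip route` tables quoted in the post, so that each box's next hop and egress interface for a given destination can be read off directly; 192.168.111.70 and 192.168.1.132 are the hosts mentioned in the thread, and the `linkdown` handling mirrors what the kernel does with the dead docker bridge route.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    via: Optional[str]  # next-hop address, None for an on-link route
    dev: str            # egress interface
    usable: bool        # False when `ip route` marks the link "linkdown"

def parse_ip_route(text: str) -> list:
    """Parse Linux `ip route` output into Route entries."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        via = tok[tok.index("via") + 1] if "via" in tok else None
        routes.append(Route(ipaddress.ip_network(dest, strict=False), via,
                            tok[tok.index("dev") + 1], "linkdown" not in tok))
    return routes

def lookup(routes, dst: str) -> Optional[Route]:
    """Longest-prefix match over usable routes, as the kernel does it."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if r.usable and addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

def next_hop(routes, dst: str):
    """(next-hop address, egress interface); on-link routes deliver directly."""
    r = lookup(routes, dst)
    return None if r is None else (r.via or dst, r.dev)

# Route tables copied verbatim from the two `ip route` listings in the post.
SERVER = parse_ip_route("""
default via 192.168.1.1 dev ovs_bond0 src 192.168.1.200
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev docker-1c0f28c3 proto kernel scope link src 172.18.0.1 linkdown
172.19.0.0/16 dev docker-307872f8 proto kernel scope link src 172.19.0.1
192.168.1.0/24 dev ovs_bond0 proto kernel scope link src 192.168.1.200
192.168.111.0/24 via 10.8.0.1 dev tun0
""")
RUT955 = parse_ip_route("""
default dev wwan0 proto static scope link src 10.2.158.248 metric 1
10.2.158.248 dev wwan0 proto static scope link metric 1
10.8.0.0/24 via 10.8.0.1 dev tun0
192.168.1.0/24 via 10.8.0.1 dev tun0
192.168.111.0/24 dev br-lan proto kernel scope link src 192.168.111.1
""")
```

Running `next_hop(SERVER, "192.168.111.70")` shows the server's 192.168.111.0/24 route pointing at 10.8.0.1, which is the server's own tun0 address, so the kernel table can do no more than hand such packets to tun0; which connected VPN client OpenVPN then forwards them to is decided by OpenVPN's own client routing, not by this table.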