Accessing server-side LAN devices over OpenVPN

I have been trying to set up OpenVPN for the longest time now. I've tried it on my spare MacBook Air, but the server isn't easy to set up (if it's even possible). So I decided to go the easier route and get it running on the Pi3.

I tried setting it up from scratch, but it's better to just use the pivpn utility. Got it set up and working in no time.

After setting up the keys and the DH key, which is pretty straightforward, the .ovpn configs were generated for the clients. I used the same one on my Android device with OpenVPN Connect to get it working.

The first issue was that all my traffic was being redirected through the tunnel. To stop that from happening, I had to remove redirect-gateway def1 from the config; apparently it was being pushed from the server.

However, once I did that, I was left with access to just the VLAN address of the OpenVPN server, which didn't help.

So let me first share how the network is set up.

  • Home LAN is on the subnet (I know, it shouldn't be that generic, I'll change it someday)
  • OpenVPN server assigns addresses from the pool, taking for itself.
  • WAN IP of the gateway that is connected to the server is 72.220.171.XXX
  • My client LAN has the pool with
  • And my client WAN IP is 77.184.88.XXX

Let's look at the server config

dev tun  
proto udp  
port 1194

ca /etc/openvpn/easy-rsa/pki/ca.crt  
cert /etc/openvpn/easy-rsa/pki/issued/server.crt  
key /etc/openvpn/easy-rsa/pki/private/server.key  
dh /etc/openvpn/easy-rsa/pki/dh2048.pem  
topology subnet


# server and remote endpoints

# Add route to Client routing table for the OpenVPN Server
push "route"

# Add route to Client routing table for the OpenVPN Subnet
push "route"

# your local subnet
#push "route "
push "route"

# Set your primary domain name server address for clients
push "dhcp-option DNS"  
push "dhcp-option DNS"

# Override the Client default gateway by using and
# rather than This has the benefit of
# overriding but not wiping out the original default gateway.
#push "redirect-gateway def1"

keepalive 10 120  
tls-version-min 1.2  
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0

cipher AES-256-CBC  
auth SHA256

user nobody  
group nogroup

crl-verify /etc/openvpn/crl.pem  
status /var/log/openvpn-status.log 20

status-version 3  
log /var/log/openvpn.log

verb 1  
# Generated for use by

So commenting out redirect-gateway def1 stopped all the traffic from going through the VPN, and pushing the route for the LAN manually from the server to the client enabled access to the server-side LAN:
push "route
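
To check a server config for exactly these two things (is redirect-gateway still being pushed, and which routes are pushed to the client), here is a small audit script. It is an added example, not code from this post or from pivpn. The server.conf embedded in it is constructed, and the 10.8.0.0/24 VPN pool, the 192.168.1.0/24 server-side LAN and the client LANs passed to audit() are assumed values, since the post's own addresses weren't preserved. Beyond the post, it also flags a pushed route that overlaps the client's own LAN.

```python
import ipaddress
import shlex

# Constructed sample server.conf in the shape pivpn generates.  The VPN pool
# (10.8.0.0/24) and the server-side LAN (192.168.1.0/24) are assumed values;
# the original post's addresses were not preserved.
SAMPLE_SERVER_CONF = """\
dev tun
proto udp
port 1194
topology subnet
server 10.8.0.0 255.255.255.0

# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"

# your local subnet
push "route 192.168.1.0 255.255.255.0"

push "dhcp-option DNS 192.168.1.1"

# disabled so the client keeps its own default gateway (split tunnel)
#push "redirect-gateway def1"

keepalive 10 120
"""


def _directives(conf_text):
    """Yield (name, args) for each active line; '#' and ';' comment lines are
    skipped, which is exactly how the post disables redirect-gateway."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # keeps quoted push args whole
        if parts:
            yield parts[0], parts[1:]


def push_directives(conf_text):
    """Return every push "..." argument as a list of words, e.g.
    ['route', '192.168.1.0', '255.255.255.0']."""
    return [args[0].split() for name, args in _directives(conf_text)
            if name == "push" and args]


def is_full_tunnel(conf_text):
    """True if the server still pushes redirect-gateway (all client traffic
    goes through the tunnel)."""
    return any(p[0] == "redirect-gateway" for p in push_directives(conf_text))


def vpn_pool(conf_text):
    """Network from the 'server NET MASK' directive, or None."""
    for name, args in _directives(conf_text):
        if name == "server" and len(args) >= 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    return None


def pushed_routes(conf_text):
    """Networks the client is told to route via the tunnel."""
    return [ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False)
            for p in push_directives(conf_text)
            if p[0] == "route" and len(p) >= 3]


def audit(conf_text, client_lan):
    """Summarise what the client will receive and flag pushed networks that
    overlap the client's own LAN (given as 'NET/PREFIX'); an overlapping
    pushed route cannot work, since the client already has a connected
    route for those addresses."""
    client_net = ipaddress.ip_network(client_lan, strict=False)
    routes = pushed_routes(conf_text)
    pool = vpn_pool(conf_text)
    candidates = routes + ([pool] if pool else [])
    return {
        "full_tunnel": is_full_tunnel(conf_text),
        "vpn_pool": str(pool) if pool else None,
        "routes": [str(n) for n in routes],
        "conflicts": sorted({str(n) for n in candidates if n.overlaps(client_net)}),
    }


if __name__ == "__main__":
    # Client LAN that happens to use the same generic range as the server LAN.
    print(audit(SAMPLE_SERVER_CONF, "192.168.1.0/24"))
    # Client LAN on a different range: no conflicts.
    print(audit(SAMPLE_SERVER_CONF, "192.168.50.0/24"))
```

The overlap check is there because of the note above about the home LAN being on a generic subnet: if the client's own LAN uses the same range as the pushed server-side route, the pushed /24 collides with the client's directly connected /24 and traffic for those addresses generally stays on the local LAN rather than entering the tunnel, so the LAN appears unreachable even with the push in place. Also note that the push only gives the client a route towards the LAN; for LAN hosts to answer, the Pi must either NAT the VPN pool (pivpn's installer normally adds an iptables MASQUERADE rule for this) or the LAN's router needs a return route for the VPN subnet via the Pi.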

Just took an entire week to figure that out. Here's the relevant documentation.