Score:0

Access entire LAN of OpenVPN client from another OpenVPN client

cn flag

I have the following setup:

setup

What do I need to do to make 192.168.0.3 connectable from machine 10.8.0.3? I tried the OpenVPN guide but I guess I'm missing something.

vpn server config /etc/openvpn/server.conf

dev tun
server 10.8.0.0 255.255.255.0

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
crl-verify /etc/openvpn/crl.pem
dh /etc/openvpn/dh2048.pem

client-to-client
daemon

ifconfig-pool-persist ipp.txt
keepalive 10 120
client-config-dir /etc/openvpn/ccd
route 192.168.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
topology subnet
explicit-exit-notify 1

/etc/openvpn/ccd/client2

ifconfig-push 10.8.0.2 255.255.255.0
iroute 192.168.0.0 255.255.255.0

C:\Users\Станислав\openvpn\config\client.ovpn

client
dev tun
remote 80.79.254.239
ca ca.crt
cert client2.crt
key client2.key
redirect-gateway def1
topology subnet

IP and TUN forwarding are on.

Is it possible, given that I don't have access to the LAN router?

ip route

default via 80.79.254.1 dev eth0 proto static
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
80.79.254.0/24 dev eth0 proto kernel scope link src 80.79.254.239
192.168.0.0/24 via 10.8.0.2 dev tun0

ip address

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:6d:10:92 brd ff:ff:ff:ff:ff:ff
    inet 80.79.254.239/24 brd 80.79.254.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2a00:f940:2:4:2::2e16/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe6d:1092/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 52:54:00:54:6a:0d brd ff:ff:ff:ff:ff:ff
11834: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::8c64:bf8:e518:2362/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

service openvpn status

Sep 29 11:15:11 xx-xx-xx-xx.xx.xx openvpn[329382]: client2/38.139.85.41:1194 MULTI: Learn: 10.8.0.2 -> client2/38.139.85.41:1194
Sep 29 11:15:11 xx-xx-xx-xx.xx.xx openvpn[329382]: client2/38.139.85.41:1194 MULTI: primary virtual IP for client2/38.139.85.41:1194: 10.8.0.2
Sep 29 11:15:11 xx-xx-xx-xx.xx.xx openvpn[329382]: client2/38.139.85.41:1194 MULTI: internal route 192.168.0.0/24 -> client2/38.139.85.41:1194
Sep 29 11:15:11 xx-xx-xx-xx.xx.xx openvpn[329382]: client2/38.139.85.41:1194 MULTI: Learn: 192.168.0.0/24 -> client2/38.139.85.41:1194
Sep 29 11:15:11 xx-xx-xx-xx.xx.xx openvpn[329382]: client2/38.139.85.41:1194 REMOVE PUSH ROUTE: 'route 192.168.0.0 255.255.255.0'
Sep 29 11:15:12 xx-xx-xx-xx.xx.xx openvpn[329382]: client2/38.139.85.41:1194 PUSH: Received control message: 'PUSH_REQUEST'
Sep 29 11:15:12 xx-xx-xx-xx.xx.xx openvpn[329382]: client2/38.139.85.41:1194 SENT CONTROL [client2]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifcon>
Sep 29 11:15:12 xx-xx-xx-xx.xx.xx openvpn[329382]: client2/38.139.85.41:1194 Data Channel: using negotiated cipher 'AES-256-GCM'
Sep 29 11:15:12 xx-xx-xx-xx.xx.xx openvpn[329382]: client2/38.139.85.41:1194 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 29 11:15:12 xx-xx-xx-xx.xx.xx openvpn[329382]: client2/38.139.85.41:1194 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Michael Hampton
cz flag
Please post the output for the commands `ip address` and `ip route` on the OpenVPN _server_ while OpenVPN is running with this configuration and at least one client is connected.
Nikita Kipriyanov
za flag
I suspect the default gateway in 192.168.0.0/24 is .1; if so, you'll need a route on the 192.168.0.3 saying 10.8.0.3 is accessible through 192.168.0.2.
Michael Hampton
cz flag
Something is definitely missing here. I see no interface that puts your OpenVPN server on the 192.168.0.0/24 subnet! How is it supposed to be physically connected? Also, you have somehow named your TUN interface `eth1`. I am quite sure that that should not be happening, but I don't see such a renaming in your OpenVPN server configuration. Did you do this manually somewhere else?
cn flag
@MichaelHampton no, the VPN device is named `tun0`; it's below `eth1` in the `ip address` output: `11834: tun0:`. How do I add the `192.168.0.0/24` subnet?
Michael Hampton
cz flag
OK, I can see it now. I was very confused by `tun0`'s interface ID being 11834. So which interface is supposed to connect to the 192.168.0.0/24 subnet? Is it `eth1`? That interface is down and has not been configured since the system was booted. You should check this server's networking configuration and change it as needed.
cn flag
`eth1` is unrelated; it's for the internal private cloud network. I'm guessing it should be `tun0`. Should I `ifconfig tun0:0 192.168.0.1`? Or should it be `eth0`, the main public interface pointing to the internet?
in flag
Is it correct that the machine on the `192.168.0.0/24` subnet is also a VPN client, and that both that machine and `10.8.0.3` are clients? You are pushing the `192.168.0.0/24` route to all clients. I would like to see `ip r` and `ip a` from the client that is connected on `192.168.0.0/24`.
Score:0
in flag

From my understanding your flow is:

client 10.8.0.3 -> server 10.8.0.1 -> client 10.8.0.2 -> 192.168.0.3

It also looks like at least client2 (10.8.0.2) is a Windows machine.

As for routing:

  • 10.8.0.3 needs to have/get 192.168.0.0/24 via 10.8.0.2
  • 192.168.0.3 (or the default router on that network, probably 192.168.0.1) needs to have 10.8.0.0/24 via 192.168.0.2
  • Firewall/IP forwarding is also needed; enabling routing in Windows might or might not be possible depending on the version.

If you are not able to change or add routes on either of the 192.168.0.1/.3 machines, then one could resort to NAT (done on 192.168.0.2), but on Windows that can get messy.

Yet another alternative is to use bridging instead; that would mean that all of the machines are on 192.168.0.0/24, with no routing needed.
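To make the three routing bullets above concrete, here is an added example (not from the question or the answer) that models each host's routing table with kernel-style longest-prefix matching and walks a packet from 10.8.0.3 to 192.168.0.3 and back. The server's routes are copied from the question's `ip route` output; the client tables, the LAN router and its upstream address 203.0.113.1 are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

def lookup(table, dst):
    """Kernel-style longest-prefix match; returns the next hop, None = on-link."""
    hits = [(ip_network(p), nh) for p, nh in table if ip_address(dst) in ip_network(p)]
    if not hits:
        raise LookupError(f"no route to {dst}")
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def topology(fix_return_route=False, windows_forwards=False):
    """host -> (forwards?, routes, addresses). Server routes copy the question's
    `ip route`; client routes are what this server config pushes (constructed)."""
    lan_host = [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")]
    if fix_return_route:  # the answer's second bullet, applied on 192.168.0.3 itself
        lan_host.append(("10.8.0.0/24", "192.168.0.2"))
    return {
        "client3": (False, [("10.8.0.0/24", None), ("192.168.0.0/24", "10.8.0.1")], ["10.8.0.3"]),
        "server": (True, [("10.8.0.0/24", None), ("192.168.0.0/24", "10.8.0.2"),
                          ("0.0.0.0/0", "80.79.254.1")], ["10.8.0.1", "80.79.254.239"]),
        # client2: the Windows box on the LAN; redirect-gateway def1 makes the VPN its default
        "client2": (windows_forwards, [("10.8.0.0/24", None), ("192.168.0.0/24", None),
                                       ("0.0.0.0/0", "10.8.0.1")], ["10.8.0.2", "192.168.0.2"]),
        "lan_host": (False, lan_host, ["192.168.0.3"]),
        # LAN router's upstream 203.0.113.1 is a constructed placeholder outside the model
        "lan_router": (True, [("192.168.0.0/24", None), ("0.0.0.0/0", "203.0.113.1")], ["192.168.0.1"]),
    }

def trace(hosts, src, dst, max_hops=8):
    """Walk one packet hop by hop; return the path, or raise where it dies."""
    owner = {a: h for h, (_, _, addrs) in hosts.items() for a in addrs}
    path, cur = [src], src
    while cur != dst:
        assert len(path) <= max_hops, "routing loop"
        forwards, table, _ = hosts[owner[cur]]
        if cur != src and not forwards:
            raise PermissionError(f"{cur} received the packet but IP forwarding is off")
        nh = lookup(table, dst)
        cur = dst if nh is None else nh  # on-link: deliver directly (VPN peers via server relay)
        if cur not in owner:
            raise LookupError(f"{path[-1]} sends {dst} toward {cur}, outside the modelled network")
        path.append(cur)
    return path

def round_trip(**kw):
    """Both directions between 10.8.0.3 and 192.168.0.3; the error text if one fails."""
    hosts = topology(**kw)
    try:
        return trace(hosts, "10.8.0.3", "192.168.0.3"), trace(hosts, "192.168.0.3", "10.8.0.3")
    except (LookupError, PermissionError) as e:
        return str(e)
```

With the defaults the packet dies at 10.8.0.2 (forwarding off); with forwarding enabled but no return route, the reply leaves 192.168.0.1 toward the upstream and is lost; only with both fixes does the round trip complete.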
