Score:0

Exposing a LAN through an OpenVPN server running in a virtual machine


There's an OpenVPN server running in a VirtualBox virtual machine with NAT networking. The VM is running on a physical host, and that host is attached to a LAN. I would like to make the VM's host's LAN (192.168.0.0/24) available over the VPN. The VPN network is 10.8.0.0/24.

Here's what I've done:

  • I've configured OpenVPN and clients can connect to it without problems;
  • in the VPN server config, I'm pushing the following route to clients: `push "route 192.168.0.0 255.255.255.0"`;
  • I've enabled packet forwarding in the VM where the VPN server is running: `sysctl net.ipv4.ip_forward=1` (I know this change is not persistent);
  • as far as I'm aware, there are no firewalls enabled anywhere within this network.

The problem: I expected to be able to ping a machine on the LAN (its address is 192.168.0.105) from a connected VPN client, but it doesn't work.

The VPN client's interfaces and routing table, when connected to the VPN:

```
wlan0: inet 192.168.43.152/24
tun0: inet 10.8.0.6 peer 10.8.0.5/32
default via 192.168.43.1 dev wlan0 proto dhcp src 192.168.43.152 metric 600
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.0.0/24 via 10.8.0.5 dev tun0
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.152 metric 600
```

The VPN server's interfaces (this is the VM), with the above client connected to the VPN:

```
enp0s3: inet 10.0.2.15/24
tun0: inet 10.8.0.1 peer 10.8.0.2/32
default via 10.0.2.2 dev enp0s3 proto dhcp src 10.0.2.15 metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
```

The output of `traceroute 192.168.0.105` on the VPN client shows just 10.8.0.1 and nothing else. So it looks like the packets are at least reaching the VPN server machine. The output of `traceroute 192.168.0.105` on the VPN server machine shows 10.0.2.2 (this is the VM's physical host, made available under this address by VirtualBox), and then reaches its destination correctly. On the VPN server machine, packets for 192.168.0.105 should be routed to the default gateway, which is 10.0.2.2, yet it only works when the ping is issued directly on the server machine, but not when it goes through the VPN.

Riley Scott Jacob:
Do you have `topology subnet` in the server config?
md1357:
@RileyScottJacob Adding it doesn't resolve the problem, although it changed the server's and client's routing tables slightly (I'm not sure if that's important).
Riley Scott Jacob:
On the LAN's gateway, have you added a static route for 10.8.0.0/24?
md1357:
@RileyScottJacob I completely forgot to mention this in the original question, but let's assume I can't make any changes to the LAN gateway. Does that make it impossible? Earlier, I tried adding a route to `10.8.0.0/24` on `192.168.0.105`, but that didn't work.
Score:0

You can add a static route on the VirtualBox host to let it know about the VPN client subnet. To do this, you can run the following command on the VirtualBox host:

```
sudo route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.0.2.15
```

This command tells the VirtualBox host that the subnet 10.8.0.0/24 is reachable through the VPN server's IP address (10.0.2.15). With this setup, the LAN machines should now be able to send traffic back to the VPN client through the VPN server.

Additionally, since you mentioned that the sysctl change for packet forwarding is not persistent, make sure to add the following line to the relevant configuration file (e.g., /etc/sysctl.conf) on the VPN server VM to ensure that IP forwarding is enabled after reboots:

```
net.ipv4.ip_forward=1
```

After applying these changes, try pinging the LAN machine (192.168.0.105) from the VPN client again, and it should work as expected.
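
Added example (not part of the thread or any poster's code): a longest-prefix-match lookup over the two routing tables posted in the question, showing the next hop each machine selects toward 192.168.0.105 and where a reply addressed to the VPN client 10.8.0.6 would be sent. The LAN host's table, its gateway 192.168.0.1 and the interface name eth0 are constructed assumptions, since the thread does not show them.

```python
import ipaddress

# Routing tables copied from the question (`ip route` output).
CLIENT_ROUTES = """\
default via 192.168.43.1 dev wlan0 proto dhcp src 192.168.43.152 metric 600
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.0.0/24 via 10.8.0.5 dev tun0
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.152 metric 600
"""
SERVER_ROUTES = """\
default via 10.0.2.2 dev enp0s3 proto dhcp src 10.0.2.15 metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
"""
# Constructed (not in the thread): gateway 192.168.0.1 and eth0 are assumptions.
LAN_HOST_ROUTES = """\
default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.105
"""

def parse_routes(text):
    """Parse `ip route` lines into (network, via, dev, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        opts = dict(zip(tok[1::2], tok[2::2]))  # remaining tokens are key/value pairs
        routes.append((ipaddress.ip_network(dest), opts.get("via"),
                       opts.get("dev"), int(opts.get("metric", 0))))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; the lower metric wins a tie. Returns (next hop, dev)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None  # no route: the packet would be dropped
    _, via, dev, _ = max(hits, key=lambda r: (r[0].prefixlen, -r[3]))
    return (via or "on-link", dev)

if __name__ == "__main__":
    for name, table, dst in [("client -> LAN", CLIENT_ROUTES, "192.168.0.105"),
                             ("server -> LAN", SERVER_ROUTES, "192.168.0.105"),
                             ("server -> client", SERVER_ROUTES, "10.8.0.6"),
                             ("LAN host -> client", LAN_HOST_ROUTES, "10.8.0.6")]:
        print(f"{name:20} {dst:15} {lookup(parse_routes(table), dst)}")
```

Under the assumed LAN host table, a reply to 10.8.0.6 follows the default route to the LAN gateway, which is the return path the comments ask about.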
