On 26/01/16 17:19, John R Pierce wrote:
> On 1/26/2016 9:14 AM, Gordon Messmer wrote:
>> On 01/26/2016 05:37 AM, lejeczek wrote:
>>> vpn clients with established tunnels can get to VPN
>>> server's NICs/IPs but cannot get through to the net
>>> behind the server.
>>> Well... they can, but only if on a host (e.g.
>>> 192.168.2.33) on VPN server's net I do:
>>>
>>> route add -host 192.168.2.10 gw 192.168.2.100 #
>>> 192.168.2.10 is VPN client
>>
>> If the VPN isn't hosted on the device with the default
>> gateway, then that route should be added to the gateway
>> device. Proxy arp is an option if you use addresses in
>> the same broadcast domain, but adding a route in the
>> gateway device should work for all configurations.
>
>
> not in this case, because a random host like 192.168.2.33
> thinks the remote VPN client 192.168.2.10 is on the same
> LAN, so it wouldn't even forward the packet to the gateway
> unless the gateway responds to the ARP for 192.168.2.10
>

yes, I see I might not have said it clearly in my last message - like John says - move your VPN local IP to a different subnet and it works, otherwise route on a 'per-host basis' to each VPN client - wrong & undesired.
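An added example, not from any poster in the thread, that models John's point with Python's `ipaddress` module: a LAN host only hands traffic to its default gateway when the destination is outside its own subnet, so a VPN pool inside 192.168.2.0/24 forces a per-host route on every LAN host (or proxy ARP), while a pool in its own subnet needs one route on the gateway. The gateway address 192.168.2.1 and the alternative pool 10.8.0.0/24 are constructed assumptions; 192.168.2.100 and 192.168.2.10 come from the thread.

```python
# Added example (not from the thread): why per-host routes are needed when VPN
# clients share the LAN's subnet, and what changes when the pool moves.
import ipaddress

LAN = ipaddress.ip_network("192.168.2.0/24")          # net behind the VPN server
VPN_SERVER_LAN_IP = ipaddress.ip_address("192.168.2.100")
LAN_GATEWAY = ipaddress.ip_address("192.168.2.1")     # assumed default gateway


def next_hop(src_host, dst, lan=LAN):
    """How a LAN host with only a connected route plus a default route
    reaches dst: 'arp' if it thinks dst is a LAN neighbour and ARPs for it
    directly (never consulting the gateway), otherwise 'gateway'."""
    src_host = ipaddress.ip_address(src_host)
    dst = ipaddress.ip_address(dst)
    if src_host not in lan:
        raise ValueError(f"{src_host} is not on {lan}")
    return "arp" if dst in lan else "gateway"


def return_path_plan(vpn_pool, vpn_server_lan_ip=VPN_SERVER_LAN_IP, lan=LAN):
    """Where routes are needed so LAN hosts can reach VPN clients in vpn_pool.

    Overlapping pool: every LAN host ARPs for the clients, so a gateway route is
    never used; each host needs a host route (the command from the thread), or
    the gateway must answer ARP for the clients (proxy ARP).
    Separate pool: one route on the default gateway via the VPN server.
    """
    pool = ipaddress.ip_network(vpn_pool)
    if pool.overlaps(lan):
        cmds = [f"route add -host {c} gw {vpn_server_lan_ip}" for c in pool.hosts()]
        return {"where": "every LAN host", "commands": cmds}
    return {"where": "default gateway",
            "commands": [f"ip route add {pool} via {vpn_server_lan_ip}"]}


if __name__ == "__main__":
    print(next_hop("192.168.2.33", "192.168.2.10"))   # arp: gateway bypassed
    print(next_hop("192.168.2.33", "10.8.0.10"))      # gateway
    print(return_path_plan("192.168.2.8/29"))         # per-host routes
    print(return_path_plan("10.8.0.0/24"))            # single gateway route
```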