Забыли сказать, что это ни фига не Ubuntu
А также показать конфиги участников OVPN и ВСЕ правила netfilter (iptables-save было бы информативней)
Совершенно верно! Это два роутера с прошивкой от Падавана.
Server:
/home/root # cat /etc/openvpn/server/server.conf
# OpenVPN server side of a router-to-router tunnel: routed tun device,
# 10.8.0.0/24 as the VPN subnet, certificate-based authentication.
# NOTE(review): no tls-auth / tls-crypt directive appears in this listing, so
# the UDP port processes TLS handshakes from any source address.
proto udp
port 11940
dev tun1
topology subnet
server 10.8.0.0 255.255.255.0
# Per-client files are read from the ccd directory (contents not shown here).
client-config-dir ccd
# Kernel route to the LAN behind the client. In server mode OpenVPN also needs
# a matching `iroute 192.168.1.0 255.255.255.0` in that client's ccd file to
# know which client owns the subnet - confirm it is present.
route 192.168.1.0 255.255.255.0 10.8.0.2
# Tells connecting clients to route 192.168.3.0/24 through the tunnel.
push "route 192.168.3.0 255.255.255.0"
# HMAC digest for data-channel packets; must match the peer.
# NOTE(review): SHA256 or stronger is the usual choice for new deployments.
auth SHA1
# NOTE(review): Blowfish has a 64-bit block, which makes long-lived sessions
# subject to birthday-bound collisions (SWEET32). An AES cipher, changed on
# both ends together, removes that exposure.
cipher BF-CBC
# NOTE(review): compressing before encrypting can leak information about the
# plaintext through packet sizes; drop it on both ends unless it is required.
comp-lzo adaptive
push "comp-lzo adaptive"
ca /etc/storage/openvpn/server/ca.crt
# NOTE(review): the file name suggests 1024-bit DH parameters - verify, and
# regenerate at 2048 bits or more if so.
dh /etc/storage/openvpn/server/dh1024.pem
cert /etc/storage/openvpn/server/server.crt
key /etc/storage/openvpn/server/server.key
persist-key
persist-tun
# Drop root privileges once initialisation is finished.
user nobody
group nogroup
# Level 2 permits user-defined scripts; needed for the client-connect and
# client-disconnect hooks below. Keep ovpns.script writable by root only.
script-security 2
tmp-dir /tmp/openvpn
writepid /var/run/openvpn_svr.pid
client-connect ovpns.script
client-disconnect ovpns.script
### User params:
max-clients 10
# Client-to-client packets are forwarded inside the OpenVPN process and never
# reach the host's netfilter rules, so iptables cannot restrict them.
client-to-client
keepalive 10 120
nice 3
# verb 0 logs fatal errors only; raise it (3 or 4) while troubleshooting and
# to keep a record of connections.
verb 0
mute 10
# NOTE(review): looks redundant - the `server` directive above already
# configures this subnet on tun1; confirm before removing.
route 10.8.0.0 255.255.255.0
/home/root # iptables-save
# Generated by iptables-save v1.4.16.3 on Fri Jan 13 14:40:21 2017
# Server router, nat table. The upnp, upnp-post and vserver chains are
# declared but hold no rules in this dump.
*nat
:PREROUTING ACCEPT [2972:238729]
:INPUT ACCEPT [2354:134413]
:OUTPUT ACCEPT [15:1851]
:POSTROUTING ACCEPT [57:3647]
:upnp - [0:0]
:upnp-post - [0:0]
:vserver - [0:0]
# Traffic addressed to 10.0.0.3 is passed to the (currently empty) vserver chain.
-A PREROUTING -d 10.0.0.3/32 -j vserver
# LAN and VPN-subnet traffic leaving through eth2.2 is rewritten to 10.0.0.3.
# There is no rule for 192.168.1.0/24 (the remote LAN), so those packets keep
# their original source address when forwarded here.
-A POSTROUTING -s 192.168.3.0/24 -o eth2.2 -j SNAT --to-source 10.0.0.3
-A POSTROUTING -s 10.8.0.0/24 -o eth2.2 -j SNAT --to-source 10.0.0.3
# LAN-to-LAN traffic going back out br0 is rewritten to the router's own address.
-A POSTROUTING -s 192.168.3.0/24 -d 192.168.3.0/24 -o br0 -j SNAT --to-source 192.168.3.1
COMMIT
# Completed on Fri Jan 13 14:40:21 2017
# Generated by iptables-save v1.4.16.3 on Fri Jan 13 14:40:21 2017
# Server router, filter table.
# NOTE(review): all three built-in chains default to ACCEPT, and no rule in
# this dump jumps to logdrop or vpnlist, so the DROP/LOG rules below are never
# reached. As shown, this host filters nothing on any interface. A default-drop
# INPUT/FORWARD policy with explicit allows (the OpenVPN UDP port, tun1, the
# LAN bridge) would be the expected state for an Internet-facing router.
*filter
:INPUT ACCEPT [2967:185708]
:FORWARD ACCEPT [131:6648]
:OUTPUT ACCEPT [12035:3540498]
:bfplimit - [0:0]
:logdrop - [0:0]
:upnp - [0:0]
:vpnlist - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Logs, then drops, INVALID and NEW packets - only if something jumps here.
-A logdrop -m state --state INVALID,NEW -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options
-A logdrop -j DROP
# Accepts everything arriving on tun1 - likewise unreferenced in this dump.
-A vpnlist -i tun1 -j ACCEPT
COMMIT
# Completed on Fri Jan 13 14:40:21 2017
/home/root #
Client:
/home/root # iptables-save
# Generated by iptables-save v1.4.16.3 on Wed Jan 18 19:57:36 2017
# Client router, nat table. The upnp, upnp-post and vserver chains are
# declared but hold no rules in this dump.
*nat
:PREROUTING ACCEPT [3124:193904]
:INPUT ACCEPT [2627:152752]
:OUTPUT ACCEPT [17:1945]
:POSTROUTING ACCEPT [186:9722]
:upnp - [0:0]
:upnp-post - [0:0]
:vserver - [0:0]
# Traffic addressed to 10.0.0.1 is passed to the (currently empty) vserver chain.
-A PREROUTING -d 10.0.0.1/32 -j vserver
# LAN traffic leaving through eth2.2 is rewritten to 10.0.0.1. Nothing here
# matches the tunnel interface, so LAN hosts keep their 192.168.1.x source
# address inside the VPN and the far side needs a route back to that subnet.
-A POSTROUTING -s 192.168.1.0/24 -o eth2.2 -j SNAT --to-source 10.0.0.1
# LAN-to-LAN traffic going back out br0 is rewritten to the router's own address.
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j SNAT --to-source 192.168.1.1
COMMIT
# Completed on Wed Jan 18 19:57:36 2017
# Generated by iptables-save v1.4.16.3 on Wed Jan 18 19:57:36 2017
# Client router, filter table.
# NOTE(review): the chain policies are ACCEPT and the only DROP rules match
# INVALID state, so any packet not matched below is still accepted by policy,
# including new connections arriving on the WAN side. A final DROP rule (or a
# DROP policy) on INPUT and FORWARD is needed for these accepts to act as an
# allow-list.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9116:1425976]
:bfplimit - [0:0]
:upnp - [0:0]
:vpnlist - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Everything arriving from the tunnel may reach the router itself.
-A INPUT -i tun0 -j ACCEPT
# DHCP replies (server port 67 to client port 68).
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
# Accepts all ICMP except echo-request; with the ACCEPT policy, echo-request
# is not actually blocked.
-A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -j ACCEPT
# Everything arriving from the tunnel may be forwarded to any interface.
-A FORWARD -i tun0 -j ACCEPT
# Connections that were destination-NATed (port forwards) are allowed through.
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
# Completed on Wed Jan 18 19:57:36 2017
/home/root # cat /etc/openvpn/client/
client.conf ovpnc.script
/home/root # cat /etc/openvpn/client/client.conf
# OpenVPN client side of the router-to-router tunnel.
# NOTE(review): there is no user/group directive in this listing, so the
# daemon and the up/down script keep the privileges it was started with.
client
proto udp
remote 10.0.0.3 11940
resolv-retry infinite
nobind
dev tun0
ca /etc/storage/openvpn/client/ca.crt
cert /etc/storage/openvpn/client/client.crt
key /etc/storage/openvpn/client/client.key
# auth, cipher and comp-lzo must match the server's settings.
# NOTE(review): BF-CBC is a 64-bit block cipher (birthday-bound collisions on
# long sessions, SWEET32) and compression can leak plaintext information via
# packet sizes; change both together with the server.
auth SHA1
cipher BF-CBC
comp-lzo adaptive
persist-key
# Level 2 permits user-defined scripts; needed for the up/down hooks below.
# Keep ovpnc.script writable by root only.
script-security 2
writepid /var/run/openvpn_cli.pid
up ovpnc.script
down ovpnc.script
### User params:
# Checks that the peer certificate is marked as a server certificate.
# NOTE(review): ns-cert-type is deprecated; `remote-cert-tls server` is the
# replacement, provided the server certificate carries the matching key usage.
ns-cert-type server
nice 0
verb 5
mute 10
/home/root #