Openvpn4ucs cannot access LAN resource

I have installed OpenVPN4ucs and I have it working except for one thing: I cannot access resources on the LAN.
The VPN server is installed on a LAN server, not the GW. The VPN connection is established and the client connects to the VPN server and receives an IP address of the transfer network. I can access all resources of the VPN server but not any LAN resources.

This is a baremetal installation and I am using default settings. UCS is 4.1 with all updates.

What I would like to do is have my client use LAN resources and become a member of the local LAN using DHCP and local DNS.

What would be the correct settings to achieve this?


I also changed the firewall settings so I can access the other servers in the network.
In /etc/sysctl.conf remove the # in front of the line #net.ipv4.ip_forward=1
To take effect immediately: echo 1 > /proc/sys/net/ipv4/ip_forward
Then in /etc/security/packetfilter.d/ add:

# replace <transfer-network-CIDR> with the VPN transfer network handed out to clients, e.g. 10.8.0.0/24
iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s <transfer-network-CIDR> -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s <transfer-network-CIDR> -o eth0 -j MASQUERADE

and restart the firewall: /etc/init.d/univention-firewall restart

Works like a charm :slight_smile:
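An added example, not from this thread, that turns the procedure above into a small script: it fills in the VPN transfer network that the posted rules leave out, refuses a bare address, and compares an `iptables -S` dump against the three expected rules so you can confirm they survived the firewall restart. The subnet 10.8.0.0/24 and the interface names eth0 and tun0 are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread. Renders the three packetfilter.d lines for a given
# VPN transfer network and checks an `iptables -S` dump for them.
# 10.8.0.0/24, eth0 and tun0 are assumed values.

valid_cidr() {
  # Require a.b.c.d/nn; a bare `-s` with no network, as posted, must be rejected.
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

render_rules() {
  # $1 = VPN transfer network (CIDR), $2 = LAN interface, $3 = tunnel interface.
  valid_cidr "$1" || { echo "render_rules: '$1' is not a CIDR network" >&2; return 1; }
  printf 'iptables -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$2" "$3"
  printf 'iptables -A FORWARD -s %s -o %s -j ACCEPT\n' "$1" "$2"
  printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

ip_forward_enabled() {
  # The rules do nothing until the kernel forwards; this mirrors the sysctl step above.
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

missing_rules() {
  # stdin: output of `iptables -S FORWARD; iptables -t nat -S POSTROUTING`
  # (iptables-legacy formatting, as on UCS 4.1). Prints each expected rule that is absent.
  dump=$(cat)
  render_rules "$1" "$2" "$3" | sed 's/^iptables \(-t nat \)\{0,1\}//' |
  while IFS= read -r want; do
    printf '%s\n' "$dump" | grep -Fqx -- "$want" || printf 'missing: %s\n' "$want"
  done
}

# Constructed dump: both FORWARD rules are loaded, the MASQUERADE rule was forgotten.
SAMPLE_DUMP='-P FORWARD DROP
-A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT
-P POSTROUTING ACCEPT'

# On the VPN server: (iptables -S FORWARD; iptables -t nat -S POSTROUTING) | missing_rules 10.8.0.0/24 eth0 tun0
printf '%s\n' "$SAMPLE_DUMP" | missing_rules 10.8.0.0/24 eth0 tun0
```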

Indeed it does :slight_smile:

One catch: how can I use my local DNS server? An nslookup against my local domain does not find the DNS server. Is there a way to resolve this?

To be honest, I don’t know exactly, but it works here without a problem on Windows and Mac.
I think you have two options, you can set the server to push a configuration to the client and you can configure the client by hand.

I just realized that the VPN server publishes itself as DNS server, which is incorrect. Need to find where I can correct that.
Just found it.
Had to edit /etc/openvpn/server.conf and change the line:
push "dhcp-option DNS xx.xx.xx.xx" to reflect the correct DNS


Hello bhagert,

the fact that a DNS server is set is intentional and not ‘incorrect’. The focus of OpenVPN4UCS lies in the ability to provide access for single computers / mobile users to a network.

If you use ‘redirect gateway’ all traffic is redirected and therefore a DNS server is required if you still want to be able to reach e.g. internet resources. A UCR variable is checked to determine which machine ‘on the other side’ is responsible for DNS, and that is set afterwards, which you have noticed already in the config file.

Your scenario looks more like you want to bridge two networks, which would correspond to the ‘site-2-site’ option.


Ingo von Thielau

I appreciate your answer.
What I meant was that the DNS value was set to point to the VPN server. When I changed the entry to point to my DNS server instead it all worked as intended.