If you don’t do NAT on your VPN endpoint, the following happens:
- Your client, which has a private IP address on the VPN adapter, sends a ping to e.g.
kali-3 with the source address of that private network used solely between the VPN client and the VPN server.
- The server forwards that packet as-is to the local LAN.
- The packet arrives at
kali-3 which sends a reply to the packet’s source address, which is that private IP from that private VPN.
kali-3 doesn’t have any special knowledge/no route for that VPN network and sends the request to its default gateway, which is your router.
- Your router doesn’t have a special route for that VPN network either and discards the packet.
There are several possible solutions to this problem:
- On your VPN server: use a NAT firewall rule to rewrite the source address of all packets coming from the VPN to the source address of your VPN server’s local LAN interface. That way
kali-3 will think the request came from your VPN server and send its reply back to the VPN server. The VPN server will recognize that this is a reply to a packet with a rewritten source address, reverse the process and pass the reply on to your VPN client.
kali-3: add a network route to the VPN network with gateway being your VPN server. This will fix
kali-3, but none of the other servers.
- On your router: add a network route to the VPN network with gateway being your VPN server. This will fix it for all machines on your LAN.
Another possibility why it doesn’t work is that your VPN server might have IP routing/IP forwarding deactivated.