I would like to route several subnets across my OpenVPN tunnel while maintaining their isolation. Is this possible?
Here is what I have.
10.1.10.0/24 (should only be accessed by 10.2.10.0/24 on client side)
10.1.20.0/24 (should only be accessed by 10.2.20.0/24 on client side)
10.2.10.0/24 (should only be accessed by 10.1.10.0/24 on server side)
10.2.20.0/24 (should only be accessed by 10.1.20.0/24 on server side)
Sure. Governed by the rules on the respective OpenVPN tabs.
They dictate what connections are allowed from the other side of an OpenVPN connection.
So, on the server:
pass any source 10.2.10.0/24 dest 10.1.10.0/24
pass any source 10.2.20.0/24 dest 10.1.20.0/24
On the client:
pass any source 10.1.10.0/24 dest 10.2.10.0/24
pass any source 10.1.20.0/24 dest 10.2.20.0/24
Would this be considered policy-based routing (via firewall rules), as opposed to static routing via the routes defined in the server and client instances? I am taking these terms from the Netgate hangouts Advanced OpenVPN slides/video. I just want to ensure that I understand the terminology correctly.
Using the OpenVPN tab to control the routes would I need to define anything under the local or remote networks or just leave those blank? Should I be selecting force all client generated traffic through this tunnel? When would I use that option ?
You are asking about limiting access based on routes that already exist. That is accomplished with firewall rules passing the desired traffic.
How to route the traffic in the first place is a different question.