openvpn client issues

Postby gigaguy » Fri Feb 09, 2018 7:30 pm

I've searched around and tried numerous solutions, but none have worked.

Here is my setup:
- OpenVPN server - public ip x.x.x.x - vpn ip 10.0.0.1
- 4 other vpn clients currently connected and working fine: Android, Linux, and 2 Pis
- 5th vpn client is actually a remote subnet. I can connect from any client to any ip on the 3 subnets
- installed Arch Linux on my GoFlex Home, then OpenVPN
- used the same configs as the working clients
- goflex can connect and ping/ssh to the vpn ip of each vpn client
- no other client or subnet can ping/ssh the goflex vpn ip

vpn subnet - 10.0.0.0
local subnet - 192.168.0.0/24
remote subnet - 192.168.2.0/24

Server cfg
mode server
proto udp4
port 1194
dev tun0
verb 3
comp-lzo
keepalive 15 60
daemon
ca /vpn/ca.crt
cert /vpn/server.crt
key /vpn/server.key
dh /vpn/dh2048.pem
tls-server
client-config-dir /vpn/clients #enable per user configuration
auth SHA256
cipher AES-256-CBC
client-to-client

client cfg
client
proto udp
verb 3
connect-retry 2 300
resolv-retry infinite
dev tun
remote servername 1194
comp-lzo
nobind
cipher AES-256-CBC
auth SHA256
float
persist-key
tls-client
log /var/log/openvpn.log
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
script-security 2

goflex client config
ifconfig-push 10.0.0.6 255.255.255.0
push "route 192.168.0.0 255.255.255.0 10.0.0.1"

goflex - ip addr (with vpn connected)
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.0.0.6 peer 255.255.255.0/32 scope global tun0
valid_lft forever preferred_lft forever
goflex - ip route (with vpn connected)
default via 192.168.0.1 dev eth0 proto dhcp src 192.168.0.171 metric 1024
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.171
192.168.0.1 dev eth0 proto dhcp scope link src 192.168.0.171 metric 1024
255.255.255.0 dev tun0 proto kernel scope link src 10.0.0.6

goflex - route -n (with vpn connected)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 1024 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.1 0.0.0.0 255.255.255.255 UH 1024 0 0 eth0
255.255.255.0 0.0.0.0 255.255.255.255 UH 0 0 0 tun0

uname -a (just in case)
Linux GoFlex.local.domain 4.4.97-1-ARCH #1 PREEMPT Sat Nov 11 04:51:38 UTC 2017 armv5tel GNU/Linux

openvpn client log (cert verify part removed)
WARNING: file 'client.key' is group or others accessible
OpenVPN 2.4.4 armv5tel-unknown-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 28 2017
library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.10
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Socket Buffers: R=[163840->163840] S=[163840->163840]
UDP link local: (not bound)
[gig3] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
SENT CONTROL [gig3]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,ping 15,ping-restart 60,route 192.168.0.0 255.255.255.0 10.0.0.1,ifconfig 10.0.0.6 255.255.255.0,peer-id 4,cipher AES-256-GCM'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1625
OPTIONS IMPORT: data channel crypto options modified
Data Channel: using negotiated cipher 'AES-256-GCM'
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=00:xx:xx:xx:xx:xx
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/usr/bin/ip link set dev tun0 up mtu 1500
/usr/bin/ip addr add dev tun0 local 10.0.0.6 peer 255.255.255.0
/etc/openvpn/client/up.sh tun0 1500 1553 10.0.0.6 255.255.255.0 init
/usr/bin/ip route add 192.168.0.0/24 via 10.0.0.1
RTNETLINK answers: Network is unreachable
ERROR: Linux route add command failed: external program exited with error status: 2
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Initialization Sequence Completed

Just for reference - Working client - route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 304 0 0 wlan0
192.168.0.0 0.0.0.0 255.255.255.0 U 304 0 0 wlan0
255.255.255.0 0.0.0.0 255.255.255.255 UH 0 0 0 tun0

working client - ip addr
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.0.0.3 peer 255.255.255.0/32 scope global tun0
valid_lft forever preferred_lft forever

working client - ip route
default via 192.168.0.1 dev wlan1 metric 304
192.168.0.0/24 dev wlan1 proto kernel scope link src 192.168.0.64 metric 304
255.255.255.0 dev tun0 proto kernel scope link src 10.0.0.3
gigaguy
 
Posts: 1
Joined: Fri Feb 09, 2018 7:29 pm
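The client log above ends with `/usr/bin/ip route add 192.168.0.0/24 via 10.0.0.1` failing with "RTNETLINK answers: Network is unreachable", right after OpenVPN warns that in a point-to-point tun topology the second `--ifconfig` argument must be a peer IP address, not a netmask. The kernel only accepts a `via` gateway that is itself covered by a directly connected (scope link) route, and the posted table's only tun0 route is to 255.255.255.0/32, the netmask taken as a peer address. The following is an added example, not code from the post: it parses `ip route` output, does a longest-prefix lookup the way the kernel does, and reports whether a given next hop would be accepted. The first table is a copy of the goflex table from the post; the second is an assumption about what the same box would show if the server used `topology subnet`, so that `ifconfig 10.0.0.6 255.255.255.0` is read as address plus netmask. Note that the working client's table on the page has the same 255.255.255.0 entry, so the failed route add is shared by both boxes and is not by itself what separates the goflex one.

```python
"""Next-hop reachability check for `ip route` tables (added example).

Models the kernel rule behind "RTNETLINK answers: Network is unreachable":
`ip route add DST via GW` is accepted only when GW is matched by a
directly connected (scope link) route.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the `ip route` output the post shows for the goflex box.
GOFLEX_ROUTES = """\
default via 192.168.0.1 dev eth0 proto dhcp src 192.168.0.171 metric 1024
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.171
192.168.0.1 dev eth0 proto dhcp scope link src 192.168.0.171 metric 1024
255.255.255.0 dev tun0 proto kernel scope link src 10.0.0.6
"""

# Assumed table for the same box under `topology subnet` (not from the post):
# the tun0 address becomes 10.0.0.6/24, giving a connected route to the VPN net.
SUBNET_TOPOLOGY_ROUTES = """\
default via 192.168.0.1 dev eth0 proto dhcp src 192.168.0.171 metric 1024
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.171
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.6
"""

# iproute2 attributes that take a value; anything else (onlink, linkdown) is a bare flag.
KV_KEYS = {"via", "dev", "proto", "scope", "src", "metric", "table", "mtu"}


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]
    dev: Optional[str]
    scope: str          # iproute2 prints no "scope" token for scope global
    metric: int


def parse_ip_route(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        fields = {"via": None, "dev": None, "scope": "global", "metric": "0"}
        i = 1
        while i < len(tokens):
            if tokens[i] in KV_KEYS and i + 1 < len(tokens):
                fields[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                i += 1
        routes.append(Route(
            dst=ipaddress.ip_network(dst, strict=False),   # "255.255.255.0" -> /32 host route
            via=ipaddress.ip_address(fields["via"]) if fields["via"] else None,
            dev=fields["dev"],
            scope=fields["scope"],
            metric=int(fields["metric"]),
        ))
    return routes


def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match; the lowest metric wins among equal prefixes."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in routes if ip in r.dst]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.dst.prefixlen, -r.metric))


def next_hop_usable(routes: List[Route], gateway: str) -> bool:
    """True when `ip route add ... via <gateway>` would be accepted by the kernel."""
    r = lookup(routes, gateway)
    return r is not None and r.scope == "link"


def explain_route_add(table: str, dst: str, gateway: str) -> str:
    """Human-readable verdict for a pushed `route DST GW` on the given table."""
    routes = parse_ip_route(table)
    r = lookup(routes, gateway)
    if next_hop_usable(routes, gateway):
        return f"ok: {dst} via {gateway} is reachable through {r.dst} dev {r.dev}"
    where = f"only {r.dst} (scope {r.scope})" if r else "no route at all"
    return f"Network is unreachable: {gateway} matches {where}"


if __name__ == "__main__":
    print(explain_route_add(GOFLEX_ROUTES, "192.168.0.0/24", "10.0.0.1"))
    print(explain_route_add(SUBNET_TOPOLOGY_ROUTES, "192.168.0.0/24", "10.0.0.1"))
```

On the posted table, 10.0.0.1 falls only under the default route (scope global), which is exactly the condition the kernel rejects; on the assumed subnet-topology table it sits inside the connected 10.0.0.0/24 on tun0 and the route add goes through. Pasting any box's own `ip route` output into `explain_route_add` gives the same verdict before touching the server config.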
