Saturday, April 7, 2018

Learning how to route through a VPN connection...

I am learning how to use VPNs and route through them. I am failing at getting bidirectional ping working on my network and it's been bugging me for a bit.

My Network

Here is a diagram of my network made in MS Paint: https://i.imgur.com/EXueBr4.png

I'll outline the devices for you:

  • VyOS running on Vultr.com with a public IPv4 (/23) and OpenVPN Server running.
  • EdgeOS running on a Ubiquiti Networks Edge Router Pro 8 Port, behind a modem, utilising a public IPv4. Runs OpenVPN Server and has 3 VLANs individually using a LAN port per VLAN.
  • CentOS 6 running within Proxmox on a Supermicro server, with its firewall open.

My Issue

  • I am able to ping and trace from Server to R1's 172.16.64.1/29 address.
  • I am able to ping and trace from R2 to R1's 172.16.64.1/29 address.
  • I am able to ping and trace from R1 to R2's 172.16.64.2/29 address.
  • I am unable to ping or trace from R1 to R2's 10.0.102.1/24 address.
  • I am unable to ping or trace from R1 to Server's 10.0.102.9/24 address.

Configuration

Below are parts of the configuration for R1 which I feel are important to share:

    interfaces {
        ethernet eth0 {
            ...public address config...
        }
        openvpn vtun0 {
            firewall {
                in {
                    name VPN
                }
                local {
                    name VPN
                }
                out {
                    name VPN
                }
            }
            mode server
            server {
                subnet 172.16.64.0/29
            }
            tls {
                ca-cert-file /config/auth/ovpn/ca.crt
                cert-file /config/auth/ovpn/server.crt
                dh-file /config/auth/ovpn/dh1024.pem
                key-file /config/auth/ovpn/server.key
            }
        }
    }
    nat {
        source {
            rule 1 {
                description "VPN to Home"
                destination {
                    address 10.0.0.0/8
                }
                outbound-interface vtun0
                protocol all
                translation {
                    address masquerade
                }
            }
        }
    }
    protocols {
        static {
            route 0.0.0.0/0 {
                next-hop 108.61.196.1 {
                }
            }
            route 10.0.0.0/8 {
                next-hop 172.16.64.2 {
                }
            }
        }
    }

Below are parts of the configuration for R2 which I feel are important to share:

    firewall {
        all-ping enable
        broadcast-ping disable
        group {
            address-group NetworkAdministrators {
                address 10.0.102.8
                address 10.0.102.7
                address 10.0.102.254
                address 10.0.102.14
                description "Network Administrators"
            }
            network-group OpenNetworks {
                description "Networks that can access WAN."
                network 10.0.101.0/24
                network 10.0.102.0/24
            }
        }
        ipv6-receive-redirects disable
        ipv6-src-route disable
        ip-src-route disable
        log-martians enable
        name Tenant {
            default-action accept
            description "Tenant network rules."
            rule 1 {
                action drop
                description "Block control panel."
                destination {
                    address 10.0.102.1/32
                    port 80,443,22
                }
                log disable
                protocol tcp
            }
        }
        name VPN {
            default-action accept
            description "Allow any VPN connection"
            rule 1 {
                action accept
                log disable
                protocol all
            }
        }
        receive-redirects disable
        send-redirects enable
        source-validation disable
        syn-cookies enable
    }
    interfaces {
        ethernet eth0 {
            ...other lan...
        }
        ethernet eth1 {
            ...other lan...
        }
        ethernet eth2 {
            address 10.0.102.1/24
            description Tenant
            duplex auto
            firewall {
                local {
                    name Tenant
                }
            }
            speed auto
        }
        ethernet eth7 {
            address dhcp
            address dhcpv6
            description WAN
            duplex auto
            firewall {
                local {
                    name WAN_LOCAL
                }
            }
            mac 00:24:81:82:d8:d5
            speed auto
        }
        openvpn vtun0 {
            mode client
            remote-host ...R1 public ip...
            tls {
                ca-cert-file /config/auth/ovpn/ca.crt
                cert-file /config/auth/ovpn/client.crt
                key-file /config/auth/ovpn/client.key
            }
        }
    }
    service {
        nat {
            rule 1 {
                destination {
                    address 10.0.102.0/24
                }
                inbound-interface vtun0
                inside-address {
                    address 10.0.102.0/24
                }
                protocol all
                type destination
            }
            rule 5003 {
                description "Tenant to VPN"
                destination {
                    address 172.16.64.0/29
                }
                log disable
                outbound-interface vtun0
                protocol all
                source {
                    address 10.0.102.0/24
                }
                type masquerade
            }
            rule 5004 {
                description "NetworkAdministrators to Management"
                destination {
                    address 10.0.100.0/24
                }
                log disable
                outbound-interface eth0
                protocol all
                source {
                    group {
                        address-group NetworkAdministrators
                    }
                }
                type masquerade
            }
            rule 5005 {
                description "Public Route"
                log disable
                outbound-interface eth7
                protocol all
                source {
                    group {
                        network-group OpenNetworks
                    }
                }
                type masquerade
            }
        }
    }

Routes for Devices

Here I'll document the routes for each device:

Routes for R1

    default via ...public gateway... dev eth0 proto zebra
    10.0.0.0/8 via 172.16.64.2 dev vtun0 proto zebra
    ...public network.../23 dev eth0 proto kernel scope link src ...public ip...
    127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1
    172.16.64.0/29 dev vtun0 proto kernel scope link src 172.16.64.1

Routes for R2

    0.0.0.0/29 dev vtun0 proto kernel scope link
    default via ...public gateway... dev eth7 proto zebra
    10.0.100.0/24 dev eth0 proto kernel scope link src 10.0.100.1
    10.0.101.0/24 dev eth1 proto kernel scope link src 10.0.101.1
    10.0.102.0/24 dev eth2 proto kernel scope link src 10.0.102.1
    ...public network.../24 dev eth7 proto kernel scope link src ...public ip...
    172.16.64.0/29 dev vtun0 proto kernel scope link src 172.16.64.2

Routes for Server

    10.0.102.0/24 dev eth2 proto kernel scope link src 10.0.102.9
    10.0.101.0/24 dev eth1 proto kernel scope link src 10.0.101.9
    10.0.100.0/24 dev eth0 proto kernel scope link src 10.0.100.9
    169.254.0.0/16 dev eth0 scope link metric 1002
    169.254.0.0/16 dev eth1 scope link metric 1003
    169.254.0.0/16 dev eth2 scope link metric 1004
    default via 10.0.102.1 dev eth2

Tests

Here I'll put a collection of traceroutes from each device.

Traceroutes from Server

    # traceroute 10.0.100.1
    traceroute to 10.0.100.1 (10.0.100.1), 30 hops max, 60 byte packets
     1  ...router hostname... (10.0.100.1)  0.197 ms  0.315 ms  0.293 ms
    # traceroute 172.16.64.2
    traceroute to 172.16.64.2 (172.16.64.2), 30 hops max, 60 byte packets
     1  172.16.64.2 (172.16.64.2)  0.248 ms  0.317 ms  0.305 ms
    # traceroute 172.16.64.1
    traceroute to 172.16.64.1 (172.16.64.1), 30 hops max, 60 byte packets
     1  ...router hostname... (10.0.102.1)  0.284 ms  0.342 ms  0.317 ms
     2  172.16.64.1 (172.16.64.1)  18.894 ms  24.621 ms  24.596 ms

This shows that Server is able to trace to my Vultr server and ping the OpenVPN router IP.

Traceroutes from R2

    # traceroute 172.16.64.1
    traceroute to 172.16.64.1 (172.16.64.1), 30 hops max, 38 byte packets
     1  172.16.64.1 (172.16.64.1)  18.031 ms  15.952 ms  14.631 ms

This shows that R2 is able to trace to my Vultr server and ping the OpenVPN router IP.

Traceroutes from R1

    # traceroute 172.16.64.2
    traceroute to 172.16.64.2 (172.16.64.2), 30 hops max, 60 byte packets
     1  172.16.64.2 (172.16.64.2)  27.038 ms  26.968 ms  26.940 ms
    # traceroute 10.0.102.1
    traceroute to 10.0.102.1 (10.0.102.1), 30 hops max, 60 byte packets
     1  * * *
     2  * * *
     3  * * *
     4  * * *
     5  * * *
    # traceroute 10.0.102.9
    traceroute to 10.0.102.9 (10.0.102.9), 30 hops max, 60 byte packets
     1  * * *
     2  * * *
     3  * * *
     4  * * *
     5  * * *

This shows that R1 is only able to ping the OpenVPN client IP of R2, but no further.
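The pattern above, where R2's tunnel address answers from R1 but nothing behind it does, is also what a missing OpenVPN client route looks like from the server side. R1's kernel route sends 10.0.0.0/8 into vtun0, but in server mode the OpenVPN daemon keeps its own table of which client owns which subnet, learned from `server client <cn> subnet ...` (an iroute) in VyOS and EdgeOS, and the R1 configuration as posted has no such stanza. The script below is an editor-added check, not code from this post or from VyOS: it parses the Vyatta-style brace configuration that R1 runs (the sample is transcribed from the post with the elided stanzas left out), reports static routes whose next-hop is a VPN client address that no iroute covers, and, as a separate hint, flags the 1024-bit DH parameter file by its name. The client name `r2` in the corrected variant is an assumed placeholder for the CN of R2's certificate, which the post does not show, and whether the iroute alone resolves the problem cannot be confirmed from the post.

```python
import ipaddress
import re
import shlex

# Editor-added example. Transcribed from the post with the elided stanzas left
# out; constructed sample input, not a live configuration.
R1_CONFIG = """\
interfaces {
    openvpn vtun0 {
        mode server
        server {
            subnet 172.16.64.0/29
        }
        tls {
            dh-file /config/auth/ovpn/dh1024.pem
        }
    }
}
protocols {
    static {
        route 10.0.0.0/8 {
            next-hop 172.16.64.2 {
            }
        }
    }
}
"""

# Same config plus the iroute; "r2" is an assumed stand-in for R2's certificate CN.
R1_CONFIG_WITH_IROUTE = R1_CONFIG.replace(
    "            subnet 172.16.64.0/29\n",
    "            subnet 172.16.64.0/29\n"
    "            client r2 {\n"
    "                subnet 10.0.0.0/8\n"
    "            }\n",
)


def parse_config(text):
    """Nested dicts from one-statement-per-line brace config; leaves become value lists."""
    root = node = {}
    stack = []  # parents of the node currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            node = stack.pop()  # IndexError here means an unbalanced '}'
            continue
        tokens = shlex.split(line)  # honours quoted values such as description "..."
        if tokens[-1] == "{":
            stack.append(node)
            for tok in tokens[:-1]:  # `openvpn vtun0 {` nests as ["openvpn"]["vtun0"]
                node = node.setdefault(tok, {})
        else:
            node.setdefault(tokens[0], []).append(" ".join(tokens[1:]))
    if stack:
        raise ValueError("unbalanced '{'")
    return root


def openvpn_servers(tree):
    """Yield (ifname, node) for each openvpn interface configured in server mode."""
    for ifname, node in tree.get("interfaces", {}).get("openvpn", {}).items():
        if node.get("mode") == ["server"]:
            yield ifname, node


def missing_iroutes(tree):
    """(prefix, next_hop, ifname) for static routes via a VPN client address that no
    `server client <cn> subnet` covers: the kernel hands them to the tun, but a
    server-mode OpenVPN only forwards to a client whose iroute matches the destination."""
    routes = tree.get("protocols", {}).get("static", {}).get("route", {})
    findings = []
    for ifname, node in openvpn_servers(tree):
        vpn_net = ipaddress.ip_network(node["server"]["subnet"][0])
        iroutes = [ipaddress.ip_network(s)
                   for client in node["server"].get("client", {}).values()
                   for s in client.get("subnet", [])]
        for prefix, rnode in routes.items():
            for next_hop in rnode.get("next-hop", {}):
                if ipaddress.ip_address(next_hop) not in vpn_net:
                    continue  # not routed over this tunnel
                if not any(ipaddress.ip_network(prefix).subnet_of(ir) for ir in iroutes):
                    findings.append((prefix, next_hop, ifname))
    return findings


def weak_dh_hint(tree):
    """(ifname, path) for dh-file names that advertise fewer than 2048 bits. File-name
    heuristic only; confirm with `openssl dhparam -in <file> -text -noout`."""
    findings = []
    for ifname, node in openvpn_servers(tree):
        for path in node.get("tls", {}).get("dh-file", []):
            match = re.search(r"\d{3,4}", path.rsplit("/", 1)[-1])
            if match and int(match.group()) < 2048:
                findings.append((ifname, path))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", R1_CONFIG), ("with iroute", R1_CONFIG_WITH_IROUTE)):
        tree = parse_config(cfg)
        print(label, "missing iroutes:", missing_iroutes(tree), "weak DH:", weak_dh_hint(tree))
```

Running it reports one uncovered route (10.0.0.0/8 via 172.16.64.2 on vtun0) for the configuration as posted and none once the `client r2 { subnet 10.0.0.0/8 }` stanza is present. The parser needs one statement per line, so a configuration flattened onto a single line as in this post has to be restored to its `show configuration` layout first. The DH hint is only a file-name heuristic; `openssl dhparam -in /config/auth/ovpn/dh1024.pem -text -noout` gives the real group size, and anything below 2048 bits should be regenerated.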

Help Appreciated

If anyone is able to offer some assistance with this, I'd greatly appreciate it. Thank you.


