OpenVPN routing (no NAT)

Can't really figure out what I'm doing wrong here and Google or the forums don't give me the answers.
What I'm trying to achieve is to have a routed network between two sites with the help of OpenVPN, PF and my beloved FreeBSD. My goal is also to avoid using NAT.
Feels like I'm stumbling on the finish line...

Connecting clients, both the FBSD ovpn client and other Windows roadwarrior boxes, is no issue, it works like a charm. The problem is routing from server side LAN to client side LAN (including LAN IF of FW).

Code:
LAN1 -- FBSD1 (ovpn client) -- Internet -- FBSD2 (ovpn server) -- LAN2
              Road warriors /

Code:
LAN1: 192.168.5.0/24
FBSD1:
   tun0 inet 172.16.10.102 --> 172.16.10.101
   lan_if 192.168.5.1 (default for subnet)

LAN2: 192.168.1.0/24
FBSD2: 
   tun0 inet 172.16.10.1 --> 172.16.10.2
   lan_if 192.168.1.254 (default for subnet)

Internet traffic is supposed to go straight out (NAT) and VPN traffic over the tun0 on both sites.


Common config for both boxes:
Code:
gateway_enable="YES"
pf_enable="YES"
Some other config that I believe is of interest
openvpn.conf
Code:
   client:
   route-method exe
   route-delay 2

   server:
   push "route 192.168.1.0 255.255.255.0"
   push "route 192.168.5.0 255.255.255.0"
   route 192.168.5.0 255.255.255.0
   client-to-client
   client-config-dir /usr/local/etc/openvpn/ccd

ccd/fbsd1
Code:
   server:
   iroute 192.168.5.0 255.255.255.0

netstat -rn
Code:
   server:
   172.16.10.0/24     172.16.10.2        UGS         1 17792880   tun0
   192.168.5.0/24     172.16.10.102      UGS         0     2406   tun0

   client:
   172.16.10.0/24     172.16.10.101      UGS         0       17   tun0
   192.168.1.0/24     172.16.10.1        UGS         0    21614   tun0
These routes are manually added, OpenVPN adds the local tun0 IP as the gateway (which one is right?)

pf.conf (slightly modified for testing)
Code:
   client and server:
   nat on $ext_if from !$ext_if to !$vpn_if -> ($ext_if)
   block in log
   pass out keep state
   pass on $vpn_if keep state

What works is:
connect/ping from LAN1 -> LAN2
ping from LAN1 -> FBSD2 (inc. lan_if)
ping from FBSD2 -> FBSD1 (tun_if)
ping from LAN2 -> FBSD1 (tun_if)

What doesn't work:
connect/ping from LAN2 -> LAN1
ping from FBSD2 -> FBSD1 (lan_if)
ping from LAN2 -> FBSD1 (lan_if)

Using tcpdump, packets from LAN2 -> LAN1 will show on FBSD2 tun0 but not on FBSD1 tun0.

Regards
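As an added example, not part of the post: a stateless model of how pf evaluates the three filter rules quoted above (top to bottom, last matching rule wins, no "quick") for a packet forwarded through the server in each direction. Fed the rules exactly as quoted, inbound traffic arriving on the LAN interface is matched only by `block in log`, while the same traffic entering on tun0 is passed by `pass on $vpn_if`. The post says the file was modified for testing, so the useful step is the comparison: feed the model what `pfctl -sr` shows is actually loaded, and watch `tcpdump -n -e -ttt -i pflog0` for the logged blocks. The `$lan_if` macro (xl0 here) and the added `pass in on $lan_if` rule are assumptions used for the hardened variant.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "action direction iface")

# The filter rules quoted in the post, with $vpn_if expanded to tun0. The nat rule is left
# out: it translates addresses, it does not decide pass/block. pf walks the rules top to
# bottom and the LAST matching rule wins (none of these use "quick"); if nothing matches,
# pf's default is to pass. State lookups are ignored here: this is the verdict for the
# first packet of a flow, before any state exists.
POSTED_RULES = [
    Rule("block", "in", None),     # block in log
    Rule("pass", "out", None),     # pass out keep state
    Rule("pass", None, "tun0"),    # pass on $vpn_if keep state
]

# Constructed variant (assumption, not from the post): the same rules plus an inbound pass
# on the LAN side, i.e. "pass in on $lan_if keep state" with $lan_if = xl0, the server's
# LAN NIC in the quoted netstat output.
WITH_LAN_PASS = POSTED_RULES + [Rule("pass", "in", "xl0")]


def decide(rules, direction, iface):
    """Verdict for one packet at one filter point (direction + interface)."""
    verdict = "pass"
    for r in rules:
        if r.direction in (None, direction) and r.iface in (None, iface):
            verdict = r.action
    return verdict


def forward_path(rules, in_iface, out_iface):
    """A forwarded packet is filtered twice: inbound on arrival, outbound on egress.

    Returns (verdict, interface at which that verdict was reached)."""
    inbound = decide(rules, "in", in_iface)
    if inbound == "block":
        return ("block", in_iface)
    return (decide(rules, "out", out_iface), out_iface)


if __name__ == "__main__":
    # On the server: VPN side is tun0, LAN2 side is xl0.
    cases = [
        ("LAN1 -> LAN2 (in tun0, out xl0)", "tun0", "xl0"),
        ("LAN2 -> LAN1 (in xl0, out tun0)", "xl0", "tun0"),
    ]
    for label, i, o in cases:
        print(f"{label}: posted rules {forward_path(POSTED_RULES, i, o)}, "
              f"with LAN pass {forward_path(WITH_LAN_PASS, i, o)}")
```

The model only answers "would the first packet of this flow be accepted"; replies are handled by the state the `keep state` rules create, which is why locally originated pings from a box can succeed while forwarded traffic entering on the same LAN interface is dropped.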
 
Thanks DutchDaemon for reformatting.

One thing that makes me confused in the routing table is this:

Server "netstat -rn"
Code:
...
172.16.10.0/24     172.16.10.2        UGS         0     7985   tun0
172.16.10.2        172.16.10.1        UH          2        0   tun0
192.168.5.0/24     172.16.10.2        UGS         0      106   tun0
192.168.1.0/24     link#2             UC          0        0    xl0

Server ifconfig
Code:
...
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 172.16.10.1 --> 172.16.10.2 netmask 0xffffffff
        Opened by PID 26239


Client "netstat -rn"
Code:
...
172.16.10.0/24     172.16.10.101      UGS         0        0   tun0
172.16.10.101      link#6             UH          0        0   tun0
172.16.10.102      link#6             UHS         0        0    lo0
192.168.1.0/24     172.16.10.101      UGS         0     4011   tun0
192.168.5.0/24     link#2             U           1  1688963    xl1

Client "ifconfig"
Code:
...
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 172.16.10.102 --> 172.16.10.101 netmask 0xffffffff
        Opened by PID 65639


The client routing table makes most sense to me. Why is OpenVPN not routing the 172.16.10.0/24 network straight to the tun0 interface? And why is 172.16.10.2 routed to 172.16.10.1?
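As an added example (not from the post): a small Python model of the kernel's longest-prefix lookup, fed with the three `netstat -rn` tables quoted in this thread. It shows why the choice of gateway address for 192.168.5.0/24 does not matter on the wire: the OpenVPN-installed route via 172.16.10.2 and the hand-added one via 172.16.10.102 both resolve to tun0, because tun0 is point-to-point and the gateway column only selects the interface. It also shows that the `UH` entry for 172.16.10.2 is the host route FreeBSD keeps for the tun peer (more specific than the /24, so it wins), with the local end of the link printed in the gateway column rather than a real next hop. The default routes were elided in the post, so unmatched destinations return None here.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "dest gateway flags iface")

# Routing tables copied from the thread (server and client `netstat -rn`), trimmed to the
# lines shown there; the default routes were elided in the post, so unmatched addresses
# resolve to None here instead of going out the external interface.
SERVER_NETSTAT = """\
172.16.10.0/24     172.16.10.2        UGS         0     7985   tun0
172.16.10.2        172.16.10.1        UH          2        0   tun0
192.168.5.0/24     172.16.10.2        UGS         0      106   tun0
192.168.1.0/24     link#2             UC          0        0    xl0
"""

# The earlier server table from the first post, where the LAN1 route had been added by
# hand with the client's tun address as gateway instead of the server's own peer address.
SERVER_NETSTAT_MANUAL = """\
172.16.10.0/24     172.16.10.2        UGS         1 17792880   tun0
192.168.5.0/24     172.16.10.102      UGS         0     2406   tun0
"""

CLIENT_NETSTAT = """\
172.16.10.0/24     172.16.10.101      UGS         0        0   tun0
172.16.10.101      link#6             UH          0        0   tun0
172.16.10.102      link#6             UHS         0        0    lo0
192.168.1.0/24     172.16.10.101      UGS         0     4011   tun0
192.168.5.0/24     link#2             U           1  1688963    xl1
"""


def parse_netstat(text):
    """Parse the FreeBSD netstat -rn columns we need: destination, gateway, flags, interface."""
    table = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        # A bare host address (no /len) is a host route, i.e. a /32.
        dest = ipaddress.ip_network(parts[0], strict=False)
        table.append(Route(dest, parts[1], parts[2], parts[-1]))
    return table


def lookup(table, dst):
    """Longest-prefix match, as the kernel does it: the most specific destination wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if addr in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def egress(table, dst):
    """Interface a packet to dst leaves on, after resolving an indirect (G) gateway once."""
    r = lookup(table, dst)
    if r is None:
        return None
    if "G" in r.flags and not r.gateway.startswith("link#"):
        via = lookup(table, r.gateway)
        return via.iface if via else r.iface
    return r.iface


SERVER_TABLE = parse_netstat(SERVER_NETSTAT)
SERVER_TABLE_MANUAL = parse_netstat(SERVER_NETSTAT_MANUAL)
CLIENT_TABLE = parse_netstat(CLIENT_NETSTAT)

if __name__ == "__main__":
    for name, table, dst in [
        ("server, LAN2 host -> LAN1 host", SERVER_TABLE, "192.168.5.7"),
        ("server, manual route variant", SERVER_TABLE_MANUAL, "192.168.5.7"),
        ("server, to its own tun peer", SERVER_TABLE, "172.16.10.2"),
        ("client, LAN1 host -> LAN2 host", CLIENT_TABLE, "192.168.1.20"),
    ]:
        r = lookup(table, dst)
        print(f"{name}: {dst} matches {r.dest} via {r.gateway} ({r.flags}), "
              f"egress {egress(table, dst)}")
```

Since the server table sends LAN2-to-LAN1 packets to tun0 either way, the kernel's part is consistent with the tcpdump observation (packets visible on FBSD2's tun0); what happens next is up to the OpenVPN daemon, which forwards to a client's LAN only when an `iroute` for that network is attached to that client's session, so the ccd file name must match the client certificate's common name exactly.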