OpenVPN bridge network from routed clients
Posted by gphilip on Server Fault
Published on 2013-11-06T08:42:52Z
I have the following setup:

- subnet 1 - 10.0.1.0/24 with a machine used as NAT and also running an OpenVPN client
- subnet 2 - 192.168.1/24 with an OpenVPN server (the server in subnet 1 connects here)
- subnet 3 - 10.0.2.0/24 that uses the NAT machine (subnet 1) to access the internet, so all non-local traffic is routed there to the eth0 interface
The OpenVPN client creates the tun0 interface and appropriate routing so that I can access machines from 192.168.1/24:

    [root@ip-10-0-1-208 ~]# telnet 192.168.1.186 8081
    Trying 192.168.1.186...
    Connected to 192.168.1.186.
    Escape character is '^]'.

    [root@ip-10-0-1-208 ~]# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
    10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
    10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
    10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    169.254.169.254 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
    192.168.0.0     10.8.0.5        255.255.0.0     UG    0      0        0 tun0
However, when I try the same from subnet 3, it can't reach that machine.

    [root@ip-10-0-2-61 ~]# telnet 192.168.1.186 8081
    Trying 192.168.1.186...

I suspect that it's because subnet 3 is routed to eth0 on the NAT machine in subnet 1 and it cannot jump to tun0.
What's the easiest way to resolve it? I don't want to use iptables. I can't change the routing from machines in subnet 1 because it's done in AWS and so it works only with specific interfaces. Also, the NAT machine gets its IP with DHCP and so bridging is a bit complicated.
IP forwarding is set on the NAT machine:

    [root@ip-10-0-1-208 ~]# cat /proc/sys/net/ipv4/ip_forward
    1
Thank you!
© Server Fault or respective owner
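The following is an added example, not part of the question or of any answer on the original page. It replays the routing decisions on both ends of the tunnel: the NAT machine's table is copied from the `route -n` output above, while the OpenVPN server's table is constructed here as an assumption (the question does not show it); the assumption is that the server has a route for 10.0.1.0/24 over the tunnel but none for 10.0.2.0/24. With `ip_forward` set to 1, the forward leg from 10.0.2.61 already leaves the NAT machine on tun0, so the thing worth checking is the return leg. In OpenVPN's tun mode the server learns which client owns a subnet from a `route` line in the server config plus an `iroute` line in that client's client-config-dir file; hosts in 192.168.1.0/24 (or their default gateway) additionally need a route for 10.0.2.0/24 pointing at the OpenVPN server, which keeps the design route-based rather than iptables-based.

```python
import ipaddress

# `route -n` body of the NAT machine (10.0.1.208), copied from the question.
NAT_ROUTE_N = """\
0.0.0.0         10.0.1.1        0.0.0.0         UG    0 0 0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0 0 0 eth0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0 0 0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0 0 0 tun0
169.254.169.254 0.0.0.0         255.255.255.255 UH    0 0 0 eth0
192.168.0.0     10.8.0.5        255.255.0.0     UG    0 0 0 tun0
"""

# Constructed (assumed) table for the OpenVPN server in subnet 2. The question
# does not show it; assumed: it knows its LAN, the tunnel, and 10.0.1.0/24 via
# the client's `iroute`, but nothing about 10.0.2.0/24.
SERVER_ROUTE_N = """\
0.0.0.0         192.168.1.1     0.0.0.0         UG    0 0 0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0 0 0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0 0 0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0 0 0 tun0
10.0.1.0        10.8.0.2        255.255.255.0   UG    0 0 0 tun0
"""


def parse_route_n(text):
    """Parse `route -n` body lines into (network, gateway, iface) tuples."""
    routes = []
    for line in text.strip().splitlines():
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        routes.append((ipaddress.IPv4Network((dest, mask)), gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching prefix wins, as in the Linux FIB."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def with_route(routes, dest, mask, gw, iface):
    """Return a copy of `routes` with one extra entry (what `route add` would do)."""
    return routes + [(ipaddress.IPv4Network((dest, mask)), gw, iface)]


def trace(nat_routes, server_routes, src, dst, tunnel="tun0"):
    """Check both legs of a src->dst flow across the tunnel.

    forward_iface: interface the NAT machine uses to reach dst.
    return_iface:  interface the OpenVPN server uses to reach src.
    The flow only works when both legs use the tunnel interface.
    """
    fwd = lookup(nat_routes, dst)
    ret = lookup(server_routes, src)
    return {
        "forward_iface": fwd[2],
        "return_iface": ret[2],
        "symmetric": fwd[2] == tunnel and ret[2] == tunnel,
    }


if __name__ == "__main__":
    nat = parse_route_n(NAT_ROUTE_N)
    server = parse_route_n(SERVER_ROUTE_N)

    # Subnet 1 host: both legs cross tun0, matching the working telnet above.
    print(trace(nat, server, "10.0.1.208", "192.168.1.186"))
    # Subnet 3 host: forward leg is fine, return leg falls to the server's default route.
    print(trace(nat, server, "10.0.2.61", "192.168.1.186"))
    # After the server learns 10.0.2.0/24 over the tunnel (OpenVPN `route` + `iroute`):
    fixed = with_route(server, "10.0.2.0", "255.255.255.0", "10.8.0.2", "tun0")
    print(trace(nat, fixed, "10.0.2.61", "192.168.1.186"))
```

The point the trace makes is that a silent `Trying ...` on the subnet 3 host is consistent with an asymmetric path: the SYN reaches 192.168.1.186, but the SYN-ACK addressed to 10.0.2.61 is sent toward the internet instead of back into the tunnel. Running the same kind of lookup against the real server table (`route -n` or `ip route get 10.0.2.61` on the server and on 192.168.1.186) confirms which leg is missing before any route is added.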