Hi Guys.

I've got a debian server, connected to another LAN via VPN.
On the debian server, a ping to the other end of the VPN works properly.

Debian server (10.0.5.1) pings to VPN end point (10.0.1.1) - works.

Now, im using that server as gateway for the windows computers on the LAN. Pinging 10.0.1.1 from these computer wont work. I cant explain, but i think its a routing issue. What I have to do to get it working?

Thanks!

You probably need a static route in your route table on the Debian server. Please post the route table on this server (which you can get with the command netstat -rn), so that we can be sure of exactly what the situation is, and can recommend a fix.

eth0 (10.0.3.212) is used to connect to the ADSL modem.
eth1 (10.0.5.1) is used as LAN gateway.
ppp0 is the ADSL connection.

Your network design is flawed, The route to 10.0.0.0/16 does technically swallow the other networks which are /24's The kernel may be unable to make a correct routing decision because of this.

Well, that might be true, I changed it, but it doesent work.

I tried to ping from a LAN computer (10.0.5.21) to the VPN end point server (10.0.1.1) - that doesnt work.
Pinging from server (10.0.5.1) to VPN end point (10.0.1.1) works.
Pinging from VPN end point (10.0.1.1) to LAN computer (10.0.5.21) works too. That means - traffic is not relayed from LAN to the VPN end point.

I need to route any traffic from 10.0.5.0/24 over the VPN tunnel, so the Windows Clients on the LAN can reach the VPN end point.

Just for clarity please state when networks (LAN's) are on either side of the tunnel, because by saying tunnel end point i assume you are talking about the interface that is on the router on there otherside but what is the LAN behind that tunnel ?

Please note also that the routes need to be created on both sides the packets you send to the other LAN need to know how to come back to this LAN.

I have several observations, some of which may help clear up your routing issue.

First, routes are considered in the order they appear in the routing table; only if several offer a way to reach the desired destination is any weighting taken into consideration. As far as I can see, you have no way specified for anyone to reach addresses in the range 10.0.1.x/24, except for the inclusive 10.0.x.x/16 entry that datopdawg has noted as problematic.

If you are sure that you did the ping experiment showing that the Debian box could reach the other end of the tunnel by specifying a destination address rather than a name, then this indicates that the 10.0.x.x/16 route entry is the one that was used.

Yet machines beyond the Debian box on net 10.0.5.x are not able to ping 10.0.1.1 address. You say you are using the Debian box as a gateway for those machines; does that mean that they have a default route to the LAN interface on the Debian box (10.0.5.1?) Windows calls this a default gateway. And just for completeness, does the Debian box have forwarding turned on (/proc/sys/net/ipv4/ip_forward = 1), and are there any iptables rules in the FORWARD chain? Either of these could be blocking the ping packets.

I would agree that you should remove the 10.0/16 route, and I would replace it with an explicit route: If this still does not work, I would recommend using tcpdump to find out what the Debian box is actually doing with the packets from your windows box. You can specify that tcpdump will only report on packets with a source or destination address equal to that of the windows box under test; be sure to specify -i any or tcpdump will not listen on all your interfaces.