This is written for Raspberry Pi/Raspbian Wheezy.
I've added a second page showing the connection in action as I VNC my home desktop over VPN.
When I'm away from home, I need to be able to access some of my home computers. In the past I ssh'd into my always-on small computer, which used to be an unSlung NSLU2 and is now a Raspberry Pi (the B with 4 USB ports).
That allows me to easily do rather simple things like transfer files up or down, or check on MythTV. For that, I ssh in to Pi, WOL Myth, and tunnel MythWeb over another ssh connection. That means more than one port being forwarded at the router—one for each computer I connect to.
OpenVPN sounds like a simpler method, as only one port is needed. I can open a VPN connection and do everything else from there. So far, my tests are giving satisfactory results, but it wasn't easy getting there.
It was easy enough to get OpenVPN installed and running on Pi. Connection to Pi—easy. But connecting to other computers on the network was more difficult. Or, it may be that there is a lot of confusing and partial information on the Internet. Tap or tun? That seemed to be a major issue. "Routes" and static routing on the gateway were also confusing/misleading. Of course, I had to allow for the fact that my slow DSL was part of the frustration.
Finally, after a few attempts, I have it working by combining a few things I found during my searches - and it appears that it's real easy.
I will restate my mission. I simply need a connection from my travelling laptop into my home network. I do not need to access my travelling laptop from my home network (after all, I'm not at home).
The method here allows me to do everything I need, plus, I can browse the web from my traveller with the source address being my home connection.
Summary of network:
Internet—6/1 AT&T to ARRIS NGV589 modem/router/access point. NAT to LAN router - address provided 192.168.1.64. LAN router NAT's network on 192.168.11.0/24.
Raspberry Pi—192.168.11.158. OpenVPN server default at 10.8.0.0.
Modem—I switched DSL services while I was experimenting. I had old/slow DSL with a modem feeding the public address to my router, and, I was forced to switch to Uverse. The provided Arris is a combo unit with the wireless off, and, only one address available to the LAN. I know that results in double-NAT, but, it hasn't caused a problem so far.
LAN router—gets 192.168.1.64 from the modem and provides 192.168.11.0/24 to the LAN. LAN device addresses are reserved and there's a couple of forwarded ports, but nothing else.
Pi—gets 192.168.11.158, and, runs OpenVPN full time providing 10.8.0.0. Pi does some other small tasks like being syslog server for router logs and handles waking MythTV when required for recording. It's definitely not strained, even when handling VPN.
MythTV—is at 192.168.11.126. It does NOT run OpenVPN. It's normally off, and Pi WOL's it for recording. As part of shutdown it sends the next recording time to Pi.
Desktop computer—is at 192.168.11.76. It does NOT run OpenVPN. It's normally off, and Pi WOL's it, if needed.
My testing, so far, has been from my laptop connected to the Internet through my Internet-On-The-Go hot spot. While VPN'd in, I have ssh/sftp'd in to the Pi, transferred files, did the MythTV WOL (from the Pi), and accessed MythWeb. That is via the http server on MythTV and permits status checking and schedule adjustment.
I have VNC'd into the desktop. I run x11vnc server on the desktop, and TightVNC viewer on the laptop. It works OK (for me).
I've also browsed the Internet, and, that worked acceptably well for routine activities, with an IP check showing my connection being my home network.
Using Htop to monitor the Pi's CPU activity, I found the max % was in the 25-35 range while doing most things, so it definitely wasn't being overworked. That may be due to the relatively slow speed of my connection.
One other thing—I have a dynamic connection and do not use a dynamic DNS service. One of the things Pi does is locally check my public IP several times a day and send an email to my phone when it changes. I use a script to send the address to my laptop's /etc/hosts. That is why the remote in the .ovpn is a name + port.
These are the files I added/modified while setting this up. I don't know if they are "right", but they do make it work.
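One way the laptop side of that /etc/hosts update could look, as an added example and not the script I actually use. The host name `home-vpn`, the function names and the addresses are assumptions made up for illustration. The address is validated before it is written, since it arrives from outside the machine.

```shell
#!/bin/sh
# Added example: function names, "home-vpn" and all addresses are constructed.

# Return 0 only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, empty octets
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Point NAME at IP in HOSTS_FILE (assumes NAME is the second field on its line).
# Returns 0 if the file was changed, 1 if already current, 2 on bad input.
update_hosts_entry() {
    hosts_file=$1; name=$2; ip=$3
    valid_ipv4 "$ip" || return 2
    case "$name" in ''|*[!A-Za-z0-9.-]*) return 2 ;; esac
    current=$(awk -v n="$name" '$2 == n { print $1; exit }' "$hosts_file")
    [ "$current" = "$ip" ] && return 1
    tmp=$(mktemp "${hosts_file}.XXXXXX") || return 2
    awk -v n="$name" '$2 != n' "$hosts_file" > "$tmp"   # drop the stale line
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$hosts_file"   # overwrite in place: keeps owner and mode
    rm -f "$tmp"
    return 0
}

# Usage (as root, with the address taken from the notification):
#   update_hosts_entry /etc/hosts home-vpn 198.51.100.23
```

With the name kept current in /etc/hosts, the remote line in the .ovpn never has to change when the public address does.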