Seems you are using dhcpcd, dnsmasq and networking (ifupdown) together with OpenVPN. It looks a little bit like a Rube Goldberg machine ;-)
I can offer you a solution with systemd-networkd that does it all at once (except OpenVPN). On the raspi, network traffic has to go three different ways, so we need a router there. I use Raspbian Stretch Lite 2018-06-27 upgraded to the latest software. I suppose your OpenVPN is set up, you can connect to the OpenVPN server, and you are using a USB ethernet dongle for eth1.
For the example I use these IP addresses:
                                                  10.10.10.2  ┌──────────┐           10.10.10.1
                                                 / vpn-tunnel │          │                     \
                                           (tun0) =══════════════╗    ╔═════════════════════════ VPN-SERVER
Desktop <---------> (eth1)RPI(eth0) <-----------> ROUTER <--> │ INTERNET │
        \  wired  /                 \   wired   /        wan  │          │
   (by dhcp)  192.168.1.1     192.168.0.2   192.168.0.1       └──────────┘
Setup systemd-networkd
For detailed information look at [1]. Here only in short. Execute these commands:
rpi ~$ sudo -Es
rpi ~# apt install openvpn-systemd-resolved
rpi ~# systemctl mask networking.service
rpi ~# systemctl mask dhcpcd.service
rpi ~# sudo mv /etc/network/interfaces /etc/network/interfaces~
rpi ~# sed -i '1i resolvconf=NO' /etc/resolvconf.conf
rpi ~# systemctl enable systemd-networkd.service
rpi ~# systemctl enable systemd-resolved.service
rpi ~# ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
To configure the interfaces create these two files:
rpi ~# cat > /etc/systemd/network/04-eth0.network <<EOF
[Match]
Name=eth0
[Network]
Address=192.168.0.2/24
Gateway=192.168.0.1
IPForward=yes
EOF
rpi ~# cat > /etc/systemd/network/08-eth1.network <<EOF
[Match]
Name=eth1
[Network]
Address=192.168.1.1/24
DHCPServer=yes
EOF
Reboot.
Setup routing
Now you have to set a static route in your internet router so it can find the route over the raspi to your desktop. On most internet routers you can set a static route, but how to do that varies from model to model. It's up to you to find it out. For our example the gateway (next hop) is 192.168.0.2, destination network is 192.168.1.0/24 (or 192.168.1.0 netmask 255.255.255.0). On a Raspberry Pi it would look like this (don't set it on your Raspi router!):
rpi ~$ sudo ip route add 192.168.1.0/24 via 192.168.0.2 dev ethX
That means for the internet router: "send all packets belonging to subnet 192.168.1.0/24 (destination network) to the next router on my subnet, your raspi-router 192.168.0.2 (gateway). It knows where to go on."
If you have no access to the internet router you can fake it with NAT (network address translation) to tell it a lie that all packets are coming from your raspi. Set this on your Raspberry Pi:
rpi ~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
But this should only be the second choice because it's not clean routing, has limitations and may be confusing. Your internet router also uses NAT, so we have a double NAT that's not good for performance.
Start the VPN tunnel and things should go.
references:
[1] Howto migrate from networking to systemd-networkd with dynamic failover
[2] Raspberry pi as access point with vpn
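
Added example, not part of the original answer: a small model of the internet router's route lookup, showing where replies to the desktop go without the static route, with it, and with MASQUERADE on the raspi. The interface names "lan"/"wan", the "ISP gateway" next hop and the desktop address 192.168.1.50 are assumptions made for illustration.

```python
import ipaddress

# Constructed model of the internet router's routing table, using the
# example addresses from the answer. "lan", "wan" and "ISP gateway" are
# assumed names, not values from the answer.
BASE_ROUTES = [
    ("0.0.0.0/0", "wan", "ISP gateway"),   # default route to the internet
    ("192.168.0.0/24", "lan", None),       # directly connected LAN (on-link)
]
# The static route the answer asks you to add on the internet router.
STATIC_ROUTE = ("192.168.1.0/24", "lan", "192.168.0.2")


def lookup(routes, dst):
    """Longest-prefix match: return (interface, next_hop) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [
        (ipaddress.ip_network(net), dev, hop)
        for net, dev, hop in routes
        if addr in ipaddress.ip_network(net)
    ]
    if not matches:
        return None
    _, dev, hop = max(matches, key=lambda m: m[0].prefixlen)
    return dev, hop or dst  # on-link route: deliver straight to dst


def reply_path(routes, desktop_ip, masquerade=False):
    """Where the internet router sends the reply to a packet from the desktop.

    With MASQUERADE on the raspi's eth0 the router only ever sees
    192.168.0.2 as the source address, so that is where it replies.
    """
    seen_source = "192.168.0.2" if masquerade else desktop_ip
    return lookup(routes, seen_source)


if __name__ == "__main__":
    desktop = "192.168.1.50"  # constructed DHCP lease on eth1's subnet
    print("no route, no NAT:", reply_path(BASE_ROUTES, desktop))
    print("static route    :", reply_path(BASE_ROUTES + [STATIC_ROUTE], desktop))
    print("MASQUERADE      :", reply_path(BASE_ROUTES, desktop, masquerade=True))
```

Without the static route and without NAT, the reply matches only the default route and leaves through the WAN side, so it never reaches the desktop.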