Sorry, I think you misunderstood me. Changing the networks was my solution until today, because now I know Shorewall netmap. Sorry for my bad English, past tense somewhat…
I am, like you, looking for a good solution which may also be easy.
Did you notice the advice in the link?
server 192.168.254.8 255.255.255.240
port 1195
push "route 172.20.1.0 255.255.255.0"
In /etc/shorewall/netmap, put these entries:
#TYPE NET1 INTERFACE NET2
SNAT 192.168.1.0/24 tun1 172.20.1.0/24
DNAT 172.20.1.0/24 tun1 192.168.1.0/24
The roadwarrior can now connect to port 1195 and access the lan on the right as 172.20.1.0/24.
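An added example, not part of the original post or of Shorewall itself: a small Python model of what the two netmap entries above do to a packet's addresses on tun1. It assumes that DNAT entries rewrite the destination of packets arriving on the interface and SNAT entries rewrite the source of packets leaving it; the function names and the client address used in testing are constructed for illustration.

```python
import ipaddress

# The two netmap entries quoted in the post (TYPE NET1 INTERFACE NET2).
NETMAP = """\
#TYPE NET1 INTERFACE NET2
SNAT 192.168.1.0/24 tun1 172.20.1.0/24
DNAT 172.20.1.0/24 tun1 192.168.1.0/24
"""

def parse_netmap(text):
    """Return (type, net1, interface, net2) rules, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        kind, net1, iface, net2 = line.split()
        net1, net2 = ipaddress.ip_network(net1), ipaddress.ip_network(net2)
        # A 1:1 mapping only makes sense between networks of equal size.
        if net1.prefixlen != net2.prefixlen:
            raise ValueError(f"prefix lengths differ: {line}")
        rules.append((kind, net1, iface, net2))
    return rules

def remap(addr, net1, net2):
    """Replace the network bits of addr (in net1) with net2's, keep host bits."""
    host_bits = int(addr) & int(net1.hostmask)
    return ipaddress.ip_address(int(net2.network_address) | host_bits)

def translate(rules, src, dst, iface, direction):
    """Apply the rules to one packet; direction is 'in' or 'out' on iface.

    Assumed semantics: DNAT rewrites the destination of packets arriving
    on the interface, SNAT rewrites the source of packets leaving it.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for kind, net1, rule_iface, net2 in rules:
        if rule_iface != iface:
            continue
        if kind == "DNAT" and direction == "in" and dst in net1:
            dst = remap(dst, net1, net2)
        elif kind == "SNAT" and direction == "out" and src in net1:
            src = remap(src, net1, net2)
    return str(src), str(dst)
```

A request from the roadwarrior to 172.20.1.25 reaches the LAN host 192.168.1.25, and the reply leaves tun1 with source 172.20.1.25, so the client never sees the real 192.168.1.0/24 addresses.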