I was actually able to figure it out. It’s not the firewall, it’s iptables. It’s not routing green packets to the vpn interface. I did some research online and found what looks like an answer.
I ran these iptables commands in an SSH session and am now able to ping the remote network from computers on my LAN.
iptables -A FORWARD -i enp0s20u4 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o enp0s20u4 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE <-- edit: this is all I needed to run
Where enp0s20u4 is my green interface and tun0 is my openvpn tunnel.
And now it works! I haven’t tested it to see if it persists through reboots yet, but this is a big improvement from where I was.
Shouldn’t NS be adding these rules to iptables when the VPN client is set up though?
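As an added example that is not part of the original post: a small POSIX sh script that applies the three rules above idempotently, so it can be run at every boot without stacking duplicate entries, and whose comments spell out why the return direction is limited to ESTABLISHED,RELATED. The script name vpn_forward.sh and the LAN_IF, VPN_IF and IPTABLES environment overrides are assumptions; the interface names default to the poster's.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the LAN -> VPN
# forwarding rules described above without duplicating them on re-run.
# Assumed overrides: LAN_IF, VPN_IF (interface names) and IPTABLES
# (binary to call; can point at a stub for testing).
LAN_IF="${LAN_IF:-enp0s20u4}"
VPN_IF="${VPN_IF:-tun0}"

# ensure_rule TABLE CHAIN RULE...: append the rule only if `iptables -C`
# reports it absent, so running this from a boot script is idempotent.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    ipt="${IPTABLES:-iptables}"
    if "$ipt" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo "present: -t $table $chain $*"
        return 0
    fi
    "$ipt" -t "$table" -A "$chain" "$@"
}

apply_vpn_forwarding() {
    # LAN hosts may open new connections toward the tunnel ...
    ensure_rule filter FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    # ... but packets arriving from the tunnel are forwarded to the LAN
    # only when they belong to a connection the LAN side initiated, so
    # nothing on the remote network can reach LAN hosts unsolicited.
    ensure_rule filter FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rewrite LAN source addresses to the tunnel address so the remote
    # side knows where to send replies.
    ensure_rule nat POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Apply only when executed as a script, not when sourced.
case "$0" in
    */vpn_forward.sh|vpn_forward.sh) apply_vpn_forwarding ;;
esac
```

Running it twice prints "present:" for each rule on the second pass instead of adding a second copy.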