TBH I'm not 100% sure. Whilst I have been somewhat involved in maintaining our TurnKey OpenVPN appliance over the years, I'm certainly not expert on it's operation; or networking in general TBH. I have tested that it works as intended for each release, but have not tried any custom config.

Following your question, I've done a bit of reading (googled "disable NAT masquerading openvpn") and I don't have any specifics for you, but have a general idea of what might be involved, plus more understanding on why we provide the default config that we do.

So essentially it seems that what you want should be possible. However it seems that the default NAT/masquerading config should "just work" without any broader network config (hence why that's what we provide by default).

I'm not 100% sure, but it seems that if NAT/MASQUERADE is disabled, then routes to the OpenVPN subnet need to be manually configured on your network. Otherwise devices outside the OpenVPN subnet will not be able to route to ones within it.

Sorry, it's not a clear answer to your question, bit it's the best I can manage. Plus there is a chance that I've completely misunderstood what I just read - so hopefully I'm not leading you astray.

To get further info, it's probably worth being aware that the current v15.x TurnKey appliance is based on Debian 9/Stretch (aka oldstable). We install OpenVPN the Debian repositories (OpenVPN v2.4.0 in our v15.x app) and beyond our "helper scripts", the "q code" hosting (to make mobile device connection super easy) and our default config, there isn't particularly special about OpenVPN in our appliance. So probably the best place to get a better understanding of OpenVPN is to read up on their docs. There are a few somewhat relevant questions on their forums too, although unfortunately don't appear to have any answers. There also seem to be quite a few relevant questions on SuperUser (i.e. the StackExchange site) but none that jump out as explicitly answering your question (although perhaps I'm missing something). Anyway, here are a few links that look like they may have value:

OpenVPN reference/docs:

• Reference manual for OpenVPN 2.4
• openvpn(8) man page (online) (essentially the same as above from what I can see)
• Configuring client-specific rules and access policies

• OpenVPN Community Project support forums
• Forum thread: Client issue in config - Proper routing rather than NAT/MASQUERADE (seems relevant?!)
• (Found some others but they either didn't have answers, or didn't seem quite directly relevant).

• SuperUser: disable NAT in openvpn
• SuperUser: OpenVPN without NAT
• SuperUser: OpenVPN gateway without NAT

Now just re-reading your question, it's seems to me that I've actually tried to answer a slightly broader meta-question, rather than explictly answering your question. Regarding configuring iptables, you can either configure that via Webmin, or via the commandline. Webmin config should be fairly straight forward and commandline config is probably more complex than I can explain here in a few words, but you'll find plenty of info via an internet search (something like "iptables tutorial" should get you up to speed pretty quick).

Anyway, whilst it's not a simple answer to yoru question, I hope my post is of some value. If you get it working to your requirements, it'd be super awesome if you could post back - I'm sure others would appreciate it! :)