Well done !! 😉
This is the ‘basic’ OpenVpn H2L, when you are ready, we can start to try something slightly different …..
P.S. the S.NAT, in the openvpn, has its function, it a topology like yours, where all the hosts have ZS as default gateway, is not necessary, but think at another type of topology, where, maybe, ZS (10.1.1.254) is a simply host used only as VPN server, placed in a existing network (eg. 10.1.1.0/24) with other hosts, and the default gateway is another router (10.1.1.1)….whithout the SNAT, incoming packets destinated to the lan hosts, will be forwarded out with their real ip address (something like 192.168.250.10)….. the host, eg 10.1.1.25, for reply to the host 192.168.250.10 will forward the packet to its default gateway (10.1.1.1), in this case, or the deafult gateway has a static route for the network 192.168.250.0/24 or the packet will be lost.
With the SNAT, the source ip address of all packets that are arrived via vpn and that are forwarded out by ZS from one of its interface, will be translated with the ip address of the outgoing interface (10.1.1.254), so , for the host (10.1.1.25) is easy to reply
This is the output with the SNAT checked