@PhilipDAth wrote: It looks like you have thee subnets, so test it first on a Digital Ocean machine with:   ip route add 192.168.88.0/24 via 10.99.10.2 ip route add 10.255.255.0/24 via 10.99.10.2 ip route add 192.168.89.0/24 via 10.99.10.2   Assuming 10.99.10.2 is your StrongSwan machine.  If after doing that you can ping the machine then add it to rc.local so it happens every boot.  You'll need to be root to execute the above commands. I figured out why it wouldn't work. Strongswan does the routes automatically, but DigitalOcean (my provider) doesn't allow traffic from different source IP (other than a private IP) to be forwarded to private networks. In other words, the VM is reachable, but not the network behind it. ... View more

@Andreas-B   Problems with old tech scanners is widespread, across all sorts of networks.   Put them on their own Wi-Fi network that has the oldest WiFi standards enabled (802.11a and 802.11b) and the original (weak) password security, and turn off anything remotely clever.     ... View more

Thank you everyone for the clarification. ... View more