I was setting up OpenVPN so that I can access my work LAN from the outside (currently using MS VPN). In order to access the LAN via OpenVPN, they say you have to enable IP routing on the OpenVPN server (which is XP Pro SP2), see http://openvpn.net/index.php/documentation/howto.html#scope
This worked fine; however, once I enabled IP routing, not only can the VPN clients route to my LAN, but every machine in my DMZ can now route to the LAN. I have the XP Firewall set to only allow access to the OpenVPN port 1194, and only from my PIX 501 (which NATs in a public IP). A machine in my DMZ can route to my internal LAN just by adding a route through the OpenVPN server. They can't ping the OpenVPN server, they can't access any files or services on the OpenVPN server, but they can still route through it. They can ping through it, they can do remote desktop through it. Thus if any of my DMZ machines were compromised, they would have clear access to my LAN, which kind of defeats the point of a DMZ. Is this a bug? Did I do something wrong? See attached picture for config.
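The reproduction the post describes, written out as an added example that is not the poster's own commands or the attached config. It is run from a DMZ host in cmd.exe. All addresses are assumptions: 192.168.1.0/24 for the internal LAN, 10.0.0.5 for the OpenVPN server's DMZ-facing address, and 192.168.1.20 for some internal host; substitute your own.

```batch
@echo off
rem Added example, not from the original post. Run on a DMZ host (Windows cmd.exe).
rem Assumed addresses: internal LAN 192.168.1.0/24, OpenVPN server's DMZ address
rem 10.0.0.5, internal test host 192.168.1.20. Substitute your own.
set LAN_NET=192.168.1.0
set LAN_MASK=255.255.255.0
set VPN_HOST=10.0.0.5
set LAN_TARGET=192.168.1.20

rem 1. Traffic addressed to the OpenVPN server itself is what the XP Firewall
rem    filters, so a direct ping of the server is expected to fail.
echo === Direct ping of the OpenVPN server (expected to fail) ===
ping -n 2 %VPN_HOST%

rem 2. Point the LAN prefix at the OpenVPN server. Nothing on the server has to
rem    be changed for this: with IP routing enabled it forwards for any neighbour
rem    that sends it a packet with a foreign destination.
echo === Adding route to %LAN_NET% mask %LAN_MASK% via %VPN_HOST% ===
route add %LAN_NET% mask %LAN_MASK% %VPN_HOST%

rem 3. Packets are now forwarded through the server rather than delivered to it,
rem    so an internal host answers even though the server itself did not.
echo === Ping of an internal host through the OpenVPN server ===
ping -n 2 %LAN_TARGET%
tracert -d -h 5 %LAN_TARGET%

rem 4. Remove the test route again.
route delete %LAN_NET%
```

Step 1 failing while step 3 succeeds is exactly the symptom in the post: the host firewall decides what may reach the server's own stack, but a forwarded packet never terminates there. To confirm that forwarding is the only thing making this possible, check the value the OpenVPN HOWTO has you set on the server (`reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v IPEnableRouter`); with it back at 0 the route added in step 2 still exists on the DMZ host, but step 3 no longer gets a reply, because the server drops packets that are not addressed to it. Any restriction on who may use the server as a router therefore has to be enforced somewhere other than the XP Firewall's inbound port list, for example by filtering DMZ-to-LAN traffic on the device that sits between those two networks.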