Sorry, what can you do? You have router (1), lan client (2), OpenVPN-client (3) with lan behind it, lan client (4), and another OpenVPN-client (5). What can you do, and what can you not do?
I can't ping or access any client LAN computers from server LAN computers and vice versa. But when I log in via SSH to the server router, I can ping the client router and client LAN computers, and vice versa. So routing works only between the two routers, but not for the LANs behind them.
The mobile VPN client can connect to the VPN router, but I cannot ping or access any of the LANs.
OK, so from router running OpenVPN-server you can access lan behind OpenVPN-client?
Thank you for the reply, yes I can.
OK, can you ping from OpenVPN-client lan of router running OpenVPN-server?
No, i can't ping client LAN router or LAN device behind it. Destination is unreachable.
Not a LAN client behind the router running the OpenVPN client, but a LAN client of the router running the OpenVPN server?
I can't...
$ ping 192.168.8.1
PING 192.168.8.1 (192.168.8.1): 56 data bytes
92 bytes from 192.168.2.1: Destination Port Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 9001 0 0000 3f 01 5fde 192.168.2.120 192.168.8.1
192.168.2 - lan
192.168.7 - tun0
192.168.8 - lan behind client
From what device have you run ping?
Have you configured forwarding from vpn to lan on router, running OpenVPN-client?
Network topology is right. I have sent ping from 192.168.2.120.
# OpenWrt UCI network configuration as pasted by the poster (indentation lost
# in the paste). The LAN address 192.168.8.1 matches the subnet the thread
# labels "lan behind client", so this is the router running the OpenVPN client.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# ULA prefix was redacted by the poster.
option ula_prefix 'fxxxxxxx:/48'
# LAN: bridge over eth0.1 with the static address 192.168.8.1/24.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.8.1'
# WAN: eth0.2, addressed by DHCP (IPv4) and DHCPv6 (wan6 below).
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
# MAC address was redacted by the poster.
option macaddr 'xxxxxx'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
# Switch layout: VLAN 1 carries ports 2-5, VLAN 2 carries port 1; both are
# tagged on port 0 ("0t"), presumably the CPU port - confirm for this board.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
# Unmanaged (proto 'none') interface that only gives tun0 a network name, so
# the firewall can refer to the tunnel as network 'VPN'. No address is set
# here; presumably the OpenVPN process configures tun0 itself.
config interface 'VPN'
option ifname 'tun0'
option proto 'none'
======================
# OpenWrt UCI firewall configuration of the same router: global defaults,
# then the lan and wan zones.
config defaults
option syn_flood '1'
# NOTE(review): input ACCEPT as the global default means traffic arriving on
# an interface that belongs to no zone is still accepted by the router itself.
# REJECT is the least-privilege choice if nothing depends on this.
option input 'ACCEPT'
option output 'ACCEPT'
# Forwarded traffic that no zone or forwarding section allows is rejected,
# i.e. answered with an ICMP error rather than dropped silently. The
# "Destination Port Unreachable" in the thread's ping output came from
# 192.168.2.1, so presumably the same kind of reject is firing on that router,
# not on this one - confirm there.
option forward 'REJECT'
config zone 'lan'
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# NOTE(review): masquerading on the lan zone rewrites the source of traffic
# leaving through the LAN interface to this router's LAN address. LAN hosts
# then see (and log) only the router, not the remote peer that contacted them.
# Masquerading is normally enabled on wan only - confirm this is intended.
option masq '1'
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# NOTE(review): tun0 is added to the wan zone here, but the same device is
# also the 'VPN' network that the 'openvpn_fw' zone covers further down.
# A device should belong to exactly one zone: as written, tunnel traffic may
# be judged by the wan policy (input/forward REJECT, masquerade) instead of
# the VPN zone, and the wan-sourced rules and redirect also match the tunnel.
list device 'tun0'
# Traffic rules. A rule with 'src' but no 'dest' matches traffic addressed to
# the router itself; a rule with both matches forwarded traffic.
# LAN hosts may initiate connections towards wan.
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
# Accept DHCP replies (UDP port 68) arriving from wan.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Accept IPv4 echo requests from wan to the router.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# NOTE(review): no 'target' appears in this rule as pasted, so the firewall's
# default rule target applies instead of an explicit ACCEPT - confirm on the
# device whether the line was lost in the paste or is really missing.
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
# Accept DHCPv6 (UDP port 546) between addresses in fc00::/6.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Accept ICMPv6 types 130-132 and 143 from link-local sources (fe80::/10).
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# Accept the listed ICMPv6 types addressed to the router, rate-limited to
# 1000 packets per second.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Accept the listed ICMPv6 types forwarded from wan to any zone (dest '*'),
# with the same rate limit.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): the next two rules let ESP and UDP port 500 from wan be
# forwarded to any LAN host. If no IPsec endpoint lives on the LAN, removing
# them reduces what wan (and, while tun0 is in the wan zone, the tunnel) can
# reach.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Custom rules from /etc/firewall.user are loaded as well; that file is not
# shown in the thread, so it may add rules that are not visible here.
config include
option path '/etc/firewall.user'
# Port forward: UDP 1194 arriving from wan is DNATed to 192.168.8.114:1194 on
# the LAN.
# NOTE(review): this publishes a LAN host to the WAN side. tun0 exists on the
# router itself, so confirm that an OpenVPN service really runs on
# 192.168.8.114; if not, remove the redirect.
config redirect
option dest_port '1194'
option src 'wan'
option name 'VPN'
option src_dport '1194'
option target 'DNAT'
option dest_ip '192.168.8.114'
option dest 'lan'
list proto 'udp'
# Zone for the tunnel (network 'VPN', i.e. tun0). The section itself is
# anonymous; the zone is identified by 'option name', so the missing section
# name is not in itself an error.
config zone
option network 'VPN'
# NOTE(review): input ACCEPT lets anything arriving through the tunnel reach
# every service listening on this router. Restricting input and allowing only
# the needed ports is the least-privilege alternative.
option input 'ACCEPT'
option name 'openvpn_fw'
option output 'ACCEPT'
# NOTE(review): masquerading on the tunnel zone rewrites LAN traffic entering
# the tunnel to the router's tunnel address. The remote site then never sees
# 192.168.8.x sources, which hides the real origin in its logs and is usually
# unwanted for a routed site-to-site link - confirm it is intended.
option masq '1'
option forward 'ACCEPT'
# Forwarding between the tunnel zone and lan is allowed in both directions
# with no port or host restriction; narrow it with rules if the remote site
# should not reach every LAN host.
config forwarding
option dest 'lan'
option src 'openvpn_fw'
config forwarding
option dest 'openvpn_fw'
option src 'lan'
Copy-paste the zone section for wan, and edit it. I am not sure whether 'config zone' without a name works.
What does it mean?
And please, from router, running OpenVPN-server, run traceroute 192.168.8.1
Not solved this yet?
Waiting for answer.
In the process I have killed the Site B router... I have to wait a few days for a manual reboot.