$ traceroute openwrt.org
traceroute to openwrt.org (64.226.122.113), 30 hops max, 60 byte packets
1 10.6.0.1 (10.6.0.1) 10.527 ms 10.532 ms 10.493 ms
2 172.31.1.1 (172.31.1.1) 16.909 ms 16.891 ms 16.864 ms
3 26600.your-cloud.host (65.108.117.241) 10.365 ms 10.321 ms 10.289 ms
4 * * *
5 spine1.cloud1.hel1.hetzner.com (88.198.254.105) 11.451 ms 11.646 ms 11.616 ms
6 * * *
7 core31.hel1.hetzner.com (213.239.228.1) 9.844 ms core31.hel1.hetzner.com (213.239.228.9) 9.804 ms core32.hel1.hetzner.com (213.239.228.13) 9.776 ms
8 core52.sto.hetzner.com (213.239.254.58) 16.251 ms 16.467 ms 16.414 ms
9 * * *
10 core10.ams.hetzner.com (213.239.224.117) 41.756 ms 36.346 ms 36.256 ms
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 wiki-03.infra.openwrt.org (64.226.122.113) 49.595 ms 44.000 ms 44.002 ms
This is the problem. The VPN on your server is configured such that it is the default gateway and the traffic that would arrive from your lan to the lan2 network is rejected.
The issue you're experiencing is not related to OpenWrt, but instead the VPN configuration on the server. To validate this, you can disable the VPN and ensure that the traceroute goes out 192.168.3.1 as would be expected. At that point, inter-vlan routing should work as expected (unless you have a local firewall that rejects connections from other subnets -- windows does this by default, so make sure you don't have a host-level firewall that can interfere with this).
Thanks @psherman !
Now its a little over my skill level, so bear with me...
I did assume that the routing from lan to lan2/server was going via wan to the VPS/VPN and back.
So if I moved the server to lan, is that the solution, or what do you propose here?
It all depends on how the VPN is configured on the host. If it works when you move it back to your lan, problem solved! If not, or if you want the server to reside on that other network, you'll need to add routes to your server's operating system (or exclude them from the VPN tunnel) such that traffic on your local subnets can flow as expected.
As I suggested, if you simply disable/stop your VPN, you should be able to reach your server from your lan (assuming there is nothing else on that host which would prevent it).
[EDIT: The above would be a temporary disabling of the VPN to prove/disprove my assertion that the VPN is the problem.]
Another approach you could take would be to run the VPN on your router and establish the tunnel that way. You would use policy based routing to set the desired behaviors (i.e. server > VPN tunnel > VPS, maybe not everything else) -- based on your goals.
However, if the VPN is going to be running on the server itself, the specifics for resolving it on your server's OS/VPN configuration would be out of scope for the OpenWrt forums.
I still believe that the issue is related to the VPN on the host. The ingress traffic is either not allowed or the related egress is going out through the VPN.
You need to either exclude the local subnets from your VPN tunnel or otherwise set static routes on the operating system of that host such that it routes traffic accordingly.