Forwarding not working on openvpn

Hello.

I have just set up a VPN tunnel which looks as follows:

VPS PFsense with openvpn server

Openwrt (archer c7 v4) with openvpn client

Now I am trying to forward some ports through the VPN tunnel, like RDP for instance. I tried it before with the openvpn client installed directly on a Windows VM. I was able to forward RDP directly to the VPN IP of the Windows VM. Trying the same by forwarding the port to the openvpn client on openwrt, in order to forward this port further on this device, fails.
What is interesting is that I have full communication working between the VPN server and the VPN client: ping etc. I can also telnet to the ports that I have opened on the VPN client IP from the VPN server, but port forwarding doesn't work.

Any ideas please?

Port forwarding should work. Please give your firewall configuration. Not the whole file, but the changes you've made.

Also it is reasonable to configure the LAN behind the client (don't forget to use iroute).

https://openwrt.org/docs/guide-user/firewall/misc/tcpdump_wireshark

Thanks for the replies guys!

I figured out where the issue is, but still don't know how to solve it.
I should probably add what I am trying to do:

rdp on public IP to VPS (pfsense) -> forwarding to 192.168.15.2 (VPN client IP, OpenWRT box at home) -> forwarding to some windows VM in my LAN

  1. When you are connecting to VPN server, it pushes below routes to the client. Basically it routes all IPv4 addresses through VPN server private IP:
0.0.0.0        192.168.15.1    128.0.0.0       UG    0      0        0 tun0
128.0.0.0       192.168.15.1    128.0.0.0       UG    0      0        0 tun0

Then forwarding works

  2. When you remove the above routes, forwarding doesn't work.
  3. I figured out by narrowing the subnets, playing with the masks, that what it needs is to have a route over the VPN server private IP back to the public IP I am trying to connect from.

VPN Client working routing table (not acceptable for me)

> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         192.168.15.1    128.0.0.0       UG    0      0        0 tun0
> default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0.2
> VPN PUBLIC IP  192.168.0.1     255.255.255.255 UGH   0      0        0 eth0.2
> 128.0.0.0       192.168.15.1    128.0.0.0       UG    0      0        0 tun0
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0.2
> 192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
> 192.168.15.0    *               255.255.255.248 U     0      0        0 tun0

VPN Client working routing table with added route to the public IP I am connecting from (PUBLIC SRC IP)

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0.2
PUBLIC SRC IP     192.168.15.1    255.255.255.255 UGH   0      0        0 tun0
VPN PUBLIC IP  192.168.0.1     255.255.255.255 UGH   0      0        0 eth0.2
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.15.0    *               255.255.255.248 U     0      0        0 tun0

Not working config when I enable "route_nopull"

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0.2
VPN PUBLIC IP  192.168.0.1     255.255.255.255 UGH   0      0        0 eth0.2
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.15.0    *               255.255.255.248 U     0      0        0 tun0

This is not a suitable solution for me, because it means every time I wanna connect over the VPN server to my LAN, I need to add a route for the specific IP I am connecting from, in order for it to work.

Any tricks or advice how to work around it please?
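Added example (not part of the thread): a longest-prefix lookup over the three routing tables posted above, showing which interface the reply to the remote RDP client leaves through in each case. The two public addresses are constructed placeholders from documentation ranges, and the model ignores metrics and policy rules.

```python
import ipaddress

# Constructed placeholders for "PUBLIC SRC IP" and "VPN PUBLIC IP" in the thread.
PUBLIC_SRC_IP = "203.0.113.10"
VPN_PUBLIC_IP = "198.51.100.1"

# Routes present in all three posted tables: (destination, genmask, gateway, iface)
BASE = [
    ("0.0.0.0", "0.0.0.0", "192.168.0.1", "eth0.2"),
    (VPN_PUBLIC_IP, "255.255.255.255", "192.168.0.1", "eth0.2"),
    ("192.168.0.0", "255.255.255.0", None, "eth0.2"),
    ("192.168.1.0", "255.255.255.0", None, "br-lan"),
    ("192.168.15.0", "255.255.255.248", None, "tun0"),
]
TABLES = {
    # Server-pushed 0.0.0.0/1 and 128.0.0.0/1 routes (forwarding works)
    "pushed_halves": BASE + [
        ("0.0.0.0", "128.0.0.0", "192.168.15.1", "tun0"),
        ("128.0.0.0", "128.0.0.0", "192.168.15.1", "tun0"),
    ],
    # Manual /32 route back to the connecting client (forwarding works)
    "host_route": BASE + [
        (PUBLIC_SRC_IP, "255.255.255.255", "192.168.15.1", "tun0"),
    ],
    # route_nopull: nothing pushed (forwarding fails)
    "route_nopull": BASE,
}

def lookup(table, dst):
    """Longest-prefix match within one routing table; returns (gateway, iface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface in table:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

def reply_egress(table_name, client_ip=PUBLIC_SRC_IP):
    """Interface the reply to the remote client would leave through."""
    return lookup(TABLES[table_name], client_ip)[1]

if __name__ == "__main__":
    for name in TABLES:
        out = reply_egress(name)
        note = "back through the tunnel" if out == "tun0" else "bypasses the VPS"
        print(f"{name:14} reply to {PUBLIC_SRC_IP} leaves via {out:7} ({note})")
```
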

https://community.openvpn.net/openvpn/wiki/RoutedLans

That doesn't help much.

I cannot install the vpn-policy-routing package. Neither can I find in the repo the dependencies of the package that I am probably missing. Can anyone help to find the link?

according to this I should be able to

root@OpenWrt:~# opkg install libc ipset iptables resolveip kmod-ipt-ipset iptables-mod-ipopt ip-full
Package libc (1.1.19-1) installed in root is up to date.
Package ipset (6.38-1) installed in root is up to date.
Package iptables (1.6.2-1) installed in root is up to date.
Package resolveip (2) installed in root is up to date.
Package kmod-ipt-ipset (4.9.184-1) installed in root is up to date.
Package iptables-mod-ipopt (1.6.2-1) installed in root is up to date.
Package ip-full (4.16.0-8) installed in root is up to date.
root@OpenWrt:~# opkg install vpn-policy-routing
Unknown package 'vpn-policy-routing'.
Collected errors:
 * opkg_install_cmd: Cannot install package vpn-policy-routing.
root@OpenWrt:~#

Have you configured RoutedLans according to the manual above? Why do you need the vpn-policy-routing package? Btw I can't find it either; the vpnbypass package has been suggested, and freifunk-policyrouting.