My router's default route sends traffic over an OpenVPN client, but I've been trying to allow incoming connections from my regular WAN at the same time. The routing policy in the OUTPUT chain makes sure that when a client in WAN connects to my VPN server port on my router, the routers replies get sent back to the WAN and not over the VPN client which is the default route. At first I thought the policy wasn't working, but it seems it is, it's a problem with OpenVPN itself, not the routing policy.
I should note that at this point I can actually connect to the VPN server port from WAN, but the server refuses the connection saying "tls-crypt unwrap error: bad packet ID (may be a replay)"
Anyone have any idea what's causing this? The VPN server is using UDP and tls-crypt. After some searching it seems that switching to TCP may be a solution, but I would rather not do that unless absolutely necessary to avoid it showing up in port scans and other security issues.
Edit: I've switched my VPN server to TCP for now and everything is working, but if anyone knows why the server isn't working with UDP please do let me know, as I prefer UDP for security reasons.
Your rule in PBR, containing 192.168.1.1/24, WAN, and OUTPUT chain is senseless. You are asking trivial questions, and trying to do what I've suggested only when nothing works. UDP is not trackable, so it shouldn't be used in PBR (however it can be used in port forwarding).
Oh right, that box is actually blank, the 192.168.1.1/24 is just an example shown by the web UI for vpn-policy-routing. The documentation does say that those values are definitely just examples and not default values. Sorry for the confusion.
Oh so UDP can't be used with policy routing? In that case I'll have to stick to TCP, at least I can access the VPN server while using a VPN client this way.
My OpenVPN server should still be fairly secure running over TCP, right? I know it might show up in port scans, but with tls-crypt the server should still be fairly well protected against exploits of vulnerabilities in OpenVPN, right?