IP Phone over openVPN

Hi all together,

im new to openwrt but not totally unskilled
I try to connect my homeoffice. therefor i have the following setup

my computer is wired to my TP-Link Archer C50.
on the Archer, i implemented my openVPN config.
Archer is wireless connected to my Fritz!Box which is my internet router

All connections work great
so far so good.
I now connected my IP-Phone (Mitel / AAstra OpenPhone 73IP) to the Archer.
It does not get an DHCP-Address. Nevermind, i used ipphoneconfigurator.jar by Mitel and setup the phone.
Phone tries to download config container from our PBX but doesn't get an answer.

I tried from my computer.
tftp connect to pbx, no download
tftp connect to some other server in the same subnet as the PBX - i see in the server-log that it connects but download times out. Message on the server says timeout waiting for ACK block #1

Then I disconnected my Computer from the Archer, connected directly to Fritz! Box, started openVPN and successfully downloaded the config container via tftp

Net-Setup:
192.168.1.0/24 on Archer LAN-Interface br-lan
10.255.1.0/24 on Fritz!Box (Archer wlan1 / WWAN to Fritz!Box)
after that, Internet, Company-VPN-Server, Company-Net

What am I doing wrong?

Greetings
Chris

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
uci export openvpn; head -n -0 /etc/openvpn/*.conf; head -n -0 /etc/openvpn/*.ovpn; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

Hi, thanks to your reply

root@OpenWrt:~# uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> uci export openvpn; head -n -0 /etc/openvpn/*.conf; head -n -0 /etc/openvpn/*.ovpn; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
package network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd1a:1c73:2648::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config device 'lan_eth0_1_dev'
    option name 'eth0.1'
    option macaddr '74:da:88:05:c1:a8'

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'

config device 'wan_eth0_2_dev'
    option name 'eth0.2'
    option macaddr '74:da:88:05:c1:a9'

config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 4 6t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0 6t'

config interface 'wwan'
    option proto 'dhcp'

package wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'
    option hwmode '11g'
    option path 'platform/10300000.wmac'

config wifi-device 'radio1'
    option type 'mac80211'
    option channel '36'
    option hwmode '11a'
    option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
    option htmode 'VHT80'

config wifi-iface 'wifinet0'
    option ssid 'Chris!Box'
    option device 'radio1'
    option key '<key>'
    option network 'wwan'
    option encryption 'psk2'
    option mode 'sta'

package dhcp

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv6 'server'
    option ra 'server'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

package firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option flow_offloading '1'
    option forward 'ACCEPT'

config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option network 'lan'
    option masq '1'
    option forward 'ACCEPT'

config zone 'wan'
    option name 'wan'
    option output 'ACCEPT'
    option mtu_fix '1'
    option network 'wan wan6 wwan'
    list device 'tun0'
    option input 'ACCEPT'
    option masq '1'
    option forward 'ACCEPT'

config forwarding 'lan_wan'
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config nat
    option src 'wan'
    option name 'tftp'
    option dest_ip '192.168.10.0/24'
    list proto 'tcp'
    list proto 'udp'
    option target 'MASQUERADE'

config zone
    option name 'wifi2vpn'
    option network 'wifi2vpn wwan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'
    option output 'ACCEPT'

config forwarding
    option dest 'wan'
    option src 'wifi2vpn'

package openvpn

config openvpn 'more'
    option config '/etc/openvpn/more.ovpn'
    option enabled '1'

head: /etc/openvpn/*.conf: No such file or directory

client
dev tun
proto udp
remote <company-vpn-server>
compress lzo
nobind
persist-key
persist-tun
tun-mtu 1454
remote-cert-tls server
verb 3
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.255.1.171/24 brd 10.255.1.255 scope global wlan1
       valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1454 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.0.198 peer 10.8.0.197/32 scope global tun0
       valid_lft forever preferred_lft forever
unreachable default table 201 
10.8.0.0/24 via 10.8.0.197 dev tun0 table 201 
10.8.0.197 dev tun0 table 201 proto kernel scope link src 10.8.0.198 
10.255.1.0/24 dev wlan1 table 201 proto kernel scope link src 10.255.1.171 
89.202.34.64/27 via 10.8.0.197 dev tun0 table 201 
192.168.10.0/24 via 10.8.0.197 dev tun0 table 201 
192.168.20.0/24 via 10.8.0.197 dev tun0 table 201 
192.168.30.0/24 via 10.8.0.197 dev tun0 table 201 
192.168.40.0/24 via 10.8.0.197 dev tun0 table 201 
default via 10.255.1.1 dev wlan1 table 202 
10.8.0.0/24 via 10.8.0.197 dev tun0 table 202 
10.8.0.197 dev tun0 table 202 proto kernel scope link src 10.8.0.198 
10.255.1.0/24 dev wlan1 table 202 proto kernel scope link src 10.255.1.171 
89.202.34.64/27 via 10.8.0.197 dev tun0 table 202 
192.168.10.0/24 via 10.8.0.197 dev tun0 table 202 
192.168.20.0/24 via 10.8.0.197 dev tun0 table 202 
192.168.30.0/24 via 10.8.0.197 dev tun0 table 202 
192.168.40.0/24 via 10.8.0.197 dev tun0 table 202 
default via 10.255.1.1 dev wlan1 proto static src 10.255.1.171 
10.8.0.0/24 via 10.8.0.197 dev tun0 
10.8.0.197 dev tun0 proto kernel scope link src 10.8.0.198 
10.255.1.0/24 dev wlan1 proto kernel scope link src 10.255.1.171 
89.202.34.64/27 via 10.8.0.197 dev tun0 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.10.0/24 via 10.8.0.197 dev tun0 
192.168.20.0/24 via 10.8.0.197 dev tun0 
192.168.30.0/24 via 10.8.0.197 dev tun0 
192.168.40.0/24 via 10.8.0.197 dev tun0 
local 10.8.0.198 dev tun0 table local proto kernel scope host src 10.8.0.198 
broadcast 10.255.1.0 dev wlan1 table local proto kernel scope link src 10.255.1.171 
local 10.255.1.171 dev wlan1 table local proto kernel scope host src 10.255.1.171 
broadcast 10.255.1.255 dev wlan1 table local proto kernel scope link src 10.255.1.171 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
0:  from all lookup local 
32758:  from all fwmark 0x20000/0xff0000 lookup 202 
32759:  from all fwmark 0x10000/0xff0000 lookup 201 
32766:  from all lookup main 
32767:  from all lookup default 
lrwxrwxrwx    1 root     root            16 Feb 27 22:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Apr 29 15:36 /tmp/resolv.conf
-rw-r--r--    1 root     root            56 Apr 29 15:36 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wwan
nameserver 10.255.1.1
search fritz.box

vpn information is chopped

Thanks
Chris

No need to masquerade on lan zone.

 option masq '1'

Not sure what is the purpose of these. wwan is already part of wan zone.

config nat
    option src 'wan'
    option name 'tftp'
    option dest_ip '192.168.10.0/24'
    list proto 'tcp'
    list proto 'udp'
    option target 'MASQUERADE'

config zone
    option name 'wifi2vpn'
    option network 'wifi2vpn wwan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'
    option output 'ACCEPT'

config forwarding
    option dest 'wan'
    option src 'wifi2vpn'

How were the routing tables 201 and 202 created? What are their details?

Yeah right, that are useless things i tried while testing.
I remove this entries but it has no effect.

Greetings
Chris

Alright, post once again the same commands and also this: iptables-save -c

Hi,

here you go

package network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd1a:1c73:2648::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config device 'lan_eth0_1_dev'
    option name 'eth0.1'
    option macaddr '74:da:88:05:c1:a8'

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'

config device 'wan_eth0_2_dev'
    option name 'eth0.2'
    option macaddr '74:da:88:05:c1:a9'

config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 4 6t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0 6t'

config interface 'wwan'
    option proto 'dhcp'

package wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'
    option hwmode '11g'
    option path 'platform/10300000.wmac'

config wifi-device 'radio1'
    option type 'mac80211'
    option channel '36'
    option hwmode '11a'
    option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
    option htmode 'VHT80'

config wifi-iface 'wifinet0'
    option ssid 'Chris!Box'
    option device 'radio1'
    option key ''
    option network 'wwan'
    option encryption 'psk2'
    option mode 'sta'

package dhcp

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv6 'server'
    option ra 'server'
    list dhcp_option '43,id:ipphone.mitel.com;sw_tftp=192.168.10.4;call_srv=192.168.10.4;vlan=4;l2p=6;dscp=56'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

package firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option flow_offloading '1'
    option forward 'REJECT'

config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option network 'lan'
    option forward 'ACCEPT'

config zone 'wan'
    option name 'wan'
    option output 'ACCEPT'
    option mtu_fix '1'
    option network 'wan wan6 wwan'
    list device 'tun0'
    option input 'ACCEPT'
    option masq '1'
    option forward 'ACCEPT'

config forwarding 'lan_wan'
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config forwarding
    option dest 'wan'
    option src 'wifi2vpn'

package openvpn

config openvpn 'more'
    option config '/etc/openvpn/more.ovpn'
    option enabled '1'

head: /etc/openvpn/*.conf: No such file or directory

client
dev tun
proto udp
remote <server>
compress lzo
nobind
persist-key
persist-tun
tun-mtu 1454
remote-cert-tls server
verb 3
<ca>
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.255.1.171/24 brd 10.255.1.255 scope global wlan1
       valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1454 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.0.198 peer 10.8.0.197/32 scope global tun0
       valid_lft forever preferred_lft forever
unreachable default table 201 
10.8.0.0/24 via 10.8.0.197 dev tun0 table 201 
10.8.0.197 dev tun0 table 201 proto kernel scope link src 10.8.0.198 
10.255.1.0/24 dev wlan1 table 201 proto kernel scope link src 10.255.1.171 
89.202.34.64/27 via 10.8.0.197 dev tun0 table 201 
192.168.10.0/24 via 10.8.0.197 dev tun0 table 201 
192.168.20.0/24 via 10.8.0.197 dev tun0 table 201 
192.168.30.0/24 via 10.8.0.197 dev tun0 table 201 
192.168.40.0/24 via 10.8.0.197 dev tun0 table 201 
default via 10.255.1.1 dev wlan1 table 202 
10.8.0.0/24 via 10.8.0.197 dev tun0 table 202 
10.8.0.197 dev tun0 table 202 proto kernel scope link src 10.8.0.198 
10.255.1.0/24 dev wlan1 table 202 proto kernel scope link src 10.255.1.171 
89.202.34.64/27 via 10.8.0.197 dev tun0 table 202 
192.168.10.0/24 via 10.8.0.197 dev tun0 table 202 
192.168.20.0/24 via 10.8.0.197 dev tun0 table 202 
192.168.30.0/24 via 10.8.0.197 dev tun0 table 202 
192.168.40.0/24 via 10.8.0.197 dev tun0 table 202 
default via 10.255.1.1 dev wlan1 proto static src 10.255.1.171 
10.8.0.0/24 via 10.8.0.197 dev tun0 
10.8.0.197 dev tun0 proto kernel scope link src 10.8.0.198 
10.255.1.0/24 dev wlan1 proto kernel scope link src 10.255.1.171 
89.202.34.64/27 via 10.8.0.197 dev tun0 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.10.0/24 via 10.8.0.197 dev tun0 
192.168.20.0/24 via 10.8.0.197 dev tun0 
192.168.30.0/24 via 10.8.0.197 dev tun0 
192.168.40.0/24 via 10.8.0.197 dev tun0 
local 10.8.0.198 dev tun0 table local proto kernel scope host src 10.8.0.198 
broadcast 10.255.1.0 dev wlan1 table local proto kernel scope link src 10.255.1.171 
local 10.255.1.171 dev wlan1 table local proto kernel scope host src 10.255.1.171 
broadcast 10.255.1.255 dev wlan1 table local proto kernel scope link src 10.255.1.171 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
0:  from all lookup local 
32750:  from all fwmark 0x20000/0xff0000 lookup 202 
32751:  from all fwmark 0x10000/0xff0000 lookup 201 
32766:  from all lookup main 
32767:  from all lookup default 
lrwxrwxrwx    1 root     root            16 Feb 27 22:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Apr 30 15:12 /tmp/resolv.conf
-rw-r--r--    1 root     root            56 Apr 29 15:36 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wwan
nameserver 10.255.1.1
search fritz.box

root@OpenWrt:/etc# iptables-save -c
# Generated by iptables-save v1.8.3 on Thu Apr 30 15:15:47 2020
*nat
:PREROUTING ACCEPT [1891:153370]
:INPUT ACCEPT [995:80170]
:OUTPUT ACCEPT [440:32831]
:POSTROUTING ACCEPT [52:7687]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1891:153370] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1647:112820] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[38:8618] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[206:31932] -A PREROUTING -i wlan1 -m comment --comment "!fw3" -j zone_wan_prerouting
[1111:73875] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[34:6328] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[453:27948] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[606:38240] -A POSTROUTING -o wlan1 -m comment --comment "!fw3" -j zone_wan_postrouting
[34:6328] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[1647:112820] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[1059:66188] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[1059:66188] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[244:40550] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Apr 30 15:15:47 2020
# Generated by iptables-save v1.8.3 on Thu Apr 30 15:15:47 2020
*mangle
:PREROUTING ACCEPT [19000:9640345]
:INPUT ACCEPT [15112:9290094]
:FORWARD ACCEPT [3663:318095]
:OUTPUT ACCEPT [15270:6429249]
:POSTROUTING ACCEPT [18933:6747344]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
[19019:9644010] -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
[15129:9293602] -A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
[3654:317687] -A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
[153:9180] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[217:13020] -A FORWARD -o wlan1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[15284:6432243] -A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
[10:460] -A VPR_PREROUTING -d 192.168.10.4/32 -p udp -m multiport --dports 69 -m comment --comment IPTel -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_PREROUTING -d 192.168.10.4/32 -p tcp -m multiport --dports 69 -m comment --comment IPTel -j MARK --set-xmark 0x20000/0xff0000
COMMIT
# Completed on Thu Apr 30 15:15:47 2020
# Generated by iptables-save v1.8.3 on Thu Apr 30 15:15:47 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
:zone_wifi2vpn_forward - [0:0]
:zone_wifi2vpn_input - [0:0]
:zone_wifi2vpn_output - [0:0]
[157:15745] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[14965:9274869] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[13885:9173072] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[122:7320] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1010:86895] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[10:5440] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[60:9462] -A INPUT -i wlan1 -m comment --comment "!fw3" -j zone_wan_input
[3663:318095] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[2982:276577] -A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD
[2982:276577] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[681:41518] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[157:15745] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[15123:6415992] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[14681:6377744] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[54:13104] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[388:25144] -A OUTPUT -o wlan1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[122:7320] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[54:13104] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[681:41518] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[681:41518] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1010:86895] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1010:86895] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[54:13104] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[54:13104] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1010:86895] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[463:28422] -A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wlan1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[606:38240] -A zone_wan_dest_ACCEPT -o wlan1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[70:14902] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[4:2304] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[13:468] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[53:12130] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
[388:25144] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[388:25144] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[10:5440] -A zone_wan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[43:6690] -A zone_wan_src_ACCEPT -i wlan1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Thu Apr 30 15:15:47 2020

Greetings
Chris

The routing tables are still there, remove them and post again the output of the commands.

Sorry,

root@OpenWrt:/etc# iptables-save -c
# Generated by iptables-save v1.8.3 on Thu Apr 30 15:27:12 2020
*nat
:PREROUTING ACCEPT [9:518]
:INPUT ACCEPT [4:258]
:OUTPUT ACCEPT [2:237]
:POSTROUTING ACCEPT [1:132]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[9:518] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[9:518] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i wlan1 -m comment --comment "!fw3" -j zone_wan_prerouting
[6:365] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[4:208] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[2:157] -A POSTROUTING -o wlan1 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[9:518] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[6:365] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[6:365] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Apr 30 15:27:12 2020
# Generated by iptables-save v1.8.3 on Thu Apr 30 15:27:12 2020
*mangle
:PREROUTING ACCEPT [101:7634]
:INPUT ACCEPT [91:7114]
:FORWARD ACCEPT [10:520]
:OUTPUT ACCEPT [83:13319]
:POSTROUTING ACCEPT [93:13839]
[0:0] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o wlan1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Apr 30 15:27:12 2020
# Generated by iptables-save v1.8.3 on Thu Apr 30 15:27:12 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[100:7582] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[96:7324] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[4:258] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wlan1 -m comment --comment "!fw3" -j zone_wan_input
[10:520] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[5:260] -A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD
[5:260] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5:260] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[93:15375] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[91:15138] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:132] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[1:105] -A OUTPUT -o wlan1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:132] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[5:260] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[5:260] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[4:258] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[4:258] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1:132] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1:132] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[4:258] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[4:208] -A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wlan1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[2:157] -A zone_wan_dest_ACCEPT -o wlan1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
[1:105] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1:105] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i wlan1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT

This is only the iptables output.

sorry again, i misunderstood you then,
hope now all rules are gone.

root@OpenWrt:/etc# uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> uci export openvpn; head -n -0 /etc/openvpn/*.conf; head -n -0 /etc/openvpn/*.ovpn; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
package network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd1a:1c73:2648::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config device 'lan_eth0_1_dev'
    option name 'eth0.1'
    option macaddr '74:da:88:05:c1:a8'

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'

config device 'wan_eth0_2_dev'
    option name 'eth0.2'
    option macaddr '74:da:88:05:c1:a9'

config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 4 6t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0 6t'

config interface 'wwan'
    option proto 'dhcp'

package wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'
    option hwmode '11g'
    option path 'platform/10300000.wmac'

config wifi-device 'radio1'
    option type 'mac80211'
    option channel '36'
    option hwmode '11a'
    option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
    option htmode 'VHT80'

config wifi-iface 'wifinet0'
    option ssid 'Chris!Box'
    option device 'radio1'
    option key ''
    option network 'wwan'
    option encryption 'psk2'
    option mode 'sta'

package dhcp

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv6 'server'
    option ra 'server'
    list dhcp_option '43,id:ipphone.mitel.com;sw_tftp=192.168.10.4;call_srv=192.168.10.4;vlan=4;l2p=6;dscp=56'
    list dhcp_option

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

package firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option flow_offloading '1'
    option forward 'REJECT'

config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option network 'lan'
    option forward 'ACCEPT'

config zone 'wan'
    option name 'wan'
    option output 'ACCEPT'
    option mtu_fix '1'
    option network 'wan wan6 wwan'
    list device 'tun0'
    option input 'ACCEPT'
    option masq '1'
    option forward 'ACCEPT'

config forwarding 'lan_wan'
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

package openvpn

config openvpn 'more'
    option config '/etc/openvpn/more.ovpn'
    option enabled '1'

head: /etc/openvpn/*.conf: No such file or directory

client
dev tun
proto udp
remote 
compress lzo
nobind
persist-key
persist-tun
tun-mtu 1454
remote-cert-tls server
verb 3
<ca>
</ca>
<cert>
</cert>
<key>
</key>
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    inet 169.254.94.127/16 brd 169.254.255.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet 169.254.94.127/16 brd 169.254.255.255 scope global noprefixroute br-lan
       valid_lft forever preferred_lft forever
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    inet 169.254.94.127/16 brd 169.254.255.255 scope global noprefixroute eth0.1
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 169.254.125.157/16 brd 169.254.255.255 scope global noprefixroute eth0.2
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.255.1.171/24 brd 10.255.1.255 scope global wlan1
       valid_lft forever preferred_lft forever
    inet 10.255.1.50/24 brd 10.255.1.255 scope global secondary noprefixroute wlan1
       valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1454 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.0.198 peer 10.8.0.197/32 scope global tun0
       valid_lft forever preferred_lft forever
unreachable default table 201 
10.8.0.0/24 via 10.8.0.197 dev tun0 table 201 
10.8.0.197 dev tun0 table 201 proto kernel scope link src 10.8.0.198 
10.255.1.0/24 dev wlan1 table 201 proto kernel scope link src 10.255.1.171 
89.202.34.64/27 via 10.8.0.197 dev tun0 table 201 
192.168.10.0/24 via 10.8.0.197 dev tun0 table 201 
192.168.20.0/24 via 10.8.0.197 dev tun0 table 201 
192.168.30.0/24 via 10.8.0.197 dev tun0 table 201 
192.168.40.0/24 via 10.8.0.197 dev tun0 table 201 
default via 10.255.1.1 dev wlan1 table 202 
10.8.0.0/24 via 10.8.0.197 dev tun0 table 202 
10.8.0.197 dev tun0 table 202 proto kernel scope link src 10.8.0.198 
10.255.1.0/24 dev wlan1 table 202 proto kernel scope link src 10.255.1.171 
89.202.34.64/27 via 10.8.0.197 dev tun0 table 202 
192.168.10.0/24 via 10.8.0.197 dev tun0 table 202 
192.168.20.0/24 via 10.8.0.197 dev tun0 table 202 
192.168.30.0/24 via 10.8.0.197 dev tun0 table 202 
192.168.40.0/24 via 10.8.0.197 dev tun0 table 202 
default via 10.255.1.1 dev wlan1 proto dhcp src 10.255.1.50 metric 308 
10.8.0.0/24 via 10.8.0.197 dev tun0 
10.8.0.197 dev tun0 proto kernel scope link src 10.8.0.198 
10.255.1.0/24 dev wlan1 proto dhcp scope link src 10.255.1.50 metric 308 
89.202.34.64/27 via 10.8.0.197 dev tun0 
169.254.0.0/16 dev eth0 scope link src 169.254.94.127 metric 202 
169.254.0.0/16 dev br-lan scope link src 169.254.94.127 metric 205 
169.254.0.0/16 dev eth0.1 scope link src 169.254.94.127 metric 206 
169.254.0.0/16 dev eth0.2 scope link src 169.254.125.157 metric 207 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.10.0/24 via 10.8.0.197 dev tun0 
192.168.20.0/24 via 10.8.0.197 dev tun0 
192.168.30.0/24 via 10.8.0.197 dev tun0 
192.168.40.0/24 via 10.8.0.197 dev tun0 
local 10.8.0.198 dev tun0 table local proto kernel scope host src 10.8.0.198 
broadcast 10.255.1.0 dev wlan1 table local proto kernel scope link src 10.255.1.171 
local 10.255.1.50 dev wlan1 table local proto kernel scope host src 10.255.1.171 
local 10.255.1.171 dev wlan1 table local proto kernel scope host src 10.255.1.171 
broadcast 10.255.1.255 dev wlan1 table local proto kernel scope link src 10.255.1.171 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 169.254.0.0 dev eth0.1 table local proto kernel scope link src 169.254.94.127 
broadcast 169.254.0.0 dev eth0.2 table local proto kernel scope link src 169.254.125.157 
broadcast 169.254.0.0 dev br-lan table local proto kernel scope link src 169.254.94.127 
broadcast 169.254.0.0 dev eth0 table local proto kernel scope link src 169.254.94.127 
local 169.254.94.127 dev eth0.1 table local proto kernel scope host src 169.254.94.127 
local 169.254.94.127 dev br-lan table local proto kernel scope host src 169.254.94.127 
local 169.254.94.127 dev eth0 table local proto kernel scope host src 169.254.94.127 
local 169.254.125.157 dev eth0.2 table local proto kernel scope host src 169.254.125.157 
broadcast 169.254.255.255 dev eth0.1 table local proto kernel scope link src 169.254.94.127 
broadcast 169.254.255.255 dev eth0.2 table local proto kernel scope link src 169.254.125.157 
broadcast 169.254.255.255 dev br-lan table local proto kernel scope link src 169.254.94.127 
broadcast 169.254.255.255 dev eth0 table local proto kernel scope link src 169.254.94.127 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
0:  from all lookup local 
32750:  from all fwmark 0x20000/0xff0000 lookup 202 
32751:  from all fwmark 0x10000/0xff0000 lookup 201 
32766:  from all lookup main 
32767:  from all lookup default 
lrwxrwxrwx    1 root     root            16 Feb 27 22:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root           215 Apr 30 15:18 /tmp/resolv.conf
-rw-r--r--    1 root     root            56 Apr 29 15:36 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
# Generated by dhcpcd from wlan1.dhcp, wlan1.ra
# /etc/resolv.conf.head can replace this line
domain fritz.box
nameserver 10.255.1.1
nameserver fd00::c225:6ff:fef4:5c11
# /etc/resolv.conf.tail can replace this line

==> /tmp/resolv.conf <==
# Generated by dhcpcd from wlan1.dhcp, wlan1.ra
# /etc/resolv.conf.head can replace this line
domain fritz.box
nameserver 10.255.1.1
nameserver fd00::c225:6ff:fef4:5c11
# /etc/resolv.conf.tail can replace this line

==> /tmp/resolv.conf.auto <==
# Interface wwan
nameserver 10.255.1.1
search fritz.box
root@OpenWrt:/etc# 

I also found out that the IP tel won't get addresses from the dhcp server

Thu Apr 30 15:36:37 2020 daemon.info dnsmasq-dhcp[8441]: DHCPDISCOVER(br-lan) 00:30:42:0e:ba:aa
Thu Apr 30 15:36:37 2020 daemon.info dnsmasq-dhcp[8441]: DHCPOFFER(br-lan) 192.168.1.156 00:30:42:0e:ba:aa
Thu Apr 30 15:36:42 2020 daemon.info dnsmasq-dhcp[8441]: DHCPDISCOVER(br-lan) 00:30:42:0e:ba:aa
Thu Apr 30 15:36:42 2020 daemon.info dnsmasq-dhcp[8441]: DHCPOFFER(br-lan) 192.168.1.156 00:30:42:0e:ba:aa

Telefone display says DHCP: NOK

Look, it is the third time in a row that you post the commands and there are multiple routing tables.
Fix that, since it was not meant to be like this, verify that it is fixed when you run the command ip -4 ro li tab all and there are no 201 or 202 tables, and then post them again here.

Telephone is supposed to send a DHCPREQUEST after the offer, instead it seems that it disregards the offer.

Hey sorry, now I understand which routes you mean
these are the routes to our company lan
they are pushed by the vpn server on vpn connect

the company lans are
192.168.10.0
192.168.20.0
192.168.30.0
192.168.40.0
10.255.1.0 is my "normal" LAN at home
192.168.1.0 is my Homeoffice-openwrt-lan
10.8.0.0 is the vpn transfer lan

just tried a tcpdump at our vpn server and found this

16:17:58.692945 IP 10.8.0.198.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
16:17:58.722139 IP 10.8.0.198 > 192.168.10.4: ICMP 10.8.0.198 udp port 2000 unreachable, length 552

no firewall is blocking any part of the communication from vpn server to PBX so maybe openWRT is blocking something?

I am not talking about the routes which are correct here:

192.168.10.0/24 via 10.8.0.197 dev tun0 
192.168.20.0/24 via 10.8.0.197 dev tun0 
192.168.30.0/24 via 10.8.0.197 dev tun0 
192.168.40.0/24 via 10.8.0.197 dev tun0 

I am talking about these routes which are defined in the routing tables 201 and 202

192.168.10.0/24 via 10.8.0.197 dev tun0 table 201 
192.168.20.0/24 via 10.8.0.197 dev tun0 table 201 
192.168.30.0/24 via 10.8.0.197 dev tun0 table 201 
192.168.40.0/24 via 10.8.0.197 dev tun0 table 201 
...
192.168.10.0/24 via 10.8.0.197 dev tun0 table 202 
192.168.20.0/24 via 10.8.0.197 dev tun0 table 202 
192.168.30.0/24 via 10.8.0.197 dev tun0 table 202 
192.168.40.0/24 via 10.8.0.197 dev tun0 table 202 

Do a tcpdump -i any -vne host 192.168.10.4 on OpenWrt when you try the registration. But first fix the routing tables above.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    inet 169.254.94.127/16 brd 169.254.255.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet 169.254.94.127/16 brd 169.254.255.255 scope global noprefixroute br-lan
       valid_lft forever preferred_lft forever
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    inet 169.254.94.127/16 brd 169.254.255.255 scope global noprefixroute eth0.1
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 169.254.125.157/16 brd 169.254.255.255 scope global noprefixroute eth0.2
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.255.1.124/24 brd 10.255.1.255 scope global wlan1
       valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1454 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.0.198 peer 10.8.0.197/32 scope global tun0
       valid_lft forever preferred_lft forever
default via 10.255.1.1 dev wlan1 proto dhcp src 10.255.1.124 metric 308 
10.8.0.0/24 via 10.8.0.197 dev tun0 
10.8.0.197 dev tun0 proto kernel scope link src 10.8.0.198 
10.255.1.0/24 dev wlan1 proto dhcp scope link src 10.255.1.124 metric 308 
89.202.34.64/27 via 10.8.0.197 dev tun0 
169.254.0.0/16 dev eth0 scope link src 169.254.94.127 metric 202 
169.254.0.0/16 dev br-lan scope link src 169.254.94.127 metric 205 
169.254.0.0/16 dev eth0.1 scope link src 169.254.94.127 metric 206 
169.254.0.0/16 dev eth0.2 scope link src 169.254.125.157 metric 207 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.10.0/24 via 10.8.0.197 dev tun0 
192.168.20.0/24 via 10.8.0.197 dev tun0 
192.168.30.0/24 via 10.8.0.197 dev tun0 
192.168.40.0/24 via 10.8.0.197 dev tun0 
local 10.8.0.198 dev tun0 table local proto kernel scope host src 10.8.0.198 
broadcast 10.255.1.0 dev wlan1 table local proto kernel scope link src 10.255.1.124 
local 10.255.1.124 dev wlan1 table local proto kernel scope host src 10.255.1.124 
broadcast 10.255.1.255 dev wlan1 table local proto kernel scope link src 10.255.1.124 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 169.254.0.0 dev eth0 table local proto kernel scope link src 169.254.94.127 
broadcast 169.254.0.0 dev eth0.1 table local proto kernel scope link src 169.254.94.127 
broadcast 169.254.0.0 dev br-lan table local proto kernel scope link src 169.254.94.127 
broadcast 169.254.0.0 dev eth0.2 table local proto kernel scope link src 169.254.125.157 
local 169.254.94.127 dev eth0 table local proto kernel scope host src 169.254.94.127 
local 169.254.94.127 dev eth0.1 table local proto kernel scope host src 169.254.94.127 
local 169.254.94.127 dev br-lan table local proto kernel scope host src 169.254.94.127 
local 169.254.125.157 dev eth0.2 table local proto kernel scope host src 169.254.125.157 
broadcast 169.254.255.255 dev eth0 table local proto kernel scope link src 169.254.94.127 
broadcast 169.254.255.255 dev eth0.1 table local proto kernel scope link src 169.254.94.127 
broadcast 169.254.255.255 dev br-lan table local proto kernel scope link src 169.254.94.127 
broadcast 169.254.255.255 dev eth0.2 table local proto kernel scope link src 169.254.125.157 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Feb 27 22:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root           215 Apr 30 15:31 /tmp/resolv.conf
-rw-r--r--    1 root     root            56 Apr 30 15:31 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
# Generated by dhcpcd from wlan1.dhcp, wlan1.ra
# /etc/resolv.conf.head can replace this line
domain fritz.box
nameserver 10.255.1.1
nameserver fd00::c225:6ff:fef4:5c11
# /etc/resolv.conf.tail can replace this line

==> /tmp/resolv.conf <==
# Generated by dhcpcd from wlan1.dhcp, wlan1.ra
# /etc/resolv.conf.head can replace this line
domain fritz.box
nameserver 10.255.1.1
nameserver fd00::c225:6ff:fef4:5c11
# /etc/resolv.conf.tail can replace this line

==> /tmp/resolv.conf.auto <==
# Interface wwan
nameserver 10.255.1.1
search fritz.box

Don't know why these routes were there. And without doing anything, they are no more in there
maybe my skills are not so good than i thougt

Here is tcpdump output

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
17:02:08.464062  In 00:30:42:0e:ba:aa ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 60, id 1, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:08.464062  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 1, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:08.464062  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 1, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:08.464209 Out ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 59, id 1, offset 0, flags [none], proto UDP (17), length 58)
    10.8.0.198.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:08.494932  In ethertype IPv4 (0x0800), length 560: (tos 0x0, ttl 62, id 53623, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.60183 > 10.8.0.198.2000: UDP, length 516
17:02:08.495217 Out ethertype IPv4 (0x0800), length 588: (tos 0xc0, ttl 64, id 24135, offset 0, flags [none], proto ICMP (1), length 572)
    10.8.0.198 > 192.168.10.4: ICMP 10.8.0.198 udp port 2000 unreachable, length 552
	(tos 0x0, ttl 62, id 53623, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.60183 > 10.8.0.198.2000: UDP, length 516
17:02:09.462715  In 00:30:42:0e:ba:aa ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 60, id 2, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:09.462715  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 2, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:09.462715  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 2, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:09.462893 Out ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 59, id 2, offset 0, flags [none], proto UDP (17), length 58)
    10.8.0.198.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:09.493527  In ethertype IPv4 (0x0800), length 560: (tos 0x0, ttl 62, id 54621, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.32918 > 10.8.0.198.2000: UDP, length 516
17:02:09.493811 Out ethertype IPv4 (0x0800), length 588: (tos 0xc0, ttl 64, id 24136, offset 0, flags [none], proto ICMP (1), length 572)
    10.8.0.198 > 192.168.10.4: ICMP 10.8.0.198 udp port 2000 unreachable, length 552
	(tos 0x0, ttl 62, id 54621, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.32918 > 10.8.0.198.2000: UDP, length 516
17:02:10.462324  In 00:30:42:0e:ba:aa ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 60, id 3, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:10.462324  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 3, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:10.462324  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 3, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:10.462490 Out ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 59, id 3, offset 0, flags [none], proto UDP (17), length 58)
    10.8.0.198.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:10.492469  In ethertype IPv4 (0x0800), length 560: (tos 0x0, ttl 62, id 55621, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.37663 > 10.8.0.198.2000: UDP, length 516
17:02:10.492742 Out ethertype IPv4 (0x0800), length 588: (tos 0xc0, ttl 64, id 24148, offset 0, flags [none], proto ICMP (1), length 572)
    10.8.0.198 > 192.168.10.4: ICMP 10.8.0.198 udp port 2000 unreachable, length 552
	(tos 0x0, ttl 62, id 55621, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.37663 > 10.8.0.198.2000: UDP, length 516
17:02:11.462472  In 00:30:42:0e:ba:aa ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 60, id 4, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:11.462472  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 4, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:11.462472  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 4, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:11.462647 Out ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 59, id 4, offset 0, flags [none], proto UDP (17), length 58)
    10.8.0.198.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:11.493015  In ethertype IPv4 (0x0800), length 560: (tos 0x0, ttl 62, id 56621, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.60620 > 10.8.0.198.2000: UDP, length 516
17:02:11.493287 Out ethertype IPv4 (0x0800), length 588: (tos 0xc0, ttl 64, id 24246, offset 0, flags [none], proto ICMP (1), length 572)
    10.8.0.198 > 192.168.10.4: ICMP 10.8.0.198 udp port 2000 unreachable, length 552
	(tos 0x0, ttl 62, id 56621, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.60620 > 10.8.0.198.2000: UDP, length 516
17:02:12.462088  In 00:30:42:0e:ba:aa ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 60, id 5, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:12.462088  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 5, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:12.462088  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 5, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:12.462240 Out ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 59, id 5, offset 0, flags [none], proto UDP (17), length 58)
    10.8.0.198.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:12.494009  In ethertype IPv4 (0x0800), length 560: (tos 0x0, ttl 62, id 57620, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.56131 > 10.8.0.198.2000: UDP, length 516
17:02:12.494281 Out ethertype IPv4 (0x0800), length 588: (tos 0xc0, ttl 64, id 24337, offset 0, flags [none], proto ICMP (1), length 572)
    10.8.0.198 > 192.168.10.4: ICMP 10.8.0.198 udp port 2000 unreachable, length 552
	(tos 0x0, ttl 62, id 57620, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.56131 > 10.8.0.198.2000: UDP, length 516
17:02:13.462231  In 00:30:42:0e:ba:aa ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 60, id 6, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:13.462231  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 6, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:13.462231  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 6, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:13.462410 Out ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 59, id 6, offset 0, flags [none], proto UDP (17), length 58)
    10.8.0.198.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:13.492738  In ethertype IPv4 (0x0800), length 560: (tos 0x0, ttl 62, id 58621, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.57712 > 10.8.0.198.2000: UDP, length 516
17:02:13.493010 Out ethertype IPv4 (0x0800), length 588: (tos 0xc0, ttl 64, id 24394, offset 0, flags [none], proto ICMP (1), length 572)
    10.8.0.198 > 192.168.10.4: ICMP 10.8.0.198 udp port 2000 unreachable, length 552
	(tos 0x0, ttl 62, id 58621, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.57712 > 10.8.0.198.2000: UDP, length 516
17:02:14.462364  In 00:30:42:0e:ba:aa ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 60, id 7, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:14.462364  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 7, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:14.462364  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 7, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:14.462534 Out ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 59, id 7, offset 0, flags [none], proto UDP (17), length 58)
    10.8.0.198.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:14.492142  In ethertype IPv4 (0x0800), length 560: (tos 0x0, ttl 62, id 59620, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.38280 > 10.8.0.198.2000: UDP, length 516
17:02:14.492415 Out ethertype IPv4 (0x0800), length 588: (tos 0xc0, ttl 64, id 24479, offset 0, flags [none], proto ICMP (1), length 572)
    10.8.0.198 > 192.168.10.4: ICMP 10.8.0.198 udp port 2000 unreachable, length 552
	(tos 0x0, ttl 62, id 59620, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.38280 > 10.8.0.198.2000: UDP, length 516
17:02:15.461987  In 00:30:42:0e:ba:aa ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 60, id 8, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:15.461987  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 8, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:15.461987  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 8, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:15.462161 Out ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 59, id 8, offset 0, flags [none], proto UDP (17), length 58)
    10.8.0.198.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:15.491984  In ethertype IPv4 (0x0800), length 560: (tos 0x0, ttl 62, id 60620, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.53887 > 10.8.0.198.2000: UDP, length 516
17:02:15.492256 Out ethertype IPv4 (0x0800), length 588: (tos 0xc0, ttl 64, id 24551, offset 0, flags [none], proto ICMP (1), length 572)
    10.8.0.198 > 192.168.10.4: ICMP 10.8.0.198 udp port 2000 unreachable, length 552
	(tos 0x0, ttl 62, id 60620, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.53887 > 10.8.0.198.2000: UDP, length 516
17:02:16.462130  In 00:30:42:0e:ba:aa ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 60, id 9, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:16.462130  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 9, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:16.462130  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 9, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:16.462298 Out ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 59, id 9, offset 0, flags [none], proto UDP (17), length 58)
    10.8.0.198.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:16.492286  In ethertype IPv4 (0x0800), length 560: (tos 0x0, ttl 62, id 61620, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.42727 > 10.8.0.198.2000: UDP, length 516
17:02:16.492556 Out ethertype IPv4 (0x0800), length 588: (tos 0xc0, ttl 64, id 24643, offset 0, flags [none], proto ICMP (1), length 572)
    10.8.0.198 > 192.168.10.4: ICMP 10.8.0.198 udp port 2000 unreachable, length 552
	(tos 0x0, ttl 62, id 61620, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.42727 > 10.8.0.198.2000: UDP, length 516
17:02:17.461742  In 00:30:42:0e:ba:aa ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 60, id 10, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:17.461742  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 10, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:17.461742  In 00:30:42:0e:ba:aa ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 10, offset 0, flags [none], proto UDP (17), length 58)
    192.168.1.156.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:17.461912 Out ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 59, id 10, offset 0, flags [none], proto UDP (17), length 58)
    10.8.0.198.2000 > 192.168.10.4.69:  30 RRQ "/ram/ip_tel/opi7x.cnt" octet
17:02:17.492410  In ethertype IPv4 (0x0800), length 560: (tos 0x0, ttl 62, id 62620, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.42512 > 10.8.0.198.2000: UDP, length 516
17:02:17.492681 Out ethertype IPv4 (0x0800), length 588: (tos 0xc0, ttl 64, id 24705, offset 0, flags [none], proto ICMP (1), length 572)
    10.8.0.198 > 192.168.10.4: ICMP 10.8.0.198 udp port 2000 unreachable, length 552
	(tos 0x0, ttl 62, id 62620, offset 0, flags [DF], proto UDP (17), length 544)
    192.168.10.4.42512 > 10.8.0.198.2000: UDP, length 516

I don't know about the routes, this is something you need to investigate. Check if you have mwan3 or VPN Policy Based Routing packages which are known to create such routing tables.

Regarding the tftp, OpenWrt is using source port 2000, same as source port of the phone and destination port 69. The return traffic comes from tftp server from port 60183, and this is not allowed. You can add a firewall rule to allow traffic from 192.168.10.4 towards 192.168.1.156, wan to lan, udp protocol.

Corporate network has no routes to your lan? ( or firewall -> less likely )

Can you verify the routes on the tftp-server and emote-vpn-server? ( and probably the remote networks default gateway too )

Most business vpn's will not be setup with knowledge of a clients internal networks. As this configuration is more typical of a site to site vpn... more configuration is needed on the corporate network side to provide knowledge of what endpoints/nets exist at the remote side and associated rules or configuration to facilitate traffic flow.

Natting properly out the client tunnel is a possible workaround.