No LAN Access connected with VPN

Hi,

I installed OpenWrt on a TP-Link TL-WA1201 v2. The device is connected to the internet by wifi and it shares internet on the eth0 port.
I have installed an OpenVPN server with this tutorial: https://openwrt.org/docs/guide-user/services/vpn/openvpn/server with success.

Except I cannot ping or access devices on the LAN from the VPN. No problem from the router (ssh).
The IP of the router is 10.0.1.20 and the LAN devices are 10.0.1.2, 10.0.1.3 and 10.0.1.4.
I added push "route add 10.0.1.0/24" in the ovpn conf.

I tried to follow some topics on the internet but without success.

Your LAN devices might have their own firewall which does not allow traffic from the OpenVPN subnet.
If you followed the wiki then the OpenVPN subnet is 192.168.9.0/24; in that case tweak the firewall of your LAN clients to allow that subnet.

Alternatively you can turn on MASQUERADE on the LAN zone, provided you did not place the vpn interface in that zone.

P.S. Why not use WireGuard? Much faster and easier to set up :wink:

You are right for 192.168.9.0.

Normally I remove the firewall of the LAN device. I will double check. I never had this issue, and I was using OpenWrt also.

The VPN is in the LAN zone via the covered devices option.

Do you need /etc/conf/network and firewall?

I use OpenVPN because... Voilà. First time with this issue. It is just for configuring the network; afterwards I will use another connection with WireGuard or OpenVPN, but the server will be in the LAN.


The firewall of the LAN device was enable/stop; I put it in disable/stop but it is not better.
So as you recommended I installed WireGuard and I am in the same situation.
Here I copy the firewall and network config files.

Really I don't understand the problem.
Is it possible to map point-to-point one address to another like
192.168.9.1 <-> 10.0.1.51
192.168.9.2 <-> 10.0.1.52
etc

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd00:a025:d819::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.1.20'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.254'

config interface 'wwan'
	option proto 'static'
	option device 'phy0-sta0'
	option ipaddr '192.168.1.111'
	option netmask '255.255.255.0'
	option gateway '192.168.1.254'
	list dns '8.8.8.8'
root@OpenWrt:~# cat /etc/config/firewall

config defaults                    
        option input 'REJECT'      
        option output 'ACCEPT'     
        option forward 'REJECT'    
        option synflood_protect '1'
                               
config zone 'lan'              
        option name 'lan'      
        option input 'ACCEPT'         
        option output 'ACCEPT'        
        option forward 'ACCEPT'       
        list network 'lan'            
        list device 'tun0'                      
                                      
config zone 'wan'                     
        option name 'wan'             
        option input 'REJECT'         
        option output 'ACCEPT'        
        option forward 'REJECT'        
        option masq '1'                
        option mtu_fix '1'             
        list network 'wan'             
        list network 'wan6'            
        list network 'wwan'            
                                       
config forwarding                      
        option src 'lan'               
        option dest 'wan'

It looks like your router is set up as a wifi client:
https://openwrt.org/docs/guide-user/network/wifi/connect_client_wifi

Basically it has a WAN via wifi and has its own subnet.

First remove option gateway '192.168.1.254'; it is not necessary.

You want to have a VPN server on this router, which should be possible, but you have to port forward from the main router (192.168.1.254 to this router 192.168.1.111). If you take that into account, a default VPN server setup should work.

For WireGuard see: https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

I think I forgot to present the network and I'm sorry for this.

ISP <--> Router (box) <--wifi--> OpenWRT <--wire eth0--> Cluster Proxmox.
I would like to connect to Proxmox and the VMs on 10.0.1.0/24 via VPN on the OpenWrt device.

I already tried with WireGuard; the tutorial is good and easy to install, but same problem. Maybe it's because I am using it as a wifi client.

Before, I was with this config:

Router (box) <--wire--> OpenWrt <--> LAN and no problem.
It's not the same install of Proxmox; I will try to check this way also.

If the VPN is working, e.g. you connect from outside with your phone/laptop on cellular and you can connect to the OpenWRT router and to the ISP router, then you know the VPN is working.

If the VPN is working and you cannot connect to certain LAN clients then see my earlier comment:

I don't understand the settings I should make to put the VPN in another zone.

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show

If you have implemented OpenVPN please share:

for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
logread | grep openvpn

If you have implemented WireGuard please share:

wg show

ubus call system board

{
	"kernel": "5.15.134",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link TL-WA1201 v2",
	"board_name": "tplink,tl-wa1201-v2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}

cat /etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd00:a025:d819::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.1.20'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wwan'
	option proto 'static'
	option device 'phy0-sta0'
	option ipaddr '192.168.1.111'
	option netmask '255.255.255.0'
	option gateway '192.168.1.254'
	list dns '8.8.8.8'

cat /etc/config/dhcp


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '150'
	option limit '200'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/firewall


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list device 'tun0'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-SSH'
	list proto 'tcp'
	option dest_port '****'
	option target 'ACCEPT'
	option src 'wan'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '7194'
	option proto 'udp'
	option target 'ACCEPT'

ip route show

default via 192.168.1.254 dev phy0-sta0 
10.0.1.0/24 dev br-lan scope link  src 10.0.1.20 
192.168.1.0/24 dev phy0-sta0 scope link  src 192.168.1.111 
192.168.9.0/24 dev tun0 scope link  src 192.168.9.1 

ovpn


So.
I created a zone for the VPN and I allow forwarding to LAN and WAN.
Masquerade for LAN.
For input, output and forward I selected accept.
I have access to the LAN, internet, everything OK.

Is my config good or should I modify something?

Thank you for your help! Never disappointed with openwrt :stuck_out_tongue:

I just reviewed your config and it looks OK except for this:

Your LAN (255.255.255.0) has 254 available IP addresses; if you start at 150 your max limit is 104, so limit 200 is too much.
Otherwise it looks fine.
As said, your OpenVPN clients have an IP address of 192.168.9.X and your LAN clients in subnet 10.0.1.0/24 will not accept traffic from another subnet, so not from 192.168.9.X.
You can tweak the firewall of all your local LAN clients to allow traffic from 192.168.9.0/24, but alternatively you can Masq traffic coming out of the router going to the LAN zone so that all traffic now comes from the router (the masquerading will change the source from 192.168.9.X to 10.0.1.20) and traffic will be accepted by the local LAN clients' firewall.

To be honest it is the quick and dirty solution, as you lose access control and logging; in a home situation that is not a problem :wink:
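
An added example, not posted by anyone in the thread: an `/etc/config/firewall` fragment for the setup discussed above, with `tun0` moved out of the `lan` zone into its own zone and masquerading enabled on `lan`. The zone name `vpn` and the `masq_src` restriction to the OpenVPN subnet are assumptions, not taken from the poster's final config.

```uci
# /etc/config/firewall (fragment) -- illustrative example, not the poster's file

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	# 'list device tun0' is removed from this zone; tun0 gets its own zone below.
	# Masquerade traffic leaving towards the LAN so that 10.0.1.x hosts see
	# 10.0.1.20 as the source instead of 192.168.9.x.
	option masq '1'
	# Assumption: only rewrite traffic that originates from the OpenVPN subnet,
	# so other traffic towards the LAN keeps its real source address.
	list masq_src '192.168.9.0/24'

# Hypothetical zone name 'vpn'
config zone 'vpn'
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	# The zone-level forward policy only covers tun0-to-tun0 traffic;
	# reaching the LAN and WAN is granted by the forwardings below.
	option forward 'REJECT'
	list device 'tun0'

# VPN clients may reach the 10.0.1.0/24 hosts
config forwarding
	option src 'vpn'
	option dest 'lan'

# VPN clients may reach the internet through the wifi uplink
config forwarding
	option src 'vpn'
	option dest 'wan'
```

With masquerading, the LAN hosts' logs show 10.0.1.20 for every VPN client; per-client attribution then has to come from the OpenVPN log on the router.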

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:
