No LAN http traffic using OpenVPN

I’m using OpenWRT on a 4G router and OpenVPN as a client connected to my VPS on the internet. Everything works fine. I can access every device from A ←→ B and vice versa by ping.

But unfortunately it’s not possible for me to access any service on port 80 (maybe also 443, but that is not needed and therefore not tried) on a client running this service behind the router.

Let me share my diagram:

It’s possible to ping from any device on the right side to any device on the left side (and the other way round).
Side note: I have an Android app on the mobile phone on the right side to access a camera on the left side; this works fine.

But as soon as I want to access any client on the left side (also LuCI on the router) on an HTTP port from a device on the right side, it does not work.

For example, accessing http://192.168.11.20 from a 10.8.0.x device (on the right) won’t work. In the Apache logs on the left (192.168.11.20) I can see a successful 200 access, but no traffic seems to return to the right side.

I’m also using policy based routing (PBR) on the router, but this is only for managing the outbound traffic for clients on the left. It should not be relevant here. I also tried the same scenario without using PBR.

This is my graphical firewall setup:

The config itself:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network '4G'
        list network 'ox'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'openvpn'

config zone
        option name 'inbound'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'openvpn'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'inbound'
        option dest 'lan'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Guest-DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Guest-DHCP'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'
        list proto 'udp'

The config of the OpenVPN server:

port 61951
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0

route 192.168.11.0 255.255.255.0
client-to-client

ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_Yyp2Cp4AmPmQGb6x.crt
key server_Yyp2Cp4AmPmQGb6x.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
log /var/log/openvpn/openvpn.log
verb 3

… and its ccd file for the router …

iroute 192.168.11.0 255.255.255.0

The OpenVPN client config is always the same, except the “pull-filter ignore” line for the router (as I do not want the router to use this gateway):

pull-filter ignore "redirect-gateway def1 bypass-dhcp"
# ^^^ this is only in the router's config

client
proto udp
explicit-exit-notify
remote xx.xx.xx.xx 61951
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_Yyp2Cp4AmPmQGb6x name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3

Does anybody have any idea why this HTTP traffic from left to right won’t work, while everything else runs fine?

Forgot to mention:
I’m using the latest OpenWRT:
OpenWrt 25.12.0 r32713-f919e7899d / LuCI openwrt-25.12 branch 26.064.72454~b89e6b3

Intra zone Forward set to ACCEPT

Thanks @egc

Unfortunately this didn’t help. Same result as before.
I’ve updated my firewall diagram above and will also share the full firewall config from OpenWRT here (also in the original post).

A network can be in only one firewall zone
Probably delete the whole inbound zone
Add forwarding

config forwarding
        option src 'vpn'
        option dest 'lan'

To get a better idea of your setup, please connect to your OpenWRT device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have but do not redact private RFC 1918 IP addresses (192.168.X.X, 10.X.X.X and 172.16-32.X.X) as that is not needed:

ubus call system board
cat /etc/config/network
ip route show
ifconfig
logread | grep openvpn
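The two points raised in the reply above (a network listed in more than one zone, and a missing forwarding) can be checked mechanically instead of by reading the whole file by eye. The following POSIX shell script is an added example, not from the thread or from OpenWrt; the sample firewall file it writes is constructed to mirror the config posted earlier (the `vpn` and `inbound` zones both listing `openvpn`, and no `vpn` → `lan` forwarding). On a router you would call `report /etc/config/firewall` instead.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): static checks on an
# OpenWrt /etc/config/firewall in UCI text form.
#   1. which networks are listed in more than one zone (fw4 allows only one)
#   2. which zone-to-zone forwardings exist
# Usage: run as-is against the constructed sample, or: report /etc/config/firewall

# Constructed sample mirroring the thread's config: 'openvpn' sits in both
# the 'vpn' and the 'inbound' zone, and there is no vpn -> lan forwarding.
SAMPLE_FW=$(mktemp)
trap 'rm -f "$SAMPLE_FW"' EXIT
cat > "$SAMPLE_FW" <<'EOF'
config zone
        option name 'lan'
        option input 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option masq '1'
        list network 'wan'
        list network '4G'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'vpn'
        option forward 'ACCEPT'
        option masq '1'
        list network 'openvpn'

config zone
        option name 'inbound'
        option forward 'ACCEPT'
        list network 'openvpn'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'inbound'
        option dest 'lan'
EOF

# Print "network zone" for every 'list network' line inside a 'config zone'.
zone_networks() {
    awk -v q="'" '
        /^config / { section = $2; zone = "" }
        section == "zone" && $1 == "option" && $2 == "name" { zone = $3; gsub(q, "", zone) }
        section == "zone" && $1 == "list" && $2 == "network" { net = $3; gsub(q, "", net); print net, zone }
    ' "$1"
}

# Print "network: zoneA zoneB" for every network that sits in more than one zone.
multi_zone_networks() {
    zone_networks "$1" | awk '
        { zones[$1] = zones[$1] " " $2; count[$1]++ }
        END { for (n in count) if (count[n] > 1) print n ":" zones[n] }
    '
}

# Print "src dest" for every 'config forwarding' section.
forwardings() {
    awk -v q="'" '
        function emit() { if (section == "forwarding") print src, dest }
        /^config / { emit(); section = $2; src = ""; dest = "" }
        section == "forwarding" && $1 == "option" && $2 == "src"  { src = $3;  gsub(q, "", src) }
        section == "forwarding" && $1 == "option" && $2 == "dest" { dest = $3; gsub(q, "", dest) }
        END { emit() }
    ' "$1"
}

# Exit status 0 if a forwarding from zone $2 to zone $3 exists in file $1.
has_forwarding() {
    forwardings "$1" | grep -qx "$2 $3"
}

# Human-readable summary; returns 1 if something needs attention.
report() {
    status=0
    dup=$(multi_zone_networks "$1")
    if [ -n "$dup" ]; then
        echo "networks in more than one zone: $dup"
        status=1
    fi
    if ! has_forwarding "$1" vpn lan; then
        echo "no forwarding from zone 'vpn' to zone 'lan'"
        status=1
    fi
    return $status
}

report "$SAMPLE_FW" || echo "firewall config needs attention"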

OK, I removed the whole “inbound” section and added the forwarding you suggested, followed by a router reboot.

Still no access.

Here are the requested commands and their results.
I have masked just the MAC addresses and my public IP from the VPS. Everything else is fine by me to share here.

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.12.71",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Zyxel LTE3301-Plus",
        "board_name": "zyxel,lte3301-plus",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.0",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32713-f919e7899d",
                "target": "ramips/mt7621",
                "description": "OpenWrt 25.12.0 r32713-f919e7899d",
                "builddate": "1772496855"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4e:0f69:3016::/48'
        option packet_steering '1'
        option dhcp_default_duid '00047bceaf28e31f46e19ca76cc1cf4fc2f8'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface '4G'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option apn 'internet.a1.bg'
        option auth 'none'
        option pdptype 'ipv4'

config interface 'openvpn'
        option proto 'none'
        option device 'tun0'
        option defaultroute '0'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.22.1'
        option netmask '255.255.255.0'

root@OpenWrt:~# ip route show
default via 10.159.246.50 dev wwan0 proto static src 10.159.246.49
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.159.246.48/30 dev wwan0 proto kernel scope link src 10.159.246.49
192.168.11.0/24 dev br-lan proto kernel scope link src 192.168.11.1
192.168.22.0/24 dev phy0-ap1 proto kernel scope link src 192.168.22.1
root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:192.168.11.1  Bcast:192.168.11.255  Mask:255.255.255.0
          inet6 addr: fd4e:f69:3016::1/60 Scope:Global
          inet6 addr: fe80::7ac5:7dff:fe3e:ca14/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6362 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4652 errors:0 dropped:2 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1243847 (1.1 MiB)  TX bytes:1542650 (1.4 MiB)

eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet6 addr: fe80::7ac5:7dff:fe3e:ca14/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1504  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4621 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2298 (2.2 KiB)  TX bytes:748823 (731.2 KiB)
          Interrupt:19

lan1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2305 errors:0 dropped:4 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1692 (1.6 KiB)  TX bytes:333541 (325.7 KiB)

lan2      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2300 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:510 (510.0 B)  TX bytes:332854 (325.0 KiB)

lan3      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan4      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:196 errors:0 dropped:0 overruns:0 frame:0
          TX packets:196 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:18497 (18.0 KiB)  TX bytes:18497 (18.0 KiB)

phy0-ap0  Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:799 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2997 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:135515 (132.3 KiB)  TX bytes:516067 (503.9 KiB)

phy0-ap1  Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:192.168.22.1  Bcast:192.168.22.255  Mask:255.255.255.0
          inet6 addr: fe80::c:43ff:fe26:6018/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:1592 (1.5 KiB)

phy1-ap0  Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5842 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7963 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1211882 (1.1 MiB)  TX bytes:2207357 (2.1 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.2  P-t-P:10.8.0.2  Mask:255.255.255.0
          inet6 addr: fe80::d97a:69ac:ff3f:22c2/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:43 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:5411 (5.2 KiB)  TX bytes:38179 (37.2 KiB)

wwan0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.159.246.49  P-t-P:10.159.246.49  Mask:255.255.255.252
          inet6 addr: fe80::d922:5e35:37dc:24f7/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3878 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3972 errors:0 dropped:2 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1378871 (1.3 MiB)  TX bytes:952587 (930.2 KiB)

root@OpenWrt:~# logread | grep openvpn
Sun Mar  8 08:25:40 2026 daemon.warn openvpn(vpn_home)[2466]: Unrecognized option or missing or extra parameter(s) in vpn_home.ovpn:23: block-outside-dns (2.6.14)
Sun Mar  8 08:25:40 2026 daemon.notice openvpn(vpn_home)[2466]: Note: Kernel support for ovpn-dco missing, disabling data channel offload.
Sun Mar  8 08:25:40 2026 daemon.notice openvpn(vpn_home)[2466]: OpenVPN 2.6.14 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Sun Mar  8 08:25:40 2026 daemon.notice openvpn(vpn_home)[2466]: library versions: OpenSSL 3.5.5 27 Jan 2026, LZO 2.10
Sun Mar  8 08:25:40 2026 daemon.notice openvpn(vpn_home)[2466]: DCO version: N/A
Sun Mar  8 08:25:40 2026 daemon.warn openvpn(vpn_home)[2466]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Mar  8 08:25:40 2026 daemon.notice openvpn(vpn_home)[2466]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:40 2026 daemon.notice openvpn(vpn_home)[2466]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sun Mar  8 08:25:40 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link local: (not bound)
Sun Mar  8 08:25:40 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:40 2026 daemon.err openvpn(vpn_home)[2466]: write UDPv4 []: Network unreachable (fd=5,code=128)
Sun Mar  8 08:25:40 2026 daemon.notice openvpn(vpn_home)[2466]: Network unreachable, restarting
Sun Mar  8 08:25:40 2026 daemon.notice openvpn(vpn_home)[2466]: SIGUSR1[soft,network-unreachable] received, process restarting
Sun Mar  8 08:25:40 2026 daemon.notice openvpn(vpn_home)[2466]: Restart pause, 1 second(s)
Sun Mar  8 08:25:41 2026 daemon.warn openvpn(vpn_home)[2466]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Mar  8 08:25:41 2026 daemon.notice openvpn(vpn_home)[2466]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:41 2026 daemon.notice openvpn(vpn_home)[2466]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sun Mar  8 08:25:41 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link local: (not bound)
Sun Mar  8 08:25:41 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:41 2026 daemon.err openvpn(vpn_home)[2466]: write UDPv4 []: Network unreachable (fd=5,code=128)
Sun Mar  8 08:25:41 2026 daemon.notice openvpn(vpn_home)[2466]: Network unreachable, restarting
Sun Mar  8 08:25:41 2026 daemon.notice openvpn(vpn_home)[2466]: SIGUSR1[soft,network-unreachable] received, process restarting
Sun Mar  8 08:25:41 2026 daemon.notice openvpn(vpn_home)[2466]: Restart pause, 1 second(s)
Sun Mar  8 08:25:42 2026 daemon.warn openvpn(vpn_home)[2466]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Mar  8 08:25:42 2026 daemon.notice openvpn(vpn_home)[2466]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:42 2026 daemon.notice openvpn(vpn_home)[2466]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sun Mar  8 08:25:42 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link local: (not bound)
Sun Mar  8 08:25:42 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:42 2026 daemon.err openvpn(vpn_home)[2466]: write UDPv4 []: Network unreachable (fd=5,code=128)
Sun Mar  8 08:25:42 2026 daemon.notice openvpn(vpn_home)[2466]: Network unreachable, restarting
Sun Mar  8 08:25:42 2026 daemon.notice openvpn(vpn_home)[2466]: SIGUSR1[soft,network-unreachable] received, process restarting
Sun Mar  8 08:25:42 2026 daemon.notice openvpn(vpn_home)[2466]: Restart pause, 1 second(s)
Sun Mar  8 08:25:43 2026 daemon.warn openvpn(vpn_home)[2466]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Mar  8 08:25:43 2026 daemon.notice openvpn(vpn_home)[2466]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:43 2026 daemon.notice openvpn(vpn_home)[2466]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sun Mar  8 08:25:43 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link local: (not bound)
Sun Mar  8 08:25:43 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:43 2026 daemon.err openvpn(vpn_home)[2466]: write UDPv4 []: Network unreachable (fd=5,code=128)
Sun Mar  8 08:25:43 2026 daemon.notice openvpn(vpn_home)[2466]: Network unreachable, restarting
Sun Mar  8 08:25:43 2026 daemon.notice openvpn(vpn_home)[2466]: SIGUSR1[soft,network-unreachable] received, process restarting
Sun Mar  8 08:25:43 2026 daemon.notice openvpn(vpn_home)[2466]: Restart pause, 1 second(s)
Sun Mar  8 08:25:44 2026 daemon.warn openvpn(vpn_home)[2466]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Mar  8 08:25:44 2026 daemon.notice openvpn(vpn_home)[2466]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:44 2026 daemon.notice openvpn(vpn_home)[2466]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sun Mar  8 08:25:44 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link local: (not bound)
Sun Mar  8 08:25:44 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:44 2026 daemon.err openvpn(vpn_home)[2466]: write UDPv4 []: Network unreachable (fd=5,code=128)
Sun Mar  8 08:25:44 2026 daemon.notice openvpn(vpn_home)[2466]: Network unreachable, restarting
Sun Mar  8 08:25:44 2026 daemon.notice openvpn(vpn_home)[2466]: SIGUSR1[soft,network-unreachable] received, process restarting
Sun Mar  8 08:25:44 2026 daemon.notice openvpn(vpn_home)[2466]: Restart pause, 2 second(s)
Sun Mar  8 08:25:46 2026 daemon.warn openvpn(vpn_home)[2466]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Mar  8 08:25:46 2026 daemon.notice openvpn(vpn_home)[2466]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:46 2026 daemon.notice openvpn(vpn_home)[2466]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sun Mar  8 08:25:46 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link local: (not bound)
Sun Mar  8 08:25:46 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:46 2026 daemon.err openvpn(vpn_home)[2466]: write UDPv4 []: Network unreachable (fd=5,code=128)
Sun Mar  8 08:25:46 2026 daemon.notice openvpn(vpn_home)[2466]: Network unreachable, restarting
Sun Mar  8 08:25:46 2026 daemon.notice openvpn(vpn_home)[2466]: SIGUSR1[soft,network-unreachable] received, process restarting
Sun Mar  8 08:25:46 2026 daemon.notice openvpn(vpn_home)[2466]: Restart pause, 4 second(s)
Sun Mar  8 08:25:50 2026 daemon.warn openvpn(vpn_home)[2466]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Mar  8 08:25:50 2026 daemon.notice openvpn(vpn_home)[2466]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:50 2026 daemon.notice openvpn(vpn_home)[2466]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sun Mar  8 08:25:50 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link local: (not bound)
Sun Mar  8 08:25:50 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:50 2026 daemon.err openvpn(vpn_home)[2466]: write UDPv4 []: Network unreachable (fd=5,code=128)
Sun Mar  8 08:25:50 2026 daemon.notice openvpn(vpn_home)[2466]: Network unreachable, restarting
Sun Mar  8 08:25:50 2026 daemon.notice openvpn(vpn_home)[2466]: SIGUSR1[soft,network-unreachable] received, process restarting
Sun Mar  8 08:25:50 2026 daemon.notice openvpn(vpn_home)[2466]: Restart pause, 8 second(s)
Sun Mar  8 08:25:58 2026 daemon.warn openvpn(vpn_home)[2466]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Mar  8 08:25:58 2026 daemon.notice openvpn(vpn_home)[2466]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:58 2026 daemon.notice openvpn(vpn_home)[2466]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sun Mar  8 08:25:58 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link local: (not bound)
Sun Mar  8 08:25:58 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:25:58 2026 daemon.err openvpn(vpn_home)[2466]: write UDPv4 []: Network unreachable (fd=5,code=128)
Sun Mar  8 08:25:58 2026 daemon.notice openvpn(vpn_home)[2466]: Network unreachable, restarting
Sun Mar  8 08:25:58 2026 daemon.notice openvpn(vpn_home)[2466]: SIGUSR1[soft,network-unreachable] received, process restarting
Sun Mar  8 08:25:58 2026 daemon.notice openvpn(vpn_home)[2466]: Restart pause, 16 second(s)
Sun Mar  8 08:26:14 2026 daemon.warn openvpn(vpn_home)[2466]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link local: (not bound)
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: TLS: Initial packet from [AF_INET]xx.xx.xx.xx:61951, sid=e4ff9900 0154c718
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: VERIFY OK: depth=1, CN=cn_HSPjtplMpuTTj9kz
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: VERIFY KU OK
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: Validating certificate extended key usage
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: VERIFY EKU OK
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: VERIFY X509NAME OK: CN=server_Yyp2Cp4AmPmQGb6x
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: VERIFY OK: depth=0, CN=server_Yyp2Cp4AmPmQGb6x
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ECprime256v1, signature: ecdsa-with-SHA256, peer temporary key: 253 bits X25519
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: [server_Yyp2Cp4AmPmQGb6x] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-128-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: Pushed option removed by filter: 'redirect-gateway def1 bypass-dhcp'
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: OPTIONS IMPORT: route-related options modified
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: OPTIONS IMPORT: tun-mtu set to 1500
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: TUN/TAP device tun0 opened
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: net_iface_mtu_set: mtu 1500 for tun0
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: net_iface_up: set tun0 up
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: net_addr_v4_add: 10.8.0.2/24 dev tun0
Sun Mar  8 08:26:14 2026 daemon.notice netifd: Interface 'openvpn' is enabled
Sun Mar  8 08:26:14 2026 daemon.notice openvpn(vpn_home)[2466]: /usr/libexec/openvpn-hotplug up vpn_home tun0 1500 0 10.8.0.2 255.255.255.0 init
Sun Mar  8 08:26:14 2026 daemon.notice netifd: Interface 'openvpn' has link connectivity
Sun Mar  8 08:26:14 2026 daemon.notice netifd: Interface 'openvpn' is setting up now
Sun Mar  8 08:26:15 2026 daemon.notice netifd: Interface 'openvpn' is now up
Sun Mar  8 08:26:15 2026 daemon.notice openvpn(vpn_home)[2466]: Initialization Sequence Completed
Sun Mar  8 08:26:15 2026 daemon.notice openvpn(vpn_home)[2466]: Data Channel: cipher 'AES-128-GCM', peer-id: 1
Sun Mar  8 08:26:15 2026 daemon.notice openvpn(vpn_home)[2466]: Timers: ping 10, ping-restart 120
Sun Mar  8 08:26:15 2026 daemon.notice openvpn(vpn_home)[2466]: Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
Sun Mar  8 08:26:15 2026 user.notice firewall: Reloading firewall due to ifup of openvpn (tun0)
Sun Mar  8 08:26:25 2026 user.notice pbr [4456]: Setting up routing for 'openvpn/tun0/10.8.0.2' [✓]
Sun Mar  8 08:26:27 2026 user.notice pbr [4456]: Routing 'Roland-Laptop-TalkTalk' via openvpn [✓]
Sun Mar  8 08:26:29 2026 user.notice pbr [4456]: Setting interface trigger for openvpn [✓]
Sun Mar  8 08:26:29 2026 user.notice pbr [4456]: pbr 1.2.2-r8 monitoring interfaces: 4G openvpn ox
Sun Mar  8 08:26:37 2026 user.notice pbr [4456]: pbr 1.2.2-r8 started with gateways: 4G/wwan0/10.159.246.49 [✓] openvpn/tun0/10.8.0.2 ox/tun1/0.0.0.0
Sun Mar  8 08:29:33 2026 daemon.notice openvpn(vpn_home)[2466]: [server_Yyp2Cp4AmPmQGb6x] Inactivity timeout (--ping-restart), restarting
Sun Mar  8 08:29:33 2026 daemon.notice openvpn(vpn_home)[2466]: SIGUSR1[soft,ping-restart] received, process restarting
Sun Mar  8 08:29:33 2026 daemon.notice openvpn(vpn_home)[2466]: Restart pause, 1 second(s)
Sun Mar  8 08:29:34 2026 daemon.warn openvpn(vpn_home)[2466]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Mar  8 08:29:34 2026 daemon.notice openvpn(vpn_home)[2466]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:29:34 2026 daemon.notice openvpn(vpn_home)[2466]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sun Mar  8 08:29:34 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link local: (not bound)
Sun Mar  8 08:29:34 2026 daemon.notice openvpn(vpn_home)[2466]: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:29:34 2026 daemon.notice openvpn(vpn_home)[2466]: TLS: Initial packet from [AF_INET]xx.xx.xx.xx:61951, sid=370a4d7a 0cb9156c
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: VERIFY OK: depth=1, CN=cn_HSPjtplMpuTTj9kz
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: VERIFY KU OK
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: Validating certificate extended key usage
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: VERIFY EKU OK
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: VERIFY X509NAME OK: CN=server_Yyp2Cp4AmPmQGb6x
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: VERIFY OK: depth=0, CN=server_Yyp2Cp4AmPmQGb6x
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ECprime256v1, signature: ecdsa-with-SHA256, peer temporary key: 253 bits X25519
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: [server_Yyp2Cp4AmPmQGb6x] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:61951
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 2,cipher AES-128-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: Pushed option removed by filter: 'redirect-gateway def1 bypass-dhcp'
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: OPTIONS IMPORT: route-related options modified
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: OPTIONS IMPORT: tun-mtu set to 1500
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: Preserving previous TUN/TAP instance: tun0
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: Initialization Sequence Completed
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: Data Channel: cipher 'AES-128-GCM', peer-id: 2
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: Timers: ping 10, ping-restart 120
Sun Mar  8 08:29:35 2026 daemon.notice openvpn(vpn_home)[2466]: Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt

That looks good, you have a connection, but what is missing is a route to the server. Normally you push that route from the server side, so in the server's OpenVPN config:

push "route <servers_subnet> 255.255.255.0 vpn_gateway"

For testing I would also disable PBR.

Thanks for having a look again @egc
Maybe I’m doing something wrong…

Added to the OpenVPN server.conf file:

push "route 10.8.0.0 255.255.255.0 vpn_gateway"

Restarted the service and reconnected all devices to OpenVPN.

This is my route from the router now:

root@OpenWrt:~# ip route show
default via 10.160.168.29 dev wwan0 proto static src 10.160.168.30
10.8.0.0/24 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.160.168.28/30 dev wwan0 proto kernel scope link src 10.160.168.30
192.168.11.0/24 dev br-lan proto kernel scope link src 192.168.11.1
192.168.22.0/24 dev phy0-ap1 proto kernel scope link src 192.168.22.1

There is now a new route pushed by the server, but still no success…

IP 10.8.0.1 is the OpenVPN server IP address.
IP 10.8.0.2 is the OpenVPN router IP address.

No, not the OpenVPN subnet but the subnet of the VPS.

If that does not help, the problem might be on your VPS.

I think I give up. Very strange things are going on.

After adding the suggested route to the server (with the VPS subnet), I can’t access my VPS anymore from any device in the router LAN. And the main problem still exists.

Next was to remove this again.

Just by testing: it’s possible to connect from the right side to the left side via VPN by using an SSH connection on port 22. Everything is fine.
Reminder: ping also works fine.

But why in hell not with port 80, or HTTP(S) access in general…
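As an added example (not code from the thread), here is a small route-table check that a practitioner would run before pushing "<servers_subnet>" through the tunnel. It parses the router's `ip route show` output posted above, does the same longest-prefix lookup the kernel does, and flags the case where the tunnel's own endpoint would be routed into the tunnel. The report above that adding the VPS subnet route cut off access to the VPS is consistent with exactly that routing loop. The VPS address is masked as xx.xx.xx.xx in the post, so 203.0.113.10 in 203.0.113.0/24 is an assumed placeholder.

```python
import ipaddress
import re

# Constructed input: the router's routing table exactly as posted above.
ROUTE_TABLE = """\
default via 10.160.168.29 dev wwan0 proto static src 10.160.168.30
10.8.0.0/24 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.160.168.28/30 dev wwan0 proto kernel scope link src 10.160.168.30
192.168.11.0/24 dev br-lan proto kernel scope link src 192.168.11.1
192.168.22.0/24 dev phy0-ap1 proto kernel scope link src 192.168.22.1
"""

# Assumed placeholder for the VPS public address, which the post masks as xx.xx.xx.xx.
VPS_ENDPOINT = "203.0.113.10"
# Assumed: the VPS sits in 203.0.113.0/24, i.e. this is "<servers_subnet>" from the advice
# above, as it would appear on the router after being pushed via the tunnel gateway.
VPS_SUBNET_ROUTE = "203.0.113.0/24 via 10.8.0.1 dev tun0"

ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")


def parse_routes(text):
    """Parse `ip route show` lines into {net, via, dev} entries."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append({"net": net, "via": m.group("via"), "dev": m.group("dev")})
    return routes


def lookup(routes, addr):
    """Longest-prefix match, the same selection the kernel makes (metrics ignored)."""
    a = ipaddress.ip_address(addr)
    matches = [r for r in routes if a in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen) if matches else None


def tunnel_endpoint_loops(routes, endpoint, tunnel_dev):
    """True when the tunnel's own remote endpoint would be sent through the tunnel,
    which means the encapsulated packets can never leave the box."""
    r = lookup(routes, endpoint)
    return r is not None and r["dev"] == tunnel_dev


if __name__ == "__main__":
    base = parse_routes(ROUTE_TABLE)
    for dst in ("10.8.0.1", "192.168.11.20", VPS_ENDPOINT):
        print(dst, "->", lookup(base, dst)["dev"])
    with_vps_route = base + parse_routes(VPS_SUBNET_ROUTE)
    print("endpoint loops after pushing the VPS subnet:",
          tunnel_endpoint_loops(with_vps_route, VPS_ENDPOINT, "tun0"))
```

With the table as posted, the VPS endpoint resolves to the 4G uplink (wwan0) and the LAN host to br-lan, so a route to 192.168.11.20 is not what is missing on the router side. Adding the VPS subnet via 10.8.0.1 moves the endpoint itself onto tun0, which is the loop the check reports.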

Got it now. No longer using OpenVPN but WireGuard now.

For somebody with the same problem, here are my configs.
Some changes compared to my original post: the VPN network is now 10.66.66.0/24.

On the VPS:

# cat /etc/wireguard/wg0.conf

[Interface]
# VPS end of the tunnel: first address of the VPN subnet, IPv4 plus a ULA IPv6 prefix
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 49318
PrivateKey = *****
# Let WireGuard handshake and data packets reach the listener
PostUp = iptables -I INPUT -p udp --dport 49318 -J ACCEPT
# Forward internet -> tunnel. This matches any packet, not only replies; a conntrack
# ESTABLISHED,RELATED rule would limit it to return traffic
PostUp = iptables -I FORWARD -i ens6 -o wg0 -j ACCEPT
# Forward tunnel -> anywhere, including peer to peer (wg0 -> wg0), which the mobile
# on the right side needs to reach the LAN on the left side
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
# Peers leaving towards the internet use the VPS public address
PostUp = iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
# Remove the same rules again when the interface goes down
PostDown = iptables -D INPUT -p udp --dport 49318 -j ACCEPT
PostDown = iptables -D FORWARD -i ens6 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o ens6 -j MASQUERADE

### Client router
[Peer]
PublicKey = *****
PresharedKey = *****
# AllowedIPs is both the route to this peer and the source filter for what it may send:
# the LAN prefix 192.168.11.0/24 must be listed here, otherwise replies from LAN hosts
# are dropped on arrival at the VPS
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128,192.168.11.0/24

### Client client-mobile (on the right side)
[Peer]
PublicKey = *****
PresharedKey = *****
# Only its own tunnel addresses: this peer cannot send packets with a LAN source
AllowedIPs = 10.66.66.3/32,fd42:42:42::3/128

The router’s configs:

# cat /etc/config/network

[...]
config interface 'wireguard'
        option proto 'wireguard'
        option private_key '*****'
        # Router end of the tunnel; must match the AllowedIPs of the router peer on the VPS
        list addresses '10.66.66.2/32'
        list addresses 'fd42:42:42::2/128'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option multipath 'off'
        option defaultroute '0'

config wireguard_wireguard
        option description 'wg0-client-router.conf'
        option public_key '*****'
        option preshared_key '*****'
        option endpoint_host 'xx.xx.xx.xx'
        option endpoint_port '49318'
        # 0.0.0.0/0 and ::/0: accept any inner source address coming from the VPS (the
        # mobile peer and anything the VPS forwards); 10.66.66.0/24 is already covered
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        list allowed_ips '10.66.66.0/24'
        option route_allowed_ips '1'
        # Keepalive so the router, behind 4G NAT, keeps the mapping open and shows as
        # connected on the VPS without first having to send LAN traffic
        option persistent_keepalive '25'


# cat /etc/config/firewall

[...]
config zone
        option name 'vpn'
        # input ACCEPT: every VPN peer may reach services on the router itself (LuCI, SSH)
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wireguard'

# Peers on the right side may reach the LAN on the left side (the HTTP case from above)
config forwarding
        option src 'vpn'
        option dest 'lan'

# Peers may also leave via the router's 4G uplink
config forwarding
        option src 'vpn'
        option dest 'wan'

# LAN clients may go out through the tunnel (PBR decides which ones)
config forwarding
        option src 'lan'
        option dest 'vpn'

There is one key point that is a bit weird. As soon as the router is connected to the VPN, it needs to have sent at least 1 byte, otherwise it does not show as “up” on the VPS.

For that I need to look for a solution with some “if-up” hook on OpenWrt. But this is not very urgent.
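As an added example (my code, not part of the configs posted above), this models WireGuard's cryptokey routing on the VPS for the two peers in the posted wg0.conf, IPv4 only. The point it shows: AllowedIPs is one table used in both directions. Outbound it selects the peer for a destination by longest prefix; inbound it rejects any decrypted packet whose inner source is not inside the sending peer's AllowedIPs. That is why 192.168.11.0/24 has to sit on the router peer, and why the mobile peer cannot spoof a LAN address. The peer names "router" and "mobile" are labels chosen here; WireGuard identifies peers by public key.

```python
import ipaddress

# Constructed from the posted VPS wg0.conf (IPv4 only).
PEERS = {
    "router": ["10.66.66.2/32", "192.168.11.0/24"],
    "mobile": ["10.66.66.3/32"],
}

# The same table with the LAN prefix missing from the router peer, to show what breaks.
PEERS_WITHOUT_LAN = {
    "router": ["10.66.66.2/32"],
    "mobile": ["10.66.66.3/32"],
}


def build_table(peers):
    """Flatten AllowedIPs into (network, peer) rows; one table serves both directions."""
    return [(ipaddress.ip_network(n), name) for name, nets in peers.items() for n in nets]


def egress_peer(table, dst):
    """Outbound from the VPS: encrypt to the peer whose AllowedIPs holds the longest
    prefix containing dst. None means no peer owns dst and the packet follows the
    VPS's normal routing table (here: out ens6, masqueraded)."""
    d = ipaddress.ip_address(dst)
    matches = [(net, name) for net, name in table if d in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def ingress_allowed(table, peer, src):
    """Inbound on the VPS: after decryption the inner source must lie inside the
    sending peer's AllowedIPs, otherwise WireGuard silently drops the packet."""
    s = ipaddress.ip_address(src)
    return any(s in net and name == peer for net, name in table)


def trace(peers, from_peer, src, dst):
    """Follow one packet across the VPS: ingress filter first, then egress selection.
    The posted FORWARD rule '-i wg0 -j ACCEPT' lets wg0 -> wg0 forwarding through."""
    table = build_table(peers)
    if not ingress_allowed(table, from_peer, src):
        return ("dropped", "src %s is not in AllowedIPs of %s" % (src, from_peer))
    nxt = egress_peer(table, dst)
    return ("forwarded", nxt) if nxt else ("forwarded", "ens6 (masqueraded)")


if __name__ == "__main__":
    # Mobile on the right side asks the Apache host on the left side.
    print(trace(PEERS, "mobile", "10.66.66.3", "192.168.11.20"))
    # The reply comes back from the LAN host through the router peer.
    print(trace(PEERS, "router", "192.168.11.20", "10.66.66.3"))
    # Same exchange with the LAN prefix missing: request leaks out to the
    # internet and the reply is dropped at the VPS.
    print(trace(PEERS_WITHOUT_LAN, "mobile", "10.66.66.3", "192.168.11.20"))
    print(trace(PEERS_WITHOUT_LAN, "router", "192.168.11.20", "10.66.66.3"))
    # A peer cannot send with an address it was not assigned.
    print(trace(PEERS, "mobile", "192.168.11.20", "10.66.66.1"))
```

The same filter applies on the router side: with 0.0.0.0/0 in the VPS peer's allowed_ips the router accepts any inner source from the VPS, which is what lets the mobile's 10.66.66.3 packets through, but also means the router trusts the VPS for every source address.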

That is not necessary if you comment/remove Table = off, because that prevents routing of the allowed IPs. It might be necessary in some cases, e.g. if you have 0.0.0.0/0 in allowed IPs but do not want a default route, but I do not see that here.

Because you forgot to set Persistent Keep Alive to 25 (option persistent_keepalive '25').
WireGuard Server Setup Guide
WireGuard Client Setup Guide

But great to hear you have got it working :+1:

@egc Thanks for the hints on both.

Did both recommendations:

  • Commented Table = off in the VPN server config and no longer set an additional route
    • Works
  • Added Persistent Keep Alive = 25 to the client config via LuCI
    • Works now as well. The interface comes up directly.

Side effect: as I’m using PBR (Policy Based Routing), this also works with WireGuard very well.
