OpenVPN at OpenWRT does not work for LAN nodes which are also connected as VPN clients

OpenWRT router runs the OpenVPN server.

We want: As long as a node has either LAN or VPN access (or both) to be able to access all other nodes in LAN and all other nodes in VPN.

We have the following networks:

  • WAN: with router at
  • LAN: with router at
  • VPN: with router at

Some nodes in the LAN are also connected to VPN. Therefore they have 2 IP addresses: 10.100.0.x and 10.110.0.x. Some other LAN nodes are not connected to VPN and have only the LAN IP.

Additionally the OpenVPN server has been configured with the option:
list push "route"
This adds an entry in the routing table of the VPN clients that routes the traffic towards the LAN of the VPN server via the VPN server ( and not via their gateway. This is needed by the VPN road warriors.


We have the following configuration:

Node LAN IP VPN IP Description
Router Router & VPN server
A NO LAN node without VPN connection
B LAN node with VPN connection
C NO VPN road warrior

We want all nodes to be able to access each other.

This is the connectivity table among the nodes. Each cell shows if the node in row can ping the IP in the column.

A ( B ( B ( C (
C Y N <--- Y Y

There is no connectivity from a VPN road warrior to the LAN interface of a node which is connected both to the LAN and to VPN. However if the LAN node is disconnected from the VPN then the VPN road warrior can access the LAN IP.

I'm not exactly sure why you would need to have the device on the LAN connected to the VPN, given that the VPN server seems to be running on the same router that is controlling the LAN. There would seem to be no gain here, but maybe I'm missing something.

That said, you probably can't reach the LAN interface of that host because the OpenVPN environment is likely rewriting the routing table to push all traffic through the tunnel so it won't respond via the LAN interface.

You might be able to get it to work by addressing that device using the OpenVPN provided VPN address. To do this, you may need to enable the client-to-client directive.

1 Like