OpenVPN bridge - no access to WAN IP of the VPN server

OpenVPN in bridge mode. LAN segments on the client and server routers are bridged. All devices use the server as default gateway. LAN and Internet access works.

Problem:
Devices on the client side cannot access the WAN IP address of the server. The packets are seen on the TAP interface of the client router, but dropped before reaching the server.

Change:
This used to work in r44653. The change that breaks this is between 2015-03-11 and 2017-07-21.

Questions:
How do I restore access to the WAN IP address of the OpenVPN server, which is the default gateway for all devices?
Is this a bug or an intentionally introduced change?

Thank you in advance for any help and ideas!

Out of curiosity, why are you utilizing TAP?

  • Nowadays, there are only a couple of reasons to utilize TAP over TUN: either Windows Servers which need to be accessed over the VPN that do not support WINS, or bridging; however, I wouldn't think you'd need to utilize TAP for bridging on OpenWrt since you can virtually bridge the ethernet and vpn interfaces via /etc/config/network
    • The latter is a supposition and not something I've tried, but I'd recommend giving it a shot, as TAP should be avoided unless absolutely necessary.

Please see Troubleshooting for your next post

Because a TAP bridge is very simple to maintain. I have 3 or 4 routers spread around the world. Zero setup on all devices connected to them. Everything is on the same network and uses the same gateway. I take a router with me, connect it to the Internet, and I'm home. Any protocol that requires broadcasts works. File sharing works. My iPhone will sync with iTunes even when I am in a different country.

I don't remember if I tried using TUN in the past. Are there any advantages, and isn't it for single host to network? What I need is network to network to network... No routing.

Do you want all connected devices, across all 4 routers, to be able to access each other and all broadcast traffic; and do you want all other non-vpn devices connected to those routers to be able to access each device and router using the VPN [vice versa]?

Yes. A distributed level 2 switch.

Then you want a TAP setup. As to your original question, please perform the troubleshooting steps [above link] for your next post.

Thank you, @JW0914 , here are the logs:

https://pastebin.com/Tvq2D3ta

suspect:
Tue Mar 13 21:28:39 2018 daemon.notice openvpn(site1_client_tcp)[4915]: Recursive routing detected, drop tun packet to [AF_INET]server_wan_ip.com:443
Tue Mar 13 21:28:40 2018 daemon.notice openvpn(site1_client_tcp)[4915]: Recursive routing detected, drop tun packet to [AF_INET]server_wan_ip.com:443
Tue Mar 13 21:28:40 2018 daemon.notice openvpn(site1_client_tcp)[4915]: Recursive routing detected, drop tun packet to [AF_INET]server_wan_ip.com:443
Tue Mar 13 21:28:40 2018 daemon.notice openvpn(site1_client_tcp)[4915]: Recursive routing detected, drop tun packet to [AF_INET]server_wan_ip.com:443

Let me recall that the ability to access the WAN IP of the VPN server was broken between 2015-03-11 and 2017-07-21. So this is something that can probably be fixed.

My workaround is to route traffic to the server WAN IP outside the secure VPN tunnel. Since I don't have secure services hosted there, it's not a big deal.
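The log lines quoted above are the whole diagnosis: the client-side OpenVPN process (instance site1_client_tcp) read a frame off its TAP device whose IP destination was the tunnel's own remote endpoint, and dropped it rather than encapsulate it towards the same address, which is what "Recursive routing detected" means. Note that OpenVPN prints "drop tun packet" even though the device here is a TAP bridge. The following is an added example, not code from the thread or from OpenVPN: a small parser that pulls these drops out of an OpenWrt syslog excerpt and counts them per instance and destination, so one can confirm that the dropped traffic really is aimed at the VPN server's WAN endpoint and not at something else. The sample log embeds the four lines from the post plus one constructed unrelated line; the field names and the `summarize` helper are this example's own.

```python
import re
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# OpenWrt syslog framing around an OpenVPN message:
#   <Www Mmm dd HH:MM:SS YYYY> <facility.level> openvpn(<uci instance>)[<pid>]: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<facility>[\w.]+) openvpn\((?P<instance>[^)]+)\)\[(?P<pid>\d+)\]: "
    r"(?P<msg>.*)$"
)

# OpenVPN's recursive-routing drop message. The word "tun" is hard-coded by
# OpenVPN and appears even when the device is a TAP interface, as in the
# thread. The address family tag is [AF_INET] or [AF_INET6]; the port is the
# last colon-separated field, so a greedy match on the host part is safe.
RECURSIVE_RE = re.compile(
    r"^Recursive routing detected, drop tun packet to "
    r"\[(?P<af>AF_INET6?)\](?P<dst>.+):(?P<port>\d+)$"
)


class RecursiveDrop(NamedTuple):
    timestamp: str
    instance: str
    pid: int
    family: str
    dst: str
    port: int


def parse_line(line: str) -> Optional[RecursiveDrop]:
    """Return a RecursiveDrop for a recursive-routing drop line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = RECURSIVE_RE.match(m.group("msg"))
    if not body:
        return None
    return RecursiveDrop(
        timestamp=m.group("ts"),
        instance=m.group("instance"),
        pid=int(m.group("pid")),
        family=body.group("af"),
        dst=body.group("dst"),
        port=int(body.group("port")),
    )


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, str, int], int]:
    """Count drops per (instance, destination host, port).

    If the only key that shows up is the VPN server's WAN endpoint, the
    packets being lost are exactly the LAN clients' attempts to reach the
    server's WAN IP through the bridge, which is the symptom in the thread.
    """
    counts: Counter = Counter()
    for line in lines:
        drop = parse_line(line)
        if drop is not None:
            counts[(drop.instance, drop.dst, drop.port)] += 1
    return dict(counts)


# Constructed sample: the four lines quoted in the post, plus one unrelated
# OpenVPN line (made up for this example) to show that it is ignored.
SAMPLE_LOG = [
    "Tue Mar 13 21:28:39 2018 daemon.notice openvpn(site1_client_tcp)[4915]: "
    "Recursive routing detected, drop tun packet to [AF_INET]server_wan_ip.com:443",
    "Tue Mar 13 21:28:40 2018 daemon.notice openvpn(site1_client_tcp)[4915]: "
    "Recursive routing detected, drop tun packet to [AF_INET]server_wan_ip.com:443",
    "Tue Mar 13 21:28:40 2018 daemon.notice openvpn(site1_client_tcp)[4915]: "
    "Recursive routing detected, drop tun packet to [AF_INET]server_wan_ip.com:443",
    "Tue Mar 13 21:28:40 2018 daemon.notice openvpn(site1_client_tcp)[4915]: "
    "Recursive routing detected, drop tun packet to [AF_INET]server_wan_ip.com:443",
    "Tue Mar 13 21:28:41 2018 daemon.notice openvpn(site1_client_tcp)[4915]: "
    "Initialization Sequence Completed",
]


if __name__ == "__main__":
    for (instance, dst, port), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{instance}: {n} packet(s) to {dst}:{port} dropped as recursive routing")
```

Run against `logread` output on the client router (`logread | python3 this_script.py` after swapping `SAMPLE_LOG` for `sys.stdin`); a steady stream of drops keyed only on the server's WAN address and port confirms that the LAN devices' packets are reaching the TAP interface and being discarded by OpenVPN itself, not by a firewall rule, which is what the author's "route it outside the tunnel" workaround sidesteps.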

@janecollen
I'm not sure if I want to forward all my traffic to any third party, introducing additional latency, and paying for something that I already have for free. Even if it is that cheap, it is an additional complication.