OpenVPN server: no access to local LAN

Hello all,
I have an ALIX 2d13 with OpenWrt 17.01.4 configured as a switch (no WAN; all 3 Ethernet ports in a bridge, getting a DHCP lease from my router on
I have installed the OpenVPN server following the wiki at
Everything works except that I cannot access my local LAN when connecting from outside.
On the 15.05 CC release everything worked correctly following the old wiki at, configured in TAP-bridge mode, which now seems to be deprecated.
Can anyone suggest a solution?
Thank you

First, your remote lan should be something obscure like 192.168.40.X. It will not work if the remote LAN and the client's local LAN are the same subnet.

Your basic fully bridged TAP server would look something like this:

--- /etc/config/openvpn
config openvpn 'myvpn'
	option enabled '1'
	option verb '3'
	option proto 'udp'
	option port '1194'
	option dev 'tap'
	option mode 'server'
	option tls_server '1'
	option script_security '2'
# pass DHCP thru all the way to the client
	list push 'redirect-gateway def1 bypass-dhcp'
# with only one client, of course this doesn't mean anything.  With more than one you may want it.
#	option client_to_client '1'
	option keepalive '10 120'
	option ca '/etc/openvpn/wca.crt'
	option cert '/etc/openvpn/wserver.pem'
	option key '/etc/openvpn/wserver.key'
	option dh '/etc/openvpn/dh4096.pem'
	option up '/etc/openvpn/'

--- /etc/openvpn/
#!/bin/sh
# OpenVPN runs this 'up' script after it has opened the TAP device
# (requires script_security 2 in the server config above).
ip link set tap0 up
brctl addif br-lan tap0

The OpenVPN config of the client is straightforward. Make sure the 'client' and 'tap' are selected, and you have some matching certificates.

It is much better, and likely more secure to create your certificates using some GUI on a desktop (e.g. gnoMint) than to try to build them on OpenWrt.

At the client, create another network to bridge the VPN tunnel. You can add a wired or wifi interface to this network, and it will act exactly like it is plugged into the remote network, including access to all LAN machines and gatewaying to the Internet through the remote's ISP.

--- /etc/config/network
config interface 'vpnuser'
	option type 'bridge'
	option ifname 'eth1.2 tap0'
	option proto 'dhcp'
	option hostname 'some-name'
# Do not have the router try to reach the Internet via the VPN;
# that cannot work, since the VPN client needs to reach the Internet.
	option defaultroute '0'

The last line is the trick. The client will own two IP addresses, one in its LAN and one in the remote LAN. However, OpenVPN itself running on the router must use the local LAN to reach the Internet. Disabling the client's default route prevents the client router's own Internet connection from breaking. But machines that are plugged into eth1.2 (in this case) will DHCP everything from the remote, including their default gateway, so their Internet access is through the remote.
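As an added check that is not part of this thread, the script below parses a UCI section in the /etc/config/openvpn format shown in the reply, reports settings a bridged TAP server cannot do without, and tests the subnet-overlap condition mentioned at the start of the reply. The sample config and the /etc/openvpn/up.sh path in it are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample mirroring the reply's server config; the up script
# path is a placeholder, and the '#' line shows a commented-out option.
SAMPLE_UCI = """
config openvpn 'myvpn'
	option enabled '1'
	option dev 'tap'
	option tls_server '1'
	option script_security '2'
	list push 'redirect-gateway def1 bypass-dhcp'
#	option client_to_client '1'
	option up '/etc/openvpn/up.sh'
"""

_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci(text):
    """Return {section_name: {key: [values]}}; '#' comment lines are skipped."""
    sections, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparsable UCI line: {line!r}")
        kind, key, val = m.groups()
        if kind == "config":
            cur = sections.setdefault(val or key, {})
        elif cur is None:
            raise ValueError("option/list before any config stanza")
        else:
            cur.setdefault(key, []).append(val)
    return sections

def audit_bridged_tap(section):
    """List what a bridged-TAP server section still lacks (empty list = ok)."""
    problems = []
    if section.get("dev") != ["tap"]:
        problems.append("dev must be 'tap' to bridge at layer 2")
    if not section.get("up"):
        problems.append("no 'up' script, so the TAP device never joins br-lan")
    if int(section.get("script_security", ["0"])[0]) < 2:
        problems.append("script_security must be >= 2 for the up script to run")
    return problems

def lans_collide(client_lan, remote_lan):
    """True when the client's LAN overlaps the remote LAN, which breaks bridging."""
    return ipaddress.ip_network(client_lan).overlaps(ipaddress.ip_network(remote_lan))
```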