OpenVPN - TAP working client to client - But cannot ping router's LAN IP

Hi,

I've got a VPN in TAP mode between two routers.
The clients on both ends can ping each other which is great.

10.0.0.1 / 192.168.80.50 - Router A - VPN Server
10.0.0.2 / 192.168.80.52 - Router B - VPN Client

However, I cannot communicate between (a client on Router A) and the opposite router's LAN IP, for example 192.168.80.52, and vice versa.

tcpdump shows that when pinging the opposite router, no traffic goes across the TAP interface.
When I ping an opposite client, this does go across the TAP interface.

Am I missing something?

Server

config openvpn 'OpenVPN_Server'
        option dev 'tap'
        option ca '/etc/luci-uploads/cbid.openvpn.OpenVPN_Server.ca'
        option dh '/etc/luci-uploads/cbid.openvpn.OpenVPN_Server.dh'
        option cert '/etc/luci-uploads/cbid.openvpn.OpenVPN_Server.cert'
        option key '/etc/luci-uploads/cbid.openvpn.OpenVPN_Server.key'
        option keepalive '10 120'
        option enabled '1'
        option client_to_client '1'
        option verb '5'
        option server_bridge '192.168.80.60 255.255.255.0 192.168.80.70 192.168.80.80'
        list push 'dhcp-option DNS 8.8.8.8'


config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.80.50'
        option gateway '10.0.0.1'
        option ifname 'eth0.1 tap0'


config interface 'wan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ifname 'eth0.2'
        option ipaddr '10.0.0.1'

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0.2
192.168.80.0    *               255.255.255.0   U     0      0        0 br-lan

Client

config openvpn 'OpenVPN_Client'
        option persist_key '1'
        option keepalive '10 120'
        option ca '/etc/luci-uploads/cbid.openvpn.OpenVPN_Client.ca'
        option cert '/etc/luci-uploads/cbid.openvpn.OpenVPN_Client.cert'
        option key '/etc/luci-uploads/cbid.openvpn.OpenVPN_Client.key'
        option enabled '1'
        option verb '5'
        option persist_tun '1'
        option client '1'
        option pull '1'
        list remote '10.0.0.1'
        option nobind '1'
        option dev 'tap'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.80.52'
        option gateway '10.0.0.2'
        option ifname 'eth0.1 tap0'

config interface 'wan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ifname 'eth0.2'
        option ipaddr '10.0.0.2'

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0.2
192.168.80.0    *               255.255.255.0   U     0      0        0 br-lan

Don't use gateway option in the lan interface.
Are the hosts in client lan able to get dhcp settings from server side dhcp server or are you using static IPs?

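As an added example (not from this thread), a small lint for an OpenWrt /etc/config/network that reports the setting the reply above points at: an `option gateway` inside the bridged `lan` section. The sample config is constructed from the server-side network config posted above, and the corrected copy is the same text with that line removed.

```shell
#!/bin/sh
# Added example, not from the thread: lint an OpenWrt /etc/config/network
# for an 'option gateway' inside the bridged 'lan' interface section, the
# setting the reply above says to drop. Reads UCI text on stdin and prints
# one "<section> <gateway>" line per offending section (nothing if clean).
lint_lan_gateway() {
    awk -v q="'" '
        function strip(s) { gsub(q, "", s); return s }
        function flush() {
            if (sec != "" && (sec == "lan" || is_bridge) && gw != "") print sec, gw
        }
        $1 == "config" && $2 == "interface" { flush(); sec = strip($3); is_bridge = 0; gw = "" }
        $1 == "config" && $2 != "interface" { flush(); sec = "" }
        $1 == "option" && $2 == "type" && strip($3) == "bridge" { is_bridge = 1 }
        $1 == "option" && $2 == "gateway" { gw = strip($3) }
        END { flush() }
    '
}

# Constructed from the server-side network config posted above: the lan
# bridge carries a gateway, the wan does not.
BEFORE="config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.80.50'
        option gateway '10.0.0.1'
        option ifname 'eth0.1 tap0'

config interface 'wan'
        option proto 'static'
        option ifname 'eth0.2'
        option ipaddr '10.0.0.1'"

# The same config with the lan gateway removed, as the reply recommends.
AFTER=$(printf '%s\n' "$BEFORE" | grep -v "option gateway")

lint_before() { printf '%s\n' "$BEFORE" | lint_lan_gateway; }
lint_after()  { printf '%s\n' "$AFTER"  | lint_lan_gateway; }

# Run directly: the first call reports "lan 10.0.0.1", the second nothing.
lint_before
lint_after
```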
I've taken the gateway out as you said.

Yes I can get an IP from the Server side.

It just seems the Server LAN IP is blocked for the Tap device. But the clients of the server are fine, can be pinged. Quite strange.

Let me get it straight.
Clients from Router A LAN can ping clients from Router B LAN and vice versa.
But clients from router B cannot ping Router A IP 192.168.80.50?
How about router A clients? Can they ping Router B IP 192.168.80.52?

That is right.

And no, Router A clients can't ping Router B IP.

Does the ping reach the router?
Is there any response sent back? From the right interface?
Anything interesting in the logs as being blocked/dropped?

See also:

tcpdump -n -i any icmp

So tcpdump shows:

Ping | Client on A ----> Router B - The ping hits Router A only, never reaches Router B.

Strange, I'll have to workaround it.