OpenWrt/LEDE as OpenVPN client, issues with inbound VPN traffic

Hello everyone,

I'm an old-time OpenWRT user (back from the White Russian days) and fairly experienced with OpenVPN and iptables. Right now I'm running LEDE 17.01.4 on my home router which, among other things, acts as an (Open)VPN client. I've been using this setup for several years already, but lately I came across a different scenario which I hadn't needed before.

Like I just mentioned, my router is set up as an OpenVPN client with one of my remote servers. In the past I've always needed to access resources available behind the VPN from my LAN, so the traffic has always been outbound first. However, this time around I need to access my home router from my remote server (long story short, I have a USB cellular modem attached to my router which I need to send SMS alerts from my server). When the VPN connection is first established I can connect from the server to the router through the VPN and the other way around. However, after a couple of minutes with no traffic, I can no longer initiate an inbound connection this way, even though the VPN is still up. As soon as I initiate another outbound connection through the VPN (be it a ping, ssh or whatever) I can again make inbound connections.

As I mentioned before I am fairly experienced with iptables (and networking in general) but I believe this might be an edge case where the custom fw3 zones, chains and rules are getting in the way. Right now I have two options: I can get rid of fw3 and just use a 'manual' iptables setup, or try to fix it the proper way. During my tests the first option worked fine, but I would rather keep things the OpenWRT way, if possible.

Here's a copy of my /etc/config/network, openvpn and firewall files, along with the output from iptables:

# cat /etc/config/network 

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9b:06a9:9ddc::/48'

config interface 'lan'
	option ifname 'eth0.1'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.6.1'

config interface 'wan'
	option ifname 'eth1'
	option _orig_ifname 'eth1'
	option _orig_bridge 'false'
	option proto 'pppoe'
	option username 'xxxx'
	option password 'xxxx'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option blinkrate '2'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_port
	option device 'switch0'
	option port '1'
	option led '6'

config switch_port
	option device 'switch0'
	option port '2'
	option led '9'

config switch_port
	option device 'switch0'
	option port '5'
	option led '2'

config interface 'vpn'
	option proto 'none'
	option ifname 'tun0'
	option auto '1'

config interface 'alias'
	option ifname 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.254'
	option netmask '255.255.255.0'

Nothing fancy here:

# cat /etc/config/openvpn 

config openvpn 'remotevpn'
	option config '/etc/openvpn/server.conf'
	option enabled '1'

# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'vpn'
	list device 'tun+'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_port '1194'
	option proto 'udp'
	option name 'Redirect UDP port 443 to OpenVPN'
	option target 'DNAT'
	option reflection '1'

config rule
	option target 'ACCEPT'
	option name 'Allow OpenVPN'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option enabled '1'

config forwarding
	option dest 'vpn'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vpn'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

My /etc/firewall.user file is empty. Here's the output from iptables:

# iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
2      859  126K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for input */
3      578 54161 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
4        8   328 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
5      261 70263 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
6        0     0 zone_vpn_input  all  --  tun+   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
7       18  1254 zone_wan_input  all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     103K   86M forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding */
2     103K   86M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
3      219 26395 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
4        0     0 zone_vpn_forward  all  --  tun+   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
5        0     0 zone_wan_forward  all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
6        0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
2      868  250K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for output */
3      373 65733 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
4      379  176K zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
5        0     0 zone_vpn_output  all  --  *      tun+    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
6      116  7895 zone_wan_output  all  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain MINIUPNPD (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.6.249        udp dpt:5353

Chain forwarding_lan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_vpn_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain input_vpn_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain output_vpn_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain reject (3 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       16   648 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
2        2   606 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        8   328 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_dest_ACCEPT (3 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      379  176K ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      219 26395 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding */
2      219 26395 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: forwarding lan -> vpn */
3      219 26395 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: forwarding lan -> wan */
4        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
5        0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      261 70263 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for input */
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
3      261 70263 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      379  176K output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for output */
2      379  176K zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      261 70263 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_vpn_dest_ACCEPT (3 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  *      tun+    0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
2        0     0 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_vpn_forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 forwarding_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding */
2        0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: forwarding vpn -> lan */
3        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
4        0     0 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_vpn_input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 input_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for input */
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
3        0     0 zone_vpn_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_vpn_output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 output_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for output */
2        0     0 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_vpn_src_ACCEPT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       49  2392 DROP       all  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
2      286 31898 ACCEPT     all  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 reject     all  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 MINIUPNPD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2        0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding */
3        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
4        0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       18  1254 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for input */
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: Allow-Ping */
4        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 /* !fw3: Allow OpenVPN */
5        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
6       18  1254 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      116  7895 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for output */
2      116  7895 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       18  1254 reject     all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

# iptables -t nat -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT 153 packets, 14389 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      308 30719 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */
2      290 29305 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
3        0     0 zone_vpn_prerouting  all  --  tun+   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
4       12  1014 zone_wan_prerouting  all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 61 packets, 4390 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 73 packets, 5023 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      293 28391 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */
2        2   458 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
3        0     0 zone_vpn_postrouting  all  --  *      tun+    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
4      291 27933 zone_wan_postrouting  all  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain MINIUPNPD (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353 to:192.168.6.249:5353

Chain MINIUPNPD-POSTROUTING (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_lan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_vpn_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_vpn_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_postrouting (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        2   458 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */

Chain zone_lan_prerouting (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      290 29305 prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */

Chain zone_vpn_postrouting (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 postrouting_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */
2        0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_vpn_prerouting (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 prerouting_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */

Chain zone_wan_postrouting (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      291 27933 MINIUPNPD-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2      291 27933 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */
3      291 27933 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       11   854 MINIUPNPD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2       12  1014 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */
3        0     0 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443 /* !fw3: Redirect UDP port 443 to OpenVPN */ redir ports 1194

# iptables -t mangle -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT 111K packets, 92M bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 1147 packets, 155K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 110K packets, 92M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      145  8928 TCPMSS     tcp  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: wan (mtu_fix) */ TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 1082 packets, 306K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 111K packets, 92M bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Thank you for your time and please excuse me in advance for the length of my (first) post, but I wanted to give as much relevant info as possible.

Can you elaborate on why you came to this conclusion? AFAIK the firewall gets reloaded pretty quickly after the VPN connection, it shouldn't take a few minutes for the new rules to take effect.

Could it be something like the OpenVPN keepalive issue? Would this thread help?

It's a guess more than a conclusion. It has nothing to do with OpenVPN keepalive (which was in fact my first hunch and I tried enabling/disabling it and with different values) - the VPN connection is actually up, but I cannot initiate any 'new' connections from the server to the router through the VPN unless I first start a new connection the other way around, which happens instantly. There's no need for the VPN to reconnect.

The reason I suspect it's more of a side effect of fw3's underlying iptables rules is that it seems to match 'related' and 'established' connections, and if I get rid of the rules under the reject table it works immediately as intended (of course, this being far from ideal).

Ok, so I was able to solve this with the help of a friend via Twitter.

If I flush the reject chain then the connection works as expected. So I was advised to add a LOG target rule in that chain, which revealed that packets coming from the VPN server through the WAN interface and originating on port 1194/udp (OpenVPN) were being rejected:

iptables -I reject 1 -p udp -j LOG --log-prefix "iptables reject: "

And the log produced:

[345291.019827] iptables reject: IN=pppoe-wan OUT= MAC= SRC=x.x.x.x DST=y.y.y.y LEN=160 TOS=0x00 PREC=0x00 TTL=49 ID=2897 DF PROTO=UDP SPT=1194 DPT=46254 LEN=140 
[345292.021097] iptables reject: IN=pppoe-wan OUT= MAC= SRC=x.x.x.x DST=y.y.y.y LEN=160 TOS=0x00 PREC=0x00 TTL=49 ID=2934 DF PROTO=UDP SPT=1194 DPT=46254 LEN=140 
[345293.022340] iptables reject: IN=pppoe-wan OUT= MAC= SRC=x.x.x.x DST=y.y.y.y LEN=160 TOS=0x00 PREC=0x00 TTL=49 ID=2957 DF PROTO=UDP SPT=1194 DPT=46254 LEN=140 

Now, as far as I understand it, these connections should be tracked as related or established by the ctstate/conntrack modules, but for some reason they are not. So I ended up adding an exception rule to the input_wan_rule chain (which I added to /etc/firewall.user):

iptables -A input_wan_rule -p udp --sport 1194 -j ACCEPT

Even though I managed to solve this particular problem, it would be nice to try to know why it's happening in the first place, and if it's part of the system firewall intended behavior.
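The LOG lines quoted above and the exception rule that followed, as an added example that is not part of the original thread: a small Python helper (meant for a workstation reading collected logread output, not for the router itself) that parses the kernel LOG format, separates genuine replies from the configured OpenVPN server from unrelated WAN noise or any other host sending from source port 1194, and emits the equivalent of the `input_wan_rule` exception as an /etc/config/firewall stanza narrowed to that one server. The sample log lines, the addresses (RFC 5737 documentation ranges) and the rule name are constructed; the fw3 option names used (src, src_ip, src_port, proto, target, family) are standard rule options.

```python
import re
from ipaddress import ip_address

# The post used: iptables -I reject 1 -p udp -j LOG --log-prefix "iptables reject: "
LOG_PREFIX = "iptables reject: "
# KEY=VALUE tokens of the kernel LOG format (bare flags such as DF or SYN carry no '=')
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")

# Constructed sample, modelled on the three lines quoted in the thread:
# two OpenVPN replies from the server, one unrelated TCP probe, and one UDP
# packet from a different host that merely uses source port 1194.
SAMPLE_LOG = """\
[345291.019827] iptables reject: IN=pppoe-wan OUT= MAC= SRC=203.0.113.10 DST=198.51.100.7 LEN=160 TOS=0x00 PREC=0x00 TTL=49 ID=2897 DF PROTO=UDP SPT=1194 DPT=46254 LEN=140
[345292.021097] iptables reject: IN=pppoe-wan OUT= MAC= SRC=203.0.113.10 DST=198.51.100.7 LEN=160 TOS=0x00 PREC=0x00 TTL=49 ID=2934 DF PROTO=UDP SPT=1194 DPT=46254 LEN=140
[345300.500000] iptables reject: IN=pppoe-wan OUT= MAC= SRC=192.0.2.99 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[345301.000000] iptables reject: IN=pppoe-wan OUT= MAC= SRC=192.0.2.50 DST=198.51.100.7 LEN=160 TOS=0x00 PREC=0x00 TTL=49 ID=77 DF PROTO=UDP SPT=1194 DPT=46254 LEN=140
"""


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None when the
    line does not carry our prefix. LEN= appears twice (IP header, then UDP
    header); the first occurrence is kept."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line[idx + len(LOG_PREFIX):]):
        fields.setdefault(key, value)
    return fields


def classify_reject(fields, vpn_server, wan_ifname="pppoe-wan", vpn_port=1194):
    """Label one rejected packet:
    'vpn-reply'  - UDP from the configured server's port 1194 arriving on WAN,
                   i.e. the traffic the thread found rejected once conntrack
                   no longer considered the UDP flow ESTABLISHED;
    'spoof-port' - UDP with source port 1194 but from some other address, which
                   a bare '--sport 1194 -j ACCEPT' on input_wan_rule would also admit;
    'other'      - anything else (ordinary WAN noise hitting the reject chain)."""
    if fields.get("IN") != wan_ifname or fields.get("PROTO") != "UDP":
        return "other"
    if fields.get("SPT") != str(vpn_port):
        return "other"
    if ip_address(fields["SRC"]) == ip_address(vpn_server):
        return "vpn-reply"
    return "spoof-port"


def summarize(log_text, vpn_server):
    """Count rejected packets per class over a block of log text."""
    counts = {"vpn-reply": 0, "spoof-port": 0, "other": 0}
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        counts[classify_reject(fields, vpn_server)] += 1
    return counts


def fw3_exception_rule(vpn_server, vpn_port=1194):
    """Return an /etc/config/firewall stanza equivalent to the thread's
    'iptables -A input_wan_rule -p udp --sport 1194 -j ACCEPT', restricted to
    the one peer that legitimately answers from that port (rule name is
    an assumption; the option names are standard fw3 rule options)."""
    return "\n".join([
        "config rule",
        "\toption name 'Allow-OpenVPN-Reply'",
        "\toption src 'wan'",
        f"\toption src_ip '{ip_address(vpn_server)}'",
        "\toption proto 'udp'",
        f"\toption src_port '{vpn_port}'",
        "\toption family 'ipv4'",
        "\toption target 'ACCEPT'",
    ])


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "203.0.113.10"))
    print(fw3_exception_rule("203.0.113.10"))
```

The stanza goes in /etc/config/firewall and takes effect after `/etc/init.d/firewall reload`, replacing the broader `--sport 1194` line in /etc/firewall.user.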