OpenWrt 22.03 on RPi3b VPN client in DHCP network

I would like to use OpenWrt on an RPi3b which is set to DHCP on a Fastweb router.

Fastweb router, main gateway ( -> OpenWrt ( IP in LAN.

On OpenWrt I have installed an IPsec VPN going to my Fritz!Box (external IP 151........).

Proceeding with a first configuration, I saw that all the traffic, including internet traffic, passed, but I could not ping the hosts, not even the host of the Fritz!Box network ( - gateway (

Then I added a first static route:
From the OpenWrt console:
Ping from (openwrt) to (gateway fritzbox)
Ping is OK with this route ( interface vpn-vpn2 none 0 main ).

Now I would like to ping from a PC on the network (e.g. to the network, e.g. I want to ping the Fritz!Box gateway (

I have added a route on Windows (command line: route add mask (gw openwrt)),
but ping does not work.
1 8 ms 6 ms 2 ms OPENWRT []
2 * * * Request timed out.
The traceroute is correct because without the route on Windows it is:
Traceroute to over a max 30 ....
1 1 ms 1 ms 3 ms FASTGATE []

I don't understand why, if I ping from the OpenWrt console to or host e.g. it is OK,
but if I ping from a PC on network to (with the route added on Windows) it does not work.

I think that I am missing a route on the router; can anyone help me, please?

I have added all the info in the image.

Thanks a lot for the help.

When using the OpenWrt console, the "real" source IP address is not but and therefore you can ping network.

You need to create a static route in the fritzbox.

ip route add via dev ...

The other way would be to hide the traffic leaving the vpn-vpn2 interface behind by enabling masquerading in the openvpn zone.


Wow, I have activated the masquerade flag from the Firewall tab and now it works.

So the return route was missing?

How does masquerade work, so that it doesn't need the return route?

Thanks so much for help.

The main disadvantage is that it will cost extra CPU load (to rewrite packet headers) and you won't be able to access devices on network from network unless you create port forwarding rules.


Thanks a lot for information.

When I try to add the route on the Fritz!Box I get this error:


I can't put the same IP that is in my network. If I put as gateway it works, because the IP is not used in the network.

I don't know if it is incompatible with the VPN IP on the Fritz!Box.

Sorry, I can't help you with that.

It's Fritz!Box specific and it seems you are not the only one experiencing such a problem.

Ah, OK, thanks.
If I want (as you said before) to ping from a PC on network e.g. -> I have put a static route on the server: via dev eth0

but it does not work, even with masquerade enabled. Is it normal? Do you know if there is any workaround?

For two-way communication, you need to disable masquerading on the openvpn firewall zone of the OpenWrt router and create a static route in the Fritz!Box.

Apparently the second is not possible, so your options are limited to keep masquerading in the openvpn zone enabled.

Thus, all devices on network will have access to all devices on network.

As I said before, for communication -> you need to create separate port forwarding (DNAT) rules, which is quite restrictive.

Let's say is hosting a web server and you want to access it from network
You should create a DNAT rule that looks like this:

config redirect
        option target 'DNAT'
        option name 'HTTP'
        list proto 'tcp'
        option src 'openvpn'
        option dest 'lan'
        option src_dport '8080'
        option dest_port '80'
        option dest_ip ''

Then if you initiate an HTTP request from network to it will be forwarded to

Ping from to will not work and there is no workaround.

BTW (your primary router) also needs a static route to network.
If you can do this, you don't need to create individual routes on each lan host.

I understand, all clear. I was thinking: if I set on a PC (e.g. a static route via shouldn't that work?

I am doing a test but it does not work.
From PC I ping .
But if I try to ping there is no response.

Where is the logic error?

If is the router LAN IP address, the default policy for the INPUT chain is set to ACCEPT (as in the screenshot you posted) and the routing table of host is correct, it should work.

Run tcpdump on the router to monitor icmp traffic.

opkg update; opkg install tcpdump; tcpdump -nnqti any icmp
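As an added example (not part of the thread), here is the check the tcpdump command above lets you make, done on captured lines: every echo request is paired with the reply that carries the same id/seq with the addresses swapped. The sample lines are constructed in the format of `tcpdump -nnqti any icmp`, with the same placeholder addresses used elsewhere on this page (192.168.1.10 for a LAN PC, 192.168.29.202 for a host behind the Fritz!Box); they are not the thread's real addresses.

```python
"""Pair ICMP echo requests with replies in tcpdump output.
Sample lines are constructed in the format of `tcpdump -nnqti any icmp`."""
import re

ECHO = re.compile(r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
                  r"id (?P<id>\d+), seq (?P<seq>\d+)")

# Constructed sample: the LAN -> Fritz flow is answered once, the reverse flow never is.
SAMPLE = """\
IP 192.168.1.10 > 192.168.29.202: ICMP echo request, id 57047, seq 1, length 64
IP 192.168.29.202 > 192.168.1.10: ICMP echo reply, id 57047, seq 1, length 64
IP 192.168.1.10 > 192.168.29.202: ICMP echo request, id 57047, seq 2, length 64
IP 192.168.29.202 > 192.168.1.10: ICMP echo request, id 1201, seq 1, length 64
IP 192.168.29.202 > 192.168.1.10: ICMP echo request, id 1201, seq 2, length 64
""".splitlines()


def match_echoes(lines):
    """Return {(id, seq): {"src", "dst", "answered"}} for every request seen, in order.
    A reply counts only if it carries the same id/seq with the addresses swapped."""
    flows = {}
    for line in lines:
        m = ECHO.search(line)
        if not m:
            continue                       # not an echo line (e.g. other ICMP types)
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            flows.setdefault(key, {"src": m["src"], "dst": m["dst"], "answered": False})
        elif key in flows and (flows[key]["src"], flows[key]["dst"]) == (m["dst"], m["src"]):
            flows[key]["answered"] = True
    return flows


def summary(lines):
    """Per (src, dst) pair: (requests seen, replies seen).
    Requests without replies: the router sees the packet but nothing comes back
    (a missing return route on the far side). A pair missing entirely: the packets
    never reach the router at all."""
    out = {}
    for f in match_echoes(lines).values():
        req, rep = out.get((f["src"], f["dst"]), (0, 0))
        out[(f["src"], f["dst"])] = (req + 1, rep + int(f["answered"]))
    return out


if __name__ == "__main__":
    for (src, dst), (req, rep) in summary(SAMPLE).items():
        print(f"{src} -> {dst}: {req} requests, {rep} replies")
```

Read the two numbers together: a flow with requests but no replies points at the return path (the case the masquerade fix addressed), while a flow that never shows up in the capture means the packets are not even arriving at the router, which is what the later PC2 test in this thread ran into.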

Hi Pavel,
I am trying to do some tests. The first thing I am trying is to disable masquerade on OpenWrt.
I think that to do the test you indicate I must first make sure to deactivate the masq.
So I was planning to do the following tests:

Test 1:
VPN is up -> IP
From the OpenWrt console, route print:

62.x.x.x via dev br-lan proto static
 dev br-lan proto kernel scope link src
 via dev vpn-vpn2 proto static

Ping from the OWrt console 1.0/24 -> 29.0/24 is OK.

Test 2: now test from a PC on LAN 1.0 to 29.0.

I have tried 2 types of route test:
Route test 1: mask (so I can tell the PC which route to take to arrive at 29.202) mask

This config works with masquerade enabled on the OpenWrt router.

Route test 2: (it does not work either with or without masquerade) mask mask

Why does the second route not work?

On network on PC2 I have added this route: via dev eth0 proto static

but I see that the route is not correct because:

If I ping from PC2 -> the ping is OK.
If I ping (the OpenWrt IP) there is no response and I don't see anything coming in tcpdump.

When I ping from to:
IP > ICMP echo request, id 57047, seq 1, length 64
IP > ICMP echo reply, id 57047, seq 1, length 64
The test is correct, I see the response.

If I ping from PC2 ->

no traffic comes
and the traceroute is this:

1 ( 0.393 ms 0.768 ms 0.929 ms
2 151.X.X.X 9.962 ms 9.895 ms 9.947 ms
3 151.X.X.X 9.880 ms 13.698 ms 13.683 ms
4 151 ....... 12.928 ms

I think that I need to force the route to and not go to 29.1 -> go external, right?

PS: I have also contacted AVM Support; this is the result:


Dear Mr Gennaro,

Thank you for your request to AVM support.

If I understand correctly, you have configured a VPN on the FRITZ!Box and want to use the IP of the VPN in question as a gateway for a static route to another router's network.

Please correct me if anything is wrong up to this point.

What happens in your case is in line with expectations. This is not an error, as the gateway of the static route must necessarily be the IP that the other router has in the local network of the FRITZ!Box: the router in question must therefore be connected in cascade to the FRITZ!Box and not vice versa.

More information below:

Create a static IP route in the FRITZ!Box
Online help

As stated in the online help, under Gateway you must enter the IP assigned by the FRITZ!Box to the device that would connect the FRITZ!Box network to the other network, i.e. the IP assigned by the FRITZ!Box to the other router. The address of a VPN from the FRITZ!Box cannot be used.

For any other information or clarification I am gladly available.

I wish you a nice weekend.

Kind regards from Berlin
Andrea Salafia (AVM Support)

Turns out it won't work that way because the connection to is not bridged.

The Fritz!Box acts as a proxy ARP (it responds to the request "who-has tell" and the packet is sent to it), but because the final destination is an unknown network (, it uses its default gateway and there is no way to change this.

Regarding the response from AVM:

You do exactly that, but for some reason the route is not accepted and as you can see from the link above, a similar problem has existed at least since 2016.
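To make the routing behaviour discussed in this thread concrete, the following toy forwarding model is added here as an example; it is not part of the thread and not code from OpenWrt or AVM. All addresses are constructed placeholders, because the real ones are not on the page: 192.168.1.0/24 for the LAN behind OpenWrt (PC 192.168.1.10, OpenWrt 192.168.1.2), 192.168.29.0/24 for the Fritz!Box LAN (Fritz!Box 192.168.29.1, host 192.168.29.202) and 192.168.29.201 as the address the Fritz!Box hands the VPN client. Three knobs reproduce the outcomes above: with no fix the echo reply reaches the Fritz!Box and is handed to its default gateway (the missing return route); with masquerade on OpenWrt's tunnel zone the reply is addressed to the VPN client address, which the Fritz!Box knows how to reach, so LAN -> Fritz works but Fritz -> LAN does not; with a static route on the Fritz!Box both directions work; and the PC2 experiment (a route via the VPN address on a Fritz LAN host) dies at the Fritz!Box because it proxy-ARPs for that address and then routes on the real destination.

```python
"""Toy forwarding model of the topology in this thread: a PC on the LAN behind
OpenWrt, a VPN tunnel to a Fritz!Box, and a host on the Fritz!Box LAN. Constructed."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

# prefix: destination network; via: next hop (None = destination is on the link);
# link: where the packet leaves ("internet" = gone for our purposes)
Route = namedtuple("Route", "prefix via link")

@dataclass
class Node:
    addrs: list                                # addrs[0] is the address we ping from
    routes: list
    masq: dict = field(default_factory=dict)   # link -> source address used for SNAT
    nat: dict = field(default_factory=dict)    # (nat_src, dst, id) -> original src
    seen: set = field(default_factory=set)     # flows already forwarded (like conntrack)

@dataclass
class Pkt:
    src: str
    dst: str
    echo_id: int

def lookup(node, dst):
    """Longest-prefix match, as the kernel routing table does it."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in node.routes if ip in ipaddress.ip_network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)

def forward(nodes, links, here, pkt, path):
    """Carry one packet hop by hop; True if it is delivered to its destination."""
    node = nodes[here]
    path.append(here)
    if pkt.dst in node.addrs:
        orig = node.nat.pop((pkt.dst, pkt.src, pkt.echo_id), None)
        if orig is None:
            return True                        # delivered locally
        pkt.dst = orig                         # reply to a masqueraded flow: un-NAT, go on
    r = lookup(node, pkt.dst)
    if r is None or r.link == "internet":
        path.append("dropped: no route, handed to the default gateway")
        return False
    if r.link in node.masq and (pkt.dst, pkt.src, pkt.echo_id) not in node.seen:
        node.nat[(node.masq[r.link], pkt.dst, pkt.echo_id)] = pkt.src   # MASQUERADE new flows
        pkt.src = node.masq[r.link]
    node.seen.add((pkt.src, pkt.dst, pkt.echo_id))
    nxt = links[r.link].get(r.via or pkt.dst)  # who answers ARP for the next hop
    if nxt is None:
        path.append("dropped: next hop not on this link")
        return False
    return forward(nodes, links, nxt, pkt, path)

def ping(nodes, links, src_node, dst_ip, echo_id=1):
    """Echo request plus echo reply; True only if the reply comes back to the sender."""
    src_ip = nodes[src_node].addrs[0]
    req, path = Pkt(src_ip, dst_ip, echo_id), []
    if not forward(nodes, links, src_node, req, path):
        return False, path
    replier = path[-1]
    path.append("reply")
    rep = Pkt(req.dst, req.src, echo_id)      # the target answers the source it saw
    ok = forward(nodes, links, replier, rep, path)
    return ok and rep.src == dst_ip and rep.dst == src_ip, path

def build(masquerade=False, fritz_route=False, host_route=False):
    """masquerade: masq flag on the OpenWrt zone holding the tunnel; fritz_route: static
    route for the OpenWrt LAN on the Fritz!Box; host_route: the PC2 experiment."""
    fritz = [Route("192.168.29.0/24", None, "lan29"),
             Route("192.168.29.201/32", None, "tunnel"),   # the VPN client's address
             Route("0.0.0.0/0", None, "internet")]
    if fritz_route:
        fritz.append(Route("192.168.1.0/24", "192.168.29.201", "tunnel"))
    host = [Route("192.168.29.0/24", None, "lan29"),
            Route("0.0.0.0/0", "192.168.29.1", "lan29")]
    if host_route:
        host.append(Route("192.168.1.0/24", "192.168.29.201", "lan29"))
    nodes = {
        "pc": Node(["192.168.1.10"], [Route("192.168.1.0/24", None, "lan1"),
                                     Route("192.168.29.0/24", "192.168.1.2", "lan1")]),
        "openwrt": Node(["192.168.1.2", "192.168.29.201"],
                        [Route("192.168.1.0/24", None, "lan1"),
                         Route("192.168.29.0/24", "192.168.29.1", "tunnel")],
                        masq={"tunnel": "192.168.29.201"} if masquerade else {}),
        "fritzbox": Node(["192.168.29.1"], fritz),
        "host29": Node(["192.168.29.202"], host),
    }
    links = {   # link -> {address: node that answers ARP for it}; Fastweb gateway not modelled
        "lan1": {"192.168.1.10": "pc", "192.168.1.2": "openwrt"},
        "tunnel": {"192.168.29.1": "fritzbox", "192.168.29.201": "openwrt"},
        "lan29": {"192.168.29.1": "fritzbox", "192.168.29.202": "host29",
                  "192.168.29.201": "fritzbox"},   # Fritz!Box proxy-ARPs for the VPN client
    }
    return nodes, links

def scenario(**knobs):
    """Ping both ways under one configuration: (LAN -> Fritz host, Fritz host -> LAN)."""
    there, _ = ping(*build(**knobs), "pc", "192.168.29.202")
    back, _ = ping(*build(**knobs), "host29", "192.168.1.10")
    return there, back

if __name__ == "__main__":
    for knobs in ({}, {"masquerade": True}, {"fritz_route": True}, {"host_route": True}):
        print(knobs or "no fix", scenario(**knobs), ping(*build(**knobs), "pc", "192.168.29.202")[1])
```

The `seen` set stands in for conntrack: real MASQUERADE only rewrites the first packet of a new flow and leaves replies of flows that entered unrewritten, which is why the model NATs only when the reverse tuple has not been forwarded before. The `path` returned by `ping` shows where each packet was lost, which is the same question the tcpdump check above answers on a real router.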
