Question about setting up an openvpn server on openwrt

Hi, I am trying to set up an openvpn server on my openwrt router so that my friend can tap into my local network and we can play some games together. I did this when I was using an ASUS router as my main router, since it provided the feature to set up an openvpn server on it. It was quite simple and worked without any problems; however, I am having difficulties setting it up on openwrt since I switched my main router to an openwrt router.
So basically, because I want him to tap into my local network, I should use the tap mode and we should be in the same subnet. Below is my config file for my server:
/etc/config/openvpn:

config openvpn 'myvpn_test'
	option enabled '1'
	option port '1194'
	option proto 'tcp-server'
	option dev 'tap'
	option server '192.168.3.0 255.255.255.0'
	option persist_key '1'
	option persist_tun '1'
	option max_clients '5'
	option topology 'subnet'
	option keepalive '10 60'
	option verb '3'
	option status '/var/log/openvpn_status.log'
	option client_to_client '1'
	list push 'route 192.168.3.0 255.255.255.0'
	list push 'redirect-gateway def1 bypass-dhcp'
	list push 'dhcp-option DNS 192.168.3.1'
	list push 'dhcp-option DOMAIN lan'
	option ca '/etc/openvpn/ca.crt'
	option dh '/etc/openvpn/dh.pem'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option log '/tmp/openvpn.log'
	option float '1'
	option learn_address '/usr/bin/ovpn-learnaddress'
	option comp_lzo 'no'
	option dhcp_option 'DOMAIN 192.168.3.1'
	option client_config_dir '/etc/openvpn/ccd'

/etc/openvpn/ccd/client1:

ifconfig-push 192.168.3.201 255.255.255.0

and the client config file is as follows:

client
dev tap
proto tcp-client
remote my.domain 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
verb 3
comp-lzo no

He can successfully connect to my server; however, he cannot ping my router or my computer and cannot access the internet. I noticed that, in the connection detail page of his openvpn connection, the dhcp server address is wrong:


I believe this should be 192.168.3.1, which is the local address of my router, although I am not sure if this is the cause of him not being able to ping my router and computer and not being able to access the internet after connecting to my server. And in his log it shows this line:

2023-07-05 17:37:43 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.3.201/255.255.255.0 on interface {CB53E94D-0218-4BFD-A8F2-B1C8F06E8D92} [DHCP-serv: 192.168.3.0, lease-time: 31536000]

I don't see anywhere that I pushed 192.168.3.0 as the dhcp server address to him, but he always gets this.

Does anyone know what I did wrong and how I can fix it? Or what more information/logs should I look for?
Thanks!

Try the following:

Comment out the server option and all push directives.
Use option server-bridge instead.
Without any arguments, the client should obtain an IP address directly from your LAN DHCP server.
If you want more control, the syntax is as follows:

server-bridge gateway netmask pool-start-IP pool-end-IP

Don't forget to add tap0 to your lan bridge.

config device
        option name 'br-lan'
        option type 'bridge'
        list ports '...'
        list ports 'tap0'

Thanks for the reply.
Actually, I have tried using server_bridge before and the dhcp server address was still the same...
The line I wrote was:

option server_bridge '192.168.3.1 255.255.255.0 192.168.3.201 192.168.3.205'

BTW, I am curious about one thing: I've seen some posts online (including yours) where the config file's format is like

server-bridge ...

but the plugin says there is an error. I can only use

option server_bridge ...

this format. Why are there two different formats, and how do we know when to use which format?

For the lan bridge, I added tap0 to it, but the corresponding config generated was like this:

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1 eth2 eth3 tap0'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'

Does this work? Or should I change it to:

config interface 'lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'tap0'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'

I prefer to use the original openvpn syntax, so I always use custom config files.

#/etc/config/openvpn

config openvpn 'custom_config_tap'
        option config '/etc/openvpn/tapserver.conf'
        option enabled '1'

#/etc/openvpn/tapserver.conf

user nobody
group nogroup
dev tap
port 1194
proto udp
server-bridge
...

This was the old syntax. I don't know what version of OpenWrt you are using.
Run brctl show and if you see tap0 listed, don't change anything.

BTW I just tested openvpn in tap mode with windows client and it works as expected.

EDIT:
I also see a wrong DHCP server address, but that's not a problem.


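An added example, not code from anyone in this thread, illustrating how the two formats asked about above relate: the UCI `option`/`list` form in /etc/config/openvpn is rewritten by OpenWrt into native OpenVPN syntax (underscores become hyphens, list entries become repeated lines), which is why `option server_bridge` is accepted where a bare `server-bridge` line is not, and why `option config` pointing at a native .conf bypasses the translation entirely. The converter is a simplified reimplementation of that mapping rather than the init script itself, the flag-option set is a constructed subset, and the lint only restates the reply's advice (server-bridge instead of server, no push directives on a bridged tap server).

```python
import re

# Constructed sample in OpenWrt UCI syntax, modelled on the server section posted above.
UCI_SAMPLE = """\
config openvpn 'myvpn_test'
	option enabled '1'
	option proto 'tcp-server'
	option dev 'tap'
	option server '192.168.3.0 255.255.255.0'
	option persist_key '1'
	option comp_lzo 'no'
	list push 'route 192.168.3.0 255.255.255.0'
	list push 'redirect-gateway def1 bypass-dhcp'
"""

# Assumed subset of options OpenWrt emits as bare flags ('1' -> directive, '0' -> nothing);
# 'enabled' and 'config' are consumed by the init script and never reach OpenVPN itself.
FLAG_OPTIONS = {"persist_key", "persist_tun", "client_to_client", "float", "nobind"}
UCI_ONLY = {"enabled", "config"}

def uci_to_openvpn(text):
    """Translate a UCI 'config openvpn' section into native OpenVPN directives (simplified
    reimplementation): underscores become hyphens, each 'list' entry becomes its own line."""
    directives = []
    for m in re.finditer(r"^\s*(option|list)\s+(\w+)\s+'([^']*)'", text, re.M):
        kind, name, value = m.groups()
        if name in UCI_ONLY:
            continue
        directive = name.replace("_", "-")
        if name in FLAG_OPTIONS:
            if value == "1":          # '0' drops the flag entirely
                directives.append(directive)
        elif kind == "list":
            directives.append(f'{directive} "{value}"')
        else:
            directives.append(f"{directive} {value}")
    return directives

def lint_tap_server(directives):
    """Flag what the reply above points out for a bridged tap server: OpenVPN's own
    'server' pool instead of 'server-bridge', and push directives that should be dropped."""
    names = {d.split()[0] for d in directives}
    problems = []
    if "dev tap" in directives and "server" in names and "server-bridge" not in names:
        problems.append("dev tap with 'server': use 'server-bridge' so clients are addressed from the LAN")
    pushes = [d for d in directives if d.startswith("push ")]
    if "dev tap" in directives and pushes:
        problems.append(f"{len(pushes)} push directive(s) on a bridged tap server: remove them")
    return problems
```

Running `lint_tap_server(uci_to_openvpn(UCI_SAMPLE))` on the sample reports both findings; a section with `option server_bridge` and no `list push` entries reports none.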
tap0 is indeed listed already, but then I don't know what else I can do to make it work... because besides the dhcp server address being wrong, I didn't see anything suspicious. And now my client machine just can't access anything: internet/router/other machines in the local network.
I'll try using the original openvpn syntax and see if that's better.

Oh, I just changed the server option to server_bridge and tried again, but the client machine still can't access anything. Now I'm going to try the original syntax.