Share br-lan with vpn?

I have configured an OpenVPN server; clients can connect, but they have no access to other LAN clients on the server side.

I tried wireshark on 192.168.29.50 and I can see ping packets arriving from 10.8.0.2, but response is lost somewhere.

This works on Windows by enabling Internet Connection Sharing for the Ethernet connection. How can I make sure the VPN packets are correctly routed?

vpnclient 10.8.0.2
vpnserver 192.168.29.158 / 10.8.0.1
windows 192.168.29.50

*edit: added the correct /etc/config/network file

/etc/config/firewall


# Firewall as originally posted (before the fix described further down the thread).
# Zone policies here are the stock OpenWrt ones; the VPN-specific parts are the
# separate 'vpn' zone and its forwardings near the end of this file.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Traffic not covered by any zone forwarding is rejected; the per-zone 'forward'
        # options and the explicit 'config forwarding' sections carry the allowed flows.
        option forward 'REJECT'

config zone
        option name 'lan'
        # Only the 'lan' network is a member here; the 'vpn' network is in its own zone
        # below, so vpn<->lan traffic depends entirely on the forwardings defined there.
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        # Unsolicited traffic from the upstream side is rejected; only the Allow-* rules
        # further down open specific holes. These two REJECTs are what keep the router
        # and the LAN closed towards the upstream network.
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'
# Stock OpenWrt input rules for the wan zone (DHCP renew, ping, IGMP, the IPv6
# essentials) plus the two default IPsec pass-through rules. Nothing in this run of
# rules concerns the OpenVPN tunnel; it is reproduced here for completeness.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forwarding (not input) of the listed ICMPv6 types from wan towards any zone.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        # The indent on the next 'config rule' line is cosmetic only; UCI ignores it.
        # These two rules forward IPsec (ESP, and IKE on UDP/500) from wan into the LAN.
        # They are not used by OpenVPN and can be removed if no IPsec endpoint is on the LAN.
        config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
                                       
# Separate zone for the OpenVPN tunnel (network 'vpn' = tun0 in /etc/config/network).
# 'masq' on a zone rewrites the source of traffic *leaving through* that zone, i.e.
# LAN -> VPN-client packets leaving via tun0. It does nothing for VPN -> LAN packets,
# which leave via the lan zone unchanged -- consistent with the wireshark capture in
# the question, where 192.168.29.50 sees the ping arriving from 10.8.0.2. The reply
# to 10.8.0.2 then has to reach this box: the LAN host (or its default gateway) needs
# a route for 10.8.0.0/24 via the OpenWrt LAN address, or the Windows host firewall
# rejects the off-subnet source; the replies below cover both.
config zone 'vpn'
        option name 'vpn'
        # VPN clients may talk to the router itself (input ACCEPT) and be forwarded.
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'vpn'

# Both directions between the two zones are explicitly allowed.
config forwarding 'vpn_forwarding_lan_in'
        option src 'vpn'
        option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
        option src 'lan'
        option dest 'vpn'

# Unrelated to the VPN question: a DNAT redirect of TCP from the lan zone to
# 172.16.32.1 (except traffic already sourced from 172.16.32.1), presumably keyed on
# fwmark 1337. No port is given, so it applies to all marked TCP from the zone --
# NOTE(review): confirm this leftover is still intended.
config redirect
        option src 'lan'
        option proto 'tcp'
        option src_ip '!172.16.32.1'
        option dest_ip '172.16.32.1'
        option target 'DNAT'
        option mark '1337'

/etc/config/network

 # Bridge mode
# Network as posted. No 'wan'/'wan6' interface is defined in this file, so the
# firewall's wan zone (which lists those networks) currently has no member interface.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd72:689f:c6b8::/48'

# NOTE(review): the next two stanzas start with 'option' instead of 'config'. As
# written they are not UCI sections (uci would reject them or treat them as stray
# options of the preceding 'globals' section); they look like a transcription error
# for "config device" / "config interface 'sw0'". Confirm against the file on the
# device before relying on this listing.
option device
    option name 'sw0'

option interface 'sw0'
    option device 'sw0'
    option proto 'none'

# eth0 and eth1 are bridged into br-lan.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'

# The router takes its own LAN address by DHCP, i.e. it is a client on the
# 192.168.29.0 network rather than its gateway (the replies in the thread assume the
# same). Replies from LAN hosts to 10.8.0.x therefore go to that network's real
# gateway, which needs a route for 10.8.0.0/24 unless the lan zone masquerades.
config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config interface 'lan6'
        option device 'br-lan'
        option proto 'dhcpv6'

# OpenVPN's tun0 as an unmanaged network, so the firewall can place it in a zone.
# NOTE(review): the rest of this file uses the 'config device' / 'option device'
# syntax, where the interface key is 'device'; 'ifname' is the legacy key. If it is
# not honoured on this release the 'vpn' network never binds to tun0 and any zone
# listing it matches nothing -- confirm with `ifstatus vpn`.
config interface 'vpn'
    option ifname 'tun0'
    option proto 'none'

# Legacy swconfig switch: two VLANs, each with one front port plus the CPU port (6)
# tagged. Which of eth0/eth1 the tagged CPU port maps to is platform specific.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

We can't see the network configuration because you posted part of the firewall configuration instead of /etc/config/network.

Better remove the zone and forwardings and add the vpn interface (network) to the lan firewall zone.

By default, the Windows firewall does not accept connections originating from outside its own IP subnet. Open the host firewall, or enable masquerading on the lan zone, to see if this is the case.


Setting masquerade on the lan zone would simplify things, as a VPN-to-LAN request is then altered to appear to come from the OpenWrt router's LAN IP. This does make it impossible to connect to 10.8.0.2 from the LAN, but you may not want or need that function anyway.

If you don't masquerade, and the OpenWrt VPN server is not the main router in the .29 network, you need to add a route in the main router: 10.8.0.0/24 via 192.168.29.129. This allows the reply from a LAN machine to a VPN road warrior to be routed back into the VPN.


It's working now!

Removed the vpn zone and the forwardings, then added the vpn network to the lan zone.
The masquerade was also added to the lan zone, as @mk24 said.

This is how the firewall file looks now:


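# Firewall after the fix: the separate vpn zone and its forwardings are gone and the
# 'vpn' network sits in the lan zone together with 'lan'.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Default for traffic not covered by any zone forwarding. Kept at REJECT as in the
        # original file: lan<->vpn traffic is carried by the lan zone's own 'forward'
        # policy below, so a global ACCEPT is not needed and would silently permit
        # forwarding for any interface that later ends up outside a zone.
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        # tun0 is now a member of the lan zone: VPN clients are treated like LAN hosts,
        # with full access to the router's services (input ACCEPT) and intra-zone
        # forwarding to the LAN.
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        # Masquerade on the lan zone: VPN -> LAN packets leave br-lan with the router's
        # 192.168.29.x address as source, so LAN hosts and the main router need no route
        # for 10.8.0.0/24 and host firewalls see an on-subnet peer. Trade-off: LAN hosts
        # cannot initiate connections to 10.8.0.2. To get that back, drop masq here and
        # add a route on the main router for 10.8.0.0/24 via this box's LAN address
        # (192.168.29.158 according to the question).
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        # Restored to the stock REJECT policies. The posted version had input and forward
        # set to ACCEPT, which would expose every service on the router, and the whole
        # LAN behind it, to the upstream side; the VPN fix only required changes in the
        # lan zone. /etc/config/network on this page defines no 'wan'/'wan6' interface,
        # so the zone is currently empty, but it becomes live the moment an upstream
        # interface is added.
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'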

# Stock OpenWrt input rules for the wan zone: DHCP renew, ping and IGMP for IPv4,
# DHCPv6 for IPv6. Unchanged from the originally posted file.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

               option target 'ACCEPT'  
                                  
config rule                       
        option name 'Allow-MLD'        
        option src 'wan'         
        option proto 'icmp'           
        option src_ip 'fe80::/10'     
        list icmp_type '130/0'  
        list icmp_type '131/0'    
        list icmp_type '132/0'         
        list icmp_type '143/0'         
        option family 'ipv6'            
        option target 'ACCEPT'        
                                        
config rule                          
        option name 'Allow-ICMPv6-Input'
        option src 'wan'                        
        option proto 'icmp'            
        list icmp_type 'echo-request'           
        list icmp_type 'echo-reply'     
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'     
        list icmp_type 'time-exceeded'         
        list icmp_type 'bad-header'          
        list icmp_type 'unknown-header-type'    
        list icmp_type 'router-solicitation' 
        list icmp_type 'neighbour-solicitation' 
        list icmp_type 'router-advertisement'   
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'             
        option family 'ipv6'                   
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-ICMPv6-Forward'      
        option src 'wan'                        
        option dest '*'                         
        option proto 'icmp'                    
        list icmp_type 'echo-request'           
        list icmp_type 'echo-reply'             
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'    
        option limit '1000/sec'             
        option family 'ipv6'                    
        option target 'ACCEPT'                  
                                                
config rule                             
        option name 'Allow-IPSec-ESP'       
        option src 'wan'                        
        option dest 'lan'                      
        option proto 'esp'                      
        option target 'ACCEPT'             

                                                        
config rule                                    
        option name 'Allow-ISAKMP'              
        option src 'wan'                        
        option dest 'lan'                       
        option dest_port '500'        
        option proto 'udp'                  
        option target 'ACCEPT'   
