Site2Site VPN routing difficulties

Hi all!

I have two OpenWrt devices that are connected via OpenVPN. The server is the internet gateway for the server subnet; the client is not the internet gateway for the client subnet.

The VPN connection itself works really well; there's just a tiny problem with the routing or the firewall.

My problem is that I can ping the VPN client and the router in the client subnet, but no other device. The client net can ping all devices in the server net.

I'm really looking forward to some input here, as I have stared at the problem for so long that I might not even see it anymore despite it being really obvious.

My configuration is as follows:

Server side:
192.168.100.0/24 on br-lan
OpenVPN creates subnet 10.10.10.0/24 for VPN clients
CCD contains this:
iroute 192.168.2.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"

Client side:
static routes on the router: 192.168.100.0/24 and 10.10.10.0/24 both via VPN gateway 192.168.2.254 (the client)

This is the routing table on the client:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    0      0        0 br-lan
10.10.10.0      10.10.10.13     255.255.255.0   UG    0      0        0 tun0
10.10.10.13     *               255.255.255.255 UH    0      0        0 tun0
192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.100.0   10.10.10.13     255.255.255.0   UG    0      0        0 tun0

An excerpt from the client's firewall config:

iptables-save  | grep -i vpn
:zone_VPN_postrouting - [0:0]
:zone_VPN_prerouting - [0:0]
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_VPN_prerouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_VPN_postrouting
:zone_VPN_dest_ACCEPT - [0:0]
:zone_VPN_forward - [0:0]
:zone_VPN_input - [0:0]
:zone_VPN_output - [0:0]
:zone_VPN_src_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_VPN_input
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_VPN_forward
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_VPN_output
-A zone_VPN_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_VPN_forward -m comment --comment "!fw3: Zone VPN to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_VPN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_VPN_forward -m comment --comment "!fw3" -j zone_VPN_dest_ACCEPT
-A zone_VPN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_VPN_input -m comment --comment "!fw3" -j zone_VPN_src_ACCEPT
-A zone_VPN_output -m comment --comment "!fw3" -j zone_VPN_dest_ACCEPT
-A zone_VPN_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to VPN forwarding policy" -j zone_VPN_dest_ACCEPT

tcpdump on a host in the client network shows that the ICMP packet reaches the host, but the way back seems blocked:

00:40:04.476268 IP 192.168.2.10 > 192.168.100.100: ICMP 192.168.2.10 udp port 44447 unreachable, length 556

So again I'm looking at the firewall, but I don't get it, because it works the other way round...

Adding a static route on said host 192.168.2.10 seems to help.

If anybody would like to take a look at this, I will gladly provide more info. Right now I can't think of more.

Thank you all
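The asymmetric path the post describes (traffic from the server LAN arrives through the VPN client, but replies from a host in the client LAN leave via that LAN's default gateway 192.168.2.1) can be made visible with a small longest-prefix-match trace built from the routing tables quoted above. This is an added example, not the poster's configuration or OpenWrt code; the addresses marked ASSUMED in the code (the client's tun0 address, the server's LAN address) are placeholders the post does not give, and the hop names are constructed labels.

```python
import copy
import ipaddress

# Constructed model of the topology in the post. Addresses that appear in the post are
# used as given; anything marked ASSUMED is a placeholder the post does not state and
# exists only so the trace has concrete hops to walk through.
SERVER_TUN = "10.10.10.13"       # peer the client's routing table points at
CLIENT_TUN = "10.10.10.14"       # ASSUMED: the client's own tun0 address is not in the post
SERVER_GW = "192.168.100.1"      # ASSUMED: server-side LAN address of the VPN server
SERVER_HOST = "192.168.100.100"  # host in the server LAN, as seen in the tcpdump line
CLIENT_HOST = "192.168.2.10"     # host in the client LAN the tcpdump was taken on

# node -> addresses it owns
NODES = {
    "server-lan-host": {SERVER_HOST},
    "vpn-server":      {SERVER_GW, SERVER_TUN},
    "vpn-client":      {"192.168.2.254", CLIENT_TUN},   # the OpenVPN client router
    "lan-router":      {"192.168.2.1"},                 # the client LAN's default gateway
    "client-lan-host": {CLIENT_HOST},
}

# node -> routing table as (prefix, next hop); None = directly connected
ROUTES = {
    "server-lan-host": [("0.0.0.0/0", SERVER_GW), ("192.168.100.0/24", None)],
    "vpn-server":      [("192.168.100.0/24", None), ("10.10.10.0/24", None),
                        ("192.168.2.0/24", CLIENT_TUN)],          # what the iroute installs
    "vpn-client":      [("0.0.0.0/0", "192.168.2.1"), ("10.10.10.0/24", SERVER_TUN),
                        ("10.10.10.13/32", None), ("192.168.2.0/24", None),
                        ("192.168.100.0/24", SERVER_TUN)],        # table quoted in the post
    "lan-router":      [("192.168.2.0/24", None),
                        ("192.168.100.0/24", "192.168.2.254"),
                        ("10.10.10.0/24", "192.168.2.254")],      # static routes from the post
    "client-lan-host": [("0.0.0.0/0", "192.168.2.1"), ("192.168.2.0/24", None)],
}


def lookup(routes, node, dst):
    """Longest-prefix match of dst in node's table; returns the next-hop address or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes[node]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"{node}: no route to {dst}")
    return best[1]


def owner(ip):
    """Which node holds this address, i.e. who receives a frame sent to it."""
    for name, addrs in NODES.items():
        if ip in addrs:
            return name
    raise LookupError(f"no node owns {ip}")


def trace(routes, src, dst, max_hops=10):
    """Walk a packet from src to dst, doing a route lookup at every node it crosses."""
    node = owner(src)
    path = [node]
    while dst not in NODES[node]:
        next_hop = lookup(routes, node, dst)
        node = owner(dst if next_hop is None else next_hop)
        path.append(node)
        if len(path) > max_hops:
            raise RuntimeError(f"routing loop: {path}")
    return path


def forward_path():
    """Ping from the server LAN towards the client LAN host."""
    return trace(ROUTES, SERVER_HOST, CLIENT_HOST)


def return_path():
    """The reply, with the host using only its default gateway."""
    return trace(ROUTES, CLIENT_HOST, SERVER_HOST)


def return_path_with_host_route():
    """Same reply after the fix the post mentions: a host route via the VPN client."""
    fixed = copy.deepcopy(ROUTES)
    fixed["client-lan-host"].insert(0, ("192.168.100.0/24", "192.168.2.254"))
    return trace(fixed, CLIENT_HOST, SERVER_HOST)


def is_symmetric(forward, back):
    """A path is symmetric when the reply crosses exactly the forward hops in reverse."""
    return forward == list(reversed(back))


if __name__ == "__main__":
    fwd, back, fixed = forward_path(), return_path(), return_path_with_host_route()
    for label, path in (("forward", fwd), ("return", back), ("return+host route", fixed)):
        state = "symmetric" if is_symmetric(fwd, path) else "ASYMMETRIC"
        print(f"{label:18}: {' -> '.join(path)}  ({state})")
```

The trace shows the extra `lan-router` hop on the return path only: the reply enters and leaves 192.168.2.1 on the same LAN interface before reaching 192.168.2.254, which is where a gateway's own forwarding policy or an ICMP redirect can interfere, and it is the hop the per-host static route removes.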