Site2Site VPN routing difficulties

Hi all!

I have two OpenWRT devices that are connected via OpenVPN. The server is the internet gateway for the server subnet; the client is not the internet gateway for the client subnet.

The VPN connection itself works really well; there's just a tiny problem with the routing or the firewall.

My problem is that I can ping the VPN client and the router in the client subnet, but no other device. The client net can ping all devices in the server net.

I'm really looking forward to some input here, as I have stared at the problem for so long that I might not even see it anymore, despite it being really obvious.

My configuration is as follows:

Server side: on br-lan
openvpn creates subnet for VPN clients
CCD contains this:
push "route"

Client side:
static routes on the router: and both via VPN gateway (the client)

This is the routing table on the client:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default                                         UG    0      0        0 br-lan
                                                UG    0      0        0 tun0
                *                               UH    0      0        0 tun0
                *                               U     0      0        0 br-lan
                                                UG    0      0        0 tun0

An excerpt from the client's firewall config:

iptables-save  | grep -i vpn
:zone_VPN_postrouting - [0:0]
:zone_VPN_prerouting - [0:0]
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_VPN_prerouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_VPN_postrouting
:zone_VPN_dest_ACCEPT - [0:0]
:zone_VPN_forward - [0:0]
:zone_VPN_input - [0:0]
:zone_VPN_output - [0:0]
:zone_VPN_src_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_VPN_input
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_VPN_forward
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_VPN_output
-A zone_VPN_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_VPN_forward -m comment --comment "!fw3: Zone VPN to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_VPN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_VPN_forward -m comment --comment "!fw3" -j zone_VPN_dest_ACCEPT
-A zone_VPN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_VPN_input -m comment --comment "!fw3" -j zone_VPN_src_ACCEPT
-A zone_VPN_output -m comment --comment "!fw3" -j zone_VPN_dest_ACCEPT
-A zone_VPN_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to VPN forwarding policy" -j zone_VPN_dest_ACCEPT

tcpdump on a host in the client network shows that the ICMP packet reaches the host, but the way back seems blocked:

00:40:04.476268 IP > ICMP udp port 44447 unreachable, length 556

So again I'm looking at the firewall, but I don't get it, because it works the other way round...

Adding a static route on said host seems to help.

If anybody would like to take a look at this, I will gladly provide more info. Right now I can't think of more.

Thank you all
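The symptom in the post (request arrives, reply never comes back, static route on the host fixes it) is what an asymmetric return path looks like when the VPN router is not the LAN's default gateway. The following is an added example, not code from the post or from OpenWrt: a small longest-prefix-match route lookup, with constructed subnets and addresses assumed because the post's own addresses did not survive, showing which next hop the host picks for its echo reply before and after the static route.

```python
import ipaddress

# Constructed addresses (assumed; the post's real subnets are not available):
# server LAN 10.0.1.0/24, VPN tunnel 10.8.0.0/24, client LAN 192.168.2.0/24.
SERVER_HOST = "10.0.1.10"
VPN_ROUTER = "192.168.2.1"    # OpenVPN client; NOT the client LAN's default gateway
ISP_GATEWAY = "192.168.2.254"  # the client LAN's actual default gateway


def lookup(table, dst):
    """Longest-prefix-match lookup, as the kernel FIB does it.
    table: list of (prefix, next_hop); next_hop is None for on-link routes."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# The OpenVPN client router has the static routes to the server side via tun0.
client_router_routes = [
    ("0.0.0.0/0", ISP_GATEWAY),
    ("192.168.2.0/24", None),
    ("10.8.0.0/24", "tun0"),
    ("10.0.1.0/24", "tun0"),
]

# A plain host in the client LAN only knows its own subnet and the ISP gateway.
host_routes_before = [
    ("0.0.0.0/0", ISP_GATEWAY),
    ("192.168.2.0/24", None),
]

# The same host after the static route mentioned in the post is added.
host_routes_after = host_routes_before + [("10.0.1.0/24", VPN_ROUTER)]


def reply_next_hop(host_routes):
    """Next hop the host uses for its ICMP echo reply to SERVER_HOST."""
    return lookup(host_routes, SERVER_HOST)


def path_is_symmetric(host_routes):
    """True when the reply goes back through the VPN router that delivered
    the request; False means it leaks towards the ISP gateway and is lost."""
    return reply_next_hop(host_routes) == VPN_ROUTER
```

The same check on a real host is `ip route get <server-side address>`: if the printed gateway is not the VPN router, the reply never enters the tunnel, whatever the firewall zones allow.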