I've only skimmed this thread, so apologies if I've missed anything... but a critical question:
Is this router connected directly to the internet?
--> If so, you have opened a massive security hole by allowing input=accept on the wan zone. This should always be reject or drop when the WAN is connected to an untrusted network (i.e. the internet).
Additionally, is the vpn fully trusted (i.e. users/devices on the other side of the tunnel are trusted and should be allowed unrestricted access to the router itself as well as the LAN behind it)? Currently, your firewall configuration is such that the remote hosts are assumed to be trusted. If this is not the desired situation, you need to change the vpn zone allowances.
Thanks, I'm aware of it. The router is behind the ISP's NAT, and the VPN is fully trusted, it is mine. My point is that the router's LAN should be accessible to all the clients on the VPN but I haven't found the solution.
The ISP, despite being behind NAT, should be considered untrusted. Both the ISP itself and potentially other users on your subnet from the ISP could potentially gain access to your router, and that would be bad (to be clear, it could be malicious actions by the company/users directly, or worms/viruses that have infected the ISP or user devices).
Move your VPN to a new zone. Allow that one full access if desired (input = accept, output = accept, forward is not likely relevant). This will ensure that your VPN has access, but your WAN connection does not.
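As an added illustration of the zone layout described above (not configuration from the thread), this is what the relevant part of `/etc/config/firewall` on OpenWrt could look like: the wan zone rejects traffic to the router itself, while a separate vpn zone gets full access and forwarding to lan. The interface name `vpn` is an assumption; whatever name the L2TP interface has in `/etc/config/network` goes there, and the vpn zone deliberately has no `option masq '1'`.

```uci
# wan: the router must not accept traffic addressed to itself from the ISP side
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# vpn: own zone for the trusted tunnel; interface name 'vpn' is assumed
# no masq here, masquerading on the vpn zone breaks the LAN access being set up
config zone
	option name 'vpn'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# let tunnel clients reach the LAN, and LAN hosts reach the tunnel
config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'
```

After editing, `/etc/init.d/firewall restart` applies it; `fw4 print` (or `fw3 print` on older releases) shows the resulting ruleset so the wan zone's input policy can be confirmed before trusting it.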
I'll do that for sure as soon as I find the solution. That's funny, but keeping everything accepted I still have no access to the LAN now, that's the main question for me.
you mean like this?
Frankly speaking, I was keeping everything accepted just to not lose remote access to the router by a mistake because it's not near me.
Nevertheless its LAN is still unavailable to me.
I'll start with a caveat: it has been a very long time since I used any L2 VPN technologies, so it is possible (maybe likely) that I have forgotten the nuances of how to manage L2 tunnels. That said...
So I think the fundamental issue is that you are attempting to route between a VPN and a network interface that have the same IP addresses on the interfaces themselves, and both occupy the same subnet.
You cannot route between networks that are of the same or overlapping subnets (ever, this is a rule of L3/routing in all networks).
It also appears that part of your issue could be the overly broad route you have defined... it overlaps your LAN and that will cause a conflict. Instead, you should configure routes that are targeted... for example, remove the following:
You should probably define a different LAN address (let's say 10.0.3.1/24) so that your VPN doesn't overlap. Then, you may need corresponding routes back to your OpenWrt router on the other endpoints, or at least on the server.
Or... if you can add the VPN tunnel itself (possibly tap0 or something -- don't know what is happening on your connection) into the lan bridge, that would fulfill the L2 TAP type connection and then you wouldn't need any routing on the OpenWrt side (since it would already be a part of the same subnet).
At the very least, the VPN tunnel address and the LAN address should not be the same.
Beyond that, you currently have masquerading enabled on the vpn firewall zone -- that also will prevent the lan access you are trying to achieve.
So a few questions:
It appears you have full control over the server and endpoints, is that correct?
Do you have a specific reason for needing an L2 VPN solution (vs L3/routed)?
Do you have the option to use a VPN solution that is better suited to this task such as WireGuard or OpenVPN?
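To make the routing rule above concrete, here is an added Python check (not from the thread) that takes the router's interface addresses and static routes and reports the kinds of conflicts discussed: two interfaces with the same address or overlapping subnets, a route whose gateway is not on any connected network, and a route that is as specific as (or more specific than) a connected network and so would shadow it. All addresses in the sample data are constructed; the before/after pairs are only meant to resemble the overlapping and the renumbered setups, not the poster's real configuration.

```python
import ipaddress
from typing import Dict, List, Tuple


def find_conflicts(interfaces: Dict[str, str], routes: List[Tuple[str, str]]) -> List[str]:
    """Return human-readable routing conflicts for a small router config.

    interfaces: name -> 'address/prefixlen' as configured on the interface
    routes:     list of (destination_cidr, gateway) static routes
    """
    problems: List[str] = []
    ifaces = {name: ipaddress.ip_interface(cidr) for name, cidr in interfaces.items()}
    names = sorted(ifaces)

    # 1. Interfaces must not share an address or occupy overlapping subnets;
    #    the kernel cannot route between two networks that are the same.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ia, ib = ifaces[a], ifaces[b]
            if ia.ip == ib.ip:
                problems.append(f"{a} and {b} share address {ia.ip}")
            if ia.network.overlaps(ib.network):
                problems.append(f"{a} ({ia.network}) overlaps {b} ({ib.network})")

    for dest, gw in routes:
        dnet = ipaddress.ip_network(dest, strict=False)
        gwip = ipaddress.ip_address(gw)
        # 2. A gateway is only usable if it sits on a directly connected network.
        via = [n for n, i in ifaces.items() if gwip in i.network]
        if not via:
            problems.append(f"gateway {gw} for {dest} is not on any connected network")
        # 3. A route that is at least as specific as a connected network on a
        #    different interface steals that network's traffic (longest prefix wins).
        #    A broader route that merely contains a connected subnet is harmless.
        for n, i in ifaces.items():
            if n in via:
                continue
            if dnet.overlaps(i.network) and dnet.prefixlen >= i.network.prefixlen:
                problems.append(f"route {dest} via {gw} shadows connected network {i.network} on {n}")
    return problems


# Constructed sample data: VPN server handed out the same address as the LAN.
BEFORE = ({"lan": "10.0.10.1/24", "vpn": "10.0.10.1/24"}, [("10.0.0.0/8", "10.0.10.2")])
# Constructed sample data: VPN renumbered to its own /24, broad route via the tunnel peer.
AFTER = ({"lan": "10.0.10.1/24", "vpn": "10.0.80.1/24"}, [("10.0.0.0/16", "10.0.80.2")])

if __name__ == "__main__":
    for label, (ifs, rts) in (("before", BEFORE), ("after", AFTER)):
        print(label, find_conflicts(ifs, rts) or "no conflicts")
```

Run it and the "before" set reports the shared address and overlapping subnets, while the "after" set is clean: the 10.0.0.0/16 route still contains the LAN's /24, but the connected route is more specific and keeps winning, which is why only an equally or more specific route is flagged.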
Sir, you're a warlock in a nice way!!!!!!! It's working! I've just moved the VPN from its own zone to the LAN in interfaces and changed the IP given by the server to 10.0.80.1 and the route to 10.0.0.0/16 10.0.80.2, this works well! I don't know why RouterOS works with the same subnets perfectly, so I couldn't even think OpenWrt wouldn't work.
I've no clue about that, just did like Maurer said, I've switched it off.
Yes I do
The reason is L2TP is clear to me and it works well on RouterOS.
I do. I tried to use OpenVPN but it seemed too sophisticated to me, though my OpenWrt has an inbuilt OpenVPN client. Also I've heard of WireGuard, it's undemanding to resources and RouterOS got it, maybe I'll try it some time.
Anyway, the solution is found so I can use L2TP for a while, thank you very much! Sir Maurer, you helped a lot, thanks to you too!