[SOLVED] Openvpn lede connection problem with ipcop as server

I tried connecting the router lede (tplink-1043nd-v2) as client with ipcop as a server using openvpn.
From the user's point of view I can already ping the tunnel IP 10.10.73.1.
But from the user's point of view I cannot ping, or reach port 80 on, the server at IP 192.168.0.170.
Previously, when the connection was ipcop to ipcop, the server behind ipcop was reachable.
The problem arises when the ipcop openvpn client is replaced with the lede openvpn client.
Please help me understand what is wrong.
Sorry for my bad English

note:

  • the ipcop openvpn server is not administered by me
  • One hint: if I temporarily turn off the firewall with /etc/init.d/firewall stop, then I can access host 192.168.0.170, which is behind the ipcop.

My diagram:

user------------------------lede--------------------------net-------------------ipcop------------server
192.168.73.20----192.168.73.26----10.10.73.2----------10.10.73.1-------------192.168.0.170

My routes:

Destination      Gateway          Genmask         Flags Metric Ref    Use Iface
default          202.158.xxx.xxx   0.0.0.0         UG    0      0        0 eth0
10.8.0.0         10.8.0.2          255.255.255.0   UG    0      0        0 tun0
10.8.0.2         *                 255.255.255.255 UH    0      0        0 tun0
10.10.73.1       *                 255.255.255.255 UH    0      0        0 tun1
192.168.0.0      10.10.73.1        255.255.255.0   UG    0      0        0 tun1
192.168.5.0      *                 255.255.255.0   U     0      0        0 wlan0-1
192.168.73.0     *                 255.255.255.0   U     0      0        0 br-lan
202.158.xxx.xxx  *                 255.255.255.240 U     0      0        0 eth0

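[details=click this for detail: Openvpn config]config openvpn 'OscarBEKASI'
# OpenVPN client instance; each UCI option maps onto the openvpn(8) option of
# the same name. Review notes are marked NOTE(review).
option float '1'
# float: keep the session alive if the peer's address/port changes. Only an
# authenticated peer can do that, but it is unnecessary for a server with a
# fixed public address and can be dropped.
option comp_lzo 'yes'
# NOTE(review): compression of encrypted tunnel traffic is discouraged
# (VORACLE-class leakage of secrets in compressed streams); disable it once the
# server admin agrees, since the server (not administered here) must match.
option dev 'tun'
option verb '3'
option remote '123.231.xxx.xxx'
option port '2073'
option keepalive '10 60'
option proto 'udp'
option cipher 'BF-CBC'
# NOTE(review): BF-CBC is a 64-bit-block cipher, deprecated in OpenVPN 2.4+ and
# weak on long-lived tunnels (SWEET32 class). Prefer AES-256-GCM / AES-256-CBC
# as soon as the server side supports it.
option ifconfig '10.10.73.2 10.10.73.1'
# Static point-to-point endpoints: local 10.10.73.2, remote 10.10.73.1
# (matches the tun1 host route in the routing table above).
option tls_client '1'
option route '192.168.0.0 255.255.255.0'
# Installs 192.168.0.0/24 via the tunnel peer, i.e. the route that the
# server-side LAN (192.168.0.170) depends on.
option tun_mtu '1400'
option ca '/etc/luci-uploads/cbid.openvpn.OscarBEKASI.ca'
option cert '/etc/luci-uploads/cbid.openvpn.OscarBEKASI.cert'
option key '/etc/luci-uploads/cbid.openvpn.OscarBEKASI.key'
# NOTE(review): the private key should be readable by root only; worth
# confirming the mode of the LuCI upload directory after uploading.
option enabled '1'[/details]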

[details=click this for detail: Network config]config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd6b:cc75:5764::/48'

# LAN bridge: only eth1 is bridged here; the 'br-lan' device carries
# 192.168.73.26/24 (the "lede" box in the diagram above).
config interface 'lan'
option type 'bridge'
option ifname 'eth1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
# External resolvers handed to LAN clients; DNS is also forced through this
# router by the nat rules in /etc/firewall.user (quoted further below).
option dns '208.67.222.123 208.67.220.123'
option ipaddr '192.168.73.26'

# WAN: static public address; the _orig_* keys are LuCI bookkeeping leftovers
# and have no effect on netifd.
config interface 'wan'
option ifname 'eth0'
option _orig_ifname 'eth0'
option _orig_bridge 'false'
option proto 'static'
option netmask '255.255.255.240'
option gateway '202.158.xxx.xxx'
option ipaddr '202.158.xxx.xxx'

config interface 'wan6'
option ifname 'eth0'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 6'

# Guest network 192.168.5.0/24. No 'ifname' is set, so wlan0-1 presumably
# attaches through the wireless config (not shown) — TODO confirm. Note that
# wlan0-1 is not part of br-lan, which matters for the firewall.user rules.
config interface 'guest'
option _orig_ifname 'wlan0-1'
option _orig_bridge 'false'
option proto 'static'
option ipaddr '192.168.5.1'
option netmask '255.255.255.0'
option dns '208.67.222.123 208.67.220.123'

# Tunnel interfaces are declared only so the firewall can place tun0/tun1 in a
# zone; addressing is left to OpenVPN (proto 'none').
config interface 'vpn0'
option ifname 'tun0'
option proto 'none'
option auto '1'

config interface 'vpn1'
option proto 'none'
option ifname 'tun1'
option auto '1'[/details]

[details=click this for detail: Firewall config]
# fw3 configuration. 'config rule' entries are evaluated before the zone
# forwarding policies, so an explicit DROP rule wins over a later
# 'config forwarding' ACCEPT. Review notes are marked NOTE(review).

# --- Stock LEDE/OpenWrt input rules on the wan zone (DHCP, ping, IPv6
# --- housekeeping); unchanged from the default firewall file.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

# Stock wan->lan IPsec passthrough. Harmless if nothing in lan terminates
# IPsec, but it is an inbound allowance that can be disabled when unused.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

# --- Guest zone rules ---
# No 'dest' => input chain: guests may query this router's own resolver.
# Together with the DNAT rules in /etc/firewall.user this pins guest DNS to
# 192.168.5.1.
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'guest dns'
option src 'guest'

# Disabled on purpose: guests may not reach external resolvers directly.
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'guest dns on wan'
option src 'guest'
option dest 'wan'
option enabled '0'

config rule
option target 'ACCEPT'
option proto 'udp'
option src_port '67-68'
option dest_port '67-68'
option name 'guest dhcp'
option src 'guest'

# Guest isolation from the LAN.
config rule
option src 'guest'
option dest 'lan'
option name 'Deny Guest -> LAN'
option proto 'all'
option target 'DROP'

# These three rules run before the guest->wan forwarding declared below, so
# the effective policy is "guest may only reach the internet on tcp/80 and
# tcp/443"; everything else is dropped by 'Deny Guest -> WAN'.
config rule
option target 'ACCEPT'
option src 'guest'
option dest 'wan'
option name 'Allow Guest -> WAN http'
option proto 'tcp'
option dest_port '80'

config rule
option target 'ACCEPT'
option src 'guest'
option dest 'wan'
option name 'Allow Guest -> WAN https'
option proto 'tcp'
option dest_port '443'

config rule
option src 'guest'
option dest 'wan'
option name 'Deny Guest -> WAN'
option proto 'all'
option target 'DROP'

# Global policy: accept input/output, reject forwarding unless a zone or
# forwarding entry says otherwise. The wan zone below tightens input to REJECT.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'

# wan: NAT (masq) and TCP MSS clamping (mtu_fix) toward the internet.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'

config forwarding
option src 'lan'
option dest 'wan'

# /etc/firewall.user (quoted further below) appends the DNS redirection nat
# rules on every firewall reload.
config include
option path '/etc/firewall.user'

config zone
option name 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option network 'guest'
option input 'REJECT'

config forwarding
option dest 'wan'
option src 'guest'

# NOTE(review): this accepts udp/1194 from the internet. The client instance
# quoted above connects outbound to port 2073 and needs no inbound rule; the
# 10.8.0.0/24 route on tun0 suggests a separate server instance (not shown)
# that may need it. If nothing listens on 1194, the rule only widens exposure.
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '1194'

# vpn zone covers both tunnels (tun0 and tun1).
# NOTE(review): masq '1' rewrites LAN sources (192.168.73.x) to the tunnel
# address 10.10.73.2 before they enter tun1. If the ipcop side routes or
# filters by the remote LAN subnet — as it presumably did ipcop-to-ipcop —
# that would explain why 192.168.0.170 answers only with the firewall stopped;
# try this zone without masq before loosening anything else.
# NOTE(review): input 'ACCEPT' exposes every local service on this router to
# both tunnels, including the ipcop side that is not administered here;
# consider 'REJECT' plus explicit rules for what the peers actually need.
config zone
option name 'vpn'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option masq '1'
option network 'vpn0 vpn1'

# vpn <-> lan in both directions, plus vpn -> wan (tunnel peers may use this
# router's internet connection).
config forwarding
option dest 'lan'
option src 'vpn'

config forwarding
option dest 'wan'
option src 'vpn'

config forwarding
option dest 'vpn'
option src 'lan'[/details]

[details=click this for detail: firewall.user config]iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 53
# This rule and the next: transparently send every DNS query arriving on the
# LAN bridge to this router's own resolver (REDIRECT rewrites the destination
# to the local address), so LAN clients cannot bypass local DNS by pointing at
# an external server.
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 53

# Same intent for the guest network (192.168.5.0/24, interface 'guest'),
# DNAT'd to the guest gateway 192.168.5.1. wlan0-1 is not part of br-lan, so
# the REDIRECT rules above do not match guest traffic.
# NOTE(review): the rules are appended with -A on each run of this file; fw3
# normally flushes the nat table on reload, but if it does not on this build,
# duplicates accumulate — check 'iptables -t nat -S PREROUTING' after a reload.
iptables -t nat -A PREROUTING -s 192.168.5.0/24 -p udp --dport 53 -j DNAT --to 192.168.5.1
iptables -t nat -A PREROUTING -s 192.168.5.0/24 -p tcp --dport 53 -j DNAT --to 192.168.5.1[/details]

One hint: if I temporarily turn off the firewall with /etc/init.d/firewall stop,
then I can access host 192.168.0.170, which is behind the ipcop.
But unfortunately I still have not found the answer...
Please help me with the solution, so that I can also learn from it...

Case is solved:
https://forum.openwrt.org/viewtopic.php?id=71749

Thanks to brother "gamba47"