I'm documenting this to help others and as a reminder to me in the future, as I've not found any documentation or posts that references the following point.

Note: This would only apply if you are using a DSA (Distributed Switch Architecture) based version of OpenWRT with VLAN's configured and with OpenVPN in a 'TAP' [layer 2] mode set-up. Also, as a symptom of the issue you can connect to the VPN but cannot access sites internal or external to your network, with no obvious errors except for name resolution errors in the remote devices browser session.

The key missing link in the above is when you add the TAP device to the Bridge, you also need to go to the 'Bridge VLAN Filtering' tab and add the TAP device to the relevant VLAN for your LAN as un-tagged traffic.

In my case as my LAN is also the default VLAN, I set the 'Primary VLAN ID' option as well so I have a 'u *' in the VLAN box under TAP0 [my TAP device] - For context - u = un-tagged traffic to the VLAN and the * = primary VLAN ID. Once this is done all the internal and external sites work as expected.

On the old none DSA config the TAP device was not part of the VLAN from memory. Hopefully this may save others the few hours of forum scrolling and head scratching I've had to get this working over the past few days.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.