I appreciate all of your help so far. I still cannot ping the server from a connected client, or vice versa.
I should mention that the VPN Network is listed as "Public" in the "Networking and Sharing Center", which is typically an early indicator that network sharing will be an issue. Ordinarily, setting a route like `route 0.0.0.0 0.0.0.0` would "force" it into "Private" status.
None of the routing I've tried has resolved the issue, which I suppose isn't much of a surprise, given that both you and the other person trying to help say that additional routing isn't necessary in this case.
Updated configs / diagnostics
vpn_server: /etc/config/network
```
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdcb:3242:20c0::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.31.15'
    option gateway '192.168.31.1'
    option dns '192.168.31.1'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 5t'
    option vid '1'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4 6t'
    option vid '2'

config interface 'tap0'
    option type 'bridge'
    option proto 'none'
    option auto '1'
    option ifname 'eth0.1 tap0'
```
vpn_server: /etc/config/firewall
```
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config include
    option path '/etc/firewall.user'
```
vpn_server: /etc/config/dhcp
```
config dnsmasq
    option domainneeded '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'
    option allservers '1'

config dhcp 'lan'
    option interface 'lan'
    option ignore '1'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'
```
vpn_server: *ip -4 addr ; ip -4 ro ; ip -4 ru*
```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
518: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.31.15/24 brd 192.168.31.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 192.168.31.1 dev br-lan
192.168.31.0/24 dev br-lan scope link src 192.168.31.15
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
```
vpn_server: /etc/config/openvpn
```
config openvpn 'vpnserver'
    option enabled '1'
    option dev 'tap0'
    option port '1196'
    option proto 'udp'
    option comp_lzo 'yes'
    option keepalive '10 120'
    option persist_key '1'
    option persist_tun '1'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/my-server.crt'
    option key '/etc/openvpn/my-server.key'
    option dh '/etc/openvpn/dh2048.pem'
    option tls_auth '/etc/openvpn/tls-auth.key 0'
    option mode 'server'
    option tls_server '1'
    option server_bridge '192.168.31.15 255.255.255.0 192.168.31.93 192.168.31.99'
    option client_to_client '1'
    option status '/tmp/openvpn_tap0.status'
    #list push 'route 192.168.31.0 255.255.255.0 192.168.31.15 350'
    list push 'dhcp-option DNS 192.168.31.15'
    #list push 'redirect-gateway def1'
```
vpn_client: client.ovpn
```
dev tap
client
proto udp
fast-io
remote vpn.server.address 1196
remote-cert-tls server
nobind
persist-key
persist-tun
comp-lzo no
verb 3
key-direction 1
#route 0.0.0.0 0.0.0.0 192.168.31.15 350
#route 192.168.31.0 255.255.255.0 192.168.31.1 350
#route-metric 350
<keys omitted>
```
vpn_client: *route print -4*
```
===========================================================================
Interface List
 12...00 ff 81 0c 40 9e ......Private Internet Access Network Adapter
 22...00 ff dc fb 95 14 ......TAP-Windows Adapter V9
 19...10 02 b5 57 47 7b ......Microsoft Wi-Fi Direct Virtual Adapter
 15...12 02 b5 57 47 7a ......Microsoft Wi-Fi Direct Virtual Adapter #2
 14...10 02 b5 57 47 7a ......Intel(R) Dual Band Wireless-AC 7265
  1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.11.1   192.168.11.215     50
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    331
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    331
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    331
     192.168.31.0    255.255.255.0          On-link    192.168.31.93    281
    192.168.31.93  255.255.255.255          On-link    192.168.31.93    281
   192.168.31.255  255.255.255.255          On-link    192.168.31.93    281
     192.168.11.0    255.255.255.0          On-link   192.168.11.215    306
   192.168.11.215  255.255.255.255          On-link   192.168.11.215    306
   192.168.11.255  255.255.255.255          On-link   192.168.11.215    306
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    331
        224.0.0.0        240.0.0.0          On-link   192.168.11.215    306
        224.0.0.0        240.0.0.0          On-link    192.168.31.93    281
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    331
  255.255.255.255  255.255.255.255          On-link   192.168.11.215    306
  255.255.255.255  255.255.255.255          On-link    192.168.31.93    281
===========================================================================
Persistent Routes:
  None
```
That last one is probably more of what you asked for a few days ago.
I would start looking into the upstream router, but the fact that I cannot ping the VPN server from a connected client within the tunnel (or vice versa) stands out. I think I should fix that before trying to adjust anything in the upstream router.