Tried using my VPN client (Barracuda) on a laptop connected to an OpenWRT router. I get a "Handshake Request Timeout" in the Barracuda VPN client when trying to connect.
Upon looking at tcpdump on the router itself:
router@OpenWRT:~# tcpdump -i usb0 -avvvn host vpn.xxx.xxx.srv
tcpdump: listening on usb0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:37:41.338449 IP (tos 0x0, ttl 63, id 35057, offset 0, flags [none], proto UDP (17), length 112)
openwrt.router.ip.addr.65063 > vpn.xxx.xxx.srv.691: [udp sum ok] UDP, length 84
19:37:41.395273 IP (tos 0x0, ttl 52, id 60320, offset 0, flags [none], proto UDP (17), length 1428)
vpn.xxx.xxx.srv.691 > openwrt.router.ip.addr.65063: [udp sum ok] UDP, length 1400
19:37:43.793222 IP (tos 0x0, ttl 52, id 20933, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
19:37:43.861090 IP (tos 0x0, ttl 52, id 25541, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
19:37:45.524296 IP (tos 0x0, ttl 52, id 58310, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
19:37:47.517554 IP (tos 0x0, ttl 52, id 34760, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
19:37:49.531520 IP (tos 0x0, ttl 52, id 52937, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
19:37:51.519627 IP (tos 0x0, ttl 52, id 29130, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
19:37:53.582866 IP (tos 0x0, ttl 52, id 30668, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
19:37:55.540372 IP (tos 0x0, ttl 52, id 16847, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
19:37:57.543779 IP (tos 0x0, ttl 52, id 1489, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
19:37:59.532714 IP (tos 0x0, ttl 52, id 44242, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
19:38:01.529980 IP (tos 0x0, ttl 52, id 33235, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
19:38:03.529405 IP (tos 0x0, ttl 52, id 59859, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
19:38:05.591956 IP (tos 0x0, ttl 52, id 46549, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
19:38:07.548529 IP (tos 0x0, ttl 52, id 62423, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
19:38:09.579085 IP (tos 0x0, ttl 52, id 56537, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
19:38:11.541198 IP (tos 0x0, ttl 52, id 11482, offset 1440, flags [none], proto UDP (17), length 629)
vpn.xxx.xxx.srv > openwrt.router.ip.addr: ip-proto-17
And here is a wireshark capture of the connection failing (VPN server IP is masked with red boxes):
In contrast, here is the Wireshark capture of a successful connection over WiFi phone tethering:
It looks like the packets from the VPN server are not properly forwarded back to the laptop connected on the LAN side. The VPN server is responding according to tcpdump on the device, but the laptop is not seeing those packets according to Wireshark captures. So they seem to be not forwarded properly.
Firewall settings are basically as below:
(except that Input on the WAN zone is also Accept in my case)
Everything else seems to work just fine (e.g. browsing, messengers, etc.).
Is there a firewall settings that can be adjusted to make sure this works?