OpenWrt Forum Archive

Topic: OpenVPN on OpenWRT CHAOS CALMER 15.05, r46767 routing

The content of this topic has been archived on 13 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello OpenWRT developer team and the OpenWRT community...

I would like to reach out to all of you for help.

The issue: setting up packet routing on OpenWRT OS running an OpenVPN instance.

There are multiple guides available on www.openwrt.org; however, most address very generic setup scenarios, mostly applicable to an enterprise(ish) kind of setup where two OpenWRT devices connect two remote sites via a VPN tunnel.

As someone who would like to use consumer-grade hardware at home and be able to use the power of Linux and open source code... the scenarios described in the tech wiki, at the end of the day, did not result in a properly running router with VPN and correctly set-up routing.

I would argue that the average consumer would greatly benefit if someone who knows and understands the iptables routing of OpenWRT OS well enough were to write one reasonable guide with clear steps for setting up the routing.

I spent over a week reading the guides, felt like all of them available on the internet... the ones by openwrt.org, the off-site guides written by people who set this up on their own... and it never worked quite right, resulting in some frustrating time cursing and getting disappointed at the time wasted?! No, no, it was an experience, but a bit of a frustrating one.

The frustration came from the fact that I have a virtual PFsense instance running on the ESXi host at home doing everything I could possibly want/get out of a router. The downside is the electricity bill, and that's why using OpenWRT OS running on a small, energy-efficient device sounded like a good idea.

Here is what I wanted to do:

1. To have a mobile/remote client connect via VPN coming in from the internet, to the WAN interface of OpenWRT and into the internal LAN, and
    1.1 Communicate with local hosts in the LAN;
    1.2 Be able to reach back out to the internet so that it appears as if the mobile/remote client's public IP is the one assigned to the cable modem at home.

2. All this using a 'tun' setup and NOT a bridge interface 'tap';
3. All this using the OpenWRT OS: OpenWrt Chaos Calmer 15.05 - r46767 / LuCI (git-15.248.30277-3836b45).

That's what PFsense is able to do with only one port open for incoming packets for the OpenVPN instance.

After spending countless hours reading the guides and setting things up according to the official OpenWRT wiki, all I was able to do.... is to come in from WAN and be re-routed back to WAN. This means that the mobile device/client, by utilizing the secure tunnel, connects to the router at home and appears to have the public IP of my home ISP.

That was awesome but did not last long. I wanted to also be able to route the VPN 'tun' interface traffic into the local LAN, and after reading 15+ guides and trying things... the initial routing broke and I was never able to replicate the setup that worked.

Now, I do anticipate the advice to read again and try it. Trust me, I did not want anyone to waste their time reading this for nothing, and so I did attempt all of this before reaching out to the forum...

1. Reset the OS to factory settings (OpenWRT, that is) -> Start from a clean setup. => Did not work.
2. Tried to follow the guides from OpenWRT to a tee WITHOUT modding things to fit my LAN, just to see if the original guides actually work as written. => Never worked!
3. Followed a 3rd party guide... it worked, sort of, but the guy used tap bridging and placed the OpenVPN clients' pool into the same subnet as the LAN, and that was not something I was looking for.

Following the OpenWRT wiki I was able very quickly to get the secure VPN tunnel up and running and be able to reach the router from WAN, but once you are in... the internal routing within OpenWRT OS, from the 10.0.8.0/24 subnet into WAN and LAN, is just simply NOT happening. ;(

I tortured the OpenVPN server settings up and down, I re-configured /etc/config/firewall about a million times with the zone forwarding approach (tun0 is the interface of the VPN zone) and by writing 'config rule' directives to the firewall. => None of it worked. Just none!

And yes! :) The /etc/firewall.user iptables custom directive approach was one of the configurations I've tried... with no success.

Now, I am relatively savvy with Linux in general, at least enough to be able to set up PFSense on a virtual host, and a custom separate DNS server (bind9) on an Ubuntu instance... so on and so forth, but what's happening within the OpenWRT OS with routing between subnets... I can't figure out :(

... and so that's why I am reaching out to the community. Guys, please help, there has got to be someone out there who has done it successfully and is willing to share. And if not, maybe at least clarify if the PFsense+OpenVPN setup I'm trying to replicate with OpenWRT+OpenVPN is something that is not realistic by default?!

Thank you in advance for your time.

PS: OpenWRT OS team - your documentation is absolutely horrible!!! But your project and the work that you do in your spare time is awesome. Thank you for all the work you do, and I do realize that you are not getting paid for any of it. You guys are the ones who bring some level of home router security back to the average, less tech-advanced consumers. And that's huge and important. Thank you!

Doubled the post because one is in General Discussion, in the hope that someone who was more successful at setting up OpenVPN on CC 15.05 than me would hopefully share.
The second post is under the "Documentation" forum, in the hope that someone from the OpenWRT project would take a look at the OpenWRT wiki to see the difficult experience users have attempting to follow the guide currently posted on the wiki page.
Even someone familiar with Linux admin routines has a hell of a time getting this to work :)
Reading multiple guides posted on the openwrt.org site itself made it apparent that key steps are missing in all of them, in one way or another.
That makes people (me at least) wonder if the wiki page is relevant to the current CC 15.05 release. It does not seem to be a working config. If someone would be able to actually clarify it and say definitively, "This is for the BB release and DOES NOT currently work on CC 15.05", people would not spend a lot of time replicating it to find out it does not work. :(

Did you try to simply copy the working openvpn config from your pfsense to openwrt? There is not much openwrt specific about setting up openvpn, apart from maybe the firewall integration but even that can be set up quickly with "iptables -I FORWARD -i tun+ -j ACCEPT" and "iptables -I FORWARD -o tun+ -j ACCEPT" in rc.local or firewall.user.

Edit: also, since there usually is no bidirectional routing in place, you need to masquerade the traffic leaving your vpn interface; this is the most important thing at all if you want to reach stuff beyond the openvpn server! "iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE".

Thank you "jow" for your comment.
I love the question... and yes, you're right on target... here's what happened tho:

1. Custom options in /etc/firewall.user:
     Yes, I did include the options, in terms of forwarding.
     The option "iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE" I did NOT try.

What you are suggesting makes sense... theoretically?! But after trying everything in the world, I'm even more confused than ever before. So... if the custom iptables instructions are in place and loaded when the firewall starts, do I still need to have the tun0 interface assigned to a vpn zone and write out the zone forwarding, or is that not needed if the iptables rules are in place?

There are so many variables, and if one thing is not in place, vpn routing just does not work... right?

That's why I am desperately asking someone more experienced for a total sequence of configuration changes to the OpenWRT OS (/etc/config/firewall; /etc/config/network) and the OpenVPN daemon config (/etc/config/openvpn).

Four sleepless nights later lol aaaaa... oi! :))) I am so disappointed in myself lol for not being able to do this!

Now, I love your question about copying the config file from the OpenVPN instance on PFsense.... - yes, I stuck my grubby little fingers into the holy grail of PFsense (I think it's based on CentOS?!)
So, I ssh-ed into it, looked around, and this is what I learned - OpenVPN is so deeply integrated into PFsense in terms of administration and seamless GUI management that there is no simple saved config file for the OpenVPN daemon. It appears to be dynamic and compiled every time PFsense boots up. I did figure out how to integrate all the certificates and the keys into a client123.ovpn config file to "feed" it into iTunes to pass it into the iOS OpenVPN Connect app.... that was useful and works... but the OpenVPN server config - nope, no dice. :(

(Last edited by SoCal_sky on 27 Oct 2015, 22:55)

SoCal_sky wrote:

What you are suggesting makes sense... theoretically?! But after trying everything in the world, I'm even more confused than ever before. So... if the custom iptables instructions are in place and loaded when the firewall starts, do I still need to have the tun0 interface assigned to a vpn zone and write out the zone forwarding, or is that not needed if the iptables rules are in place?

Once you have those custom rules in place you do not need to do anything else regarding zones, forwardings etc.

SoCal_sky wrote:

There is so many variables and if one thing is not in place, vpn routing just does not work... right?

Yes, more or less, though one can usually differentiate the failure modes; for example, when attempting to ping via VPN into your lan the following things might happen:

* You get "Destination Port Unreachable" -> this is an indication that traffic would flow but the default firewall policies are preventing it
* You get nothing at all, ping "hangs" -> this is an indication of improper routing, more specifically a missing return route. Usually you would solve that by setting up proper routing into both directions but often this is not feasible, for example in a road warrior scenario, in this case you can cure the problem by masquerading response traffic.

Yes Sir, :) that's exactly what I did... I had a host in the LAN pinging the client connected from WAN via the VPN tunnel... here's what's happening...
Once the client is connected to the tunnel (done by opening a port on the WAN interface), the tunnel gets established, the OpenVPN Connect client is happy... everything is good... but...

The host connected via VPN can ping the router itself (the router's IP is 192.168.0.1); the client's IP is 10.0.8.6.
I can start a browser on the host machine connected via VPN and pull up the front GUI config of LuCI. That's it! I can't ping other hosts in the LAN, and that's the case where I get a timeout... as if the host I am pinging does not respond.
So the packets do reach from the VPN into the router on the 'tun0' interface, but replies never get routed properly back to the 'tun0' interface.

I can see traffic from VPNed clients into the router, but nothing gets returned.

I told the WPS LED to blink green on incoming VPN traffic and blink yellow on outgoing VPN traffic.
And so.... it flashes green and does not flash yellow!

If I pull up the login page of the router from the VPNed client... the LED lights up blinking green/yellow just as expected.

That's what leads me to believe internal routing (either by OpenWRT OS or by the OpenVPN server) is not configured properly. And this is where I get stuck and can't figure out why traffic does not get passed back to the VPN.

Yes, :) there is a list push 'route 192.168.0.0 255.255.255.0' directive in the openvpn config.

One of the million guides I read suggested that in CC 15.05, there should not be a "list" option and the directive should be just: push "route ....."

Is that right? Is it not? Should there be single quotes '' or double ""?! There is no consensus or clarity... just a mess in my head at this point. ;(

Now, I hear what you are saying about masquerading the return traffic.... but I don't think I know how to do this.. :(

(Last edited by SoCal_sky on 27 Oct 2015, 23:31)

You can masquerade with

iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

Hello Mr. "jow".
Thank you for your guidance.
I have added instructions you provided for iptables. I used /etc/firewall.user file.
Restarted the router, restarted ddns daemon, got IP updated.

The result: my iOS client comes through the firewall on the port I specified and gets forwarded to the OpenVPN server;

OpenVPN server assigns the IP from 10.0.8.xx subnet address to the client;

From that point I can see incoming traffic (requests from the iOS) coming through to a tun0 interface, but in return - silence... nothing gets routed back to the VPN client.

If I pull up the internal private web interface of the router (192.168.0.1) using the remote host connected via VPN (in this case my phone with the iOS Safari browser), I can log in to the router's WEB-GUI, and when that takes place I can see traffic flowing both ways just as expected.

Could I confirm with you one more time...

I have not done any config changes to the /etc/config/firewall and /etc/firewall.user other than:
1. opened one port on WAN to let the VPN client connect to the OpenVPN server
2. the custom instructions for iptables:

iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE


Was I supposed to do anything else?

According to this guide: http://wiki.openwrt.org/inbox/vpn.howto there are more instructions that should be added, and there is a hardcoded reference to the port used by the client to come in through the WAN.
Those seem to be applicable to a much older version of OpenWRT OS (Backfire 10.03.1) and I'm not sure if they are still applicable to the current CC 15.05.

Could you please advise and suggest what other config changes I should make to get this working.

Thank you, Sir, for your time.

(Last edited by SoCal_sky on 29 Oct 2015, 11:18)

After looking into this issue more and modifying the iptables instructions in /etc/firewall.user to:
Assuming:
tun0 - is an interface assigned to a OpenVPN instance;
eth0.1 - is an interface assigned to a LAN


iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0.1 -j ACCEPT
iptables -A FORWARD -i eth0.1 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0.1 -j MASQUERADE

... routing from tun0 to the internal LAN is still not working.

Kernel parameter for ipv4 forwarding is set to 1 to enable forwarding:

/etc/sysctl.conf:
net.ipv4.ip_forward = 1

Could anyone from OpenWRT project comment on this issue?

Is there something in the CHAOS CALMER 15.05, r46767 kernel or iptables that was modified in some way, causing the routing not to work?

If not, then how would a user of the OpenWRT OS set up the routing between the VPN tunnel and the LAN, and the WAN?

(Last edited by SoCal_sky on 4 Nov 2015, 11:59)
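The ruleset above appends with -A, whereas jow's rules earlier in the thread insert with -I. As an added example (not code from this thread, nor from OpenWrt), a small first-match simulation of the FORWARD chain shows why that matters; it assumes that, as fw3 does by default, FORWARD ends with a catch-all reject and /etc/firewall.user runs after the zone rules, and it uses a hypothetical eth0.2 as the WAN interface with connection-state matching left out.

```python
"""Added example (not from the thread): first-match simulation of an iptables
FORWARD chain. Assumptions, labelled as such: OpenWrt's generated firewall
(fw3) ends FORWARD with '-j reject' and runs /etc/firewall.user afterwards,
so '-A' appends behind that reject while '-I' inserts ahead of it. tun0 and
eth0.1 are the thread's names; eth0.2 is a hypothetical WAN interface.
"""
from dataclasses import dataclass
from typing import List, Optional


def iface_matches(pattern: str, name: str) -> bool:
    """iptables interface match: a trailing '+' is a prefix wildcard (tun+ -> tun0, tun1, ...)."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


@dataclass
class Rule:
    target: str                    # ACCEPT or REJECT
    in_if: Optional[str] = None    # -i
    out_if: Optional[str] = None   # -o

    def matches(self, in_if: str, out_if: str) -> bool:
        return ((self.in_if is None or iface_matches(self.in_if, in_if))
                and (self.out_if is None or iface_matches(self.out_if, out_if)))


class Chain:
    def __init__(self, rules: Optional[List[Rule]] = None):
        self.rules = list(rules or [])

    def append(self, rule: Rule) -> None:   # iptables -A FORWARD ...
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -I FORWARD ... (position 1)
        self.rules.insert(0, rule)

    def verdict(self, in_if: str, out_if: str) -> str:
        """The first matching rule decides; a packet reaching the end gets the chain policy."""
        for rule in self.rules:
            if rule.matches(in_if, out_if):
                return rule.target
        return "POLICY"


def fw3_forward_chain() -> Chain:
    """Constructed approximation of the FORWARD chain fw3 builds on a default CC 15.05 box."""
    return Chain([
        Rule("ACCEPT", in_if="eth0.1", out_if="eth0.2"),  # lan -> wan zone forwarding
        Rule("REJECT"),  # fw3's trailing '-j reject' (ICMP port-unreachable for a ping)
    ])


def appended_rules() -> Chain:
    """The -A variant from the post above: the rules land behind the reject."""
    chain = fw3_forward_chain()
    chain.append(Rule("ACCEPT", in_if="tun+"))
    chain.append(Rule("ACCEPT", in_if="tun0", out_if="eth0.1"))
    chain.append(Rule("ACCEPT", in_if="eth0.1", out_if="tun0"))
    return chain


def inserted_rules() -> Chain:
    """jow's -I variant: the rules sit at the top, ahead of the reject."""
    chain = fw3_forward_chain()
    chain.insert(Rule("ACCEPT", in_if="tun+"))
    chain.insert(Rule("ACCEPT", out_if="tun+"))
    return chain


if __name__ == "__main__":
    for label, chain in (("-A (append)", appended_rules()), ("-I (insert)", inserted_rules())):
        print(label,
              "tun0->lan:", chain.verdict("tun0", "eth0.1"),
              "lan->tun0:", chain.verdict("eth0.1", "tun0"),
              "lan->wan:", chain.verdict("eth0.1", "eth0.2"))
```

On a real box the equivalent check is `iptables -L FORWARD -nv --line-numbers`: rules listed after the reject line have zero packet counters no matter how long the tunnel is up.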

Hi guys, could anyone please provide some help with this....
Thank you.

I have to admit, that I did not read all of your posts.
The combination pfSense (2.2.4) with OpenVPN on OpenWRT should work out fine. I've been using such a setup for quite some time.
The trick is to let pfSense push most of the configuration to the client and not to use adaptive compression - it's faulty.
Then it'll work with Device Mode tun.
In case you are connecting over 3G/4G networks, you may suffer from missing pmtu support. You will need to set the tun-mtu accordingly (the real mtu will differ at both ends).

Basically, you'll need this on pfSense - as an example:
tun-mtu 1500;fragment 1280;mssfix;route 192.168.250.0 255.255.255.0;keepalive 15 45;push "route 192.168.250.0 255.255.255.0";fast-io;

Where 192.168.250.0 is the routed network. Don't mix that up with the linknet (pfSense calls that "IPv4 Tunnel Network").

On the OpenWRT router you should manually create a config in /etc/openvpn/
with the following content:
#-----------
remote [your pfsense gateway] 1194
fragment 1280
mssfix
tun-mtu 1500
dev tun0
dev-type tun
proto udp
client
tls-auth ta.key 1
# let pfSense create these certs/keys:
# and copy them over via ssh/scp
ca /etc/openvpn/yourca.crt
cert /etc/openvpn/your.crt
key /etc/openvpn/your.key
#
ns-cert-type server
verb 5
key-method 2
script-security 3
cipher AES-256-CBC
# if compression is faulty, this will help
comp-lzo
comp-noadapt
fast-io
#--------------
Remember that pfSense may also push (and override) values to the client.

You still have to reference that config in /etc/config/openvpn:
...
config openvpn custom_config

    # Set to 1 to enable this instance:
    option enabled 1

    # Include OpenVPN configuration
    option config /etc/openvpn/my-vpn.conf
...

Now there are only forwarding issues to be solved. As jow stated, you'll need to forward from your local network to the remote network. Just some insecure, basic samples for a custom script.

iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
# route vpn
iptables -A FORWARD -i bri0 -o tun0 -j ACCEPT
iptables -A FORWARD -o bri0 -i tun0 -j ACCEPT

# bri0 is your OpenWRT bridged lan interface in this example - you could also use vlans depending on how complex your setup should be. it may correlate to eth0.1 in your example.

echo 1 > /proc/sys/net/ipv4/ip_forward
# valid input
iptables -A INPUT -i lo -j ACCEPT
# route/nat back established connections
# accept answer packets for outgoing connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept newly established connections, as long as they don't stem from your mobile broadband interface:
iptables -A INPUT -m state --state NEW ! -i 3g-WWAN -j ACCEPT

Since mobile broadband internet connections tend to be unstable, a custom reconnect/watchdog script may be necessary.
Such a script could be invoked by cron. It could, if necessary, reset the USB/modem or the modem radio (AT+CFUN), call ifup and ifdown, restart the openvpn service, re-run the firewall script or do some ddns.

You will NOT need to forward/postroute/masquerade tunnel traffic over your tunnel interface. Instead you will use mere IP routing without any NAT for this. You may let your pfSense NAT outbound internet requests afterwards, if necessary.
Doing so may impact the overall performance. Please consider letting OpenWRT NAT your outbound internet traffic - with the exception of your internally routed subnets (e.g. 192.168.250.0/24 and its equivalent on your pfSense network, e.g. 10.0.80.0/24).

Also keep in mind, if you set the default route over the tunnel, that a host route for the tunnel remote endpoint exists.

Please try these first steps and let us know, what else you need.

(Last edited by epek on 5 Nov 2015, 00:01)

epek wrote:

I have to admit, that I did not read all of your posts.
The combination pfSense (2.2.4) with OpenVPN on OpenWRT should work out fine. I've been using such a setup for quite some time.

Hello "EPEK", while I do appreciate you taking your time to respond... unfortunately you missed the whole point of this topic and the reason I reached out to the community for help...

I'm NOT trying to get a VPN tunnel up between an OpenWRT device and a PFSense appliance.

This post is about getting the routing and the firewall rules set correctly, to allow:

1. OpenWRT router with an OpenVPN server running in it... to allow a remote client (mobile cellular client AND any other remote client) to connect via VPN tunnel from WAN;

2. Once connection is made and VPN tunnel is established, allow traffic from remote client to be forwarded in to local LAN behind the OpenWRT router, facilitating communication between remote client and the hosts in a LAN;

3. Once the connection is made and the VPN tunnel is established, allow traffic from the remote client to be forwarded into the external WAN, facilitating communication between the remote client and the Internet through the OpenWRT router. Only the traffic between the remote client and the OpenWRT router is "wrapped" into a VPN tunnel.

That's what this post is about, and NOT about establishing a tunnel between two routers.

It sounds like you know your stuff, and if you could please, please read what I am (and many, many other users out there are) trying to configure... this would be such a huge and much appreciated help.

The only reason PFSense was mentioned in this post is because the PFSense router is doing the routing in exactly the same way as described above.

The goal is to get the OpenWRT+OpenVPN router OS (running on low-powered Netgear hardware) to do the same..... so that the OpenWRT router could be used INSTEAD of PFSense.


Thank you for your time Sir.

(Last edited by SoCal_sky on 5 Nov 2015, 23:39)

Hello SoCal_sky!

The answer and the example configs I gave you are easily adapted for your use case, no matter if pfSense is involved or not.
Please always check your routing tables first, before looking at the firewall rules.

Regarding 1)
It doesn't really matter if you are using pfSense or OpenWRT, since they both use OpenVPN.
For the set of available features of your OpenWRT binary see

openvpn --version
OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 25 2015
library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

The INPUT for port 1194/TCP looks correct. You may want to fine tune it to use the appropriate interface using the -i parameter.

Regarding 2)
First look at the "push routes" part of the OpenVPN config examples, please.
What you want to do in step 2 does not require iptables forward chains, basically.
Check the routing tables and try to traceroute from your road warrior to the server and vice versa.
If that fails, try without forwarding rules (try policy allow in your test setup). Start to work on the firewall only if the routing is working in the first place.
Iptables shall only secure the router from invalid requests, it has no influence on routing itself, unless network address translation is used later on.

As step 2.1 now set up firewalling rules:
tun0/tunX is -as you assumed- the router tunnel interface with OpenVPN's tunnel endpoint address (from the road warrior's view).
a) Access to your OpenWRT+OpenVPN router from the clients. Create rules for the INPUT chain (e.g. port 53,80,443). Create an OUTPUT rule for RELATED and ESTABLISHED states, if the OUTPUT policy is not ACCEPT.
b) Create FORWARD chain rules for the 'advertised' subnets. i.e. the pushed routes and the local networks. You still won't need any POSTROUTING, PREROUTING chains nor MASQUERADE, DNAT, SNAT targets at this point.
E.g. iptables -A FORWARD -i tun+ -o eth0.1 -j ACCEPT and vice versa may be sufficient.
c) You may want to create RELATED, ESTABLISHED state rules, so a forwarded connection backwards to the road warrior will work.
See my previous example config for this.

Regarding 3)
SoCal_sky wrote:

3. Once the connection is made and the VPN tunnel is established, allow traffic from the remote client to be forwarded into the external WAN, facilitating communication between the remote client and the Internet through the OpenWRT router. Only the traffic between the remote client and the OpenWRT router is "wrapped" into a VPN tunnel.

Step 2 facilitates that only your internal subnets get routed through the OpenVPN tunnel.
Every route other than the more specific routes, that you pushed to the road warriors, will leave through their respective default gateway.
At this point there is still no NAT involved.

If you decide that your OpenVPN server should act as a "default" gateway for your road warriors (see OpenVPN howtos), too, you will need a static host route in your road warrior's routing table, so that the host in "remote .... 1194" is guaranteed to be accessible through their default gateway in any case. If the tunnel and routing are then up and seem to be working basically, you can then move on to creating masquerading (NAT) for them on the server.

You can always redirect certain destinations by pushing a route from the server to the clients.

Please keep in mind, that OpenWRT's standard firewall scripts and the GUI allow for a restriction of source and target network ranges when using NAT.

BTW: pfSense is based on FreeBSD, linux is not involved here.

Does that answer your questions?

(Last edited by epek on 9 Nov 2015, 01:25)

I would like to join this forum with a similar recommendation.
First, I am fascinated by OpenWrt.
Second, I spent a whole week tuning openvpn and finally got it working, but....

Earlier I used Microsoft PPTP from my workplace to my home router on DD-WRT. Normally I established a connection over the PPTP VPN and could access my home cameras (local LAN) and bypass the corporate restrictions (Internet access through my home router over VPN).

Recently my company hardened the rules and closed all the ports on the corporate proxy necessary for PPTP. So, I switched to OpenWrt OpenVPN (tcp protocol, port 443). The idea is the same - have a VPN tunnel for surfing and home LAN access.

I could not find any consistent manual on network settings when my Openvpn is up. I can access my home router OpenWrt Luci interface from my workplace via openvpn, but I cannot access the hosts on my LAN. I can surf the Internet from work through my Openvpn channel to my home router but, strangely, some sites would not open (nor would they be pinged) which is confusing to me.

What shall I read for correct network settings on my router or using Luci Openvpn interface for these? (My Openvpn server-client and home router LAN are on different subnets).

Thanks

SIMPLE ANSWER - Start with these links
https://wiki.openwrt.org/start?do=search&id=openvpn
https://community.openvpn.net/openvpn/w … AndRouting
http://www.frogiswrong.com/blog/article … ore-detail
I think the "Streamlined" link is the current best overall.

NOT SO SIMPLE - seeing you are new to the forum, JOW is a dev and his comments are probably the most accurate; however, his suggestions for rules are not fully incorporated in any WIKI link I can find. There are probably another half dozen or so similar forum posts. The easiest way to find them is to search for the iptables string. Not the first time I have heard of the issue with access to some web sites and not others. Not sure there is a solution.

The WIKI articles are mostly server articles and you will see client configs NOT focused on OpenWRT clients. They also are a mix of UCI config and some LuCI. Not all include the created config files (basically inconsistent and confusing). I think there are some issues with OpenWrt OpenVPN controls (enable/disable in the service I find unreliable). Missing from the WIKI are articles with OpenWrt configs for the most popular services, but this is not relevant to you. Also, and I can not put my finger on it, OpenWrt's implementation of OpenVPN does not include all OpenVPN options.

It was not until recently I learned one can use an .ovpn file and reference it in the OpenVPN config. Not tried this, though it seems like it should be easier to manage a mix of OpenWrt and other clients.

I run TAP (as opposed to TUN) and while I can get to the local resources, I usually have to access them by IP vs name or browse (Windows clients). I tried, but not very hard, to get TUN working with the above additional rules. It's hard to get things tested as one needs to be outside the LAN to test. Having TAP running, my incentive is low.

If you want specific help you will need to post your configs, and may be better off starting a new thread. Include your HW, SW versions for anything relevant, and config files (openvpn - both, network, firewall and anything else relevant). Also probably should follow the WIKI and redirect your OpenVPN logs to a separate file that you can easily grab.

Thank you, RangerZ. It looks like I shall have to provide my config and seek somebody's help. My intention was to look into things myself, but as far as I understand there is no simple and step-by-step guide to the most obvious configuration, which is similar to that of a Microsoft PPTP VPN (connect to the router from outside and pretend you are on the LAN behind the router...)

The fact that you are connected is half the battle. I encourage you to read the links and fail a few times.

If your goal is LAN access, consider TAP. Indeed, there is no reason why you can not have multiple servers running. I have both. TAP for my PC with LAN & internet access. TUN for my iPhone for internet-only access. If you are using the standard PC-based client, you can choose which .ovpn file you want to connect with.

OpenVPN is not simple IMHO.

Shame on me!! It was so simple and I did it from the LuCI firewall tab. I had my tun0 interface forwarding to wan only. I added lan - and voila! I have access both to the internet and the lan. The only problem remaining is that not all internet sites are available (some can be pinged and some can not). Where shall I dig?

Start with your local station routing table - maybe those sites are routed internally; then check you have DNS resolution correctly set up for those sites; and lastly, check that you don't have a proxy intercepting your traffic.

local station routing table:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.0.18.1       10.0.18.12     20
          0.0.0.0        128.0.0.0      192.168.5.5      192.168.5.6     30
         10.0.0.0        255.0.0.0         On-link        10.0.18.12     21
       10.0.0.100  255.255.255.255        10.0.18.1       10.0.18.12     20
        10.0.18.0    255.255.255.0         On-link        10.0.18.12    276
       10.0.18.12  255.255.255.255         On-link        10.0.18.12    276
      10.0.18.255  255.255.255.255         On-link        10.0.18.12    276
   10.255.255.255  255.255.255.255         On-link        10.0.18.12    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0      192.168.5.5      192.168.5.6     30
      192.168.5.1  255.255.255.255      192.168.5.5      192.168.5.6     30
      192.168.5.4  255.255.255.252         On-link       192.168.5.6    286
      192.168.5.6  255.255.255.255         On-link       192.168.5.6    286
      192.168.5.7  255.255.255.255         On-link       192.168.5.6    286
      192.168.6.0    255.255.255.0         On-link       192.168.6.1    276
      192.168.6.1  255.255.255.255         On-link       192.168.6.1    276
    192.168.6.255  255.255.255.255         On-link       192.168.6.1    276
    192.168.179.0    255.255.255.0         On-link     192.168.179.1    276
    192.168.179.1  255.255.255.255         On-link     192.168.179.1    276
  192.168.179.255  255.255.255.255         On-link     192.168.179.1    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.5.6    286
        224.0.0.0        240.0.0.0         On-link     192.168.179.1    276
        224.0.0.0        240.0.0.0         On-link       192.168.6.1    276
        224.0.0.0        240.0.0.0         On-link        10.0.18.12    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.5.6    286
  255.255.255.255  255.255.255.255         On-link     192.168.179.1    276
  255.255.255.255  255.255.255.255         On-link       192.168.6.1    276
  255.255.255.255  255.255.255.255         On-link        10.0.18.12    276
===========================================================================

openvpn IP  -  192.168.5.6
win 10 PC local IP -    10.0.18.12

Some sites IPs could not be pinged when openvpn is up. DNS is not involved...
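The "check your local station routing table" advice above can be made concrete: this added example (not from the thread) reimplements route selection over a subset of the Windows table posted above and reports which destinations actually enter the tunnel. It assumes Windows semantics (longest prefix wins, lowest metric breaks ties) and takes the tunnel peer 192.168.5.5 and all row values from that table.

```python
"""Added example (not from the thread): longest-prefix route lookup over the
'route print' table posted above. Rows are a subset copied from that listing
(sample input); the tunnel peer 192.168.5.5 is the OpenVPN gateway in it.
Selection rule assumed: longest prefix first, then lowest metric.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

ROUTE_PRINT_ROWS = """
0.0.0.0          0.0.0.0        10.0.18.1       10.0.18.12     20
0.0.0.0        128.0.0.0      192.168.5.5      192.168.5.6     30
10.0.0.0        255.0.0.0         On-link        10.0.18.12     21
10.0.0.100  255.255.255.255        10.0.18.1       10.0.18.12     20
10.0.18.0    255.255.255.0         On-link        10.0.18.12    276
128.0.0.0        128.0.0.0      192.168.5.5      192.168.5.6     30
192.168.5.1  255.255.255.255      192.168.5.5      192.168.5.6     30
192.168.5.4  255.255.255.252         On-link       192.168.5.6    286
192.168.6.0    255.255.255.0         On-link       192.168.6.1    276
"""

TUNNEL_PEER = "192.168.5.5"   # OpenVPN gateway address from the posted table


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # next-hop address, or "On-link" for a directly connected network
    interface: str    # Windows shows the local interface address here
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Parse 'route print' style rows: destination netmask gateway interface metric."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gateway, iface, metric = line.split()
        # ipaddress accepts dotted netmasks, so 0.0.0.0/128.0.0.0 becomes 0.0.0.0/1
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def lookup(routes: List[Route], address: str) -> Route:
    """Pick the route the host would use: longest prefix, then lowest metric."""
    ip = ipaddress.IPv4Address(address)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        raise LookupError(f"no route to {address}")
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def goes_through_tunnel(routes: List[Route], address: str) -> bool:
    """True when the selected next hop is the OpenVPN peer (the two /1 'def1' routes)."""
    return lookup(routes, address).gateway == TUNNEL_PEER


ROUTES = parse_route_print(ROUTE_PRINT_ROWS)

if __name__ == "__main__":
    # 10.20.30.40 is a constructed destination inside the on-link 10.0.0.0/8 route:
    # the /8 beats both /1 tunnel routes, so anything in 10/8 never enters the VPN.
    for target in ("8.8.8.8", "10.20.30.40", "10.0.0.100", "192.168.6.7"):
        r = lookup(ROUTES, target)
        print(f"{target:>14} -> {r.network!s:<16} via {r.gateway:<12} "
              f"tunnel={goes_through_tunnel(ROUTES, target)}")
```

A site that resolves into 10.0.0.0/8 (or into any of the other on-link prefixes) is answered by the corporate network rather than the home router, which is the first thing to rule out before looking at DNS or a proxy.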
