Access a second subnet over OpenVPN server

Korozion

New Around Here
Hello,
I am facing a problem with my OpenVPN server setup on an Asus router RT-AX86U with Asuswrt-Merlin (latest, v388.1).

First let me explain my network setup. I remotely connect to my OpenVPN server (10.10.20.0/24), which is hosted on my Router_A (192.168.20.0/24). From there, I can access everything on the 192.168.20.0/24 subnet. But I have another subnet, behind another Router_B (192.168.30.0/24). The problem is that I cannot reach anything on this last subnet unless I configure the OpenVPN server to route both LAN and internet traffic.

Here is a graph of my network:
[Image: graph0.jpg, network diagram]

As I want to allow a few friends to access my server, I do not want to route their internet traffic through my home network. So the goal is to reach Server_B (on the linked image) which is on 192.168.30.0/24 subnet with the OpenVPN server set to LAN only.

The OpenVPN server config:
Code:
daemon ovpn-server2
topology subnet
server 10.10.20.0 255.255.255.0
proto udp4
multihome
port 1195
dev tun22
txqueuelen 1000
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
data-ciphers-fallback AES-128-CBC
keepalive 15 60
verb 3
push "route 192.168.20.0 255.255.255.0 vpn_gateway 500"
client-config-dir ccd
client-to-client
push "dhcp-option DNS 192.168.20.254"
push "dhcp-option DNS 9.9.9.9"
push "dhcp-option DNS 192.168.20.1"
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 2 server'
down 'ovpn-down 2 server'
status-version 2
status status 5

# Custom Configuration
push "route 192.168.30.0 255.255.255.0"

Note: when switching from "clients use both LAN and internet" to "clients use LAN only", only the parameter push "redirect-gateway def1" is removed. Is there some way to modify this so it allows access to the second subnet, but not to my internet?

Client config file:
Code:
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1195
resolv-retry infinite
nobind
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
keepalive 15 60
auth-user-pass
remote-cert-tls server
push "route 192.168.30.0 255.255.255.0"

Some configs and notes:
  • The router A has a route set to 192.168.30.0 255.255.255.0 with 192.168.20.3 as gateway
  • Router B has a route set to 10.10.20.0 255.255.255.0 with 192.168.20.1 as gateway (I read that this is necessary in this scenario, but it did not change anything)
  • Router B firewall is inactive
  • From machines within 192.168.30.0/24 I can ping any machine in 192.168.20.0/24 and 10.10.20.1
  • I tried adding push "route 192.168.30.0 255.255.255.0" on the client.ovpn file, but with same results.
  • On the windows client, the command route print does show 192.168.20.0 255.255.255.0 10.10.20.1 10.10.20.2 501 among others, but nothing for 192.168.30.0, so the route is not deployed on client machines. I tried to manually add it with route -p add 192.168.30.0 MASK 255.255.255.0 192.168.20.3 but pinging does nothing. However, when I do route -p add 192.168.30.0 MASK 255.255.255.0 10.10.20.1 I can see on my router A that an icmp request is sent from 10.10.20.2 to 192.168.30.1 but with no reply.
  • With the previous route added on the Windows client, when trying to ping someone in 192.168.20.0, I can see on my router that 3 requests are sent (tun22, br0 and eth1). But when pinging someone on 192.168.30.0, only one request is sent on tun22.
I am currently out of ideas.

Thank you for your help
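An added example (not from the post or from Asuswrt-Merlin) that lints a server/client config pair for the three things this thread turns on: whether the server pushes a route covering the target subnet, whether it also pushes "redirect-gateway" (so clients would tunnel their internet traffic), and whether the client profile contains "push", which is a server-mode directive and does nothing in a client profile (a client installs its own extra routes with a plain "route" line). The config excerpts are constructed to mirror the ones quoted above.

```python
import ipaddress
import shlex

# Constructed excerpts mirroring the server and client configs in the post.
SERVER_CFG = """
server 10.10.20.0 255.255.255.0
topology subnet
push "route 192.168.20.0 255.255.255.0 vpn_gateway 500"
client-to-client
# Custom Configuration
push "route 192.168.30.0 255.255.255.0"
"""
CLIENT_CFG = """
client
dev tun
remote xxx.xxx.xxx.xxx 1195
push "route 192.168.30.0 255.255.255.0"
"""


def parse_ovpn(text):
    """Yield (directive, args) per line; '#' and ';' start comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)  # keeps push "..." as one argument
            yield parts[0], parts[1:]


def routes_pushed(server_cfg):
    """Networks the server hands to clients via push "route <net> <mask> ..."."""
    nets = []
    for directive, args in parse_ovpn(server_cfg):
        inner = args[0].split() if directive == "push" and args else []
        if inner[:1] == ["route"] and len(inner) >= 3:
            nets.append(ipaddress.ip_network(f"{inner[1]}/{inner[2]}", strict=False))
    return nets


def lint(server_cfg, client_cfg, target):
    """Report what the configs imply for LAN-only clients reaching `target`."""
    target = ipaddress.ip_network(target)
    server = list(parse_ovpn(server_cfg))
    return {
        "target_pushed": any(target.subnet_of(n) for n in routes_pushed(server_cfg)),
        "internet_redirected": any(
            d == "push" and a and a[0].split()[0] == "redirect-gateway" for d, a in server),
        # 'push' is only meaningful in --mode server; a client profile should use 'route'.
        "client_has_push": any(d == "push" for d, _ in parse_ovpn(client_cfg)),
    }
```

A clean result (target pushed, no redirect-gateway, no push in the client) means the remaining gap is in forwarding on the routers rather than in the OpenVPN configs themselves.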