Weird routing issue from VPN to LAN


New Around Here
Having a weird routing issue from VPN to LAN, on RT-AX88U with Merlin 386.3_2

Running OpenVPN server on the router, client on Windows10.
My goal is to make both internet and LAN accessible to client.
Connection to VPN works fine and internet is accessible, but no access to LAN (ping timeout to any LAN IP including the router IP and the VPN gateway IP).
(LAN is , router IP is

Tried enabling/disabling Firewall - makes no difference.
Tried the solution from this thread - not working.
After trying a bunch of random stuff, I've found a sort of workaround.
When I add and then remove (!) the following LAN static route in the router, it starts working as expected:

Network/Host IP:
Metric: 1
Interface: VPN

Sometimes it works while the above static route still exists (mostly it doesn't), but after router reboot it consistently stops working again (whether it exists or not), until the route is added and then removed again.

How can I make it work permanently?
Any help would be appreciated.


Regular Contributor
I am only marginally familiar with VPNs, so consider that caveat to anything that follows :)

What do you accomplish by running a VPN client on Windows IN ADDITION to the VPN running on the router? I would assume that your Windows client is encrypting it's network activity, and nothing on your network (short of a configured VPN server) is going to know how to respond to it. I thought the whole point of running the VPN on your router was so that all your local network devices can take advantage of the VPN without having to be configured in any special way.


New Around Here
Sorry, I should've explained my setup better.
The router is in the office, and the Windows client is at home.
There are some servers in the office that aren't accessible from the internet, and I want to make them accessible to client only after client connects to the VPN.
There are also some servers on the internet (not in the office), which are firewalled and are accessible only from the office, and I want to allow the client at home to access these servers when the client connects to the office VPN.

Also, I don't know if it's relevant, but the router has a DualWAN setup (2 different ISPs, one static and one PPPoE).


Part of the Furniture
Examine the router's syslog for openvpn messages. Do the same for the Windows VPN client's log. Are there any errors or routing conflicts?

How is your VPN client configured? Is it TUN or TAP? Is it using split tunnelling?

If possible, temporarily disable dual WAN to see if that's the problem.


New Around Here
There is no errors in server or client logs (only some irrelevant warnings).

Client config:
dev tun
proto tcp
remote x.x.x.x YYYY
cipher AES-256-GCM
auth SHA256
key-direction 1
remote-cert-tls server

Server config:
(Putting the client inside the LAN. Also tried VPN network/subnet outside the LAN, but it had no effect on the original problem):
daemon ovpn-server1
topology subnet
proto tcp-server
port YYYY
dev tun21
txqueuelen 1000
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
auth SHA256
keepalive 15 60
push "route vpn_gateway 500"
client-config-dir ccd
push "redirect-gateway def1"
push "dhcp-option DNS x.x.x.x"
push "block-outside-dns"
key-direction 0

I think I figured out the cause...
It wasn't the Dual WAN itself that was the problem, but the Dual WAN Routing rules, when Dual WAN mode was Load Balance.
Removing these routing rules, or setting Dual WAN mode to Fail Over fixes the original problem.

It creates a new problem though.
Now I can't assign specific devices (or subnets) to a specific WAN, and I'd like to do that.
Is there a way to do that without it breaking the VPN, or when WAN is in Fail Over mode?

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!