Routing between LAN and OpenVPN client

[Jiri]

For some reason I am facing troubles routing to LAN behind the router from OpenVPN server.

I am sorry if this has been asked, I have tried searching for topic without a satisfactory results.

My aim is to maintain a network behind Router Asus RT-AC86U, running Merlin 384.15, remotely from my RemoteServer.
On the Router, I have configured an OpenVPN client, IP 10.8.51.6, that connects onto my RemoteServer, IP 10.8.51.1. Note setting up OpenVPN server on the Router is not an option as it does not receive a public ip.

From RemoteServer, I can ping the Router, I can ssh to the Router, but I cannot even ping any LAN machine (lets say 192.168.51.12) on Router's LAN 192.168.51.0. (Ping inside LAN works fine.)

On RemoteServer I have:

root@RemoteServer:/etc/openvpn# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    100    0        0 enp1s0
10.8.51.0       *               255.255.255.0   U     0      0        0 tun1
link-local      *               255.255.0.0     U     1000   0        0 tun1
192.168.0.0     *               255.255.255.0   U     100    0        0 enp1s0
192.168.51.0    10.8.51.2       255.255.255.0   UG    0      0        0 tun1

I have also attempted to configure firewall:

root@RemoteServer:/etc/openvpn# ufw status
Status: active

To                         Action      From
--                         ------      ----
1194/udp                   ALLOW       Anywhere          
Anywhere                   ALLOW       10.8.51.6          
10.8.51.6                  ALLOW       Anywhere          
1194/udp (v6)              ALLOW       Anywhere (v6)

On Router:
I have disabled ipv4 and ipv6 firewalls in GUI / Firewall / General

Established OpenVPN connection details as printed in System Log are:

Apr 30 00:02:52 rc_service: httpd 991:notify_rc start_vpnclient1
Apr 30 00:02:52 ovpn-client1[1869]: OpenVPN 2.4.8 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  8 2020
Apr 30 00:02:52 ovpn-client1[1869]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.08
Apr 30 00:02:52 ovpn-client1[1870]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 30 00:02:52 ovpn-client1[1870]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 30 00:02:52 ovpn-client1[1870]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 30 00:02:52 ovpn-client1[1870]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Apr 30 00:02:52 ovpn-client1[1870]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Apr 30 00:02:52 ovpn-client1[1870]: UDP link local: (not bound)
Apr 30 00:02:52 ovpn-client1[1870]: UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Apr 30 00:02:52 ovpn-client1[1870]: TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=6d19cea7 bf8a9784
Apr 30 00:02:52 ovpn-client1[1870]: VERIFY OK: depth=1, C=UK, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=xxx CA, name=RemoteServer, emailAddress=xxx
Apr 30 00:02:52 ovpn-client1[1870]: VERIFY KU OK
Apr 30 00:02:52 ovpn-client1[1870]: Validating certificate extended key usage
Apr 30 00:02:52 ovpn-client1[1870]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Apr 30 00:02:52 ovpn-client1[1870]: VERIFY EKU OK
Apr 30 00:02:52 ovpn-client1[1870]: VERIFY OK: depth=0, C=UK, ST=xxx, L=xxx, O=xxx, OU=jiri, CN=xxx, name=xxx, emailAddress=xxx
Apr 30 00:02:52 ovpn-client1[1870]: Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Apr 30 00:02:52 ovpn-client1[1870]: [Remote_vpn] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Apr 30 00:02:53 ovpn-client1[1870]: SENT CONTROL [Remote_vpn]: 'PUSH_REQUEST' (status=1)
Apr 30 00:02:53 ovpn-client1[1870]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.51.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.51.6 255.255.255.0'
Apr 30 00:02:53 ovpn-client1[1870]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 30 00:02:53 ovpn-client1[1870]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 30 00:02:53 ovpn-client1[1870]: OPTIONS IMPORT: route-related options modified
Apr 30 00:02:53 ovpn-client1[1870]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 30 00:02:53 ovpn-client1[1870]: Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 30 00:02:53 ovpn-client1[1870]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 30 00:02:53 ovpn-client1[1870]: Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 30 00:02:53 ovpn-client1[1870]: TUN/TAP device tun11 opened
Apr 30 00:02:53 ovpn-client1[1870]: TUN/TAP TX queue length set to 1000
Apr 30 00:02:53 ovpn-client1[1870]: /sbin/ifconfig tun11 10.8.51.6 netmask 255.255.255.0 mtu 1500 broadcast 10.8.51.255
Apr 30 00:02:53 ovpn-client1[1870]: updown.sh tun11 1500 1602 10.8.51.6 255.255.255.0 init
Apr 30 00:02:55 ovpn-client1[1870]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 30 00:02:55 ovpn-client1[1870]: Initialization Sequence Completed

I have even tried to set some explicit rules in iptables:

 admin@Router:/tmp/home/root# iptables -vL
Chain INPUT (policy ACCEPT 132 packets, 18447 bytes)
 pkts bytes target     prot opt in     out     source               destination  
   34  1136 ACCEPT     igmp --  eth0   any     anywhere             anywhere    

Chain FORWARD (policy ACCEPT 6 packets, 1714 bytes)
 pkts bytes target     prot opt in     out     source               destination  
    0     0 ACCEPT     all  --  any    tun11   192.168.51.0/24      anywhere    
    0     0 ACCEPT     all  --  tun11  any     anywhere             192.168.51.0/24
    0     0 ACCEPT     all  --  eth0   any     anywhere             base-address.mcast.net/4
  892  125K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 other2wan  all  --  !br0   eth0    anywhere             anywhere    
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere    
   16   784 DROP       all  --  any    any     anywhere             anywhere             state INVALID
  180 65179 NSFW       all  --  any    any     anywhere             anywhere    
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT
  180 65179 OVPN       all  --  any    any     anywhere             anywhere             state NEW
.....

routes on the Router:

admin@Router:/tmp/home/root# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
10.8.51.0       *               255.255.255.0   U     0      0        0 tun11
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.1     *               255.255.255.255 UH    0      0        0 eth0
192.168.51.0    *               255.255.255.0   U     0      0        0 br0

Any guess on what I may be missing?

Thanks in advance.

 

[Martineau]

For some reason I am facing troubles routing to LAN behind the router from OpenVPN server.

I am sorry if this has been asked, I have tried searching for topic without a satisfactory results.

My aim is to maintain a network behind Router Asus RT-AC86U, running Merlin 384.15, remotely from my RemoteServer.
On the Router, I have configured an OpenVPN client, IP 10.8.51.6, that connects onto my RemoteServer, IP 10.8.51.1. Note setting up OpenVPN server on the Router is not an option as it does not receive a public ip.

From RemoteServer, I can ping the Router, I can ssh to the Router, but I cannot even ping any LAN machine (lets say 192.168.51.12) on Router's LAN 192.168.51.0. (Ping inside LAN works fine.)

On RemoteServer I have:

root@RemoteServer:/etc/openvpn# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    100    0        0 enp1s0
10.8.51.0       *               255.255.255.0   U     0      0        0 tun1
link-local      *               255.255.0.0     U     1000   0        0 tun1
192.168.0.0     *               255.255.255.0   U     100    0        0 enp1s0
192.168.51.0    10.8.51.2       255.255.255.0   UG    0      0        0 tun1

I have also attempted to configure firewall:

root@RemoteServer:/etc/openvpn# ufw status
Status: active

To                         Action      From
--                         ------      ----
1194/udp                   ALLOW       Anywhere        
Anywhere                   ALLOW       10.8.51.6        
10.8.51.6                  ALLOW       Anywhere        
1194/udp (v6)              ALLOW       Anywhere (v6)

On Router:
I have disabled ipv4 and ipv6 firewalls in GUI / Firewall / General

Established OpenVPN connection details as printed in System Log are:

Apr 30 00:02:52 rc_service: httpd 991:notify_rc start_vpnclient1
Apr 30 00:02:52 ovpn-client1[1869]: OpenVPN 2.4.8 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  8 2020
Apr 30 00:02:52 ovpn-client1[1869]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.08
Apr 30 00:02:52 ovpn-client1[1870]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 30 00:02:52 ovpn-client1[1870]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 30 00:02:52 ovpn-client1[1870]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 30 00:02:52 ovpn-client1[1870]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Apr 30 00:02:52 ovpn-client1[1870]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Apr 30 00:02:52 ovpn-client1[1870]: UDP link local: (not bound)
Apr 30 00:02:52 ovpn-client1[1870]: UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Apr 30 00:02:52 ovpn-client1[1870]: TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=6d19cea7 bf8a9784
Apr 30 00:02:52 ovpn-client1[1870]: VERIFY OK: depth=1, C=UK, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=xxx CA, name=RemoteServer, emailAddress=xxx
Apr 30 00:02:52 ovpn-client1[1870]: VERIFY KU OK
Apr 30 00:02:52 ovpn-client1[1870]: Validating certificate extended key usage
Apr 30 00:02:52 ovpn-client1[1870]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Apr 30 00:02:52 ovpn-client1[1870]: VERIFY EKU OK
Apr 30 00:02:52 ovpn-client1[1870]: VERIFY OK: depth=0, C=UK, ST=xxx, L=xxx, O=xxx, OU=jiri, CN=xxx, name=xxx, emailAddress=xxx
Apr 30 00:02:52 ovpn-client1[1870]: Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Apr 30 00:02:52 ovpn-client1[1870]: [Remote_vpn] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Apr 30 00:02:53 ovpn-client1[1870]: SENT CONTROL [Remote_vpn]: 'PUSH_REQUEST' (status=1)
Apr 30 00:02:53 ovpn-client1[1870]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.51.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.51.6 255.255.255.0'
Apr 30 00:02:53 ovpn-client1[1870]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 30 00:02:53 ovpn-client1[1870]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 30 00:02:53 ovpn-client1[1870]: OPTIONS IMPORT: route-related options modified
Apr 30 00:02:53 ovpn-client1[1870]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 30 00:02:53 ovpn-client1[1870]: Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 30 00:02:53 ovpn-client1[1870]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 30 00:02:53 ovpn-client1[1870]: Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 30 00:02:53 ovpn-client1[1870]: TUN/TAP device tun11 opened
Apr 30 00:02:53 ovpn-client1[1870]: TUN/TAP TX queue length set to 1000
Apr 30 00:02:53 ovpn-client1[1870]: /sbin/ifconfig tun11 10.8.51.6 netmask 255.255.255.0 mtu 1500 broadcast 10.8.51.255
Apr 30 00:02:53 ovpn-client1[1870]: updown.sh tun11 1500 1602 10.8.51.6 255.255.255.0 init
Apr 30 00:02:55 ovpn-client1[1870]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 30 00:02:55 ovpn-client1[1870]: Initialization Sequence Completed

I have even tried to set some explicit rules in iptables:

 admin@Router:/tmp/home/root# iptables -vL
Chain INPUT (policy ACCEPT 132 packets, 18447 bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  1136 ACCEPT     igmp --  eth0   any     anywhere             anywhere  

Chain FORWARD (policy ACCEPT 6 packets, 1714 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    tun11   192.168.51.0/24      anywhere  
    0     0 ACCEPT     all  --  tun11  any     anywhere             192.168.51.0/24
    0     0 ACCEPT     all  --  eth0   any     anywhere             base-address.mcast.net/4
  892  125K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 other2wan  all  --  !br0   eth0    anywhere             anywhere  
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere  
   16   784 DROP       all  --  any    any     anywhere             anywhere             state INVALID
  180 65179 NSFW       all  --  any    any     anywhere             anywhere  
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT
  180 65179 OVPN       all  --  any    any     anywhere             anywhere             state NEW
.....

routes on the Router:

admin@Router:/tmp/home/root# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
10.8.51.0       *               255.255.255.0   U     0      0        0 tun11
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.1     *               255.255.255.255 UH    0      0        0 eth0
192.168.51.0    *               255.255.255.0   U     0      0        0 br0

Any guess on what I may be missing?

Thanks in advance.

I'd first check that the VPN client on the Router is not blocking inbound traffic from RemoteServer

 

[Jiri]

I'd first check that the VPN client on the Router is not blocking inbound traffic from RemoteServer

Thanks for coming back on my post. That is a brilliant idea, indeed. I am that type of person who forgets everything and everywhere.

This seems to be set up correctly this time.

Do you have any further ideas?

 

[Martineau]

Thanks for coming back on my post. That is a brilliant idea, indeed. I am that type of person who forgets everything and everywhere.

This seems to be set up correctly this time.
View attachment 23220
Do you have any further ideas?

The GUI 'Inbound Firewall=Allow' option updates the OVPN chain

e.g. VPN Client 4's inbound firewall is ALLOW

iptables  --line -t filter -nvL OVPN

Chain OVPN (2 references)
num   pkts bytes target     prot opt in     out     source               destination      
1        0     0 ACCEPT     all  --  tun14  *       0.0.0.0/0            0.0.0.0/0
2        0     0 DROP       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0

and there should be a MASQUERADE rule outbound from the LAN thru VPN Client 4's tunnel.

iptables  --line -t nat -nvL POSTROUTING

Chain POSTROUTING (policy ACCEPT 23032 packets, 1622K bytes)
num   pkts bytes target      prot opt in     out     source               destination      
1        0     0 MASQUERADE  all  --  *      tun14   192.168.51.0/24      0.0.0.0/0

On the RemoteServer you need to ensure you have enabled the option to create the required route/iroute directives to 192.168.51.0/24

Although you say you want to remotely administer 192.168.51.0/24, I assume this includes the router?, if not then you should explicitly block access inbound from the VPN Client.

If you simply want say Port Forwarding inbound from the VPN client, then you will need to create the necessary FORWARD/PREROUTING rules .

P.S. You should also be able to check if there are any hits on the rules.

EDIT: Just reread your OP...

On Router:
I have disabled ipv4 and ipv6 firewalls in GUI / Firewall / General

Is that true?

 

[Jiri]

The GUI 'Inbound Firewall=Allow' option updates the OVPN chain

e.g. VPN Client 4's inbound firewall is ALLOW

Thanks a lot for coming back with so much detail, Martineau.

I confirm the VPN inbound setting for client 1.

admin@Router:/tmp/home/root# iptables  --line -t filter -nvL OVPN
Chain OVPN (1 references)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0

and there should be a MASQUERADE rule ...

I shall admit I am new to the topic, but I don't think I want any NAT between the RemoteServer and the Router.
Ideally I want to access machines on 192.168.51.0/255.255.255.0 network by IP address and port.

That applies for outbound from the LAN thru VPN Client 1's tunnel as well, although its not a hard requirement this way.
Do you have any particular reason you suggest masquerading?

Although you say you want to remotely administer 192.168.51.0/24, I assume this includes the router?

Well, a very good question. Yes, although I my intention was to discuss the related challenges I face in a different thread.
Also it appears wise to sort out the routing first - My hope is that for Router's gui I would simply access 192.168.51.254:80 (Routers interface on 192.168.51.0/255.255.255.0 network) once the 192.168.51.0/255.255.255.0 network becomes visible to VPN.

If you simply want say Port Forwarding inbound from the VPN client...

Port forwarding would be a very clumsy solution.

The application is a mobile class room. Selection of machines varies lesson by lesson.
Just imagine the face of a desperate teacher, who calls me that Crumbles do not work on his new Pi's and I will tell him to wait until I set up port forwarding for 15 machines...

On disabled firewall:
Is that true?

It's a testing environment, it helps to narrow down the problem. I do not see a problem with it, as long as it gets reverted before going to production .

Is there any way of tracking individual packets (let's say icmp ping) as they pass iptables rules on Asus Merlin?
There seem to be some logging already enabled:

admin@SCFKasus:/tmp/home/root# iptables -vS
..
-N logaccept
-N logdrop
...
-A logaccept -m state --state NEW -c 0 0 -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -c 0 0 -j ACCEPT
-A logdrop -m state --state NEW -c 0 0 -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -c 0 0 -j DROP
...

Do you know where I can find these logs?

Thanks a lot,
Jiri

 

[Martineau]

Is there any way of tracking individual packets (let's say icmp ping) as they pass iptables rules on Asus Merlin?
There seem to be some logging already enabled:

[/COLOR][/FONT][/LEFT][/COLOR][/FONT][/LEFT]
[FONT=Georgia][COLOR=rgb(20, 20, 20)]
[LEFT][FONT=Georgia][COLOR=rgb(20, 20, 20)]
[LEFT]admin@SCFKasus:/tmp/home/root# iptables -vS
..
-N logaccept
-N logdrop
...
-A logaccept -m state --state NEW -c 0 0 -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -c 0 0 -j ACCEPT
-A logdrop -m state --state NEW -c 0 0 -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -c 0 0 -j DROP
...

​

Yes use the 'non-terminating' '-j LOG' target (in a separate chain if appropriate) so that it is executed before the 'terminating' rule 'ACCEPT/DROP' etc.

Do you know where I can find these logs?i

System Log GUI usually '/tmp/syslog.log'

​

Port forwarding would be a very clumsy solution.

The application is a mobile class room. Selection of machines varies lesson by lesson.
Just imagine the face of a desperate teacher, who calls me that Crumbles do not work on his new Pi's and I will tell him to wait until I set up port forwarding for 15 machines...

It's a testing environment, it helps to narrow down the problem. I do not see a problem with it, as long as it gets reverted before going to production .

Given the previous lack of detail, I can only try and helpfully suggest solutions - clumsy or not.
However, agreed, masquerading is only useful if you have subnets behind 192.168.51.0/255.255.255.0, and they too would need to access the RemoteServer.

However, given the scenario, perhaps TAP rather than TUN would be far easier or here's a thought why not run the OpenVPN server on 192.168.51.1 then the RemoteServer initiates a VPN Client connection with full access to 192.168.51.0/255.255.255.0 if you only need to act as administrator on the remote LAN?

Good luck

 

[miazza]

Hello , I write in this post because I have a similar issue on my VPN that I cannot manage to solve.
I can assess my VPN from mobile ISP and I can reach all the LAN devices attached to the 86U as from home.
All except one ... ... I cannot reach my Gigaset VOIP phone Web page; I can reach it when I am at home and attached to the router but I get no answer when connected with the VPN.

Do you have any suggestion about how to solve this problem ? is there any particular setting for this kind of device ?

Thanks

 

[Martineau]

Hello , I write in this post because I have a similar issue on my VPN that I cannot manage to solve.
I can assess my VPN from mobile ISP and I can reach all the LAN devices attached to the 86U as from home.
All except one ... ... I cannot reach my Gigaset VOIP phone Web page; I can reach it when I am at home and attached to the router but I get no answer when connected with the VPN.

Do you have any suggestion about how to solve this problem ? is there any particular setting for this kind of device ?

Thanks

I suggest you open your own thread

 

[Jiri]

So finally solved!

Martineau, thanks a log for your help.

a way of tracking individual packets (let's say icmp ping) .....usually '/tmp/syslog.log' ...

Thanks for confirming me the location. I looked there several times, but did not have enough log level set up. Once I new the location, it was clear I am not logging enough or at the right place.

I ended up logging at OUTPUT table of RemoveServer (to check RemoteServer is routing correctly):

iptables -t security -I OUTPUT -p icmp -j LOG --log-prefix "OUTPUT: security " --log-ip-options

And the earliest entry point of the Router:

iptables -t raw -I PREROUTING 1 -p icmp -j LOG --log-prefix "PREROUTING: raw " --log-ip-options

This has clearly shown that ping packets from RemoteServer to Router were coming through and got logged as expected. Ping packets to Router's subnet 192.168.51.0/24 were routed correctly and also appeared on RemoteServer's tun interface, but they were nowhere to be seen at the Router above entry point of the router.

It was clear something unexpected was going on with the OpenVPN tunnel (as you indicated in your last post).

It turned out I was missing

iroute 192.168.51.0 255.255.255.0

directive in the client config directory. An article that enlightens this problematic can be found here.

Once applied, all services started to work as expected and I can access the Route's gui via its LAN address (192.168.51.254:80).

Thanks a lot,
Jiri