RT-AC88U drops the OpenVPN inbound ACCEPT iptables rule after a time

JDA

New Around Here
This is for ASUS Merlin running latest version on two RT-AC88U routers, one as an openvpn server, and the other as a client.
I route 10.0.0.0/8 subnets on either side of the openvpn link.
When the link is established, the client route iptables has the following line in it:

Chain OVPNSI
ACCEPT udp -- anywhere anywhere udp dpt:1194

So I can ping from 10.0.server.50 -> 10.0.client.20 no problem.

But after a time, with an active openvpn link still running, and everything else as normal, this iptables line disappears, and that same ping does not work.
If I go to the client router "firewall" page and change nothing, and click "Apply", the iptables rule is restored, and all works fine.
When the iptables rule is gone, the 10.0.client.20 computer has no problem reaching or pinging 10.0.server.50, so it is a problem with openvpn INCOMING to the client and OUTGOING works fine.
There is no NAT on the openvpn internal routing.
If I ssh into the client router, and enter "service firewall_restart", this line is restored, and the ping to the client works again.

thank you for any advice!
 
When the link is established, the client route iptables has the following line in it:
I assume this is a typo and you really meant "router".

Chain OVPNSI
ACCEPT udp -- anywhere anywhere udp dpt:1194
That is the firewall rule that allows a remote client to connect to an OpenVPN server on this router. As you said this is the client machine, this rule is redundant and shouldn't be there, unless you're also running a server on this router.
 
Thank you Colin, I do have a server enabled on the client router, for access when the router is somehow not working properly as a client. I did turn off the server, and did see that line go away. I confirmed when the server was disabled on the client router that the pings work fine from a server router host to a client router host with that line absent.

So now the problem changes to: why after a time can I not ping from a server router host to a client router host, and doing a "server firewall_restart" on the client router restores the ping functionality? The "iptables -L" output is identical when working or not working.
 
So now the problem changes to: why after a time can I not ping from a server router host to a client router host, and doing a "server firewall_restart" on the client router restores the ping functionality? The "iptables -L" output is identical when working or not working.
Another typo, should be "service restart_firewall".

Your iptables command will only show the filter table. I suggest you dump all the rules with the following command and then compare the working/non-working versions.

Code:
iptables-save
 
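A way to do the comparison Colin suggests, added here as an example and not code from the thread or from Asuswrt-Merlin: take one `iptables-save` dump while the ping works and one after it stops, then diff them table by table. Plain `diff` of two raw dumps is noisy because the "# Generated by" and "# Completed on" comments carry timestamps and the ":CHAIN POLICY [packets:bytes]" headers carry counters that move constantly, so the script strips both before comparing. Every line is prefixed with its table name so a rule in nat or mangle (which `iptables -L` never shows) is reported separately from an identical-looking rule in filter. The two sample dumps are constructed for the demonstration, and the rule missing from the second one is placed in mangle purely to show that such a difference would be invisible to `iptables -L`; it is not a diagnosis of the original poster's routers. The file paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): compare two iptables-save dumps table
# by table, so a rule that changed in nat or mangle, which `iptables -L`
# never shows, is reported alongside changes in filter.
# Assumed workflow on the router: `iptables-save > /tmp/fw-working.txt` while
# the ping works, `iptables-save > /tmp/fw-broken.txt` once it fails, then
# `compare_dumps /tmp/fw-working.txt /tmp/fw-broken.txt`.
export LC_ALL=C

# Normalise one dump so that only real rule differences survive:
#  - drop the "# Generated by ..." / "# Completed on ..." timestamp comments
#  - drop COMMIT lines
#  - strip the [packets:bytes] counters from ":CHAIN POLICY [n:m]" headers
#  - prefix every header and rule with the table it belongs to
normalize() {
  awk '
    /^#/      { next }
    /^COMMIT/ { next }
    /^\*/     { table = substr($0, 2); next }
    /^:/      { sub(/ \[[0-9]+:[0-9]+\]$/, "") }
              { print table " " $0 }
  ' "$1" | sort
}

# Lines (chain headers or rules) present in dump $1 but absent from dump $2.
only_in() {
  a=$(mktemp) && b=$(mktemp)
  normalize "$1" > "$a"
  normalize "$2" > "$b"
  comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

compare_dumps() {
  echo "== in $1 but not in $2 =="
  only_in "$1" "$2"
  echo "== in $2 but not in $1 =="
  only_in "$2" "$1"
}

# Constructed sample dumps, not captured from either RT-AC88U. The second one
# is "later": timestamps and counters moved on and one mangle rule is gone.
write_samples() {
  WORKING=$(mktemp) && BROKEN=$(mktemp)
  cat > "$WORKING" <<'EOF'
# Generated by iptables-save v1.4.14 on Mon Jan  1 10:00:00 2024
*nat
:PREROUTING ACCEPT [120:9000]
:POSTROUTING ACCEPT [80:6000]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [300:24000]
-A PREROUTING -i tun11 -j MARK --set-xmark 0x1/0x7
COMMIT
*filter
:INPUT ACCEPT [500:40000]
:FORWARD ACCEPT [900:72000]
-A FORWARD -i tun11 -j ACCEPT
-A FORWARD -o tun11 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 10:00:00 2024
EOF
  cat > "$BROKEN" <<'EOF'
# Generated by iptables-save v1.4.14 on Mon Jan  1 13:30:00 2024
*nat
:PREROUTING ACCEPT [4120:309000]
:POSTROUTING ACCEPT [2080:156000]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [7300:584000]
COMMIT
*filter
:INPUT ACCEPT [9500:760000]
:FORWARD ACCEPT [9900:792000]
-A FORWARD -i tun11 -j ACCEPT
-A FORWARD -o tun11 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 13:30:00 2024
EOF
}

write_samples
compare_dumps "$WORKING" "$BROKEN"
```

Because the counters and timestamps are stripped, the only line reported for the constructed dumps is the mangle MARK rule that the second dump lacks; the filter table, which is all `iptables -L` would have shown, comes out identical, just as it did for the original poster. If a real comparison also comes out empty, the next things to snapshot alongside the dumps are `ip route show table all` and `ip rule show`, since a lost route or policy-routing rule on the client side would break inbound pings without any change to iptables.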