Setup site to site VPN in OpenWRT
Environment
I use OpenWRT as a VPN client connecting to another site (site A), as illustrated below:
Problem
- OpenWRT can bring up the VPN connection, but I can only reach site A from within the OpenWRT shell.
- Pinging remote site A from my PC, phone, or other devices connected to OpenWRT does not work.
Locating the cause
While pinging from my PC, phone or other devices, I run tcpdump on tun0, but only see ICMP echo requests (no replies). This means the iptables FORWARD rule is working and is not dropping or rejecting the packets.
On the remote site I run tcpdump too, but see no request packets at all. So the packets are forwarded from br-lan to tun0, but never make it through tun0 to the remote side.
Solution
The reason is not easy to find the first time you run into it, but the answer is very simple. After double-checking the output of iptables-save, I found it is related to NAT.
You may have noticed that the two sites have different subnets. OpenWRT does not include a POSTROUTING rule to SNAT traffic leaving the tunnel. I solved this by adding one simple rule in OpenWRT:
iptables -t nat -I POSTROUTING -s 10.10.0.0/24 -o tun0 -j MASQUERADE
This rule rewrites the source IP of packets leaving tun0 to the tunnel address, so the remote site knows where to send its replies. Cheers!
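The check I would script before and after applying the fix, as an added example that is not part of the original post: it parses iptables-save output (a constructed sample is embedded; on a real router feed it the live dump) for a POSTROUTING MASQUERADE/SNAT rule covering the LAN subnet on its way out of tun0, and prints the rule from the post when it is missing. The subnet 10.10.0.0/24 and interface tun0 come from the post; the function names, the sample dump and the persistence hint are this example's own. The hint assumes an fw3 (iptables-based) OpenWRT release, where /etc/firewall.user is run on firewall reload; nftables-based releases need the equivalent nft rule instead.

```shell
#!/bin/sh
# Added example, not the original post's code: detect a missing VPN masquerade
# rule in an iptables-save dump and print the fix. Runs on busybox ash.

LAN_SUBNET="${LAN_SUBNET:-10.10.0.0/24}"   # LAN behind OpenWRT (from the post)
TUN_IF="${TUN_IF:-tun0}"                   # VPN tunnel interface (from the post)

# Constructed sample of an iptables-save dump that only masquerades towards
# the WAN interface (eth0.2 here), i.e. the state described in the post.
SAMPLE_DUMP='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br-lan -o tun0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.0.0/24 -o eth0.2 -j MASQUERADE
COMMIT'

# has_vpn_masquerade SUBNET IFACE   (reads iptables-save output on stdin)
# Succeeds when the nat table holds a POSTROUTING rule that MASQUERADEs or
# SNATs SUBNET leaving IFACE. A negated match ("! -o tun0") does not count.
has_vpn_masquerade() {
    awk -v s="$1" -v i="$2" '
        /^\*/ { table = substr($0, 2) }   # "*nat", "*filter", ... open a table
        table == "nat" && /^-A POSTROUTING/ {
            has_s = 0; has_o = 0; has_j = 0
            for (k = 1; k <= NF; k++) {
                if ($k == "-s" && $(k+1) == s && $(k-1) != "!") has_s = 1
                if ($k == "-o" && $(k+1) == i && $(k-1) != "!") has_o = 1
                if ($k == "-j" && ($(k+1) == "MASQUERADE" || $(k+1) == "SNAT")) has_j = 1
            }
            if (has_s && has_o && has_j) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    '
}

# vpn_masquerade_fix SUBNET IFACE
# Prints the one-off rule from the post, then how to keep it across reboots
# on an fw3 release (assumption: /etc/firewall.user is honoured).
vpn_masquerade_fix() {
    printf 'iptables -t nat -I POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
    printf '# persist (fw3): append the line above to /etc/firewall.user, then: /etc/init.d/firewall restart\n'
}

# sample_needs_fix: runs the check against the constructed dump.
# Returns 0 when the dump lacks the tun0 masquerade (the post's situation).
sample_needs_fix() {
    if printf '%s\n' "$SAMPLE_DUMP" | has_vpn_masquerade "$LAN_SUBNET" "$TUN_IF"; then
        return 1
    fi
    return 0
}

# check_device: run on the router itself against the live ruleset.
check_device() {
    if iptables-save 2>/dev/null | has_vpn_masquerade "$LAN_SUBNET" "$TUN_IF"; then
        echo "ok: $LAN_SUBNET is already masqueraded out $TUN_IF"
        return 0
    fi
    echo "missing: no POSTROUTING MASQUERADE/SNAT for $LAN_SUBNET -> $TUN_IF; fix:"
    vpn_masquerade_fix "$LAN_SUBNET" "$TUN_IF"
    return 1
}

# Usage on the router: LAN_SUBNET=10.10.0.0/24 TUN_IF=tun0 sh this.sh && check_device
```

Running check_device before and after the fix gives a yes/no answer instead of re-reading the whole dump by eye; the parser deliberately ignores the filter table, so an accepting FORWARD rule (which the post showed was already fine) cannot be mistaken for the NAT rule.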
Copyright notice
This article is from Lesca 技术宅; when reposting, please credit the source and include the corresponding link.
Permanent link to this article: https://www.lesca.cn/archives/setup-site-to-site-vpn-in-openwrt.html