Whenever the device hosting the OpenVPN server is NOT running on the primary router (aka, default gateway), then you need to add a static route to that primary router to tell it how to route packets from the tunnel's private IP network back to that router!
What's happening is that packets from the OpenVPN client are being dropped on the network behind the OpenVPN server, and when devices are reached on that network, they don't know how to route back the replies. They have no idea where packets from the tunnel's IP network are coming from. So they send the replies back to their default gateway, which doesn't know how to route back the replies either. And so the replies never make it back to the OpenVPN client.
That's why you need that static route on the primary router, so you can correct this routing problem.
I should add, sometimes people can't add static routes to the primary router because they have a modem+router from their ISP, which doesn't support modifications of this type. In that case, you can alternatively NAT the traffic from the tunnel over the private network.
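The check and the two fixes described in the post above, as an added example that is not part of the original thread. The tunnel network, the addresses, the interface name and the sample routing table are assumptions chosen for illustration, and a Linux-based primary router is assumed.

```shell
#!/bin/sh
# Assumed values (not from the thread); adjust to your network.
TUN_NET="10.8.0.0/24"      # OpenVPN tunnel network (assumption)
VPN_LAN_IP="192.168.1.2"   # LAN address of the device running the OpenVPN server (assumption)
LAN_IF="br0"               # LAN-facing interface of that device (assumption)

# Constructed sample of `ip route show` output from the primary router.
# It has no entry for the tunnel network, so replies follow the default route.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

# has_return_route ROUTES
# Succeeds if ROUTES contains a route for TUN_NET via VPN_LAN_IP.
has_return_route() {
    printf '%s\n' "$1" | awk -v net="$TUN_NET" -v gw="$VPN_LAN_IP" '
        $1 == net && $2 == "via" && $3 == gw { found = 1 }
        END { exit !found }'
}

# suggest_fix ROUTES CAN_EDIT_ROUTER(yes|no)
# Prints the command that repairs the return path for tunnel traffic.
suggest_fix() {
    if has_return_route "$1"; then
        echo "ok: replies to $TUN_NET already go via $VPN_LAN_IP"
    elif [ "$2" = "yes" ]; then
        # Static route, to be added on the primary router.
        echo "ip route add $TUN_NET via $VPN_LAN_IP"
    else
        # Primary router cannot be changed: NAT tunnel traffic on the
        # OpenVPN server so LAN hosts reply to its LAN address instead.
        echo "iptables -t nat -A POSTROUTING -s $TUN_NET -o $LAN_IF -j MASQUERADE"
    fi
}

suggest_fix "$SAMPLE_ROUTES" yes
suggest_fix "$SAMPLE_ROUTES" no
```

With the NAT variant, every VPN client appears on the LAN as the OpenVPN server's own address, so logs and access rules on LAN hosts can no longer distinguish individual clients.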
Posted: Thu May 23, 2019 13:07 Post subject:
The other possibility is also outlined by @eibgrad, that is setting a static route on your ISP router (and maybe an extra NAT rule, but most of the ISP routers I have worked with do not need that as they are NATting all traffic).