Hi nightcore500,
I was able to replicate your scenario by using another Teltonika device as a server, so probably the server configuration is not quite the same; but still, you could use the following information as guidance to solve your query:
Regarding assigning an IPv4 address to the router (client) tap interface from the OpenVPN server configuration, I have been able to do it by declaring the client-config-dir directive in the server configuration. For more detailed information about this directive, you can check the link below:
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-0/
Regarding firewall zones and rules, this is my RUT955 (OpenVPN client) configuration:
root@Teltonika-RUT955:~# cat /etc/config/firewall

config zone
	option device 'tun_+ tun+ tap+'
	option name 'openvpn'
	option masq '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network 'openvpn'
	option mtu_fix '0'
	option output 'ACCEPT'

config forwarding
	option dest 'lan'
	option src 'openvpn'

config forwarding
	option dest 'openvpn'
	option src 'lan'

config rule
	option dest_port '1194'
	option src 'wan'
	option name 'Allow-openvpn-traffic'
	option target 'ACCEPT'
	option vpn_type 'openvpn'
	option proto 'tcp udp'
	option family 'ipv4'

*If tap+ is missing from the zone config, please add it and reboot your device.
This is also what the iptables output looks like:
root@Teltonika-RUT955:~# iptables -L -v | grep tap
1 84 zone_openvpn_input all -- tap+ any anywhere anywhere /* !fw3 */
0 0 zone_openvpn_forward all -- tap+ any anywhere anywhere /* !fw3 */
0 0 zone_openvpn_output all -- any tap+ anywhere anywhere /* !fw3 */
0 0 DROP all -- any tap+ anywhere anywhere ctstate INVALID /* !fw3: Prevent NAT leakage */
0 0 ACCEPT all -- any tap+ anywhere anywhere /* !fw3 */
1 84 ACCEPT all -- tap+ any anywhere anywhere ctstate NEW,UNTRACKED /* !fw3 */
Also, here is an image of my WebUI OpenVPN client configuration:
https://community.teltonika-networks.com/?qa=blob&qa_blobid=13191750865080106853
https://community.teltonika-networks.com/?qa=blob&qa_blobid=15389222558620993382
Regarding the network address translation, if your OpenVPN firewall zone has masquerading enabled, all the outgoing traffic is translated to your tap interface IP address. However, if the traffic coming from your server to your LAN router RUT955 does not belong to the same OpenVPN address network, make sure to apply iptables masquerading or a network translation on the server-side tunnel interface.
Finally, this is what my RUT955 tap interface and OpenVPN logs configuration look like:
https://community.teltonika-networks.com/?qa=blob&qa_blobid=9389561436871900544
https://community.teltonika-networks.com/?qa=blob&qa_blobid=13435586397830371666
I hope this information helps you to solve your query.
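
A way to script the "is tap+ in the zone" check from the answer above, as an added example that is not part of the original post: it reads a UCI firewall file and reports whether a zone's device patterns cover a given interface. The function names, the second zone and the sample file are constructed for illustration, and it assumes unquoted section types (`config zone`).

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Constructed sample: the zone from the post, plus one where 'tap+' is missing.
write_sample() {
    cat > "$1" <<'EOF'
config zone
	option device 'tun_+ tun+ tap+'
	option name 'openvpn'

config zone
	option name 'vpn_no_tap'
	option device 'tun_+ tun+'
EOF
}

# zone_devices FILE ZONE: print the device patterns of the named zone.
zone_devices() {
    awk -v zone="$2" -v q="'" '
        function unq(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }
        function emit() { if (inzone && name == zone) print dev }
        $1 == "config" { emit(); inzone = ($2 == "zone"); name = ""; dev = ""; next }
        inzone && $1 == "option" && $2 == "name" { name = unq($3) }
        inzone && $1 == "option" && $2 == "device" {
            $1 = ""; $2 = ""; sub(/^ +/, ""); dev = unq($0)
        }
        END { emit() }
    ' "$1"
}

# zone_covers FILE ZONE IFACE: succeed if a device pattern matches IFACE.
# A trailing '+' is a prefix wildcard, as in the 'tap+' rules iptables prints.
zone_covers() {
    for pat in $(zone_devices "$1" "$2"); do
        case "$pat" in
            *+) case "$3" in "${pat%+}"*) return 0 ;; esac ;;
            *)  [ "$pat" = "$3" ] && return 0 ;;
        esac
    done
    return 1
}

tmp=$(mktemp); write_sample "$tmp"
for z in openvpn vpn_no_tap; do
    if zone_covers "$tmp" "$z" tap0; then echo "$z: covers tap0"
    else echo "$z: tap0 not covered, add 'tap+' to option device"; fi
done
rm -f "$tmp"
```

On the router itself the same check would be `zone_covers /etc/config/firewall openvpn tap0`, where `tap0` stands for whatever name the tap interface actually has.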