Please close post. Fault was elsewhere - server had multiple instances with duplicate remote subnets causing a race.
Test now works as desired:
- Site 1 gateway connects as client to my openvpn server
- Site 2 gateway connects as client to my openvpn server
- Server iroute(s) and ccd entries enable site to site
- Anyone at either site can ping anyone else
- Road warriors can ping anyone at either site
The modifications to factory:
- remove default rules lines in /etc/vpn.user
- remove 'lan2wan_forwarding disable' line in /etc/init.d/startvpn
- after connecting the vpn, from LuCI Network Firewall settings:
  - allow forwarding in general section
  - edit lan and ovpn zones to allow forwarding between both
Modifications were required to enable site-to-site traffic via the vpn and keep the remaining traffic going to the usual gateway. The factory design prevents leakage when VPN'ing, but that leakage is what I want : )
Thanks for great site. Lots of great searchable info.
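Added example, not part of the post above: a small check for the fault the poster describes (two server-side entries claiming the same remote subnet via iroute, which makes the server flap routes between clients). It assumes OpenVPN's client-config-dir layout where each file is named after the client's CN; the site names, subnets and the temporary directory are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes an OpenVPN server using
# client-config-dir; file names and subnets below are constructed samples.
set -eu

# Server side (constructed server.conf fragment, for reference only):
#   client-config-dir /etc/openvpn/ccd
#   route 192.168.10.0 255.255.255.0
#   route 192.168.20.0 255.255.255.0
#   client-to-client

CCD_DIR=$(mktemp -d)

# Constructed ccd entries: one per site gateway, keyed by client CN.
printf 'iroute 192.168.10.0 255.255.255.0\n' > "$CCD_DIR/site1-gw"
printf 'iroute 192.168.20.0 255.255.255.0\n' > "$CCD_DIR/site2-gw"
# A stale duplicate entry: the second claim on 192.168.20.0/24 is the race.
printf 'iroute 192.168.20.0 255.255.255.0\n' > "$CCD_DIR/site2-gw-old"

# Print "subnet mask client-cn" for every iroute line in the ccd directory.
list_iroutes() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v cn="$(basename "$f")" '$1 == "iroute" { print $2, $3, cn }' "$f"
    done
}

# Exit 1 and print the offending subnets if any subnet is claimed by more
# than one client; exit 0 when every remote subnet has exactly one owner.
check_duplicate_iroutes() {
    list_iroutes "$1" | awk '
        { key = $1 " " $2; n[key]++; owners[key] = owners[key] " " $3 }
        END {
            bad = 0
            for (k in n) if (n[k] > 1) { print k " claimed by:" owners[k]; bad = 1 }
            exit bad
        }'
}

# Usage: report duplicates for the constructed directory (non-zero exit here).
check_duplicate_iroutes "$CCD_DIR" || echo "duplicate iroute subnets found"
```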