SSH connection protocol does not work well between VPN clients

Hello,
I have an OpenVPN client system on a Raspberry Pi, which for price reasons I would like to replace with the GL-AR300M16 device.
All my clients connect to this OpenVPN and use it to take advantage of SSH services within the VPN.
I bought the GL.iNet device and configured it as a router without problems; then, with some effort, I configured the VPN connection as I need it: the VPN is used for some hosts and the rest goes through the WAN port.
Now my problem: the devices inside the VPN are pingable and you can access HTTP services inside the VPN, but SSH doesn't work.
However, immediately after sending an HTTP request, the SSH protocol also works for a couple of minutes, after which it stops working again.

My VPN conf file:

dev tun
verb 3
remote myvpnserver.it
port 17190
ifconfig        172.17.190.254      172.17.190.1
route 10.55.0.0 255.255.0.0
route 172.16.0.0 255.240.0.0
route 10.0.0.0 255.255.255.0
route 172.29.136.0 255.255.255.0
secret /etc/openvpn/ovpn0/mykey.key
persist-key
persist-tun
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp

script-security 2

My route policy (manual-list.conf):

10.55.0.0/16
172.16.0.0/16
10.0.0.0/24
172.29.136.0/24
root@GL-AR300M:/etc/init.d# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
	option reload '1'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glfw'
	option type 'script'
	option path '/usr/bin/glfw.sh'
	option reload '1'

config include 'glqos'
	option type 'script'
	option path '/usr/sbin/glqos.sh'
	option reload '1'

config zone 'guestzone'
	option name 'guestzone'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding 'guestzone_fwd'
	option src 'guestzone'
	option dest 'wan'
	option enabled '0'

config rule 'guestzone_dhcp'
	option name 'guestzone_DHCP'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule 'guestzone_dns'
	option name 'guestzone_DNS'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config zone 'vpn_zone'
	option name 'ovpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'ovpn'
	option masq '1'
	option mtu_fix '1'
	option masq6 '1'
	option device 'tun0'
	option forward 'REJECT'

config forwarding 'forwarding_vpn1'
	option dest 'ovpn'
	option src 'lan'

config forwarding 'forwarding_guest_ovpn'
	option dest 'ovpn'
	option src 'guestzone'

config forwarding 'forwarding_lan_ovpn'
	option src 'ovpn'
	option dest 'lan'

Thanks in advance if anyone is able to understand my problem and help me out.
P.S. It is not possible to modify the server.

Can I ask whether the SSH server 10.55.115.48 is connected behind the VPN server myvpnserver.it?

Hi, yes, that server is inside the VPN.

The VPN client is the AR300M.

What is the VPN server?

Seems your server setup is rather complicated. How can I set up the same?

Yes, the AR300M is the client.
The server is an OpenVPN Linux machine; it creates a one-to-one connection with each individual client, dedicating a /24 network to each, and each client is used as a gateway within its LAN to allow other devices to access the VPN.
In practice, it is a system for connecting several offices in a low-cost VPN.
As a client I currently use a Raspberry Pi and everything works well, but unfortunately availability is now low and costs are high.

This is the server configuration:

dev tun

# Configuration for the tunnel with (SITE)

verb 3

# WAN interface IP address; if the IP is dynamic, comment out this line
local 10.55.115.50
port 17190

# point-to-point    local IP        remote IP
ifconfig        172.17.190.1      172.17.190.254

# Static routes
route 172.17.190.0 255.255.255.0

# To use pre-shared keys, use the same file to connect
secret ./clients/mykey.key

# Run processes as this user...
user nobody
group nobody

# To be able to restart the tunnel..
persist-key
persist-tun

# To enable compression
comp-lzo

keepalive 10 60
ping-timer-rem
persist-tun
persist-key

There is a configuration file for each client; this is the one for my test client on the 172.17.190.0/24 network. On the server all routes are set to go to this client when this network is requested.

Thanks

One more piece of info is needed.

Run these two commands on the AR300M and post the output:

route
iptables -S

route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               128.0.0.0       U     0      0        0 tun0
default         vodafone.statio 0.0.0.0         UG    10     0        0 eth0
10.0.0.0        172.17.190.1    255.255.255.0   UG    0      0        0 tun0
10.55.0.0       172.17.190.1    255.255.0.0     UG    0      0        0 tun0
83.216.184.102  vodafone.statio 255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       *               128.0.0.0       U     0      0        0 tun0
172.16.0.0      172.17.190.1    255.240.0.0     UG    0      0        0 tun0
172.17.190.0    *               255.255.255.0   U     0      0        0 br-lan
172.17.190.1    *               255.255.255.255 UH    0      0        0 tun0
172.29.136.0    172.17.190.1    255.255.255.0   UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     10     0        0 eth0

iptables -S

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N GL_SPEC_OPENING
-N ROUTE_POLICY
-N forwarding_guestzone_rule
-N forwarding_lan_rule
-N forwarding_ovpn_rule
-N forwarding_rule
-N forwarding_wan_rule
-N input_guestzone_rule
-N input_lan_rule
-N input_ovpn_rule
-N input_rule
-N input_wan_rule
-N output_guestzone_rule
-N output_lan_rule
-N output_ovpn_rule
-N output_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_guestzone_dest_ACCEPT
-N zone_guestzone_dest_REJECT
-N zone_guestzone_forward
-N zone_guestzone_input
-N zone_guestzone_output
-N zone_guestzone_src_REJECT
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_ovpn_dest_ACCEPT
-N zone_ovpn_dest_REJECT
-N zone_ovpn_forward
-N zone_ovpn_input
-N zone_ovpn_output
-N zone_ovpn_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_DROP
-A INPUT -j GL_SPEC_OPENING
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guestzone_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_ovpn_input
-A FORWARD -j ROUTE_POLICY
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guestzone_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_ovpn_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guestzone_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_ovpn_output
-A ROUTE_POLICY -i br-lan -m mark --mark 0x40000/0x40000 -j DROP
-A ROUTE_POLICY -i br-lan -m mark --mark 0x80000/0x80000 -j ACCEPT
-A ROUTE_POLICY -i br-guest -m mark --mark 0x40000/0x40000 -j DROP
-A ROUTE_POLICY -i br-guest -m mark --mark 0x80000/0x80000 -j ACCEPT
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_guestzone_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
-A zone_guestzone_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
-A zone_guestzone_forward -m comment --comment "!fw3: Custom guestzone forwarding rule chain" -j forwarding_guestzone_rule
-A zone_guestzone_forward -m comment --comment "!fw3: Zone guestzone to ovpn forwarding policy" -j zone_ovpn_dest_ACCEPT
-A zone_guestzone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_guestzone_forward -m comment --comment "!fw3" -j zone_guestzone_dest_REJECT
-A zone_guestzone_input -m comment --comment "!fw3: Custom guestzone input rule chain" -j input_guestzone_rule
-A zone_guestzone_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: guestzone_DHCP" -j ACCEPT
-A zone_guestzone_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
-A zone_guestzone_input -p udp -m udp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
-A zone_guestzone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_guestzone_input -m comment --comment "!fw3" -j zone_guestzone_src_REJECT
-A zone_guestzone_output -m comment --comment "!fw3: Custom guestzone output rule chain" -j output_guestzone_rule
-A zone_guestzone_output -m comment --comment "!fw3" -j zone_guestzone_dest_ACCEPT
-A zone_guestzone_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to ovpn forwarding policy" -j zone_ovpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -p tcp -m tcp --dport 137 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 138 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 139 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 445 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 137 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 138 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 139 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 445 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_ovpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_ovpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_ovpn_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_ovpn_forward -m comment --comment "!fw3: Custom ovpn forwarding rule chain" -j forwarding_ovpn_rule
-A zone_ovpn_forward -m comment --comment "!fw3: Zone ovpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_ovpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_ovpn_forward -m comment --comment "!fw3" -j zone_ovpn_dest_REJECT
-A zone_ovpn_input -m comment --comment "!fw3: Custom ovpn input rule chain" -j input_ovpn_rule
-A zone_ovpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_ovpn_input -m comment --comment "!fw3" -j zone_ovpn_src_ACCEPT
-A zone_ovpn_output -m comment --comment "!fw3: Custom ovpn output rule chain" -j output_ovpn_rule
-A zone_ovpn_output -m comment --comment "!fw3" -j zone_ovpn_dest_ACCEPT
-A zone_ovpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 137 -m comment --comment "!fw3: @rule[11]" -j DROP
-A zone_wan_input -p tcp -m tcp --dport 138 -m comment --comment "!fw3: @rule[11]" -j DROP
-A zone_wan_input -p tcp -m tcp --dport 139 -m comment --comment "!fw3: @rule[11]" -j DROP
-A zone_wan_input -p tcp -m tcp --dport 445 -m comment --comment "!fw3: @rule[11]" -j DROP
-A zone_wan_input -p udp -m udp --dport 137 -m comment --comment "!fw3: @rule[11]" -j DROP
-A zone_wan_input -p udp -m udp --dport 138 -m comment --comment "!fw3: @rule[11]" -j DROP
-A zone_wan_input -p udp -m udp --dport 139 -m comment --comment "!fw3: @rule[11]" -j DROP
-A zone_wan_input -p udp -m udp --dport 445 -m comment --comment "!fw3: @rule[11]" -j DROP
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_DROP -i eth0 -m comment --comment "!fw3" -j DROP

I tried to activate some logging:
iptables -A forwarding_rule -p tcp --dport 22 -j LOG
Then I made a connection from the client (172.17.190.101) to the server (10.55.115.49) and vice versa.
This is the log, but I don't understand much of it: I don't see accept, reject or drop.

[ 8066.928174] IN=br-lan OUT=tun0 MAC=94:83:c4:1a:4f:77:08:00:27:77:48:0c:08:00 SRC=172.17.190.101 DST=10.55.115.49 LEN=60 TOS=0x08 PREC=0x40 TTL=63 ID=6231 DF PROTO=TCP SPT=37890 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x3f00 
[ 8066.968624] IN=br-lan OUT=tun0 MAC=94:83:c4:1a:4f:77:08:00:27:77:48:0c:08:00 SRC=172.17.190.101 DST=10.55.115.49 LEN=52 TOS=0x08 PREC=0x40 TTL=63 ID=6232 DF PROTO=TCP SPT=37890 DPT=22 WINDOW=502 RES=0x00 ACK URGP=0 MARK=0x3f00 
[ 8066.989739] IN=br-lan OUT=tun0 MAC=94:83:c4:1a:4f:77:08:00:27:77:48:0c:08:00 SRC=172.17.190.101 DST=10.55.115.49 LEN=73 TOS=0x08 PREC=0x40 TTL=63 ID=6233 DF PROTO=TCP SPT=37890 DPT=22 WINDOW=502 RES=0x00 ACK PSH URGP=0 MARK=0x3f00 
[ 8067.054855] IN=br-lan OUT=tun0 MAC=94:83:c4:1a:4f:77:08:00:27:77:48:0c:08:00 SRC=172.17.190.101 DST=10.55.115.49 LEN=52 TOS=0x08 PREC=0x40 TTL=63 ID=6234 DF PROTO=TCP SPT=37890 DPT=22 WINDOW=502 RES=0x00 ACK URGP=0 MARK=0x3f00 
[ 8067.076385] IN=br-lan OUT=tun0 MAC=94:83:c4:1a:4f:77:08:00:27:77:48:0c:08:00 SRC=172.17.190.101 DST=10.55.115.49 LEN=1405 TOS=0x08 PREC=0x40 TTL=63 ID=6235 DF PROTO=TCP SPT=37890 DPT=22 WINDOW=502 RES=0x00 ACK URGP=0 MARK=0x3f00 
[ 8067.097626] IN=br-lan OUT=tun0 MAC=94:83:c4:1a:4f:77:08:00:27:77:48:0c:08:00 SRC=172.17.190.101 DST=10.55.115.49 LEN=251 TOS=0x08 PREC=0x40 TTL=63 ID=6236 DF PROTO=TCP SPT=37890 DPT=22 WINDOW=502 RES=0x00 ACK PSH URGP=0 MARK=0x3f00 
[ 8073.923156] IN=tun0 OUT=br-lan MAC= SRC=10.55.115.49 DST=172.17.190.101 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=29731 DF PROTO=TCP SPT=53540 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x3f00 
[ 8073.959693] IN=tun0 OUT=br-lan MAC= SRC=10.55.115.49 DST=172.17.190.101 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=29732 DF PROTO=TCP SPT=53540 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0 MARK=0x3f00 
[ 8073.977555] IN=tun0 OUT=br-lan MAC= SRC=10.55.115.49 DST=172.17.190.101 LEN=73 TOS=0x00 PREC=0x00 TTL=61 ID=29733 DF PROTO=TCP SPT=53540 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0 MARK=0x3f00 
[ 8074.014539] IN=tun0 OUT=br-lan MAC= SRC=10.55.115.49 DST=172.17.190.101 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=29734 DF PROTO=TCP SPT=53540 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0 MARK=0x3f00 
[ 8074.091636] IN=tun0 OUT=br-lan MAC= SRC=10.55.115.49 DST=172.17.190.101 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=29737 DF PROTO=TCP SPT=53540 DPT=22 WINDOW=245 RES=0x00 ACK URGP=0 MARK=0x3f00 
[ 8074.129376] IN=tun0 OUT=br-lan MAC= SRC=10.55.115.49 DST=172.17.190.101 LEN=100 TOS=0x00 PREC=0x00 TTL=61 ID=29738 DF PROTO=TCP SPT=53540 DPT=22 WINDOW=245 RES=0x00 ACK PSH URGP=0 MARK=0x3f00

SSH log from the server:

ssh -vvv root@172.17.190.101
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "172.17.190.101" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 172.17.190.101 [172.17.190.101] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.6
debug1: match: OpenSSH_8.6 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 172.17.190.101:22 as 'root'
debug3: hostkeys_foreach: reading file ".ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file .ssh/known_hosts:113
debug3: load_hostkeys: loaded 1 keys from 172.17.190.101
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 172.17.190.101 port 22

SSH log from the client:

ssh -vvv 10.55.115.49
OpenSSH_8.6p1, OpenSSL 1.1.1l  FIPS 24 Aug 2021
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host 10.55.115.49 originally 10.55.115.49
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: configuration requests final Match pass
debug2: resolve_canonicalize: hostname 10.55.115.49 is address
debug1: re-parsing configuration
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host 10.55.115.49 originally 10.55.115.49
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 10.55.115.49 [10.55.115.49] port 22.
debug3: set_sock_tos: set socket 5 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: compat_banner: match: OpenSSH_7.4 pat OpenSSH_7.4* compat 0x04000006
debug2: fd 5 setting O_NONBLOCK
debug1: Authenticating to 10.55.115.49:22 as 'root'
debug1: load_hostkeys: fopen /root/.ssh/known_hosts: No such file or directory
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: no algorithms matched; accept original
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
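
The LOG target is not a verdict: the rule appended to forwarding_rule writes the packet to the kernel log and rule processing continues, so the log itself never says accept, reject or drop. It also matches only destination port 22, so each session's replies (source port 22) never appear in it. The script below is an added example, not code from the thread or from GL.iNet: it replays a packet through the FORWARD path of the `iptables -S` dump above (IPTABLES_S is a subset of those rules with the `-m comment` matches removed, plus the LOG rule) and prints, chain by chain, which rules matched and where the verdict was reached. The packet fields come from the first LOG line (IN=br-lan OUT=tun0, TCP dport 22, MARK=0x3f00); only the matches that occur in the dump (-i, -o, -p, --dport, --ctstate, --mark) are modelled, and any other option is treated as matching.

```python
"""Replay a packet through the FORWARD path of an `iptables -S` dump. Added
example, not from the thread: IPTABLES_S is a subset of the chains posted
above with the `-m comment` matches removed, plus the appended LOG rule."""
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
ONE_ARG = {"-i", "-o", "-p", "-m", "-j", "--dport", "--sport", "--ctstate",
           "--mark", "--comment", "--reject-with", "--limit", "--limit-burst"}
IPTABLES_S = """\
-P FORWARD DROP
-A FORWARD -j ROUTE_POLICY
-A FORWARD -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-lan -j zone_lan_forward
-A FORWARD -i tun0 -j zone_ovpn_forward
-A FORWARD -j reject
-A ROUTE_POLICY -i br-lan -m mark --mark 0x40000/0x40000 -j DROP
-A ROUTE_POLICY -i br-lan -m mark --mark 0x80000/0x80000 -j ACCEPT
-A forwarding_rule -p tcp -m tcp --dport 22 -j LOG
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_forward -j forwarding_lan_rule
-A zone_lan_forward -j zone_ovpn_dest_ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_ovpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -j DROP
-A zone_ovpn_dest_ACCEPT -o tun0 -j ACCEPT
-A zone_ovpn_forward -j zone_lan_dest_ACCEPT
"""

def parse_rule(tokens):
    """Tokens after `-A <chain>` -> the matches modelled here, plus the target."""
    rule, i = {}, 0
    while i < len(tokens):
        opt = tokens[i]
        arg = tokens[i + 1] if opt in ONE_ARG else None
        if opt in ("-i", "-o", "-p", "-j"):
            rule[opt] = arg
        elif opt == "--dport":
            lo, _, hi = arg.partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
        elif opt == "--ctstate":
            rule["ctstate"] = set(arg.split(","))
        elif opt == "--mark":
            value, _, mask = arg.partition("/")
            rule["mark"] = (int(value, 0), int(mask or "0xffffffff", 0))
        i += 1 if arg is None else 2            # other options are skipped
    return rule

def parse_dump(dump):
    """({built-in chain: policy}, {chain: [rules]}); unknown targets = empty chain."""
    policies, chains = {}, {}
    for tok in map(shlex.split, dump.splitlines()):
        if tok and tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif tok and tok[0] == "-A":
            chains.setdefault(tok[1], []).append(parse_rule(tok[2:]))
    return policies, chains

def matches(rule, pkt):
    return (rule.get("-i") in (None, pkt["in_if"])
            and rule.get("-o") in (None, pkt["out_if"])
            and rule.get("-p") in (None, pkt["proto"])
            and ("dport" not in rule
                 or rule["dport"][0] <= pkt["dport"] <= rule["dport"][1])
            and ("ctstate" not in rule or pkt["ctstate"] in rule["ctstate"])
            and ("mark" not in rule
                 or pkt["mark"] & rule["mark"][1] == rule["mark"][0]))

def walk(chain, pkt, policies, chains, trace):
    """Verdict reached inside `chain`, or None when it falls back to the caller."""
    for n, rule in enumerate(chains.get(chain, []), 1):
        if not matches(rule, pkt):
            continue
        target = rule.get("-j")
        trace.append(f"{chain}:{n} -> {target}")
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break
        if target in chains:                    # user chain: descend into it
            verdict = walk(target, pkt, policies, chains, trace)
            if verdict:
                return verdict
        # LOG (or any other non-terminal target): just go on to the next rule
    return policies.get(chain)                  # built-in chain policy, else None

def forward_verdict(pkt, dump=IPTABLES_S):
    trace = []
    return walk("FORWARD", pkt, *parse_dump(dump), trace), trace

if __name__ == "__main__":
    # Packet fields from the first LOG line above (IN=br-lan OUT=tun0, MARK=0x3f00).
    ssh = {"in_if": "br-lan", "out_if": "tun0", "proto": "tcp", "dport": 22,
           "ctstate": "NEW", "mark": 0x3f00}
    for pkt in (ssh, dict(ssh, in_if="tun0", out_if="br-lan"),
                dict(ssh, out_if="eth0"), dict(ssh, out_if="eth0", mark=0x80000)):
        verdict, trace = forward_verdict(pkt)
        print(f"{pkt['in_if']}->{pkt['out_if']} {pkt['mark']:#x}: {verdict} via", " > ".join(trace))
```

Run as-is it prints ACCEPT for the br-lan to tun0 and tun0 to br-lan SSH packets (the verdicts come from zone_ovpn_dest_ACCEPT and zone_lan_dest_ACCEPT, after the LOG rule has already fired), REJECT for an unmarked br-lan to eth0 packet (lan to wan forwarding is `option enabled '0'` in /etc/config/firewall, so the packet falls through to the final `-j reject`), and ACCEPT for the same packet carrying mark 0x80000, which ROUTE_POLICY accepts before any zone chain is consulted. To trace a live box, replace IPTABLES_S with the full output of `iptables -S`; the comment matches can stay in.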

My very limited experience of this (something working for a few minutes, then not) is the server having problems with two clients with the same CN: the server works with one client, then gets a request from a different client with the same CN, breaks down the first, creates the second, and cycles back.

It may be nothing to do with your situation, since I don't follow your routing rules.

The server already works with over 100 connected clients, which use a Raspberry Pi with Fedora as hardware and simple forwarding.
My rules are actually very simple: the GL.iNet has to connect to the VPN and let all clients go through the VPN when they want to reach the networks 10.55.0.0/16, 172.16.0.0/16, 10.0.0.0/24 and 172.29.136.0/24, and otherwise use the WAN connection.
In turn, anyone from these networks must be able to reach the clients connected via the GL.iNet; in this case the network is 172.17.190.0/24.
All the other rules within the GL.iNet are automatic and I don't know how to simplify them.

I'm not much of an expert either; on the Raspberry Pi I had activated forwarding and masquerading, and that was enough to make everything work, as I don't need special filters.

The AR300M runs the VPN client and connects to the VPN server (10.55.114.48).
You can configure SSH login to 10.55.114.48 through the WAN interface, as follows:

  1. SSH into the AR300M and add a route:
    ip route add 10.55.114.48 via 192.168.18.1 dev eth0.2

Adjust this for your device: here the AR300M WAN interface is "eth0.2" and the WAN interface gateway is 192.168.18.1.

  2. Allow forwarding from LAN to WAN, as:
    iptables -I FORWARD -i br-lan -o eth0.2 -j ACCEPT

or, simply to test:
iptables -I FORWARD -j ACCEPT

Now SSH login goes through the WAN interface.

The server is an OpenVPN Linux machine; you can SSH in through the WAN IP 10.55.114.48.

So on the OpenVPN client, configure the router to reach 10.55.114.48 through the WAN IP.

Or maybe you can configure the server to ACCEPT packets from the VPN interface, as:

iptables -I INPUT -i ovpnxxx -j ACCEPT

ovpnxxx is the VPN server's network interface, so the server can accept packets from the VPN to its local IP.