My current router setup has several servers behind it that are exposed to the internet with port forwards. Internal users are able to access these servers with hairpin NAT rules that redirect the traffic back. All of that works fine.
I'm now trying to add an OpenVPN configuration. OpenVPN clients are assigned addresses from a separate pool. When the OpenVPN clients connect, they are able to access the internet and internal resources through the VPN. But attempts to hit forwarded services at the router's external address fail. I've created a src-nat masquerade rule for the OpenVPN address pool range, and tried adding dst-nat rules for the exposed servers without success.
Is it possible to make this work? Both the OpenVPN endpoint and the external address the port forwards are off of are the same, e.g.:
OpenVPN external endpoint is my.dynamic.addr 1194
Backend server is port forwarded from my.dynamic.addr 80
Internal users connecting to my.dynamic.addr 80 work fine, but OpenVPN clients cannot.
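As an added illustration (not the poster's configuration and not a confirmed fix for this thread), here is a RouterOS NAT layout in which the port forward matches any address the router holds rather than a specific WAN interface, so the same dst-nat and hairpin rules also apply to connections arriving over the OpenVPN tunnel. All addresses, interface names and list names are constructed.

```routeros
# Added illustration of hairpin NAT covering both the LAN and the OpenVPN pool.
# Constructed topology (not the poster's):
#   LAN            192.168.88.0/24  gateway 192.168.88.1
#   OpenVPN pool   10.8.0.0/24      gateway 10.8.0.1
#   web server     192.168.88.10    (TCP/80 forwarded from the WAN address)
#   WAN            ether1           (dynamic public address)

/ip firewall address-list
# Sources that may reach the forwarded service "from the inside".
add list=hairpin-clients address=192.168.88.0/24 comment="LAN"
add list=hairpin-clients address=10.8.0.0/24 comment="OpenVPN pool"
# Router-owned inside addresses that must NOT be redirected to the server,
# otherwise the router's own web UI on the gateway address would be forwarded.
add list=router-inside address=192.168.88.1 comment="LAN gateway"
add list=router-inside address=10.8.0.1 comment="OpenVPN gateway"

/ip firewall nat
# Ordinary outbound masquerade for LAN and VPN clients leaving via the WAN.
add chain=srcnat out-interface=ether1 action=masquerade

# Port forward. dst-address-type=local matches every address the router holds,
# including a dynamic WAN address, and unlike in-interface=ether1 it also
# matches connections that enter from the LAN bridge or the OpenVPN interface.
add chain=dstnat dst-address-type=local dst-address-list=!router-inside protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10 to-ports=80

# Hairpin: rewrite the source of inside-originated connections to the server so
# its replies return through the router. Required when client and server share
# a subnet (the LAN case); harmless for VPN clients, whose replies already route
# back via the router.
add chain=srcnat src-address-list=hairpin-clients dst-address=192.168.88.10 protocol=tcp dst-port=80 action=masquerade
```

Check with `/ip firewall connection print where dst-address~"192.168.88.10"` from a VPN client session: the connection should show the dst-nat translation and a source in the router's own address range if the hairpin rule matched.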