Help with iptables accessing devices on different subnets


2rl

Hi! I've been reading a lot about iptables in the last few days, but I can't get my head around the configuration that I need. I'm still learning and this is beyond my scope.

I've set the Rock64 up as an access point connected to a VPN server. I need to access any devices that are connected to my main router at 192.168.10.1. My wlan access point is at 172.24.1.1. eth0 and wlan0 are always tunnelled through tun0 and it must stay that way.

Connected from wlan0 I can ping 192.168.10.176 (eth0) but not 192.168.10.1 (the Internet router) or anything else outside the wlan0 subnet.

My aim is to access SMB servers, NFS servers and SSH to any IP in the 192.168.10.x subnet from wlan0 while connected to the VPN, and vice versa. Is this even possible?


This is my ip route output:

ip route
0.0.0.0/1 via 10.8.8.1 dev tun0 
default via 192.168.10.1 dev br0 
10.8.8.0/24 dev tun0 proto kernel scope link src 10.8.8.55 
128.0.0.0/1 via 10.8.8.1 dev tun0 
169.254.0.0/16 dev wlan0 scope link metric 1000 
172.24.1.0/24 dev wlan0 proto kernel scope link src 172.24.1.1 
185.44.76.118 via 192.168.10.1 dev br0 
192.168.10.0/24 dev br0 proto kernel scope link src 192.168.10.176 

output of ip addr:

ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
    link/ether 9e:0d:db:d2:f9:a1 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9e:0d:db:d2:f9:a1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.176/24 brd 192.168.10.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fd7c:b18a:e451:0:9c0d:dbff:fed2:f9a1/64 scope global mngtmpaddr 
       valid_lft forever preferred_lft forever
    inet6 fe80::9c0d:dbff:fed2:f9a1/64 scope link 
       valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 08:10:7b:15:4a:31 brd ff:ff:ff:ff:ff:ff
    inet 172.24.1.1/24 brd 172.24.1.255 scope global wlan0
       valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.8.55/24 brd 10.8.8.255 scope global tun0
       valid_lft forever preferred_lft forever


and this is my iptables:


# Generated by iptables-save v1.6.0 on Thu Sep 20 11:15:24 2018
*raw
:PREROUTING ACCEPT [6734:463678]
:OUTPUT ACCEPT [6489:2129649]
COMMIT
# Completed on Thu Sep 20 11:15:24 2018
# Generated by iptables-save v1.6.0 on Thu Sep 20 11:15:24 2018
*mangle
:PREROUTING ACCEPT [6734:463678]
:INPUT ACCEPT [6730:463225]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6489:2129649]
:POSTROUTING ACCEPT [6571:2139731]
COMMIT
# Completed on Thu Sep 20 11:15:24 2018
# Generated by iptables-save v1.6.0 on Thu Sep 20 11:15:24 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Thu Sep 20 11:15:24 2018
# Generated by iptables-save v1.6.0 on Thu Sep 20 11:15:24 2018
*filter
:INPUT ACCEPT [10:1262]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:2170]
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
COMMIT
# Completed on Thu Sep 20 11:15:24 2018

This is my /etc/network/interfaces:


# Network is managed by Network manager
auto lo
iface lo inet loopback

auto br0
iface br0 inet dhcp
    bridge-ports eth0 wlan0

And finally my hostapd.conf, just to show that I've commented out br0 in order to be able to tunnel wlan0 traffic through the VPN. If I uncomment it I can access the other devices, but wlan0 stops being tunnelled.

#
# armbian hostapd configuration example
#
# nl80211 mode
#

ssid=ARMBIAN
interface=wlan0
#bridge=br0
hw_mode=g
channel=40
driver=nl80211

logger_syslog=0
logger_syslog_level=0
wmm_enabled=1
wpa=2
preamble=1

wpa_psk=66eb31d2b48d19ba216f2e50c6831ee11be98e2fa3a8075e30b866f4a5ccda27
wpa_passphrase=12345678
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
auth_algs=1
macaddr_acl=0

noscan=1

Many thanks for any help given!
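As an added example (not from the post or any reply), a small Python audit that parses iptables-save output like the dump above and reports, for a given ingress/egress interface pair, whether a new connection is admitted by an explicit FORWARD rule or only by the chain's default policy, and whether the egress interface is masqueraded. Run against the post's own rules it shows that wlan0 to br0 traffic is forwarded only because FORWARD's policy is ACCEPT, and that br0 is not masqueraded, so hosts on 192.168.10.0/24 would need a route back to 172.24.1.0/24 for replies. The sample ruleset is the post's nat and filter tables, trimmed to the relevant lines.

```python
import re

# Constructed sample: the nat and filter tables from the iptables-save dump in the post, trimmed.
SAMPLE_RULESET = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
COMMIT
"""

def parse_ruleset(text):
    """Split iptables-save output into per-table chain policies and '-A' rule lines."""
    policies, rules, table = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                      # table header, e.g. *filter
            table = line[1:]
            policies[table], rules[table] = {}, []
        elif line.startswith(":") and table:          # chain policy, e.g. :FORWARD ACCEPT [0:0]
            chain, policy = line[1:].split()[:2]
            policies[table][chain] = policy
        elif line.startswith("-A") and table:         # appended rule
            rules[table].append(line)
    return policies, rules

def _matches_iface(rule, flag, iface):
    """True if the rule names this interface with flag ('-i' or '-o'), or has no such option."""
    m = re.search(rf"(?:^|\s){flag} (\S+)", rule)
    return m is None or m.group(1) == iface

def audit_forward(text, in_if, out_if):
    """Describe how a NEW flow entering in_if and leaving out_if is treated by this ruleset."""
    policies, rules = parse_ruleset(text)
    forward = [r for r in rules.get("filter", []) if r.startswith("-A FORWARD ")
               and _matches_iface(r, "-i", in_if) and _matches_iface(r, "-o", out_if)]
    # A rule limited to RELATED,ESTABLISHED does not admit a new connection.
    new_ok = [r for r in forward if "-j ACCEPT" in r and "ESTABLISHED" not in r]
    masq = [r for r in rules.get("nat", []) if r.startswith("-A POSTROUTING ")
            and "-j MASQUERADE" in r and _matches_iface(r, "-o", out_if)]
    return {"explicit_accept": bool(new_ok),
            "forward_policy": policies.get("filter", {}).get("FORWARD", "ACCEPT"),
            "masquerade_out": bool(masq)}
```

Note that tun0 to wlan0 also has no explicit rule for new connections, so with the policy at ACCEPT the RELATED,ESTABLISHED rule is not actually restricting anything.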
