Imagine a situation like this:
The modem is only there to provide internet.
The reason for this could be a bad isp (in my case I only get fibre this month on a new ISP).
So the Edgerouter is currently providing the internal infrastructure and firewall while the modem provides the eth0 wan connectivity.
In this case the internet has been first routed over
vtun0 which encrypted the traffic over VPN. However access to the modem interface on
10.0.2.1 wasn't possible.
For this to get working you need to redo the firewall. You can adapt the code and fit your needs:
What this does is to route all traffic going to the subnet
10.0.2.0/24 directly to it and not over the vtun0 interface which would only be able to transmitt to the wan.
This is because the
10.0.2.0/24 subnet is not managed by the Edgerouter. Instead it is managed by the modem.
You can define more direct firewall routes this way. Just remember that your VPN interface e.g.
vtun0 needs to have the highest priority.
This way you will ensure that traffic to the outside (WAN) will always go trough the VPN tunnel.
Over and Out,