Lost local Web UI access with HTTP 403 when OpenVPN KN-1012 server subnet requires "ip static 10.84.0.0/24 GigabitEthernet0/Vlan4" for Internet access via WAN NAT

[Serhio]

Hello,

I found a reproducible issue on Keenetic Giga KN-1012. Issue support request #654031

Environment:
- Model: Keenetic Giga KN-1012
- KeeneticOS: 5.0.8
- OpenVPN server subnet: 10.84.0.0/24
- WAN interface: GigabitEthernet0/Vlan4

- Home subnet 192.168.1.0/24
- Web UI tested via:
  - http://10.84.0.1
  - http://192.168.1.1
  - http://my.keenetic.net
- SSH access works in all scenarios from Home and OpenVPN1 segments

Current routing/NAT logic:
- WAN NAT is enabled on GigabitEthernet0/Vlan4
- OpenVPN clients are in 10.84.0.0/24

Problem:
It looks like OpenVPN clients need the following directive in order to reach external resources through GigabitEthernet0/Vlan4:
ip static 10.84.0.0 255.255.255.0 GigabitEthernet0/Vlan4

However, when this directive is present, local Web UI access starts failing with HTTP 403 Forbidden.

Reproducible behavior:

Case A — without:
no ip static 10.84.0.0 255.255.255.0 GigabitEthernet0/Vlan4

Observed results:
1. 10.84.0.1 is accessible from OpenVPN client 10.84.0.2
2. my.keenetic.net is accessible from OpenVPN client 10.84.0.2
3. 10.84.0.1 is accessible from Home client 192.168.1.124
4. OpenVPN client 10.84.0.2 cannot access external resources that should go through GigabitEthernet0/Vlan4

Case B — with:
ip static 10.84.0.0 255.255.255.0 GigabitEthernet0/Vlan4

Observed results:
1. 10.84.0.1 is NOT accessible from OpenVPN client 10.84.0.2
2. Web UI returns HTTP 403 Forbidden
3. my.keenetic.net is still accessible from OpenVPN client 10.84.0.2
4. OpenVPN client 10.84.0.2 CAN access external resources through GigabitEthernet0/Vlan4
5. 10.84.0.1 is also NOT accessible from Home client 192.168.1.124

Important note:
- SSH access to Keenetic remains available on all interface addresses in both cases.
- The issue affects Web UI access only.
- A similar effect was previously observed with:
  ip static 192.168.1.0 255.255.255.0 GigabitEthernet0/Vlan4
  In that case, replacing it with normal NAT for the Home segment restored HTTP access to 192.168.1.1.

Expected behavior:
- OpenVPN clients should be able to access external resources via WAN NAT
- Local Web UI access via 10.84.0.1 and 192.168.1.1 should continue working
- Enabling outbound NAT/routing for the OpenVPN subnet should not cause HTTP 403 on local management addresses

Actual behavior:
- The static directive for 10.84.0.0/24 appears to be required for outbound WAN access
- But when enabled, it causes Web UI access to local management IPs to fail with HTTP 403

Could you please confirm whether this is expected behavior, a NAT/static routing side effect, or a Web UI management-plane bug?

If needed, I can provide:
- full running-config
- exact test sequence
- screenshots
- self-test.txt

Thank you.