@Sunshine 

Hello,

I just can't believe that it's designed this way for "security considerations". I'm utterly dumbfounded. Are you suggesting that I leave my router exposed to the internet and place myself at risk so that I can manage it. How is that more secure? I can't believe the people at TP-Link are this shortsighted and not allow management from the VPN network. Just add a checkbox in the settings to allow access. This is not a solution.

I also have tried blocking / redirecting the DNS queries, but this results in the router getting stuck in retry loop (thousands of requests a minute), and a big spike in router CPU usage as a side effect. The fix really needs to come from TP-Link.

Hello i also have this problem.

When i connected with OpenVPN i can`t access to router with local ip address. (error 403).

when i enable remote management for now it`s the only way to access to the router i don't have all options in menu.

few options like update firmware is missing :/

i think OpenVPN with aes encryption is secure (more secure than enable remore managment) so why tplink block access to device in vpn tunel ?

  @Sunshine 

So i add under archer mr 600v3 second ip address in Advanced -> Network -> LAN Settings and now i can log to the router in vpn tunel and i have all options in menu but it works only for first router restart :/ after i login to mr600 i have error  code 71241 cant get mac computer address but it still works and i can login without 403 error but after reboot (i have in options set restart everyday) openvpn stop working - i have error 7813 the vpn subnet/netmask and LAN IP address cannot be in the same subnet.

So this solutions to add second ip address works if router will be not restart ;/

  @Sunshine 

Hello,

I can also confirm that adding a 2nd ip as the vpn network works, but you can not reboot the device. After a reboot the VPN server shuts off, because there is a conflict between 2nd ip and vpn ip.