
I've set up a load balancer with ldirectord, and an active-passive MySQL service managed by it on two additional real servers.

LVS is running in Direct Routing (DR) mode, so client requests are forwarded to the currently active real server, which answers the client directly using the virtual IP as its source address.

Real server ip: 192.168.3.41
Virtual ip: 192.168.3.100
Client ip (my workstation): 192.168.100.117

I've also set up an OpenVPN point-to-point tunnel between our local office gateway and the load balancer, to manage the hosts remotely.

Load Balancer VPN ip: 172.16.3.1
Client side VPN endpoint ip: 172.16.3.2

This is the problem: connecting to MySQL via the real IP works fine, but I also need to be able to connect via the virtual IP, and that does not work.

After some network troubleshooting it appears that, when the virtual IP is called, the return packets are not being routed into the VPN tunnel: the real server replies correctly, but the flow stops when the packets come back through the load balancer (a tcpdump on bond1 and on tun0 of the load balancer should confirm this — the reply with source 192.168.3.100 arrives on bond1 and nothing corresponding leaves on tun0).

Running NetCat on the client listening on an arbitrary port and connecting to it from the real server works when the real IP is used as the source address, but not when the virtual IP is used as the source.

Additionally, connecting to a service running on the load balancer itself (lighttpd on port 80) via the same virtual IP works!

For this reason I suspect something related to ldirectord, but I can't figure out what.

So, to sum up:

Client calls 192.168.3.41 on port 3306: working.
Client calls 192.168.3.100 on port 80 (local lighttpd on load balancer): working.
Client calls 192.168.3.100 on port 3306: NOT working; the reply packets come back into the load balancer from the real server but are not routed into the VPN.

These are my load balancer configurations:

FORWARD CHAIN (note that both the DROP policy and the trailing DROP rule show 0 packets, so, at least as of this listing, netfilter is not what discards the return packets — a reply sourced from 192.168.3.100 would match the first ACCEPT rule if it ever reached this chain, which points at the routing/reverse-path stage before FORWARD. Separately, the `tun+` rule accepts anything from the VPN to any destination, giving the remote office unrestricted reach into 192.168.3.0/24; it is worth tightening to the management ports actually needed once this is solved):

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  95M   68G ACCEPT     all  --  *      *       192.168.3.0/24       0.0.0.0/0           
  58M 8719M ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
  17M   16G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0               state RELATED,ESTABLISHED 
    0     0 DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

POSTROUTING CHAIN (note that the first MASQUERADE rule has no out-interface, so it also applies to traffic leaving via tun0: any new flow sourced from 192.168.3.0/24 — including one sourced from the VIP, as in the NetCat test — would reach the VPN client with 172.16.3.1 as its source instead. Restricting that rule with `-o bond0`, the interface of the default route, avoids this, although it does not by itself explain why the packets never reach the tunnel):

Chain POSTROUTING (policy ACCEPT 1377K packets, 84M bytes)
 pkts bytes target     prot opt in     out     source               destination          
 862K   51M MASQUERADE  all  --  *      *       192.168.3.0/24       0.0.0.0/0           
 101K 6159K MASQUERADE  all  --  *      bond1   172.16.3.0/24        0.0.0.0/0           

BOND 1 Interface:

# ifconfig bond1
bond1     Link encap:Ethernet  HWaddr 00:22:19:d5:6d:da  
          inet addr:192.168.3.11  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:28854406358 errors:0 dropped:356 overruns:0 frame:0
          TX packets:27339806726 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:11071114840327 (10.0 TiB)  TX bytes:6071397046829 (5.5 TiB)

TUN 0 Interface:

# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.16.3.1  P-t-P:172.16.3.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:6047779884 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7219390246 errors:0 dropped:3234101 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:1060763811007 (987.9 GiB)  TX bytes:5651690621029 (5.1 TiB)

Routing Table:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.3.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.100.0   172.16.3.2      255.255.255.0   UG    0      0        0 tun0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 bond1
172.16.3.0      172.16.3.2      255.255.255.0   UG    0      0        0 tun0
0.0.0.0         xxx.xxx.xxx.xxx 0.0.0.0         UG    0      0        0 bond0

Kernel parameters (the greps below do not cover `rp_filter` or `log_martians`; since 192.168.3.100 is a local address of the load balancer — which is why lighttpd answers on it — a packet arriving on bond1 with that address as its source would be expected to fail the reverse-path check and be discarded as a martian when `net.ipv4.conf.all.rp_filter` or `net.ipv4.conf.bond1.rp_filter` is enabled; check those two values and enable `net.ipv4.conf.bond1.log_martians` to confirm whether this is the drop point):

# sysctl -a|grep forw
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth3.forwarding = 1
net.ipv4.conf.eth3.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 1
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond1.forwarding = 1
net.ipv4.conf.bond1.mc_forwarding = 0
net.ipv4.conf.bond2.forwarding = 1
net.ipv4.conf.bond2.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.ip_forward = 1

# sysctl -a|grep arp
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_accept = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.arp_announce = 0
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.default.arp_accept = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.arp_announce = 0
net.ipv4.conf.lo.arp_ignore = 0
net.ipv4.conf.lo.arp_accept = 0
net.ipv4.conf.eth0.proxy_arp = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.arp_announce = 0
net.ipv4.conf.eth0.arp_ignore = 0
net.ipv4.conf.eth0.arp_accept = 0
net.ipv4.conf.eth1.proxy_arp = 0
net.ipv4.conf.eth1.arp_filter = 0
net.ipv4.conf.eth1.arp_announce = 0
net.ipv4.conf.eth1.arp_ignore = 0
net.ipv4.conf.eth1.arp_accept = 0
net.ipv4.conf.eth2.proxy_arp = 0
net.ipv4.conf.eth2.arp_filter = 0
net.ipv4.conf.eth2.arp_announce = 0
net.ipv4.conf.eth2.arp_ignore = 0
net.ipv4.conf.eth2.arp_accept = 0
net.ipv4.conf.eth3.proxy_arp = 0
net.ipv4.conf.eth3.arp_filter = 0
net.ipv4.conf.eth3.arp_announce = 0
net.ipv4.conf.eth3.arp_ignore = 0
net.ipv4.conf.eth3.arp_accept = 0
net.ipv4.conf.bond0.proxy_arp = 0
net.ipv4.conf.bond0.arp_filter = 0
net.ipv4.conf.bond0.arp_announce = 0
net.ipv4.conf.bond0.arp_ignore = 0
net.ipv4.conf.bond0.arp_accept = 0
net.ipv4.conf.bond1.proxy_arp = 0
net.ipv4.conf.bond1.arp_filter = 0
net.ipv4.conf.bond1.arp_announce = 0
net.ipv4.conf.bond1.arp_ignore = 0
net.ipv4.conf.bond1.arp_accept = 0
net.ipv4.conf.bond2.proxy_arp = 0
net.ipv4.conf.bond2.arp_filter = 0
net.ipv4.conf.bond2.arp_announce = 0
net.ipv4.conf.bond2.arp_ignore = 0
net.ipv4.conf.bond2.arp_accept = 0
net.ipv4.conf.tun0.proxy_arp = 0
net.ipv4.conf.tun0.arp_filter = 0
net.ipv4.conf.tun0.arp_announce = 0
net.ipv4.conf.tun0.arp_ignore = 0
net.ipv4.conf.tun0.arp_accept = 0

Thank you in advance for helping me.
