
I need to set up a connection between an Ubuntu Server 16.04 LTS running an OpenVPN daemon and multiple new Windows clients (Windows 10 Pro & 8.1 Pro).

On the server there is a bridge between the OpenVPN tap device and the NIC that is attached to the company network, which carries the server's (public) IP address. This IP address is part of the subnet from which all clients are to be supplied.

With multiple Linux clients I never had any problems connecting to the company network and accessing all the company services (after the correct routes had been applied), but on the Windows systems I am not yet able to establish a stable connection.

The above problem again with example IP addresses:

  • Company subnet is 1.0.0.0/24 (public addresses, cannot be changed!)
  • VPN server has address 1.0.0.1
  • Firewall is configured to allow incoming traffic for 1.0.0.1 on port 1194 and deny everything else
  • Client has local IP address 10.90.86.45/24, local gateway 10.90.86.1 and VPN address 1.0.0.200

The result of "route print" after setting all the routes that were necessary during the attempts with the Linux clients:

Network Destination      Netmask   Gateway              Interface     Metric
        0.0.0.0          0.0.0.0   10.90.86.1           10.90.86.45      2
     10.90.86.0    255.255.255.0   On-link              10.90.86.45    257
    10.90.86.45  255.255.255.255   On-link              10.90.86.45    257
   10.90.86.255  255.255.255.255   On-link              10.90.86.45    257
      127.0.0.0        255.0.0.0   On-link                127.0.0.1    306
      127.0.0.1  255.255.255.255   On-link                127.0.0.1    306
127.255.255.255  255.255.255.255   On-link                127.0.0.1    306
        1.0.0.0    255.255.255.0   On-link                1.0.0.200     20
      1.0.0.200  255.255.255.255   On-link                1.0.0.200     20
        1.0.0.1  255.255.255.255   10.90.86.1           10.90.86.45     20
      224.0.0.0        240.0.0.0   On-link                127.0.0.1    306
      224.0.0.0        240.0.0.0   On-link                1.0.0.200    266
      224.0.0.0        240.0.0.0   On-link              10.90.86.45    257
255.255.255.255  255.255.255.255   On-link                127.0.0.1    306
255.255.255.255  255.255.255.255   On-link                1.0.0.200    266
255.255.255.255  255.255.255.255   On-link              10.90.86.45    257

Despite those three lines with metric 20 (which are enough on Linux), all pings to systems in the 1.0.0.0 subnet fail (again, on Linux I get a response from every system).

"tracert 1.0.0.1" results in:

1     <1 ms     <1 ms     <1 ms  _gateway-name [10.90.86.1]
2     21 ms     21 ms     21 ms  www.xxx.yyy.zzz
3     ...

I also manually increased the metric of the default route so that it was above the metric of the VPN connection, but as expected that didn't change anything. (After all, it may not...)

"ipconfig" returns the following (it is in German, but I think you will be able to understand it):

Ethernet-Adapter OpenVPN:

Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : TAP-Windows Adapter V9
Physische Adresse . . . . . . . . : 00-FF-BB-F1-38-3A
DHCP aktiviert. . . . . . . . . . : Ja
Autokonfiguration aktiviert . . . : Ja
IPv4-Adresse  . . . . . . . . . . : 1.0.0.200 (Bevorzugt)
Subnetzmaske  . . . . . . . . . . : 255.255.255.0
Lease erhalten. . . . . . . . . . : Samstag, 19. Januar 2019 23:00:45
Lease läuft ab. . . . . . . . . . : Sonntag, 19. Januar 2020 23:00:45
Standardgateway . . . . . . . . . :
DHCP-Server . . . . . . . . . . . : 1.0.0.0
NetBIOS über TCP/IP . . . . . . . : Aktiviert

Ethernet-Adapter Ethernet:                                                        

Verbindungsspezifisches DNS-Suffix: some.suffix                                  
Beschreibung. . . . . . . . . . . : Gigabit-Netzwerkverbindung Intel(R) 82577LM
Physische Adresse . . . . . . . . : AA-BB-CC-DD-EE-FF                          
DHCP aktiviert. . . . . . . . . . : Ja                                         
Autokonfiguration aktiviert . . . : Ja                                         
IPv4-Adresse  . . . . . . . . . . : 10.90.86.45(Bevorzugt)                     
Subnetzmaske  . . . . . . . . . . : 255.255.255.0                              
Lease erhalten. . . . . . . . . . : Samstag, 19. Januar 2019 22:57:36          
Lease läuft ab. . . . . . . . . . : Dienstag, 29. Januar 2019 22:57:33         
Standardgateway . . . . . . . . . : 10.90.86.1                                 
DHCP-Server . . . . . . . . . . . : 10.90.86.1                                 
DNS-Server  . . . . . . . . . . . : 10.90.86.1                                 
NetBIOS über TCP/IP . . . . . . . : Aktiviert                                  

And concerning the OpenVPN server config, I removed all "push route..." directives for the moment and tried setting them manually via "route add...". IP address allocation is done by the OpenVPN server itself (using the server-bridge directive).

Can anybody tell me what I am doing wrong on Windows? As I said before, I've got absolutely no problem on my Linux systems...

Apollo13