Client(172.17.17.6)<->Router+Firewall<->OVPN Srv(WAN:197.174.211.77)<->Subnet A 197.174.211.0/255.255.255.224 AND Subnet B 197.174.211.64/255.255.255.224
So your OpenVPN server is located in Subnet B. I assume your servers in Subnet A can route to Subnet B.
route 197.174.211.0 255.255.255.224 <---- You don't need this, remove it
route 197.174.211.64 255.255.255.224 <---- You don't need this, remove it
push "route 197.174.211.0 255.255.255.224"
push "route 197.174.211.64 255.255.255.224"
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
172.17.17.2     *               255.255.255.255 UH    0      0   0   tun0
197.174.211.64  172.17.17.2     255.255.255.224 UG    0      0   0   tun0  <-- Bad
197.174.211.64  *               255.255.255.224 U     0      0   0   eth0
172.17.17.0     172.17.17.2     255.255.255.0   UG    0      0   0   tun0
default         197.174.211.65  0.0.0.0         UG    0      0   0   eth0
Now 197.174.211.65 is your default router. You need to configure it to route 172.17.17.0/24 to 197.174.211.77. You also need to configure the router in Subnet A for this.
Another solution (with iptables installed):
iptables -t nat -A POSTROUTING -s 172.17.17.0/24 -o eth0 -j MASQUERADE
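A check for the conflict marked "Bad" in the routing table above, as an added example that is not part of the original answer: it parses `route` output and reports any directly attached network that is also routed through a gateway on a different interface. The sample input is the table quoted above; the function names are illustrative.

```python
import ipaddress

# Sample input: the routing table quoted in the answer above.
SAMPLE = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
172.17.17.2 * 255.255.255.255 UH 0 0 0 tun0
197.174.211.64 172.17.17.2 255.255.255.224 UG 0 0 0 tun0
197.174.211.64 * 255.255.255.224 U 0 0 0 eth0
172.17.17.0 172.17.17.2 255.255.255.0 UG 0 0 0 tun0
default 197.174.211.65 0.0.0.0 UG 0 0 0 eth0
"""

def parse_routes(text):
    """Parse `route` / `route -n` output into (network, gateway, flags, iface)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "Destination":
            continue  # header, title or blank line
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        try:
            net = ipaddress.ip_network(f"{dest}/{f[2]}", strict=False)
        except ValueError:
            continue  # resolved hostname in Destination; use `route -n`
        gateway = None if f[1] in ("*", "0.0.0.0") else f[1]
        routes.append((net, gateway, f[3], f[7]))
    return routes

def shadowed_connected(routes):
    """Return (connected, via) pairs where an on-link network is also reached
    through a gateway on another interface with an equal or longer prefix."""
    findings = []
    for c_net, c_gw, c_flags, c_if in routes:
        if c_gw is not None or "H" in c_flags:
            continue  # only on-link network routes count as connected
        for v_net, v_gw, _, v_if in routes:
            if v_gw is None or v_if == c_if or v_net.prefixlen == 0:
                continue  # skip on-link routes, same interface, default route
            if v_net.subnet_of(c_net):
                findings.append(((str(c_net), c_if), (str(v_net), v_gw, v_if)))
    return findings

if __name__ == "__main__":
    for connected, via in shadowed_connected(parse_routes(SAMPLE)):
        print(f"{connected[0]} is on-link via {connected[1]} but also "
              f"routed to {via[1]} on {via[2]}")
```

Run against the table after removing the two `route` lines from the server config, the function should return an empty list.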
The decision between routing and bridging is functional more than technical; there are pros and cons and it's a choice. I prefer routing if I have only one interface, because this way lets me have a single point of control (the HN), and on it I can put some iptables rules or extra protection for containers which are not by default accessible from the Internet. If you prefer routing, you need to make sure that net.ipv4.conf.all.forwarding = 1 (run the command sysctl -a | grep forward). If not, run echo 1 > /proc/sys/net/ipv4/ip_forward (but this won't survive a reboot) or add the line
net.ipv4.conf.all.forwarding = 1
in /etc/sysctl.conf and run sysctl -p afterwards.
Usually, one routes instead of bridging because it allows NAT, which helps when lacking IPv4 addresses, but this is not your case; you have at least two of them.
On the other hand, bridging puts your HN and your VPS on an equal footing. You can do this directly on the Internet because you seem to have enough IP addresses. You may then need extra protection on each container (iptables on each container and on the host, for instance).
To come back to your (routing) problem: if setting ip_forward to 1 does not help, try arp -an (to see if it resolves at this point) from both HN and VPS, and tcpdump to get more details. When are the packets lost? At layer 2 or 3?
About IPv6, I really don't know :/
Best Answer
Just solved this problem with an iptables NAT rule like this: