The reason has been found. The server admin tried to make an IPSEC tunnel through racoon first. Did not work out. Then he switched to OpenVPN. At the same time, despite the absence of an IPSEC tunnel and the killed SPD raccoon process, they remained quite alive and the kernel honestly tried to send the packet to where the sun does not shine. After setkey -FP, the packets flew to the right place, i.e. in tun0.
Many thanks to all who answered (and not only) for human participation.

Probably worth posting the results of the commands
ifconfig
ip r
iptables -nvL
iptables -t nat -nvL
Openvpn configs and logs.
And they will help you faster.
Well, if you are too lazy, then just try to listen to what is happening there, for example like this:
ngrep -W byline -d tun0 host xxx.xxx.xxx.xx and port xxxx
PS And you did not forget to do this
echo "1" > /proc/sys/net/ipv4/ip_forward
Or more globally in the /etc/sysctl file .conf in line
net.ipv4.ip_forward = 1

Can add to the routing table a route to 192.168.3.0 through 128.10.0.5 and tun0?

Show then the iptables rules

you should choose a class C network for openvpn because

whois 128.10.0.5
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 128.10.0.5"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=128.10.0.5?showDetails=true&showARIN=false&e                                                                                             xt=netref2
#

NetRange:       128.10.0.0 - 128.10.255.255
CIDR:           128.10.0.0/16
OriginAS:
NetName:        PURDUE-CS-EN
NetHandle:      NET-128-10-0-0-1
Parent:         NET-128-0-0-0-0
NetType:        Direct Assignment
RegDate:        1984-08-01
Updated:        2009-06-19
Ref:            http://whois.arin.net/rest/net/NET-128-10-0-0-1

OrgName:        Purdue University
OrgId:          PURDUE
Address:        Information Technology
Address:        155 S. Grant Street
City:           West Lafayette
StateProv:      IN
PostalCode:     47907-2114
Country:        US
RegDate:
Updated:        2010-09-20
Ref:            http://whois.arin.net/rest/org/PURDUE

OrgNOCHandle: PNOC-ARIN
OrgNOCName:   Purdue Network Operations Center
OrgNOCPhone:  +1-765-496-6200
OrgNOCEmail:  [email protected]
OrgNOCRef:    http://whois.arin.net/rest/poc/PNOC-ARIN

OrgAbuseHandle: PUISP-ARIN
OrgAbuseName:   Purdue University STEAM-CIRT
OrgAbusePhone:  +1-765-496-1666
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    http://whois.arin.net/rest/poc/PUISP-ARIN

OrgTechHandle: PURDU-ARIN
OrgTechName:   Purdue Hostmaster
OrgTechPhone:  +1-765-496-8320
OrgTechEmail:  [email protected]
OrgTechRef:    http://whois.arin.net/rest/poc/PURDU-ARIN

RTechHandle: DT50-ARIN
RTechName:   Trinkle, Daniel
RTechPhone:  +1-765-494-7844
RTechEmail:  [email protected]
RTechRef:    http://whois.arin.net/rest/poc/DT50-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

The specs for D-link do not state that he can openvpn.

plz output: ip ro on 3.1
route to network B are you transmitting using openvpn?
openvpn server and client configs will not hurt

ip ro output in the comments above
the route (three routes, to be precise) is transmitted by means of openvpn
I can’t show the server config (there is only a web interface), the client config:
client
nobind
remote ZZ.ZZ.ZZ.ZZ 1194
proto udp
resolv-retry infinite
dev tun
log /etc/openvpn/openvpn.log
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/1.crt
key /etc/openvpn/1.key
cipher AES-128- CBC
auth SHA1
verb 7
route-delay 6

I don't see the prerequisites for this, but try

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter

then do the opposite.
centos server and dlink client and look

then take another computer that you make a client and test there