I have a MODEM/Router (with SIM card) based on OpenWRT and it connects successfully via its OpenVPN client to our office ipfire (v194) appliance.
My question is:
While port forwarding from our office to the OpenVPN Roadwarrior’s PC works, is it possible to get direct access to the connected Roadwarrior’s LAN?
I couldn’t figure it out yet and I tried several things without success with this setup:
IPFire GREEN network: 192.168.64.0/24
IPFire OpenVPN static pool: 192.168.55.0/24 => after OpenVPN connection the MODEM has IP: 192.168.55.6
Roadwarrior’s OpenWRT MODEM/Router LAN network: 192.168.88.0/24, so one connected PC on this LAN has IP 192.168.88.3 (others will be connected later).
On the Roadwarrior’s OpenWRT router I’ve setup:
a new “OpenVPN” tun0 zone in the Firewall setup
allowed port forwarding: Src:Port 222 to Dest:Port 22 of the Roadwarrior’s connected PC (IP 192.168.88.3).
just for Testing: allowed all Incoming/Outgoing and Forwarding for every zone (MODEM, LAN, OpenVPN)
On the office ipfire appliance:
Services > OpenVPN > For the “OpenVPN Client” Routing:
IPFire has access to these networks on the client's site: 192.168.88.0/255.255.255.0
Client has access to these networks on IPFire's site: GREEN
Network > Static Routes: Host IP address / Network: 192.168.88.0/24 connect to Gateway: 192.168.55.5 (the connected OpenWRT router)
Firewall rules with S-NAT from GREEN to the 192.168.88.0/24 network
However I can’t connect directly from our office to the Roadwarrior’s client LAN 192.168.88.0/24.
I’m sure I’m doing something wrong here, so any help is greatly appreciated.
You should not normally be able to connect to the roadwarrior LAN. For that you would need a subnet <> subnet connection, and, if the roadwarrior is truly a roadwarrior, it would need to masquerade incoming OpenVPN traffic into the roadwarrior LAN IP in the roadwarrior or you will not get any return packets unless you can find a way to change the routing table on the roadwarrior LAN gateway.
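The return-packet problem this reply describes can be checked with a small routing model. The script below is an added example, not code from this thread, from IPFire or from OpenWRT. It uses the subnets from the question (GREEN 192.168.64.0/24, OpenVPN pool 192.168.55.0/24 with the modem at 192.168.55.6, LAN 192.168.88.0/24 with the PC at 192.168.88.3) and assumes the rest: the IPFire end of the tunnel at 192.168.55.1, an office PC at 192.168.64.10, the OpenWRT LAN gateway at 192.168.88.1, and placeholder WAN addresses. The tunnel is modelled as a plain point-to-point link; the "Client has access to GREEN" routing setting is modelled as a route on the OpenWRT side, and the S-NAT rule as source NAT on IPFire's tunnel interface. Each scenario traces the packet from the office PC to the roadwarrior's PC and then the reply back.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    """A host or router: interface addresses, a routing table and optional source NAT."""
    name: str
    addrs: dict                                # interface -> its IPv4 address
    routes: list                               # (prefix, next hop or None if directly connected, egress interface)
    snat: dict = field(default_factory=dict)   # egress interface -> address the source is rewritten to


def lookup(node, dst):
    """Longest-prefix match, the way a kernel routing table selects a route."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in node.routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def owner(nodes, ip):
    """Name of the node holding this address on an interface, or None if it lies outside the model."""
    for name, node in nodes.items():
        if ip in node.addrs.values():
            return name
    return None


def trace(nodes, start, src, dst, max_hops=8):
    """Forward one packet hop by hop. Returns (delivered, path, source address as the receiver sees it)."""
    path = [start]
    node = nodes[start]
    for _ in range(max_hops):
        if dst in node.addrs.values():
            return True, path, src
        route = lookup(node, dst)
        if route is None:
            return False, path, src
        _, next_hop, iface = route
        if iface in node.snat:
            src = node.snat[iface]                 # source NAT applied on egress
        nxt = owner(nodes, next_hop or dst)
        if nxt is None:                            # next hop is outside the modelled topology, e.g. the ISP
            return False, path + ["(outside)"], src
        node = nodes[nxt]
        path.append(nxt)
    return False, path, src


def round_trip(nodes, start, src, dst):
    """Deliver src->dst, then the reply. A SNAT device reverses the translation (conntrack) and forwards on."""
    ok, fwd, seen_src = trace(nodes, start, src, dst)
    if not ok:
        return False, fwd, []
    ok, back, _ = trace(nodes, fwd[-1], dst, seen_src)
    if ok and seen_src != src:
        ok, tail, _ = trace(nodes, back[-1], dst, src)
        back = back + tail[1:]
    return ok, fwd, back


def build(pushed_green_route, snat_on_ipfire):
    """Assumed topology: office PC - IPFire - (tunnel) - OpenWRT modem/router - roadwarrior LAN PC."""
    openwrt_routes = [("192.168.88.0/24", None, "br-lan"),
                      ("192.168.55.0/24", None, "tun0"),
                      ("0.0.0.0/0", "100.64.0.1", "wwan0")]       # mobile WAN, placeholder gateway
    if pushed_green_route:                                        # route learned from the OpenVPN server
        openwrt_routes.append(("192.168.64.0/24", "192.168.55.1", "tun0"))
    return {
        "office_pc": Node("office_pc", {"eth0": "192.168.64.10"},
                          [("192.168.64.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.64.1", "eth0")]),
        "ipfire": Node("ipfire", {"green0": "192.168.64.1", "tun0": "192.168.55.1", "red0": "203.0.113.2"},
                       [("192.168.64.0/24", None, "green0"), ("192.168.55.0/24", None, "tun0"),
                        ("192.168.88.0/24", "192.168.55.6", "tun0"), ("0.0.0.0/0", "203.0.113.1", "red0")],
                       snat={"tun0": "192.168.55.1"} if snat_on_ipfire else {}),
        "openwrt": Node("openwrt", {"tun0": "192.168.55.6", "br-lan": "192.168.88.1", "wwan0": "100.64.0.2"},
                        openwrt_routes),
        "lan_pc": Node("lan_pc", {"eth0": "192.168.88.3"},
                       [("192.168.88.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.88.1", "eth0")]),
    }


def scenarios():
    """Office PC -> roadwarrior PC and back under three configurations; returns name -> (ok, forward, reply)."""
    results = {}
    for name, pushed, snat in [("no_route_no_snat", False, False),
                               ("pushed_green_route", True, False),
                               ("snat_on_ipfire_only", False, True)]:
        ok, fwd, back = round_trip(build(pushed, snat), "office_pc", "192.168.64.10", "192.168.88.3")
        results[name] = (ok, fwd, back)
    return results


if __name__ == "__main__":
    for name, (ok, fwd, back) in scenarios().items():
        print(f"{name:22s} {'OK  ' if ok else 'FAIL'} forward={' > '.join(fwd)}  reply={' > '.join(back)}")
```

The first scenario shows the failure mode from the reply: the forward packet reaches the LAN PC, but the reply to 192.168.64.10 hits the OpenWRT default route and leaves via the mobile WAN. With the GREEN route present on the OpenWRT side the reply comes back through the tunnel, and with source NAT on IPFire's tunnel interface the reply is addressed to 192.168.55.1, which the router reaches over the directly connected tunnel without any extra route.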
Yes, it can be done if the mobile device router uses NAT and has an appropriate firewall. However, a word of warning! Prior to .194 I had this exact setup working flawlessly for 3 or 4 years. Since 194 the only way I can make this work is for my road warrior connection to become a point to point VPN.
You need to add a static route for the directly connected subnet into the OpenVPN config page so it comes up at startup.
If you have a second subnet on the LAN side (I had an Ethernet WAN port I was using as a DMZ), this will need to be added into the main menu static routes page.
The gateway IP will need to be the TUNNEL ENDPOINT IP at the client end.
.194 has been behaving like a firewall breached / possessed and I have had to rebuild it with the pre 193 config to attain stability.
If you try to convert the road warrior to point to point, the OpenVPN config by default does not pass the blue or orange routes; you will need to add them into the client OpenVPN config file manually. In my case I also had to delete the user / group nobody as my router had no concept of those users.
I will shortly be uploading a “howto” on the Teltonika community forum which I am currently writing to detail this. But a few “life things” got in the way.