[Csali]

Hi,

I have 2 sites (Site A and B) with ddwrt routers. On the second site (Site B) the ISP gives only a NAT-ted internet access, so port forward on the router is not working. As a workaround I want to crate a VPN between the sites (routed openvpn) . The ISP on Site A gives a proper public IP address, and port forward is working into Site A's local subnet.

Is it possible to create a port forward rule on Site A's router to forward incoming packets on port XXX trough the VPN tunel to an IP in Site B????

Thanks in advance!

Steve

[phuzi0n]

Yes it's possible as long as you set up your tunnel and routing correctly. The key thing is that the tunnel will have to be NAT'd (I think it is by default if done through the GUI) so that router B will return the responses through the tunnel instead of trying to route out its own WAN with the wrong source IP.

[Csali]

Thnaks for pointing me into direction.

After implementig VPN based on gui instructions I had to add

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

to the firewall script on site B (Client site with no true public IP)

Now clients from Site A and Site B can reach each other from both Sites.

On the router on Site A I created a port forward rule to the IP on Site B, but it is not working from the internet. The problem seems to be that you mention, that the router on site B send the reply packets to the internet and not into the tunel.

How could I tell the router to send the reply messeage for the packets that came trough the tunnel back via the tunel??

[phuzi0n]

Add this to your firewall script on router A to do NAT for any traffic going through the tunnel.

iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

[Csali]

Thanks, its working perfectly!