Posted: Tue Jul 13, 2021 23:30 Post subject: [SOLVED] Access WAN gateway router through VPN
Hi,
First, thanks to all for this awesome firmware and community!
I have a DD-WRT router R6700v3 running build v3.0-r47033 std (07/08/21). This router is behind my ISP router, which uses CGNAT. To get access to my home LAN from the internet, I am using the OpenVPN client on the router connected to openvpn.net in a full mesh configuration. This is working great after I disabled CVE-2019-14899 Mitigation. The router OpenVPN client connects to the server fine. To test, I connect via a cellular hotspot and run the OpenVPN client for Windows to establish a tunnel to openvpn.net. Then, thanks to the full mesh thing, I can see all of the devices on my LAN subnet (192.0.0.0).
My only issue is that my ISP router that provides the WAN gateway is on a different subnet, 192.168.12.0. When going through the tunnel, I cannot access this subnet, so I can't log in to the ISP router.
I have the OpenVPN client on the router set to NAT and the firewall on the tunnel is off.
I was hoping this description would trigger an idea in someone's mind....
Posted: Wed Jul 14, 2021 6:24 Post subject: Re: Access WAN gateway router through VPN
dbarbour wrote:
Hi,
First, thanks to all for this awesome firmware and community!
I have a DD-WRT router R6700v3 running build v3.0-r47033 std (07/08/21). This router is behind my ISP router, which uses CGNAT. To get access to my home LAN from the internet, I am using the OpenVPN client on the router connected to openvpn.net in a full mesh configuration. This is working great after I disabled CVE-2019-14899 Mitigation. The router OpenVPN client connects to the server fine. To test, I connect via a cellular hotspot and run the OpenVPN client for Windows to establish a tunnel to openvpn.net. Then, thanks to the full mesh thing, I can see all of the devices on my LAN subnet (192.0.0.0).
My only issue is that my ISP router that provides the WAN gateway is on a different subnet, 192.168.12.0. When going through the tunnel, I cannot access this subnet, so I can't log in to the ISP router.
I have the OpenVPN client on the router set to NAT and the firewall on the tunnel is off.
I was hoping this description would trigger an idea in someone's mind....
Not sure what you mean by mesh configuration. OpenVPN documentation is a sticky in this forum; the link is also in my signature at the bottom.
You might have a look at the OpenVPN Server setup guide, especially the paragraph about site-to-site setup.
In your particular case I think the problem is that the OpenVPN subnet is not NATted via the WAN of the client.
So as a quick test telnet/SSH to your router and add the following firewall rule:
This is a rather broad rule and normally you would use:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE
Replace 10.8.0.0 with your own OpenVPN subnet.
This should work for clients connected to your OpenVPN server which are using NAT on their VPN clients (as you are doing). If you contact from the OpenVPN server itself, you also have to add the same rule but with the subnet of the server itself.
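The reply above contrasts a broad MASQUERADE rule with one restricted to the OpenVPN subnet. As an added example (not part of the thread), this shell function classifies the MASQUERADE rules that can match the WAN interface as broad or scoped. The interface name vlan2 and the sample rules are constructed, and the input is assumed to be rule listings in "-A POSTROUTING ..." form.

```shell
#!/bin/sh
# Added example, not from the thread. Reads nat rules in "-A POSTROUTING ..."
# form on stdin and classifies each MASQUERADE rule that can match the WAN
# interface by how tightly its source is restricted.
#   $1 = WAN interface name (assumption: pass $(get_wanface) on the router)
#   $2 = OpenVPN subnet in CIDR form, e.g. 10.8.0.0/24
audit_masq() {
    awk -v wan="$1" -v vpn="$2" '
    $1 == "-A" && $2 == "POSTROUTING" {
        src = ""; out = ""; target = ""; neg = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "!") { neg = "!"; continue }
            if ($i == "-s") { src = neg $(i + 1); i++ }
            else if ($i == "-o") { out = neg $(i + 1); i++ }
            else if ($i == "-j") { target = $(i + 1); i++ }
            neg = ""
        }
        if (target != "MASQUERADE") next
        # A rule without -o matches every outgoing interface, WAN included.
        if (out != "" && out != wan) next
        if (src == "")       print "BROAD  " $0
        else if (src == vpn) print "SCOPED " $0
        else                 print "OTHER  " $0
    }'
}

# Constructed sample rules (interface name vlan2 is an assumption).
sample_rules() {
    cat <<'EOF'
-P POSTROUTING ACCEPT
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o vlan2 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o vlan2 -j SNAT --to-source 192.168.12.50
-A POSTROUTING -o tun1 -j MASQUERADE
EOF
}

# Print the audit for the constructed sample when run directly.
sample_rules | audit_masq vlan2 10.8.0.0/24
```

A BROAD line means every source leaving through the WAN is masqueraded, so after the quick test the broad rule can be replaced by the scoped one. On the router the live chain can be piped in instead of the sample, assuming the build's iptables supports the -S listing option.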