I have done a bit of research before writing this. I have a lot of experience with RUT24X which we use to access devices on the LAN using an OpenVPN client (TUN) on the router and port forwarding. WAN access is usually using Ethernet interface.
However, trying to replicate the same on TRB140 does not work. The VPN works and I can access the TRB remotely but nothing on its LAN. The main difference is that the OpenVPN client on the TRB uses the LAN to access internet (no SIM card installed). I understand it is possible to use routing on the OpenVPN server and the LAN device to push the LAN side of the TRB140 to the VPN but this is more difficult to set up than simply using port forwarding.
LAN: 192.168.1.0/24
VPN: 10.8.0.0/24
Is port forwarding at all possible in this situation?
What about if I use a SIM card on the TRB?
FYI, we are not currently considering using RMS.
Please, could you share your firewall configurations (forwarding) and zones in Network → Firewall? In addition, please share a screenshot of routes in Status → Routes → Static → IPv4 Routes and interfaces in Network → Interfaces.
If you want to use port-forwarding with OpenVPN, then the port-forwarding rules should have OpenVPN zone as the source zone and LAN should be the internal zone, and the internal IP address will be the address of your LAN device that you are trying to reach. You will need to specify the protocols and port numbers that you want to port-forward.
However, I would suggest configuring the server with a route to the TRB's LAN network. If you are using OpenVPN with TLS, you can take a look at the forum posts here and here. Keep in mind that, if the server has multiple OpenVPN clients and you want to add routes to them, the LAN networks on your clients should not overlap.
I already have port forwarding rules with openvpn as source and LAN as the internal zone. Like I said in my original post, this is what we already do for all our RUT installations and it works very well. Here, we are using a TRB with no WAN (no SIM card), and it does not work.
Pushing routes from the LAN to the VPN server is not a long term solution as I do not have control of the LAN IP settings. Over time, I am likely to get IP conflicts because the subnets for different customers will likely be the same. 192.168.1.0/24 is very common for example.
Please, try enabling masquerading in Network → Firewall for LAN => OpenVPN zone.
If the issue persists, could you check if the router receives pings on the tunnel interface when you ping the LAN devices?
Access the RUT via CLI/SSH (username "root"), install tcpdump and run it on the tunnel interface:
# install tcpdump
opkg update
opkg install tcpdump
# check the name of the tunnel interface
ifconfig
# run tcpdump on that interface (replace tun_clntvp with your interface)
tcpdump -i tun_clntvp icmp
Do you see ICMP packets going into LAN when you ping the device in LAN from the OpenVPN tunnel? Please, share the output.
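The port-forward rule and the masquerading setting discussed in the replies above, written as an OpenWrt-style /etc/config/firewall fragment; this is an added example, not a configuration posted by anyone in the thread. It assumes the VPN zone is named openvpn, that the "LAN => OpenVPN" masquerading setting maps to option masq on the lan zone as in stock OpenWrt, and it uses a constructed device address (192.168.1.50) and constructed ports (8080 to 80).

```uci
# /etc/config/firewall (OpenWrt UCI syntax, assumed to apply to this firmware)

# Port forward: a VPN peer connecting to the router's tunnel address
# (in 10.8.0.0/24) on TCP 8080 is redirected to one LAN device.
config redirect
	option name 'vpn-to-lan-device'
	option target 'DNAT'
	# source zone: the OpenVPN zone (zone name is an assumption)
	option src 'openvpn'
	option proto 'tcp'
	# port the VPN peer connects to on the router (constructed value)
	option src_dport '8080'
	# internal zone and the LAN device being reached (constructed values)
	option dest 'lan'
	option dest_ip '192.168.1.50'
	option dest_port '80'

# Masquerading on the lan zone: forwarded packets leave the LAN interface
# with the router's own LAN address as their source, so the LAN device
# replies to the router directly and needs no route back to 10.8.0.0/24.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
```

With masquerading on, the LAN device sees the router's LAN address instead of the 10.8.0.x peer address, so any per-client logging or access control on that device has to be done on the router or the VPN server instead.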