Accessing PC on LAN remotely

Hello.

Please I need help with an issue

BACKGROUND
On my LAN I have a raspberry pi running an appliance called Solar Assistant.

Solar Assistant publishes an MQTT broker on port 1883.

I can subscribe to those messages on other computers on my LAN through the Raspberry Pi's local IP address:

192.168.1.101:1883

Because of the nature of the appliance, there's no way to do any network configuration on the Pi.

THE PROBLEM

My ISP uses CGNAT. I made a request to have port 1883 opened for my service by the ISP, which was refused.

I want to be able to access that Solar Assistant MQTT on the Internet, specifically on a VPS.

I have tried setting up a WireGuard VPN server on the VPS and a client on my router, but that's as far as I could go. I couldn't figure out the rest.

How do I get to access the MQTT broker on my LAN remotely?

MQTT = 192.168.1.101:1883 - static
Router = 192.168.1.1 - static
ISP router = dynamic

Is your router running openwrt?

Yes it is running openwrt

Good. I'm not an expert on MQTT, but is the VPN working properly (handshakes and data transfer in general)? This will be the first thing to make sure is working.

Yes the VPN works fine.

Everything on the LAN has the WireGuard server's public IP when it is enabled.

Does your ISP provide an IPv6 address? If so, you can try using IPv6, since all IPv6 addresses are public and valid (so they are immune to CGNAT).

Research a site-to-site setup.
Your openwrt router becomes an 'extension' of your VPS.
So you can connect to your VPS either with another WireGuard client, e.g. your phone on cellular, or port forward from your VPS to your OpenWrt LAN.

The Solar Assistant needs to have a known constant IP on your LAN. If you can't configure the appliance for static IP, you should still be able to give it a DHCP reservation in your home router.

When you have forwarded the whole house to the VPS then forwarding a port backward to the appliance starts with a DNAT rule inside the VPS. Implementing that will depend on the OS running there. If you're using symmetric routing (the VPS is aware of your home LAN and routes directly to it, which is recommended), you don't need to DNAT twice. But you do have to set your OpenWrt home router firewall so that vpn->lan is allowed for the IP and port of the appliance, if you're not allowing all vpn->lan by default.

This deployment will allow anyone on the Internet to hit the port on your Solar Assistant. I assume that is what you want, and it is not a security issue. If you want it for your use only you should do what @egc said and have authorized users make their own VPN connection to the VPS.


Thank you.

Full disclosure: I have no idea how to set up a port forward correctly from my VPS to the LAN.

Well, I have tried, but failed. This is what I did.

That is not what I meant (and I think also not what @mk24 meant).

I would first setup your WG client as a site-to-site setup:
Put the WG interface in the LAN zone so that you open up your firewall
Open the Firewall for the WG port (it is just as you are setting up a WG server).
On Allowed IPs of the client set the WG address of the VPS and the subnet of the VPS.
On Allowed IPs of the VPS for this client set the WG address and the subnet of the WG client (=your owrt router)
Basically you should now be able to reach clients on your home network when logged in to the VPS (and the other way around).
(I am doing it off the top of my head so I might have forgotten something)

The only thing you have to do is set a port forward on your VPS to your client on the home LAN, as traffic from your VPS has a route to your home LAN.



[quote="egc, post:10, topic:173144"] On Allowed IPs of the VPS for this client set the WG address and the subnet of the WG client (=your owrt router)
[/quote]

The VPS WG server is 10.66.66.1

The Openwrt client is 10.66.66.2

10.66.66.2 is already in the Allowed IPs section of the VPS (WG Server)


I don't know how to do this

You can simply delete the VPN zone and add the WG interface (wg0) to the LAN zone.

For opening port 51820 (/etc/config/firewall):

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

In the WG interface setup make sure to specify 51820 as listen port.

In the WG client (Peer section) specify 10.66.66.0/24 and the subnet of the VPS under Allowed IPs, and make sure to enable "Route Allowed IPs".

Little explanation, not important to read:

(By using 10.66.66.0/24 instead of 10.66.66.1/32 I make sure that if you have more WG clients attaching to your VPS, those can reach the owrt router; alternatively, and my preferred solution, is using /24 as the netmask for the WG address.)

If it does not work, please copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Thank you.

I can now ping the WG client IP from the WG server.

I still haven't quite gotten the part where I reach the Solar Assistant Pi.

Its static local IP is 192.168.1.101:1883.

If you can ping 192.168.1.101 from the VPS, then you have to set a port forward on your VPS to 192.168.1.101:1883.

It depends on your VPS how that has to be set up.
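The advice above (mk24's note on DNAT on the VPS and symmetric routing, egc's Allowed IPs settings, and the final "set a port forward on your VPS") leaves two things unstated that decide whether the forwarded MQTT connection actually works: WireGuard's cryptokey routing (a packet is only sent to, and only accepted from, a peer whose AllowedIPs cover the address in question) and the return path of the forwarded connection through a CGNAT'd WAN. The following is an added example, not code from the thread or from Solar Assistant, OpenWrt or WireGuard: a small model of both endpoints that traces one client connection through the setup and reports where it would be dropped. Addresses come from the thread (10.66.66.1, 10.66.66.2, 192.168.1.0/24, 192.168.1.101:1883); the VPS-side subnet 10.0.0.0/24 and the client address 203.0.113.7 are assumptions.

```python
"""Trace a DNAT'ed connection Internet client -> VPS -> WireGuard -> LAN host.

Added example; it models WireGuard's AllowedIPs checks on both sides plus the
OpenWrt zone forwarding and the reply route, nothing else. Addresses from the
thread; VPS subnet 10.0.0.0/24 and client 203.0.113.7 are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Peer:
    """One [Peer] entry as configured on a WireGuard host."""
    name: str
    allowed_ips: list[IPv4Network]


@dataclass
class WgHost:
    """A WireGuard endpoint with its own tunnel address and its peer list."""
    name: str
    wg_addr: IPv4Address
    peers: list[Peer]

    def peer_for(self, dst: IPv4Address) -> Peer | None:
        """Sending side (and the kernel route that 'Route Allowed IPs' installs):
        longest-prefix match over all peers' AllowedIPs. None: not tunneled."""
        best: tuple[Peer, IPv4Network] | None = None
        for peer in self.peers:
            for net in peer.allowed_ips:
                if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (peer, net)
        return best[0] if best else None

    def accepts_from(self, peer_name: str, src: IPv4Address) -> bool:
        """Receiving side: WireGuard silently drops a decrypted packet whose
        source address is not inside the sending peer's AllowedIPs."""
        peer = next(p for p in self.peers if p.name == peer_name)
        return any(src in net for net in peer.allowed_ips)


def check_forward(vps: WgHost, owrt: WgHost, client: IPv4Address,
                  target: IPv4Address, vps_masquerade: bool,
                  owrt_allows_wg_to_lan: bool) -> tuple[bool, str]:
    """Follow one connection after the VPS has DNAT'ed its public port to
    `target`. Returns (ok, explanation of the first failing hop)."""
    # 1. After DNAT, the VPS must route the LAN host into the OpenWrt tunnel.
    peer = vps.peer_for(target)
    if peer is None or peer.name != owrt.name:
        return False, (f"{vps.name}: no route to {target} via peer {owrt.name}; "
                       "add the LAN subnet to that peer's AllowedIPs")
    # 2. With masquerade the LAN sees the VPS tunnel address as source; without
    #    it the LAN sees the real client, which OpenWrt's WireGuard only accepts
    #    if that address is inside the VPS peer's AllowedIPs.
    src_seen = vps.wg_addr if vps_masquerade else client
    if not owrt.accepts_from(vps.name, src_seen):
        return False, (f"{owrt.name}: packet from {src_seen} dropped on receipt; "
                       "masquerade on the VPS or allow 0.0.0.0/0 from it")
    # 3. Zone forwarding on OpenWrt (wg0 in the lan zone, or a wg->lan rule).
    if not owrt_allows_wg_to_lan:
        return False, f"{owrt.name}: firewall does not forward wg -> lan for {target}"
    # 4. The reply must go back through the tunnel; with no tunnel route for
    #    src_seen it leaves via the ISP WAN and CGNAT breaks the connection.
    if owrt.peer_for(src_seen) is None:
        return False, (f"{owrt.name}: reply to {src_seen} would leave via the ISP "
                       "WAN (asymmetric); masquerade on the VPS or route "
                       "0.0.0.0/0 through the tunnel")
    return True, f"{client} -> {vps.name} -> {src_seen} -> {target} and back"


def thread_scenarios() -> dict[str, tuple[bool, str]]:
    """The configurations discussed in the thread, traced for one MQTT client."""
    vps_lan = ip_network("10.0.0.0/24")        # assumption: the VPS's own subnet
    lan, wg_net = ip_network("192.168.1.0/24"), ip_network("10.66.66.0/24")
    vps_addr, owrt_addr = ip_address("10.66.66.1"), ip_address("10.66.66.2")
    client, mqtt = ip_address("203.0.113.7"), ip_address("192.168.1.101")

    def hosts(vps_allowed: list[IPv4Network], owrt_allowed: list[IPv4Network]):
        vps = WgHost("vps", vps_addr, [Peer("owrt", vps_allowed)])
        owrt = WgHost("owrt", owrt_addr, [Peer("vps", owrt_allowed)])
        return vps, owrt

    only_wg_addr = [ip_network("10.66.66.2/32")]    # VPS peer as posted (10.66.66.2 only)
    with_lan = only_wg_addr + [lan]                  # VPS peer after adding the LAN
    limited = [wg_net, vps_lan]                      # OpenWrt peer: WG net + VPS subnet
    everything = [ip_network("0.0.0.0/0")]           # OpenWrt peer: whole house via VPS

    return {
        "vps peer lacks LAN subnet":
            check_forward(*hosts(only_wg_addr, limited), client, mqtt, False, True),
        "no masquerade, limited AllowedIPs":
            check_forward(*hosts(with_lan, limited), client, mqtt, False, True),
        "masquerade on VPS":
            check_forward(*hosts(with_lan, limited), client, mqtt, True, True),
        "whole LAN routed via VPS":
            check_forward(*hosts(with_lan, everything), client, mqtt, False, True),
        "firewall blocks wg->lan":
            check_forward(*hosts(with_lan, everything), client, mqtt, False, False),
    }


if __name__ == "__main__":
    for name, (ok, why) in thread_scenarios().items():
        print(f"[{'ok ' if ok else 'FAIL'}] {name}: {why}")
```

Only the "masquerade on VPS" and "whole LAN routed via VPS" cases pass. For the first of those, the matching real configuration (assumptions: the VPS public interface is eth0 and an `ip nat` table with prerouting/postrouting chains already exists) is the VPS peer entry `AllowedIPs = 10.66.66.2/32, 192.168.1.0/24`, `sysctl -w net.ipv4.ip_forward=1`, `nft add rule ip nat prerouting iifname eth0 tcp dport 1883 dnat to 192.168.1.101:1883` and `nft add rule ip nat postrouting oifname wg0 ip daddr 192.168.1.0/24 masquerade`; on OpenWrt, wg0 in the lan zone with "Route Allowed IPs" enabled as egc describes. Masquerading costs the client's real source address in the broker's logs, so if you want to know who connected, prefer routing 0.0.0.0/0 through the tunnel. Either way, as mk24 points out, the DNAT rule exposes plaintext MQTT on 1883 to the whole Internet; limiting it with `ip saddr` to the addresses that need it, or keeping the last hop inside WireGuard, is the safer option.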