I have a VPN server running on OpenWrt 24 (router's IP address: 192.168.1.1). I host it on a Raspberry Pi 4. I can VPN into my network normally.
Also, I have another subnet, which is the Google Nest Wifi, running at 192.168.86.1. Inside this subnet, I have a home server running Docker and serving services at 192.168.86.26.
Although I can VPN into my network normally, I can't access the services running on my home server. I searched and I think I need to create a static route (for both in and out) and then configure the firewall. I'm really not sure this is the way to go or how to do it.
Thanks for reading! Please help me out! I'm a real noob, so please provide a step-by-step guide.
Thanks again!
Sounds like the issue's the Google Nest Wifi, not OpenWrt.
We will need to see a few things:
- a topology diagram of the network (how is everything connected together)
- The client config file
- The pi config files.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
Thanks guys for the quick reply!
I don't think that's an issue with the Google Nest. It might just need some config. But yeah, actually I don't like the Google Nest. I have to use its subnet, which is very annoying.
Topology:
root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.86",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.5",
	"board_name": "raspberrypi,4-model-b",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.1",
		"revision": "r28597-0425664679",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 24.10.1 r28597-0425664679",
		"builddate": "1744562312"
	}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '192.168.1.111'

config interface 'wan'
	option proto 'pppoe'
	option device 'eth1'
	option username 'xxxxxxxx'
	option password 'xxxxxxxx'
	option ipv6 'auto'
	option peerdns '0'
	list dns '192.168.1.111'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option name 'docker'
	list network 'docker'

config redirect
	option dest 'docker'
	option target 'DNAT'
	option name 'PDF Stirling'
	list proto 'tcp'
	option src 'lan'
	option src_dport '2025'
	option dest_port '2025'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'nginx'
	option family 'ipv4'
	option src 'wan'
	option src_dport '80'
	option dest_port '80'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'
192.168.86.x is the Nest's LAN subnet, and it got a 192.168.1.x IP on the WAN port, right?
you need to make a hole in the Nest's firewall for the access from the OpenWrt LAN to work, or, if you can, reconfigure it to run as APs instead of in router mode.
another option is to have the home server VPN into the PI too.
yet another option is to move the server away from the Nest's subnet.
@frollic You are right. The Nest's IP is 192.168.1.169
you need to make a hole in the Nest's firewall, for the access from the Openwrt LAN to work
Could you be more specific on this please? I can't change the Nest to AP mode because I have two Nest Wifi devices and I'm using its mesh service. Google Nest only allows one device to be in bridge mode. I was so stupid when I bought the Google Nest.
that would be a firewall question for Google, but they might not have the ability to do it.
Thanks, I opened a port inside the Google Nest config. But I still can't connect to it.
Do you think I need to do anything with the OpenWrt? Any config?
no, this is all Nest.
to remove some additional sources of error, don't do this via your VPN; connect directly to your OpenWrt 192.168.1.x LAN subnet.
I assume the IP you're trying is 192.168.1.169:8080?
Hmm, I just reset the router and did not see 192.168.1.169 coming up anymore. In the settings of the Google Nest, it shows 192.168.1.169. However, I can't ping that address from the main router's SSH.
your Nest assumes it's internet facing; not all routers will reply to pings from the internet unless instructed to.
You are right!
But I still cannot connect to the service at 192.168.86.26:8080 by using 192.168.1.196:8080, even with port forwarding in the Google Nest.
can't help you there, it's a Google Nest question.
you can probably find some info about it on Google (pun intended).
might want to check the restrictions on the port 8080 host's firewall.
I know of applications that by default only allow connections from the local subnet.
Kodi does/did this.
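Added diagnostic for the point raised in the reply above (this is example code, not something posted in the thread): before blaming the Nest's port forward, check on the Docker host itself whether the service is bound to every address, to one interface address, or to loopback only. A loopback-only binding is never reachable from another host no matter what the Nest forwards. The `ss -ltn` sample below is constructed, and the port numbers and the 192.168.86.26 address are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: classify the bind scope of a TCP
# port from `ss -ltn` output, to tell "service only listens locally" apart
# from "port forward on the Nest is broken". Sample input is constructed.

# listen_scope PORT  (reads `ss -ltn` output on stdin), prints one word:
#   all      bound to 0.0.0.0 / [::] / *  : reachable through a port forward
#   specific bound to one interface address: reachable only via that address
#   local    bound to loopback only        : never reachable from another host
#   none     nothing listens on PORT
listen_scope() {
    awk -v p="$1" '
        BEGIN { rank = 0 }
        $1 == "LISTEN" {
            addr = $4                       # e.g. 0.0.0.0:8080 or [::]:22
            n = split(addr, parts, ":")
            if (parts[n] != p) next         # port is after the last colon
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (host == "0.0.0.0" || host == "*" || host == "[::]")
                r = 3
            else if (host == "127.0.0.1" || host == "[::1]")
                r = 1
            else
                r = 2
            if (r > rank) rank = r          # the widest binding wins
        }
        END {
            if (rank == 3) print "all"
            else if (rank == 2) print "specific"
            else if (rank == 1) print "local"
            else print "none"
        }
    '
}

# Constructed sample of `ss -ltn` output on a Docker host (assumption).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:8080         0.0.0.0:*
LISTEN 0      4096   127.0.0.1:2025       0.0.0.0:*
LISTEN 0      128    192.168.86.26:9000   0.0.0.0:*
LISTEN 0      128    [::]:22              [::]:*'

# sample_scope PORT: run the classifier over the constructed sample
sample_scope() {
    printf '%s\n' "$SAMPLE_SS" | listen_scope "$1"
}

# live_scope PORT: run it on the real host (the 192.168.86.26 box)
live_scope() {
    ss -ltn | listen_scope "$1"
}

for port in 8080 2025 9000 22 443; do
    printf 'port %s -> %s\n' "$port" "$(sample_scope "$port")"
done
```

Run `live_scope 8080` on the home server. If it prints `all` and a plain TCP connect from a client on the OpenWrt LAN to the Nest's WAN address and forwarded port still fails, the problem is on the Nest side or in the host firewall, not in the service; if it prints `local` or `specific`, the service (or its Docker port mapping) has to be re-bound before any forward can work.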
No worries man, thank you so much! It worked after I restarted the whole Nest network!
You are also right about Google's stuff. I regret buying from them.
Thank you very much and have a nice day!