Help with configuration: identify the need

Hello,
I'm looking for some help with my installation.

I have the router from my provider, which is connected from one of its LAN ports to the WAN port of my OpenWrt router (mir3g v1).

For the moment all I have done is create 2 wifi interfaces and set up OpenVPN following the basic tutorial (all via SSH).

I would like to have access to the LAN (and the OpenWrt router itself) of my OpenWrt from the WAN and from my OpenVPN connection.

Is it "Bridge WAN/LAN"? Is there a simple, compatible way to do it?

Thanks

Are you running an OpenVPN client or server on your OpenWrt router?

I'm running it as server.

All the configuration is the original one, with the changes made via the basic tutorial.

So do you want to connect to the OpenVPN server?

I would like to have access to the LAN of the OpenWrt router from OpenVPN. Now I only have access to the WAN and the web interface of the OpenWrt router.

OK, so you are running an OpenVPN client.

On the OpenWrt router you should:

  1. add interface tun0 (or tun1, your choice) to /etc/config/network
  2. add zone in firewall
  3. add forwarding from the tun zone to lan

OK, do you have the commands or the lines I have to add to the config files? (I'm completely new to this kind of thing.)

P.S.: here is the tutorial I followed for OpenVPN (https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic), so it's a client install??

The section 'Basic server' is how to configure a server: https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic#basic_server

You are running the server on the OpenWrt router, and the client on a device on the Internet. I mean that device when writing about the client.

OK, could you give me SSH access to the router in a PM? I'll add it and write you what I've added.

:clap:

Never give someone access!!!

Good choice!!!

  • To reach the LAN from the WAN - port forwards to devices in the WAN (this is generally dangerous and the point of the firewall)
  • To reach it from your OpenVPN server - port forwards

Thanks, that seemed to be the only choice ^^

In fact, because my OpenWrt router is behind another router, it's not directly exposed to the Internet (no DMZ on the first router, only one port redirected for OpenVPN), so it's not that dangerous to access the LAN from the WAN, is it? (Simple curious question; since the redirect for OpenVPN is enough, I will only do that one.)

How can I do the port forward for the OpenVPN access, please?

You still forward ports, regardless of whether it's single, double, etc. NATing, so I don't understand the perceived added safety of a downstream device.

I'm not that familiar with OpenVPN specifically. I only surmise that you placed the (Layer 3) tunnel in its own firewall zone. If so, you would use a Traffic Rule (not a Port Forward, since no NAT is involved), allowing access to whatever IP/port as you normally would.

I found this:

uci add firewall rule
uci set firewall.@rule[-1].name='ACCEPT VPN to LAN traffic'
uci set firewall.@rule[-1].src='vpn'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
service firewall restart

I think it will be good, but I have to create a "vpn" zone. Do you know how to do it? I'm not sure about what I found.

P.S.: the OpenWrt router is added as a repeater in my bedroom (the principal router is too far away), and it's the only one where I can do what I want (my internet provider isn't providing OpenVPN/ad blocker/QoS etc. support).

Adding via LuCI and /etc/config/network - yes. Via UCI, no.

You would simply

  • go to the interface on the Network > Interfaces page
  • edit the OpenVPN interface
  • click on the Firewall Settings tab
  • create the vpn zone

Unfortunately it didn't work.

Do you have another idea? Or a step-by-step guide to do it in LuCI?

Then help? But I won't give you access to the router.

You didn't tell us what "didn't work". You can try verifying that the zone was created and that the tunnel was added to it. Then verify your zone configs.

Screenshots?

How can I verify that all is done correctly?

I've added this to /etc/config/network:

config interface 'vpn'
        option ifname 'tun0'
        # OpenVPN assigns the tunnel address itself, so the interface is left
        # unmanaged; a DHCP client on tun0 would never get a lease
        option proto 'none'

and this to /etc/config/firewall :

config zone 'vpn'
        option name 'vpn'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun0'

config rule 'ovpn_lan'
        option name 'ACCEPT VPN to LAN traffic'
        option src 'vpn'
        option dest 'lan'
        option proto 'all'
        # target must be a valid fw3 keyword (ACCEPT/REJECT/DROP)
        option target 'ACCEPT'

And I have removed the list device 'tun0' from the lan zone in the firewall.

After this I was still unable to reach the LAN (192.168.1.X) from an OpenVPN connection (192.168.8.X).
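The three steps listed earlier in the thread (tunnel interface, its own zone, a forwarding or rule into lan) and the config fragments above can be checked mechanically before restarting the firewall. What follows is an added example written for this page, not code from the thread or from OpenWrt: a small lint for /etc/config/network and /etc/config/firewall. It parses UCI syntax, flags a tun/tap interface that is not `proto 'none'`, a rule whose `target` is not a valid fw3 keyword (a misspelling such as 'ACEPT' is silently useless), and references to zones or networks that do not exist, and it reports whether a vpn-to-lan path is actually allowed. The two sample configs are constructed here to mirror the thread's fragments, and the function names are my own.

```python
import shlex

# Constructed sample modelled on the thread's fragments: the tunnel interface
# runs a DHCP client and the rule's target is misspelled.
NETWORK_BROKEN = """
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'

config interface 'vpn'
        option ifname 'tun0'
        option proto 'dhcp'
"""

FIREWALL_BROKEN = """
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config zone 'vpn'
        option name 'vpn'
        list network 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun0'

config rule 'ovpn_lan'
        option name 'ACCEPT VPN to LAN traffic'
        option src 'vpn'
        option dest 'lan'
        option proto 'all'
        option target 'ACEPT'
"""

# Corrected variants: unmanaged tunnel, valid target, explicit zone forwarding.
NETWORK_FIXED = NETWORK_BROKEN.replace("option proto 'dhcp'", "option proto 'none'")
FIREWALL_FIXED = FIREWALL_BROKEN.replace("'ACEPT'", "'ACCEPT'") + """
config forwarding
        option src 'vpn'
        option dest 'lan'
"""

RULE_TARGETS = {'ACCEPT', 'REJECT', 'DROP', 'MARK', 'NOTRACK'}
ZONE_POLICIES = {'ACCEPT', 'REJECT', 'DROP'}


def parse_uci(text):
    """Parse /etc/config-style text into sections:
    {'type', 'name', 'options': {k: v}, 'lists': {k: [v, ...]}}.
    shlex handles the quoting and drops full-line '#' comments."""
    sections = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == 'config':
            sections.append({'type': args[0], 'name': args[1] if len(args) > 1 else None,
                             'options': {}, 'lists': {}})
        elif keyword == 'option' and sections:
            sections[-1]['options'][args[0]] = args[1] if len(args) > 1 else ''
        elif keyword == 'list' and sections:
            sections[-1]['lists'].setdefault(args[0], []).append(args[1] if len(args) > 1 else '')
    return sections


def lint(network_text, firewall_text):
    """Return a list of human-readable problems; an empty list means none found."""
    findings = []
    interfaces = {s['name']: s for s in parse_uci(network_text)
                  if s['type'] == 'interface' and s['name']}
    for name, iface in interfaces.items():
        dev, proto = iface['options'].get('ifname', ''), iface['options'].get('proto')
        if dev.startswith(('tun', 'tap')) and proto != 'none':
            findings.append(f"interface '{name}': {dev} should use proto 'none' "
                            f"(OpenVPN assigns the address), not '{proto}'")
    fw = parse_uci(firewall_text)
    zones = {}
    for s in fw:
        if s['type'] != 'zone':
            continue
        zname = s['options'].get('name')
        if not zname:
            findings.append("zone without 'option name'")
            continue
        zones[zname] = s
        for net in s['lists'].get('network', []):
            if net not in interfaces:
                findings.append(f"zone '{zname}': network '{net}' is not defined in /etc/config/network")
        for policy in ('input', 'output', 'forward'):
            val = s['options'].get(policy)
            if val is not None and val not in ZONE_POLICIES:
                findings.append(f"zone '{zname}': invalid {policy} policy '{val}'")
    for s in fw:
        if s['type'] != 'rule':
            continue
        label = s['options'].get('name') or s['name'] or '<anonymous>'
        target = s['options'].get('target')
        if target not in RULE_TARGETS:
            findings.append(f"rule '{label}': invalid target '{target}' (fw3 skips rules with an unknown target)")
        for side in ('src', 'dest'):
            zone = s['options'].get(side)
            if zone not in (None, '*') and zone not in zones:
                findings.append(f"rule '{label}': {side} zone '{zone}' does not exist")
    return findings


def forwarding_allowed(firewall_text, src, dest):
    """True if zone `src` may forward into zone `dest`, via a 'config forwarding'
    section or an unrestricted ACCEPT rule. fw3 defaults a rule's proto to TCP+UDP,
    so only an explicit proto 'all' counts as covering everything."""
    for s in parse_uci(firewall_text):
        o = s['options']
        if o.get('src') != src or o.get('dest') != dest:
            continue
        if s['type'] == 'forwarding':
            return True
        if (s['type'] == 'rule' and o.get('target') == 'ACCEPT' and o.get('proto') in ('all', 'any')
                and not any(o.get(k) for k in ('src_ip', 'dest_ip', 'src_port', 'dest_port'))):
            return True
    return False


if __name__ == '__main__':
    for label, (net, fw) in {'broken': (NETWORK_BROKEN, FIREWALL_BROKEN),
                             'fixed': (NETWORK_FIXED, FIREWALL_FIXED)}.items():
        print(f"[{label}] vpn->lan forwarding allowed: {forwarding_allowed(fw, 'vpn', 'lan')}")
        for msg in lint(net, fw) or ['no problems found']:
            print('  -', msg)
```

To check a real router, copy the two files off with scp and pass their contents to `lint()`; on the router itself, `fw3 print` shows the iptables rules fw3 actually generated, which is the quickest way to confirm a rule was not skipped.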

Well, I'm done helping here... I think this is beyond my strong point (I work with WireGuard more). I only provided assistance because @ulmwind (who was helping) started requesting remote access and making off-topic comments.

OpenVPN is not my main forte, and I'm starting to get a feeling (from these antics) that it may be an OpenVPN config that needs work instead.

@anon50098793, @eduperez, @trendy - can you help out @vic1707? Someone's being "un-nice" to him (and offering quite dangerous things in exchange for assistance).

Thank you for your help.

I found this in some answers from our dangerous friend:
in /etc/config/network, turn lan into bridge mode:

config interface 'lan'
        option type 'bridge'
        # a Linux bridge can only enslave Layer 2 (tap) devices; a tun device
        # is a point-to-point Layer 3 interface and will not attach to the bridge
        option ifname 'eth0.1 tun0'

and from bridging.

Ahhhh yes!

If your tunnel is Layer 2, you may have to "put them together".

Again, I feel someone more versed in OpenVPN will reply (who doesn't want remote access in exchange)... very soon.