Internal routing in double NAT'ed environment

My home lab setup is almost complete, thanks in large part to info that I've found on this forum. Many thanks!

I have an Asus AC68U running OpenWrt sitting on my home network. The AC68U is configured as a site-to-site VPN to Azure via strongSwan. This config is working perfectly.

home ISP ( <- home router ( <- Asus ac68u (outside =, inside =

Azure Site-to-Site (inside, outside = <-> home ISP ( from above.

The site-to-site VPN is working flawlessly; however, the last step in my quest is to be able to route from my Mac on the network directly to a host (e.g. on the inside network of the OpenWrt router. Actually, that is not completely accurate. The goal is to route directly to the Azure subnet from my Mac located on the network. If I'm connected directly to the network, then everything works fine. However, I should be able to route to OpenWrt (outside -> inside) and then (inside -> outside via IPsec) to Azure.

So two questions:

  1. What do I have to configure on OpenWrt to accomplish this? Basically, I need to allow inbound traffic from to come in and then be routed back out again over IPsec.

  2. What kind of route do I need to set up on the home router ( I assume it is something like:


Please let me know if this is not clear or if there is a simpler way of doing this.

Very best regards and Thanks!
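The script below is an added worked example for the two questions in the post; it is not the poster's configuration and not OpenWrt or strongSwan project code. All addresses in it are assumptions taken from the RFC 5737 documentation ranges (the post's real subnets are not shown): 192.0.2.0/24 stands for the home router LAN where the Mac sits, 192.0.2.2 for the AC68U's outside address, 198.51.100.1 for its inside address, 203.0.113.0/24 for the Azure VNet, and "wan" for the Linux name of the outside interface. It covers the part a firewall rule alone does not solve: with a policy-based strongSwan tunnel the IPsec traffic selectors only cover inside subnet <-> Azure, so a packet that still carries a home-LAN source address never matches the xfrm policy and would be routed out of wan unencrypted (or rejected). The example therefore accepts the forwarded traffic on the wan zone and SNATs it to the inside address before the policy lookup, so neither the strongSwan selectors nor the Azure local network gateway address space have to change. Off-box (no `uci` binary) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example for the thread above, not the poster's configuration.
# Run on the OpenWrt box as root with "apply"; without a `uci` binary it
# switches to dry-run and only prints the commands.  Every address below is an
# ASSUMPTION using the RFC 5737 documentation ranges; substitute the real ones.
HOME_LAN="192.0.2.0/24"         # assumed: home router LAN where the Mac sits (OpenWrt's outside)
OPENWRT_WAN_IP="192.0.2.2"      # assumed: OpenWrt outside address on that LAN
OPENWRT_LAN_IP="198.51.100.1"   # assumed: OpenWrt inside address, inside the IPsec local selector
AZURE_NET="203.0.113.0/24"      # assumed: Azure VNet address space, the IPsec remote selector
WAN_IF="wan"                    # assumed: Linux interface name of OpenWrt's outside side

command -v uci >/dev/null 2>&1 || DRY_RUN=1

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Question 1, part a: accept forwarded traffic that enters the wan zone from the
# home LAN and is bound for Azure.  Policy-based IPsec has no tunnel interface:
# the packet is routed out through wan and only then encrypted by the xfrm
# policy, so the rule is wan -> wan (src and dest both set puts it in FORWARD).
configure_forward() {
    run uci set firewall.homelan_to_azure=rule
    run uci set firewall.homelan_to_azure.name="Allow-HomeLAN-to-Azure"
    run uci set firewall.homelan_to_azure.src="wan"
    run uci set firewall.homelan_to_azure.src_ip="$HOME_LAN"
    run uci set firewall.homelan_to_azure.dest="wan"
    run uci set firewall.homelan_to_azure.dest_ip="$AZURE_NET"
    run uci set firewall.homelan_to_azure.proto="all"
    run uci set firewall.homelan_to_azure.target="ACCEPT"
}

# Question 1, part b: the traffic selectors cover only inside subnet <-> Azure.
# A packet still sourced from the home LAN does not match the xfrm policy, so
# rewrite its source to the inside address first (Linux applies NAT before the
# outbound policy lookup).  A named `nat` section is evaluated ahead of the wan
# zone's own MASQUERADE rule, which would otherwise pick the outside address.
configure_snat() {
    run uci set firewall.homelan_snat_ipsec=nat
    run uci set firewall.homelan_snat_ipsec.name="SNAT-HomeLAN-into-IPsec"
    run uci set firewall.homelan_snat_ipsec.src="wan"
    run uci set firewall.homelan_snat_ipsec.src_ip="$HOME_LAN"
    run uci set firewall.homelan_snat_ipsec.dest_ip="$AZURE_NET"
    run uci set firewall.homelan_snat_ipsec.proto="all"
    run uci set firewall.homelan_snat_ipsec.target="SNAT"
    run uci set firewall.homelan_snat_ipsec.snat_ip="$OPENWRT_LAN_IP"
}

apply_firewall() {
    configure_forward
    configure_snat
    run uci commit firewall
    run /etc/init.d/firewall restart
}

# Question 2, in Linux terms: the static route the home router needs so that
# Azure-bound packets are handed to OpenWrt's outside address.
home_router_route() {
    printf 'ip route add %s via %s\n' "$AZURE_NET" "$OPENWRT_WAN_IP"
}

# Checks after applying: the kernel must route a home-LAN packet to an Azure
# host out of wan (not reject it), and an outbound xfrm policy whose src covers
# OPENWRT_LAN_IP and whose dst is AZURE_NET must exist; if it does not, the
# SNATed packet leaves wan in the clear.
verify() {
    run ip route get "${AZURE_NET%.*}.10" from "${HOME_LAN%.*}.50" iif "$WAN_IF"
    run ip xfrm policy list dir out
}

if [ "${1:-}" = "apply" ]; then
    apply_firewall
    home_router_route
    verify
fi
```

`sh openwrt-homelan-azure.sh apply` applies the firewall changes on the AC68U and prints the route for the home router; the same invocation on a machine without `uci` just lists the commands. Most consumer routers take the static route through their UI (destination 203.0.113.0/24, next hop 192.0.2.2 in the assumed numbering); the same route can also be added on the Mac itself with `sudo route -n add -net 203.0.113.0/24 192.0.2.2`, which avoids the router sending ICMP redirects for every new flow. If you would rather not NAT, the alternative is to add the home LAN to the strongSwan local traffic selector and to the address space of the Azure local network gateway, in which case only `configure_forward` is needed.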