NAT-Routing question


I'm looking a while for the configuration sample of a network between my house and my parents over openvpn. I'm not familiar with routing and NAT.
I configured two openwrt routers and installe/configured openvpn. Openvpn conection is working and I can access LuCI at my parents from my house.
My problem is to get access to the ISPs modem and the notebook of my father using remote access. I have tried a lot but with no success. Can someone help me?
The structure of both sub-nets are:
My-notebook LAN-WRT1 VPN-WRT1 VPN-WRT2 LAN-WRT2 Fathers-notebook

A need to access port 3389 (remote access) from My-notebook to fathers-notebook.
I know this is a routing configuration from my subnet thru VPN-subnet reaching parents-subnet. I think I have to route from my-subnet to VPN-subnet and then from VPN-subnet to parents-subnet to reach his notebook. What configurations I have to do to do this?

The other thing I would like to do is to reach my parents ISP-modem on port 80 from my notebook. The WAN-IP of both modems is the same (my ISPs and parents-ISP use At my home I can access my modem with I think that I have to use NAT for access my parents modem. For sample I cand use on my network and translate it to on my parents modem. Is this right? How to do it?

Thanks in advance,

To add the route automatically upon connection, you can go to Services-Openvpn-Edit-Switch to advanced configuration-Networking Scroll to the bottom to find the Additional Field drop down list and select there route and Add. Then go to the new option and add the network of your parents' router ( on your side and vice versa. Also make sure the firewall is allowing the vpn2lan forwarding.

Regarding the access to the ISP-modem, I would make a port forwarding on your parents' router openvpn interface on port 8080 to redirect to modem IP port 80.

Thanks trendy for your help.
I never thought to create the route in OpenVPN configuration. That helped a lot.

For the other case (modems with same IP addres the problem is not a port forwarding problem. The problem are the two devices with same IP address.

If I try to acces, who responds is obviously the modem in my home, independent of the port.

What I'm trying to do is a NAT. My idea is to define an pseudo-IP for the modem at my parents home, like So, when I type at my notebook it is forearded to the VPN and at my parents openwrt I define a NAT from to Can this be done? Has that sense for you?

Best regards,

Yes this is absolutely possible. On your parents openwrt you can set this up, I think in Luci you need to set it up under network>firewall>port forwards, you don't actually alter the port but forward the IP instead. If Luci GUI can't handle it I'm sure you can do it directly in the network config file, it's a DNAT rule basically.

@gdc I have a similar set-up with a wireguard tunnel to a relative's house. I had been ssh port-forwarding to get access to the remote modem/ISP equipment due to the same issue you have. Your idea seemed like such a good one that I in fact set it up myself, and sure enough, it works great. I assigned a regular lan ip for virtual use by the modem, and then forward that lan ip to the ip actually in use by the modem, which prevents the problem with two devices having the same IP from my computer's perspective.

Using Luci I just added a forwarding rule, and then configured it properly from the full details screen.

Why complicate it like that? I think that forwarding the 8080 port on your parents' router vpn interface to forward to port 80 is much simpler.

config redirect
	option target 'DNAT'
	option src 'vpn'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '8080'
	option dest_ip ''
	option dest_port '80'
	option name 'Modem management'

You only need to point your browser to

it's much more intuitive to say http://parentmodem.lan and have that be in the /etc/hosts file pointing at say and then forward all traffic for to on the remote openwrt and requires no more complication at all.

config redirect
	option enabled '1'
	option target 'DNAT'
	option src 'VPN'
	option dest 'VPN'
	option proto 'tcp udp'
	option name 'modemforward'
	option src_dip ''
	option dest_ip ''

adjust based on your firewall zone names etc.

Thanks Diakelan and Trendy.

That are good ideas too. I will try them.


Hi Diakelan.
I'm working on openwrt for some time to have a very simple solution for support my parents without having to need her help or change the configuration of their ISP modem opening ports for me.
I have configured openwrt to make a reverse connection. The only thing I need to do is to connect a little router (I use DIR-505) to an outlet. The rest occurs automaticly. The only thing I have to preconfigure is SSID and password. Once in openwrt boots, it connects to the SSID I preconfigured, loads openvpn client and connects to my home openvpn server. Now it is only a forwarding problem to do what I need.
Thanks for your message.
Best regards,

I just use an openwrt for all the routing at the remote site, it keeps the VPN tunnel up at all times. If I feel the need to break the internet at my mother's house, at a moment's notice I can connect! :joy:

1 Like

That's seems evil!