OPENVPN Client and Portforwarding Problem

Hey, I am new and my English is not very good, sorry.

My Setup: Internet -> (Router(Fritzbox) 10.4.4.1) -> (OpenWRT lan 10.4.4.15) -> (OpenWRT VPNClient 10.8.8.100)

Port forwarding on the router (Fritzbox) works. The port is 63015.

What I want:
Connect from a public IP over the Fritzbox to services on the OpenWrt router.

What the problem is:
The connection succeeds if the OpenVPN client is stopped.
If the OpenVPN client is online, no connection from a public address is possible.
This was the standard configuration of the OpenVPN client, because every outgoing connection was routed over the VPN.

So I need a VPN bypass for incoming connections on port 63015. The problem is that the incoming IP changes, and this makes it difficult to write a firewall rule...

Solution idea: I tried to mark the incoming port with this script in my firewall user and bypass this traffic out of the VPN:
echo 30 bypass >> /etc/iproute2/rt_tables #=> i do this only one time not in the Firewall user...

#route table "bypass" over br-lan and not over vpn
ip route add 10.4.4.0/24 dev br-lan table bypass

#give the table the default route (router fritzbox)
ip route add default via 10.4.4.1 dev br-lan table bypass

#send marked packets to table bypass
ip rule add fwmark 1 table bypass

#mark incoming connections to port 63015 (destination port, not source port)
#and store the mark on the connection so the replies can be recognised
iptables -t mangle -A PREROUTING -p tcp --dport 63015 -j CONNMARK --set-mark 1

#the replies are generated by the router itself and pass OUTPUT, not PREROUTING:
#copy the connection mark back onto them so the ip rule above applies to them
iptables -t mangle -A OUTPUT -p tcp --sport 63015 -j CONNMARK --restore-mark

=> no success with this solution

With my Synology I have no problem, because in the setup of the VPN client I can tick that incoming requests are answered over the same interface. In OpenWrt I have not found this feature.

Please answer in detail, because my Linux skills are script-kiddie level.

Best regards and merry Christmas
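A complete version of this policy-routing idea, added here as an example (it is not a script from this thread or from the OpenWrt project). It hinges on two details that decide whether the bypass works: the match must be on the destination port of the incoming request, and the router's own reply packets traverse the OUTPUT chain, where a mark set in PREROUTING never applies, so the mark has to be stored on the connection (CONNMARK) and restored onto each reply. The addresses, interface and port are the poster's own; routing table id 30, the name "bypass", mark 0x1 and rule priority 100 are assumptions (any unused values work). DRY_RUN=1 prints the commands instead of executing them, which is also what the self-check below uses.

```shell
#!/bin/sh
# Added example (not from the thread): make one inbound service port on an
# OpenWrt/LEDE router answer via br-lan/Fritzbox while the default route
# goes through an OpenVPN client. Table id/name, mark and priority are
# assumptions; the rest are the poster's values.
PORT="${PORT:-63015}"              # inbound service port forwarded by the Fritzbox
LAN_GW="${LAN_GW:-10.4.4.1}"       # the Fritzbox, the real upstream gateway
LAN_IF="${LAN_IF:-br-lan}"         # interface towards the Fritzbox
LAN_NET="${LAN_NET:-10.4.4.0/24}"
TABLE_ID=30                        # assumed free routing-table id
TABLE_NAME=bypass
MARK=0x1                           # assumed free fwmark value

# run: execute a command, or only print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# add_rule: append a mangle rule only if an identical one is not already
# present, so re-running from /etc/firewall.user does not stack duplicates
add_rule() {
  if [ "${DRY_RUN:-0}" != "1" ] && iptables -t mangle -C "$@" 2>/dev/null; then
    return 0
  fi
  run iptables -t mangle -A "$@"
}

# ensure_table: register the table name once; rt_tables is a plain text file
ensure_table() {
  grep -qs "^$TABLE_ID[[:space:]][[:space:]]*$TABLE_NAME" /etc/iproute2/rt_tables ||
    run sh -c "echo '$TABLE_ID $TABLE_NAME' >> /etc/iproute2/rt_tables"
}

# setup_routes: the bypass table knows only the LAN and a default route via
# the Fritzbox; "replace" and del-before-add keep this idempotent
setup_routes() {
  run ip route replace "$LAN_NET" dev "$LAN_IF" table "$TABLE_NAME"
  run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE_NAME"
  run ip rule del fwmark "$MARK" table "$TABLE_NAME" 2>/dev/null
  run ip rule add fwmark "$MARK" table "$TABLE_NAME" priority 100
}

# setup_marks: tag the *connection* on its first inbound packet, then copy
# the tag onto every reply. Replies originate on the router and pass the
# OUTPUT chain, never PREROUTING, so a plain MARK in PREROUTING cannot move
# them out of the tunnel; the restored mark makes the ip rule above apply.
setup_marks() {
  add_rule PREROUTING -i "$LAN_IF" -p tcp --dport "$PORT" \
    -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
  add_rule OUTPUT -p tcp --sport "$PORT" \
    -m connmark --mark "$MARK" -j CONNMARK --restore-mark
}

# setup_rpfilter: the request arrives on br-lan from a public address that
# the main table would route via the tunnel; strict reverse-path filtering
# (1) silently drops such packets, loose mode (2) accepts them
setup_rpfilter() {
  run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=2"
  run sysctl -w net.ipv4.conf.all.rp_filter=2
}

# verify: what to look at when it still does not answer via the Fritzbox
verify() {
  run ip rule show
  run ip route show table "$TABLE_NAME"
  run iptables -t mangle -L PREROUTING -n -v
  run iptables -t mangle -L OUTPUT -n -v
}

case "${1:-}" in
  apply)   ensure_table; setup_routes; setup_marks; setup_rpfilter; verify ;;
  dry-run) DRY_RUN=1; ensure_table; setup_routes; setup_marks; setup_rpfilter ;;
  verify)  verify ;;
  *)       echo "usage: $0 apply | dry-run | verify" ;;
esac
```

Run `sh vpn_bypass.sh dry-run` first to see exactly what would be changed, then `sh vpn_bypass.sh apply` as root; the `apply` branch is safe to put in /etc/firewall.user because every step is idempotent. If iptables rejects the CONNMARK target, the connmark match/target kernel module is not installed; on OpenWrt it ships separately from the base firewall (as far as I know in the conntrack-extra iptables kmod, check with opkg). The counters shown by `verify` are the quickest check: the OUTPUT rule's packet count must grow when a client connects from outside, otherwise the replies are not being marked and will still leave through the tunnel.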

All you need to do is follow the OpenVPN Server Wiki.

  • Since LEDE (you should be running LEDE, not OpenWrt) will not be your WAN facing router, you will need to forward the VPN server port from WAN (Fritzbox) to the LEDE router.

    • Since you're forwarding a WAN side port to your LAN, I highly recommend going with an extremely high port >55000 for the VPN Server, which should be a port that is not on this list.

    • You will also need to ensure that the VPN Server port is blocked by a firewall rule on the FritzBox to all other devices on the LAN (except for the LEDE Router).

      • You will create the firewall rule for the "Allow initial VPN connection" on your FritzBox (as well as on the LEDE Router), and you will place your reject rule below this rule on your FritzBox.

Thanks for your answer, but I think that this is not my problem:

I forward a port from WAN (Fritzbox) to the OpenWrt / LEDE router and it works quite well.
But on this OpenWrt / LEDE router an OpenVPN client is running, and when this client is working, the LEDE / OpenWrt router answers the request from outside over the VPN client tunnel, which does not work.

The issue in your first post is you do not have a DDNS configured, which is required if your ISP does not assign you a static IP (most ISPs do not).

In your second post, it seems you're conveying that you want your LEDE router configured as a VPN client, whereas in the first post, you seem to be conveying you want it configured as a VPN server for remote access to your LAN.

  • Are you trying to access your LAN remotely or are you trying to connect to a 3rd party VPN provider to route all LEDE router traffic through (in which case you configure LEDE as a client)?

I have a DDNS and it works well.

I want to do both. On the one hand, I connect to a 3rd party VPN provider to route all LEDE router traffic through.
On the other hand, I want to access one other service on the LEDE router remotely.
Both work well, but not together, because the other service receives the request from the public IP (Fritzbox) but answers it over the VPN client gateway.
All I want is that the request bypasses the VPN client gateway and is answered over the Fritzbox.

I've never done it before, but there shouldn't be any issue with configuring LEDE as both a VPN Server and a VPN Client.

Have you tried configuring the VPN Server on LEDE with a port other than 1194 (which is recommended regardless)?

  • Provided they're both on separate ports, there should be no issue. If there is, please post the LEDE VPN Server config and Client config you're using for the LEDE VPN server (not the client config for the 3rd party VPN, but the client config to connect to the LEDE VPN Server).

I think the problem is "normal" ...