OpenVPN not working in 2 Router setup

First and foremost i want to mention that I'm fairly new to OpenWRT and networking in general. I've had a lot of fun building my current setup but right now i seem to have hit a wall.

What is my goal?
I'm unfortunately forced to use a cellular data router. At first that doesn't seem to be a problem. The router is quite good and UP/DOWN is pretty good too. All good and dandy if it wasn't for one small problem, my ISP doesn't issue public IP addresses to these kinds of connections. So my goal is to use my OpenWRT router (connected to LTE router) as gateway for machines/services that require a puplic ip and/or port forwarding.

What does my setup look like?
LTE Router as Gateway ( connected through LAN (not PPPoE) to my OpenWrt router ( The only interface that i currently use on my OpenWrt router is "LAN" using a static IP address.

What problems do i encounter?
After installing OpenVPN and importing my profile nothing seems to happen. I can enable the profile and it's seemingly working. A quick ip lookup and traceroute unfortunately reveals that my LTE router still shows up as gateway.

My explanation of my problem probably reveals that I'm pretty inexperienced with that sort of stuff.

Thanks in advance for anyone trying to help.

Follow the OpenWrt wiki to configure the VPN connection properly.
Check the system/connection log for troubleshooting.

1 Like

Thanks for the fast reply (:

I followed the instructions on the wiki for both general VPN client setups and OpenVPN. My remote OpenVPN server is working fine with other devices.

Dunno if it's worth mentioning, but traceroute now returns a "bad adress" output regardless of what address i use.

1 Like

Collect the diagnostics and post to redacting the private parts:

/etc/init.d/log restart; /etc/init.d/openvpn restart; \
sleep 10; logread -e openvpn; uci show network; uci show firewall; \
ip address show; ip route show table all; ip rule show; iptables-save; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Assuming the VPN started up properly.... that can be checked by looking through the log for "Initialization Sequence Complete." OpenVPN puts a lot of messages in the log which usually make it clear where a problem is.

SO if the VPN is up, and on the VPN client router (.2) you can ping the other side of the tunnel, and traceroute to Internet sites shows it is going through the tunnel, next you need some more routing since the VPN client is not the network's main router.

The other LAN devices are unaware of your VPN client, so they don't route through it. They just go out through the main router as normal.

Anything incoming on the VPN is lost unless you set the VPN client to forward it to the proper machine and that machine has a route back through the VPN so a reply is possible.

There are different ways to do this. If you want all the Internet usage to go via VPN, set DHCP option 3 in the main router to advertise the VPN client router as the network's default gateway. It could also be done machine by machine with a local configuration on the endpoint machine.

1 Like

Shouldn't contain any sensitive information

1 Like

That is going to be a major obstacle to overcome. You're dealing with something called "carrier-grade NAT". You can configure your own equipment until the proverbial cows come home, but the actual Internet-facing router is outside your control; it's somewhere in one of your ISP's datacentres. Without the involvement of your ISP, inbound port forwarding is unlikely to be possible.

There are ways around it, though. One possible approach involves having access to a separate computer somewhere else entirely on the Internet, which has its own public IP address. For example, renting a VPS from Amazon, or Digital Ocean, or Hetzner, or other similar providers, and configuring a VPN connection outbound from your local equipment to that VPS.

Can you please elaborate on what you mean by DHCP option 3? The web interface of my router is extremely basic and doesn't offer any way to manually change the default gateway.

I can change the connection type between the two routers on my main router to something other than the current basic lan connection. I unfortunately lose any web connectivity when doing so.

Sorry if that wasn't clear from the original post, but i do own a remote OpenVPN server with a public ip address.

1 Like

Is it possible to turn off the DHCP server in the main router? Then you can run the network's DHCP server from the OpenWrt router.

The other option is to route through OpenWrt, setting it up as a conventional LAN to WAN, in other words it is the network's main router. The 4G router would then become only a connection to the Internet, for the VPN client process.

Since it's already a CG-NAT situation, an additional stage of NAT would not be a problem at all.


That was original idea. But after fighting with the terrible web interface of my main router, I decided to go the easy route. I think it's worth mentioning that both routers need to maintain their Access Point capabilities.

uci -q delete firewall.@redirect[0]
uci commit firewall
/etc/init.d/firewall restart
uci set network.lan.gateway=""
uci commit network
/etc/init.d/network restart
sleep 10
/etc/init.d/openvpn restart

Sorry, but this doesn't seem to help me with my problem. The problem still persists.

You should now have the default gateway configured and can collect the proper connection log.

1 Like