OpenVPN - now connection from server to client

randomuser · May 23, 2025, 9:26am

I have installed OpenWRT + OpenVPN on two routers - Site A (Server) and Site B (Client).
Site A has static IPv4 and Site B is behind CGNAT.

I can access all devices in LAN Site A from Site B but can not do it in reverse way - from LAN Site A to LAN devices in Site B.

OpenVPN config

config openvpn 'SiteA'
        option proto 'udp'
        option cipher 'AES-256-GCM'
        option client_to_client '1'
        option comp_lzo 'no'
        option dev 'tunrw'
        option duplicate_cn '1'
        option enabled '1'
        option keepalive '10 120'
        option mode 'server'
        option mssfix '1450'
        option persist_key '1'
        option persist_tun '1'
        option port '16005'
        option remote_cert_tls 'client'
        option reneg_sec '0'
        option server '10.48.0.0 255.255.255.0'
        option topology 'subnet'
        option verb '3'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/Server.crt'
        option dh '/etc/openvpn/dh.pem'
        option key '/etc/openvpn/Server.key'
        list push 'comp-lzo no'
        list push 'route 192.168.48.0 255.255.255.0'

Network Site A config

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd0:be6f:f9c2::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.48.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr '***.***.***.***'
        option netmask '255.255.252.0'
        option gateway '***.***.***.***'
        list dns '***.***.***.***'
        list dns '***.***.***.***'

config device
        option name 'tunrw'
        option rpfilter 'strict'
        option acceptlocal '1'

I'm pretty new to th OpenWRT and networking so please let me know what else I should check

egc · May 23, 2025, 4:44pm

Using WireGuard is much simpler and much faster.

But if you insist then read on my notes maybe they are helpful:

Site-to-site
In a setup where a single server can handle many clients, it is sometimes necessary to set per-client options that overrule the global options, or to add extra options to a particular client. The option client-config-dir is very useful for this. It allows the VPN administrator to assign a specific IP address to a client, in order to push specific options such as a DNS server to a particular client or to temporarily disable a client altogether.
This option is also vital if you want to route a subnet from the server side to the client side.

Add to the OpenVPN servers config file:
#set option for CCD dir in openvpn config:
client-config-dir /etc/openvpn/ccd

This example has the LAN subnet of the server to be 192.168.6.0/24, the LAN subnet of the client is 172.18.18.0/24
Push server side LAN subnet to clients by adding redirect default gateway or
push "route 192.168.6.0 255.255.255.0 vpn_gateway"

Instruct server to add a route to the client-side LAN for all local server side clients:
route 172.18.18.0 255.255.255.0 vpn_gateway

From Command line:
#Make ccd directory
mkdir /etc/openvpn/ccd

#Make DEFAULT file which is used if no named file is used so only suitable if there is just one VPN client, If the server serves multiple clients, certificate authentication must be used with a unique certificate for each client. The CN of the certificate matches the file name for that client in the ccd.
touch /etc/openvpn/ccd/DEFAULT

#Add iroute to DEFAULT ccd file
echo "iroute 172.18.118.0 255.255.255.0" > /etc/openvpn/ccd/DEFAULT

Firewall
The firewall on the Client side must be setup as if it is a OpenVPN Server, so with ACCEPT on INPUT and FORWARD and no Masquerading.

randomuser · May 26, 2025, 7:54am

Thank you @egc - I don't know that WireGuard will work when only one side has public IP and second one is behind CGNAT. Pls send me instructions so I will try.

egc · May 26, 2025, 8:58am

It should work fine if one side has a public IP.

See my notes, the WireGuard server setup guide has instructions for a site-to-site setup between two routers

Start with setting up site A as a genuine server . it has a public IP address so that all other clients (routers phones etc) can connect to it even if they are behind CGNAT