OpenVPN Tun Accessing NAT Loopback Port Forwards

Good Evening,

Desperately hoping someone can help me with this as I am pulling my hair out.

I've usually had OpenVPN Server set up in TAP mode, but have recently switched this to a TUN configuration, as I have replaced my Android phone and the OpenVPN client I used which supported TAP is no longer maintained and does not function on newer Android versions, and I am wanting to avoid buying another client.

I therefore switched to TUN mode and everything is working great except I am unable to access any of the port forwards that I have in place with NAT Loopback enabled, such as my web server. I don't want to start looking at Split DNS etc and just want to keep things simple.

If I try accessing my web server then I appear to be hitting the OpenWRT Web Server as I get the OpenWRT Certificate & the following error: "Forbidden - Rejected request from RFC1918 IP to public server address".

I've got the following OpenVPN configuration, which all seems good:

port 1194
proto udp
dev tun0

#scramble obfuscate ovpnclient

ca '/etc/openvpn/ca.crt'
cert '/etc/openvpn/my-server.crt'
key '/etc/openvpn/my-server.key'
dh '/etc/openvpn/dh2048.pem'

topology subnet

max-clients 254
keepalive 10 120

push "route"
push "route"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DOMAIN xxx.lan"
push "dhcp-option DOMAIN-SEARCH xxx.lan"
push "dhcp-option DOMAIN-SEARCH xxx.lan"
push "dhcp-option DNS"
push "compress lz4-v2"

cipher AES-256-CBC
auth SHA256

compress lz4-v2
push "compress lz4-v2"

verb 3

I'm currently running OpenWrt 21.02.5 if that is any use. Wondering if this can be worked around with some sort of NAT Rule?


Split DNS is likely more simple, but here's an example:

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '80'
	option dest_port '80'
	option src_ip ''
	option name 'REDIRECT_HTTP_VPN'
	option dest_ip ''
	option dest 'vpn'

Reasoning why this works: Cannot see hosted service with external IP and NAT loopback - #6 by lleachii

Thanks so much for this, I will take a look and see if it solves the issue.

Is there any kind of catch all rule for this situation at all then?

To be fair, it's only really http/https port forwards that I want accessible easily over VPN.

Define "all". I assume you could omit the ports. I've never tried that before.

Then simply make a second one for 443/tcp and you're done!
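Since the thread ends with "make a second one for 443/tcp", here is an added example (not code from the thread or from OpenWrt) that writes one UCI redirect stanza per TCP port, using the same field layout as the rule posted above. The VPN client subnet, the web server's LAN address and the zone name 'vpn' are placeholders/assumptions; the thread's own rule had those values blanked out.

```shell
#!/bin/sh
# Added example, not from the thread: generate OpenWrt UCI 'config redirect'
# sections so VPN clients can reach HTTP/HTTPS port forwards that NAT loopback
# does not cover for them. Paste the output into /etc/config/firewall and
# reload the firewall (/etc/init.d/firewall reload) on the router.

# Assumed placeholder values; replace with your own.
VPN_SUBNET="10.8.0.0/24"   # assumption: the OpenVPN TUN client subnet
WEB_SERVER="192.168.1.10"  # assumption: LAN address of the web server

# Print one 'config redirect' stanza. Arguments: port, src_ip, dest_ip.
# Field layout copied from the rule posted in the thread; only the port
# and the rule name vary between stanzas.
emit_redirect() {
    port="$1"; src_ip="$2"; dest_ip="$3"
    printf "config redirect\n"
    printf "\toption target 'DNAT'\n"
    printf "\toption src 'wan'\n"
    printf "\toption proto 'tcp'\n"
    printf "\toption src_dport '%s'\n" "$port"
    printf "\toption dest_port '%s'\n" "$port"
    printf "\toption src_ip '%s'\n" "$src_ip"
    printf "\toption name 'REDIRECT_%s_VPN'\n" "$port"
    printf "\toption dest_ip '%s'\n" "$dest_ip"
    printf "\toption dest 'vpn'\n\n"
}

# Emit one stanza per port given on the command line, e.g. 80 443.
# Usage: gen_vpn_redirects <src_ip> <dest_ip> <port> [<port> ...]
gen_vpn_redirects() {
    src_ip="$1"; dest_ip="$2"; shift 2
    for p in "$@"; do
        emit_redirect "$p" "$src_ip" "$dest_ip"
    done
}

# Count the stanzas in generated output read from stdin (sanity check
# before pasting into /etc/config/firewall).
count_redirects() {
    grep -c '^config redirect$'
}

# Stand-alone demo: ./gen_redirects.sh --demo
if [ "${1:-}" = "--demo" ]; then
    gen_vpn_redirects "$VPN_SUBNET" "$WEB_SERVER" 80 443
fi
```

Limiting the rules to the ports actually needed (80 and 443 here) keeps the exposure the same as the existing port forwards rather than opening every port to VPN clients; the "omit the ports" idea from the thread would make the redirect match all TCP traffic, which is why a per-port list is the safer default.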