OpenVPN tunnel connection timeout

Hi all,

I have followed the instructions published here to configure an OpenVPN server (Router W826-T2 - OpenWrt version 5.4.154).

I use noip.com for DDNS.
LuCi shows correct public IP.
From another device connected to the internet with 4G, the DDNS domain is resolved correctly.

The issue is: OpenVPN client (on Android) cannot establish connection to my server (timeout).

tcpdump on the server does not show any packet from the remote client.
Nothing in the logs either.

Any idea?
It would be great if someone can help me to dig more...

Thanks,

Are you actually trying to connect from the wan side and not from lan side?

Does it work without DDNS?

What does client log say?

From Android connected to the internet through 4G.

DDNS info is embedded in client.ovpn, do you mean I should regenerate another client without DDNS?

Here are screenshots of the client log.

Yea, DDNS is a complicated addon that can screw things up.

And we don't even know if the config works to begin with.

But your log is pretty clear, there is no internet connection established to the router. So it is either trying to connect to the wrong IP address or your firewall is closed.

Can you ping the router IP from the phone through 4G?

Thank you for helping!
The ping from internet does not work.

Some info to complete:

My server is connected through 4G/LTE.
In LuCi I see 3 interfaces:

LTE (wwan0)
Protocol: QMI Cellular

LTE_4 (wwan0)
Protocol: Virtual dynamic interface (DHCP client)
Uptime: 10h 42m 49s
IPv4: 10.23.XX.YY/30

LAN (br-lan)
(...)

I believe that the IP address 10.23.XX.YY/30 is provided by my ISP.

The public address according to whatismyipaddress.com is 94.184.ZZ.ZZ.
It is also the IP address shown by DDNS in LuCi.

Ping 94.184.ZZ.ZZ does not work.

Thanks,

If you turn off the DDNS can you ping the 10.23.xx.xx address then?

There is another possibility that you actually ping the 4G ISP server and they have a firewall that protects their customers that live inside their private network. 10.xx.xx.xx isn’t a public IP but a private IP address.

The 94.xx.xx.xx is a public internet address.
This is the same as the DNS Masq the OpenWRT firewall has between the wan and lan interfaces.

This is an RFC1918 address and is not a public IP. It is common for cellular providers to provide CG-NAT or RFC1918 addresses.

This provides further confirmation that your ISP issued IP does not match the apparent public IP, and therefore means that you are behind a carrier-based NAT system.

Your VPN will not work due to the fact that your carrier is not issuing you a public IP.
You can investigate these two things to see if there is a path forward:

  • ask the ISP if they can give you a public IP (they may charge extra for this)
  • find out if you have an IPv6 based IP -- if so, you can theoretically connect via IPv6.

Failing those, there is no simple path to getting your OpenVPN server to function. You will either need to look at complex solutions involving a VPS to act as an intermediary, or you can look at changing ISPs. Otherwise, it is game over here.

1 Like

I used the same SIM card in another router, with the same 4G/LTE module, but under another OS: OpenVPN worked fine. I am migrating to OpenWRT because my old server died.

The IP address in the /30 subnet is used for the back-to-back connection between my router and the next hop on the ISP side, for sure. By definition it is not possible to ping b2b IP addresses (for security reasons). In addition, the 10.x.x.x/8 range is not used for public IP addresses.

What I can do is ping the 2 addresses of the /30, but I believe it will lead nowhere, pingable or not pingable.

I will search whether my ISP made some changes during the last couple of weeks to block pings... and individual OpenVPNs.

Thanks

Was that a cloud based OS? Like Linksys for example that requires internet connection to be able to log in to the router?
OpenWRT has a tendency to make things stop working in a good way because it has no backdoors and s..t built in.

Compare the WAN IP on the old router (assuming it is still functional) with the WAN IP that you see on the new one.

Fundamentally, if you don't have the exclusive use of an IPv4 public IP, you cannot setup a server that will be accessible on the general internet without other (complex) solutions.
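The check the two replies above describe, comparing the ISP-issued WAN address with the address the internet sees, as an added Python example that is not from anyone in this thread. The host parts of the addresses are constructed placeholders standing in for the masked 10.23.XX.YY/30 and 94.184.ZZ.ZZ.

```python
"""Decide whether a router's WAN address can accept inbound connections
(e.g. an OpenVPN server) or whether the ISP has put it behind CG-NAT.

Added example; the addresses below are constructed placeholders."""
import ipaddress

# Constructed sample: what LuCI showed on the LTE_4 interface, and what
# whatismyipaddress.com reported for the same router.
WAN_INTERFACE_IPV4 = "10.23.45.2/30"  # placeholder for 10.23.XX.YY/30
APPARENT_PUBLIC_IP = "94.184.1.2"     # placeholder for 94.184.ZZ.ZZ

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space


def classify(addr: str) -> str:
    """Return 'rfc1918', 'cgnat-shared', 'public' or 'other' for an
    IPv4/IPv6 address, with or without a prefix length."""
    ip = ipaddress.ip_interface(addr).ip
    if ip.version == 4:
        if any(ip in net for net in RFC1918):
            return "rfc1918"
        if ip in CGNAT_SHARED:
            return "cgnat-shared"
    return "public" if ip.is_global else "other"


def inbound_reachable(wan_addr: str, public_addr: str) -> tuple[bool, str]:
    """A server bound to the WAN address is reachable from the internet only
    if that address is itself global AND equals the address the internet sees."""
    wan = ipaddress.ip_interface(wan_addr).ip
    seen = ipaddress.ip_address(public_addr)
    kind = classify(wan_addr)
    if kind != "public":
        return False, (f"WAN address {wan} is {kind}: the carrier translates it "
                       f"(CG-NAT); inbound connections cannot reach the router")
    if wan != seen:
        return False, (f"WAN address {wan} is public but the internet sees {seen}: "
                       f"there is another NAT upstream")
    return True, (f"WAN address {wan} matches the apparent public address; "
                  f"check port forwarding and the firewall next")


if __name__ == "__main__":
    ok, reason = inbound_reachable(WAN_INTERFACE_IPV4, APPARENT_PUBLIC_IP)
    print("reachable" if ok else "not reachable", "-", reason)
```

Running it on the thread's numbers yields "not reachable" because the WAN address is RFC1918; a global IPv6 address on the WAN interface classifies as "public", which is the IPv6 path the reply suggests.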

I think you are right about FW on carrier side.
Because of the lack of IPv4 addresses, carriers use carrier-grade NAT (CGN); with this, 1 IPv4 address is shared, that's why I cannot ping my router from the internet.
I will try to use only IPv6 and see...
Thanks to flygarm12.

The firewall here usually isn't about "protecting" the users. NAT (be it CG-NAT or standard RFC1918 NAT) is a means of conserving IPv4 addresses. Just like on your home network, a single IPv4 address can provide internet access for dozens if not hundreds of devices.