OpenWRT + OpenVPN client + NAT

I configured the OpenVPN client on my OpenWRT router with LuCI, but the new interface did not appear in the Interfaces tab.
I need to configure NAT on this VPN interface for accessing my home devices from OpenVPN server.
Help plz.


It doesn’t need to show up in the interfaces, provided that you have added the tun device to the firewall.

You do need to enable masquerading on the firewall zone that contains your OpenVPN device.


I created the following section in /etc/config/firewall

config redirect
        option target          DNAT
        option src             wan
        option dest            lan
        option proto           tcp
        option src_dport       3389
        option dest_ip         192.168.1.20
        option dest_port       3389

But here all incoming packets to my wan on port 3389 will be redirected to 192.168.1.20:3389.

How can I make sure that only packets incoming from OpenVPN tun0 are sent to 192.168.1.20:3389?
Thnx!

Re-assign the VPN device to a separate firewall zone.

How to do it?

I added a VPN zone for tun0

The following section appeared in the /etc/config/firewall

config zone
        option name 'VPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'DROP'
        list network 'OpenVPN'

What rules should we now create so that incoming packets to the OpenVPN interface on port 3389 are redirected to 192.168.1.20:3389?

  • Specify your VPN zone as source on the above redirect.
  • Enable forwarding from the LAN zone to the VPN zone.
  • Enable masquerading and MTU fix on the VPN zone.

The current situation is

config zone
        option name 'VPN'
        list network 'OpenVPN'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

config redirect
        option target 'DNAT'
        option src 'vpn'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '3389'
        option dest_ip '192.168.1.20'
        option dest_port '3389'

config forwarding
        option src 'VPN'
        option dest 'lan'

The OpenVPN client received the address 10.1.1.7.
Connection to 10.1.1.7:3389 does not work.
Firewall on 192.168.1.20 is disabled.
What's wrong?

uci set firewall.@zone[-1].name="vpn"
uci set firewall.@zone[-1].output="ACCEPT"
uci set firewall.@zone[-1].forward="REJECT"
uci add_list firewall.@zone[-1].device="tun+"
uci set firewall.@forwarding[-1].src="vpn"
uci commit firewall
/etc/init.d/firewall restart
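The three steps given earlier (point the redirect's source at the VPN zone, add the forwarding, enable masquerading and MTU fix) and the final fix above both hinge on one detail: fw3 and fw4 match zone names in `redirect` and `forwarding` sections exactly, so `option src 'vpn'` never refers to a zone declared as `option name 'VPN'`. The checker below is an added example, not code from this thread or from the OpenWrt project. It parses a UCI firewall fragment and reports zone references that match no declared zone, flagging case-only mismatches separately, then verifies the three steps for the named VPN zone. The two config texts are constructed from the posts above; a minimal `lan` zone is added to each because the posts omit the default one.

```python
"""Consistency check for an OpenWrt /etc/config/firewall fragment (added example).

Zone references in `redirect`, `forwarding` and `rule` sections are compared
with `config zone` names verbatim, as fw3/fw4 do, so 'vpn' != 'VPN'.
"""
import shlex


def parse_uci(text):
    """Parse UCI text into a list of {"type", "options", "lists"} sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # handles the 'quoted' values
        value = tokens[2] if len(tokens) > 2 else ""
        if tokens[0] == "config":
            sections.append({"type": tokens[1], "options": {}, "lists": {}})
        elif tokens[0] == "option" and sections:
            sections[-1]["options"][tokens[1]] = value
        elif tokens[0] == "list" and sections:
            sections[-1]["lists"].setdefault(tokens[1], []).append(value)
    return sections


def check_firewall(text, vpn_zone):
    """Return a list of findings; an empty list means the fragment is consistent."""
    sections = parse_uci(text)
    zones = {s["options"]["name"] for s in sections
             if s["type"] == "zone" and "name" in s["options"]}
    findings = []

    # 1. Every src/dest in redirect/forwarding/rule must name a declared zone.
    for s in sections:
        if s["type"] not in ("redirect", "forwarding", "rule"):
            continue
        for key in ("src", "dest"):
            ref = s["options"].get(key)
            if ref is None or ref == "*" or ref in zones:
                continue
            near = [z for z in zones if z.lower() == ref.lower()]
            if near:
                findings.append(f"{s['type']}.{key}='{ref}' does not match zone "
                                f"'{near[0]}' (names are case-sensitive)")
            else:
                findings.append(f"{s['type']}.{key}='{ref}' refers to no defined zone")

    # 2./3. The VPN zone needs masq + mtu_fix and a forwarding towards lan.
    vpn = [s for s in sections if s["type"] == "zone"
           and s["options"].get("name") == vpn_zone]
    if not vpn:
        findings.append(f"no zone named '{vpn_zone}'")
    else:
        for flag in ("masq", "mtu_fix"):
            if vpn[0]["options"].get(flag) != "1":
                findings.append(f"zone '{vpn_zone}' has {flag} disabled")
    if not any(s["type"] == "forwarding" and s["options"].get("src") == vpn_zone
               and s["options"].get("dest") == "lan" for s in sections):
        findings.append(f"no forwarding from zone '{vpn_zone}' to 'lan'")
    return findings


# Constructed from the "current situation" post; the lan zone is assumed.
BEFORE = """
config zone
        option name 'lan'
config zone
        option name 'VPN'
        list network 'OpenVPN'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
config redirect
        option target 'DNAT'
        option src 'vpn'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '3389'
        option dest_ip '192.168.1.20'
        option dest_port '3389'
config forwarding
        option src 'VPN'
        option dest 'lan'
"""

# Constructed: the same fragment after the final uci commands were applied.
AFTER = BEFORE.replace("option name 'VPN'", "option name 'vpn'\n        list device 'tun+'") \
              .replace("option src 'VPN'", "option src 'vpn'") \
              .replace("option forward 'ACCEPT'", "option forward 'REJECT'") \
              .replace("option output 'REJECT'", "option output 'ACCEPT'")

if __name__ == "__main__":
    for label, cfg, zone in (("before", BEFORE, "VPN"), ("after", AFTER, "vpn")):
        print(label, check_firewall(cfg, zone) or "OK")
```

Running it prints one finding for the "before" fragment, the `redirect.src='vpn'` case mismatch, and `OK` for the "after" fragment, which is exactly what the renaming in the last reply achieves. The `tun+` device entry (from that reply) attaches any tun interface to the zone even when the OpenVPN interface never shows up in LuCI, which was the original question.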
