I use Starlink and therefore sit behind a CGNAT without a public IP address.
I have a subscription to PureVPN with a fixed IP via PPTP and port forwarding (all ports are open here).
I use a gl.inet GL-MT300N-V2 / Mango as VPN router.
I managed to set up the VPN connection in OpenWRT with these instructions here https://www.youtube.com/watch?v=-TvsuDtBnBQ. However, from "outside" I can only reach the GUI of the VPN router but not my other servers in my network although I have created port forwarding rules for them in OpenWRT.
PPTP is no longer considered safe to use on the modern internet. You should see if your provider supports WireGuard, and if so, change to a new, much more secure vpn protocol.
Regarding the specific issue you have asked about, let’s see the config files:
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
I know about the security issue. I use an SSL connection in addition. PureVPN only supports PPTP, L2TP, SSTP and IPSec with dedicated IP. They do not support OpenVPN with fixed IP.
```
cat /etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix '**:/48'

config switch
    option name 'switch0'
    option reset '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 6t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0 6t'

config device 'wan_dev'
    option name 'eth0.2'
    option macaddr '***'

config device 'lan_dev'
    option name 'eth0.1'
    option macaddr '***'

config interface 'PureVPN'
    option proto 'pptp'
    option server 'de-ded-11.pointtoserver.com'
    option username '<user>'
    option password '<password>'
    option ipv6 '0'

config interface 'LAN_DHCP'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '192.168.8.1'
    option netmask '255.255.255.0'
    option delegate '0'

config interface 'LAN'
    option ifname 'eth0.2'
    option proto 'dhcp'
    option hostname 'VPN_Router'
    option delegate '0'

# I have added this in the hope that it will route to the server
config route
    option target '192.168.2.56'
    option gateway '192.168.2.1'
    option interface 'LAN'
```
```
cat /etc/config/firewall

config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option synflood_protect '1'
    option forward 'ACCEPT'

config include
    option path '/etc/firewall.user'
    option reload '1'

config include 'glfw'
    option type 'script'
    option path '/usr/bin/glfw.sh'
    option reload '1'

config zone 'LAN'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option name 'LAN'
    list network 'LAN'
    list network 'LAN_DHCP'

config include 'gls2s'
    option type 'script'
    option path '/var/etc/gls2s.include'
    option reload '1'

config include 'glqos'
    option type 'script'
    option path '/usr/sbin/glqos.sh'
    option reload '1'

config rule
    option target 'ACCEPT'
    option src 'VPN'
    option dest 'LAN'
    option family 'ipv4'
    option enabled '0'
    option name 'Allow VPN'
    list proto 'all'

config zone 'WAN'
    option masq '1'
    option output 'ACCEPT'
    option name 'VPN'
    list network 'PureVPN'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config redirect
    option src 'VPN'
    option name 'NAS - DSM'
    option target 'DNAT'
    option dest 'LAN'
    list proto 'tcp'
    option dest_port '1001'
    option dest_ip '192.168.2.56'
    option src_dport '1001'
```
You appear to be using the gl-inet provided firmware. This is based on openwrt, but it is distinctly different due to the extensive customization they have done.
You have two options:

1. use an official openwrt version (22.03.0 was just released) and try again. You can then get relevant help on this forum.
2. continue using the stock firmware and ask for help from the gl-inet support or community forum. They will know the nuances of configuring and troubleshooting that specific firmware.
```
cat /etc/config/firewall

config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config zone
    option name 'VPN'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'PureVPN'
    option masq '1'

config zone
    option name 'LAN'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'LAN'
    list network 'LAN_DHCP'

config forwarding
    option src 'LAN'
    option dest 'VPN'

config redirect
    option target 'DNAT'
    option name 'NAS - DSM'
    list proto 'tcp'
    option src 'VPN'
    option src_dport '1001'
    option dest_ip '192.168.2.56'
    option dest_port '1001'
    option dest 'LAN'
```
For now it seems that the VPN router itself is exposed and its web GUI directly reachable via the external IP on port 443, but not my rule using port 1001.
You should connect to your vpn provider over ipv6 so that you avoid tunneling through the cgn. If the vpn provider doesn't do ipv6, then you should consider switching to a vpn provider that does. Tunneling through a cgn will make your vpn service brittle.
Starlink itself only works with IPv4 for now.
I hope the tunnel will stay stable. But the routing problem is still not solved for me. I can't reach my own server.
A quick search shows that starlink does indeed do v6. Any isp that uses a cgn will have v6 deployed to reduce the demand on the cgn. Only isps in dirt poor countries run cgn without v6 because they can't afford to replace their outdated v4 only equipment. I suggest you get v6 working so that you can get the best of service from starlink.
As for your routing problem, I'm not sure. The vpn zone should have option input set to REJECT or DROP so that the router itself isn't exposed. The redirect rule looks ok to me, so I don't know why it isn't working. Maybe you need to restart the firewall, or maybe someone else can offer some insight.
Assign a static address to this interface and configure 192.168.2.56 to use the assigned address as default gateway or enable masquerading on the LAN zone.
PureVPN is a known MTU black hole (source: I am a customer, and also have a static-ip account). In the firewall settings, could you please confirm that you enable MSS clamping on the zone that has the PPTP interface?
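The three points raised in the last replies (the VPN zone's `input` policy should be REJECT or DROP so the router itself is not exposed, the LAN zone needs masquerading unless the NAS routes back through the VPN router, and MSS clamping belongs on the zone carrying the PPTP interface) can be checked mechanically against a saved `cat /etc/config/firewall` dump. The script below is an added example, not code from the thread or from OpenWrt; it embeds a constructed copy of the poster's second firewall config as sample input and parses the UCI text with awk, so it runs on any POSIX shell without `uci` installed. The zone/interface names `PureVPN` and `LAN` are taken from the thread; `hardened_vpn_zone` is a hypothetical corrected stanza written for this example.

```sh
#!/bin/sh
# Added example: audit an OpenWrt /etc/config/firewall dump for the zone
# settings discussed in the thread. Not part of the original posts.

# Constructed sample input: the second firewall config posted in the thread.
sample_firewall() {
cat <<'EOF'
config zone
    option name 'VPN'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'PureVPN'
    option masq '1'

config zone
    option name 'LAN'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'LAN'
    list network 'LAN_DHCP'
EOF
}

# Hypothetical corrected VPN zone: router not reachable from the tunnel,
# MSS clamped for the PPTP path. Written for this example only.
hardened_vpn_zone() {
cat <<'EOF'
config zone
    option name 'VPN'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mss_clamping '1'
    list network 'PureVPN'
EOF
}

# audit_zones VPN_IFACE LAN_IFACE < firewall_text
# Walks each 'config zone' stanza and prints one finding per line.
# Empty output means no findings.
audit_zones() {
    awk -v vpn="${1:-PureVPN}" -v lan="${2:-LAN}" -v q="'" '
    function unq(s) { gsub(q, "", s); return s }
    function has(iface) { return index(" " nets " ", " " iface " ") > 0 }
    function report() {
        if (name == "") return
        if (has(vpn)) {
            if (input != "REJECT" && input != "DROP")
                printf "%s: input is %s (expected REJECT or DROP)\n", name, (input == "" ? "unset" : input)
            if (mss != "1")
                printf "%s: mss_clamping is not enabled\n", name
        }
        if (has(lan) && masq != "1")
            printf "%s: masq is not enabled (needed unless LAN hosts use this router as gateway)\n", name
    }
    $1 == "config" { report(); name = ""; input = ""; mss = ""; masq = ""; nets = ""; inzone = ($2 == "zone"); next }
    !inzone { next }
    $1 == "option" && $2 == "name"         { name = unq($3) }
    $1 == "option" && $2 == "input"        { input = unq($3) }
    $1 == "option" && $2 == "mss_clamping" { mss = unq($3) }
    $1 == "option" && $2 == "masq"         { masq = unq($3) }
    $1 == "list"   && $2 == "network"      { nets = nets " " unq($3) }
    END { report() }
    '
}

# Usage: audit the constructed sample, then the corrected stanza.
echo "== findings for posted config =="
sample_firewall | audit_zones PureVPN LAN
echo "== findings for hardened VPN zone =="
hardened_vpn_zone | audit_zones PureVPN LAN
```

On a real router the same function is run as `audit_zones PureVPN LAN < /etc/config/firewall`. The `masq` finding on the LAN zone is deliberately phrased as conditional: it only matters when the target host keeps the upstream router as its default gateway, which is exactly the asymmetric-return-path situation described for 192.168.2.56.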