Set up an openvpn server on an access point router

Hello everybody.

I'm new on this forum and hope to be at the right place. I need help please. I'm quite a newbie in networking; trying to learn and to win some experience.

My situation...
I live in Belgium, and my ISP is Proximus (provides a "BBOX" (= router/modem) working with PPPoE). On this BBOX, I did this:

- disabled PPPoE,
- disabled DHCP,
- assigned fixed IP on 192.168.50.5,
- wired a Cisco EA6700 on which:
     - enabled DHCP,
     - assigned fixed IP on 192.168.50.1
     - set up an openvpn server (on 10.254.50.0) and a DDNS service.

Everything works great until now.

My problem / challenge...
I want to be able to manage the openvpn server (and eventually the DDNS service too if possible), on another router (Cisco EA6900 for example) wired on my network. This openvpn server can be a second one OR the only one (which means the openvpn server on the EA6700 could be canceled). My problem is that I just can't make it work on a router which doesn't manage the public IP. In other words, I can do it just like I explained above on the EA6700 because through the WAN (PPPoE service), it gets the public IP and the DDNS service. This means my openvpn client connects to the public IP (through the DDNS service). In the new config, I just can't reach the openvpn server.

What I tried...
I have no experience with port forwarding, route mapping, ... I thought I just had to forward a port on the EA6700 (which manages the PPPoE) to the EA6900 but it doesn't seem to work. I set it up like this:

Protocol : Both
Ext ports : 1194 (for example, can be another one)
Int ports : 80 (also tried with 8080 and 1194)
Int address : 192.168.50.3 (fixed IP of the EA6900)

In the openvpn client...

remote 'DDNS address' 1194

PS : I really need it to work because I have another house with another ISP (Telenet). On their router, it's not possible to disable the WAN/PPPoE. I need to be able to reach an openvpn server on this site. This openvpn server must be on an "access point router". I mean a router without public IP.

If I did something wrong in this post, sorry. First time... Just let me know and I'll correct it ASAP.

Can any skilled buddy help me please?

Thank you in advance, ComboFab.

- disabled PPPoE,
- disabled DHCP,
- assigned fixed IP on 192.168.50.5,
- wired a Cisco EA6700 on which:
     - enabled DHCP,
     - assigned fixed IP on 192.168.50.1
     - set up an openvpn server (on 10.254.50.0) and a DDNS service.
     - (I forgot...) enabled WAN

Are your Ciscos running OpenWrt? If not, then I'm afraid this is not the best place to ask.

That said: if your OpenVPN server does not have a public IP, you need to do port-forwarding. Make sure that you forward UDP or TCP depending on your OpenVPN setup.

Also check that your other ISP really assigns a public IP and doesn't do CG-NAT. In the latter case you won't be able to reach your OpenVPN server. At least where I live, ISPs need to assign a public IP at least on request.

Hello andyboeh, first of all, thanks for your time and your answer.

Which firmware...
I tried many firmwares: OpenWRT (if not, I wouldn't ask here...), Tomato by Shibby, Fresh Tomato, Advanced Tomato, DD-WRT. My problem is always the same. I'm pretty sure my problem is I don't do it like I must. Btw, OpenWRT support is very limited on my routers (Linksys EA6700 x 2, Linksys EA6900).

Port forwarding...
For now, like I explained, I'm trying to configure the setup where I'm living. My ISP (Proximus) is providing me a public IP which is supposed to be managed by the router/modem they gave me (called BBOX). I bridged the BBOX (see my original post) and set up one of my EA6700 routers to manage everything, the openvpn server included. Everything works well but... If I stop the openvpn server and activate it on a 2nd flashed Linksys router, it doesn't work. I understand (without being a pro) I need to port forward 1194 in my main router to the private IP of my second Linksys router. I did it but the openvpn server is still unreachable. I'm asking myself if I'm doing something wrong or if there is a bug somewhere or even if what I want to do is not supported by my routers.

Public IP / CG-NAT...
I don't know anything about that. I just read some info on the net. It seems Proximus randomly sets some clients on a CG-NAT and gives the others a public IP. Not sure about that...

Please help...

In case you haven't noticed, this is the OpenWrt forum, so we usually help out with troubles regarding OpenWrt. If your problem is not OpenWrt-related, there are better places to ask.

Your OpenVPN server needs to be reachable by a public IP. Try accessing, for instance, whatismyip.com and compare the address to that of the router after your BBOX doing the port-forwarding. If you can't find this address there or in one of the boxes you can manage, then you most probably have CG-NAT. If your BBOX has this IP address but not your router, then the bridge isn't working as intended.
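
The comparison described in the reply above, written out as an added example (not code from the thread or from OpenWrt). The function names, verdict strings and sample addresses are assumptions made for illustration; the extra check for the RFC 6598 range 100.64.0.0/10, which is reserved for carrier-grade NAT, goes beyond what the post states.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges used on home LANs (192.168.50.x in this thread).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return 'cgnat', 'private' or 'public' for one IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_NET:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def diagnose(observed, router_wan, bbox_wan=None):
    """Compare the address an external service reports (observed) with the
    WAN addresses of the boxes you manage.

    observed   -- address shown by a "what is my IP" site
    router_wan -- WAN address of the router doing the port-forwarding
    bbox_wan   -- WAN address of the ISP modem, if you can read it
    """
    seen = ipaddress.ip_address(observed)
    if ipaddress.ip_address(router_wan) == seen:
        # The forwarding router owns the public IP: forwards can be reached.
        return "router-has-public-ip"
    if bbox_wan is not None and ipaddress.ip_address(bbox_wan) == seen:
        # The modem still holds the public IP, so it is routing, not bridging.
        return "bridge-not-working"
    # No box you manage holds the observed address.
    return "cgnat-likely"


if __name__ == "__main__":
    # Constructed samples; 203.0.113.0/24 is a documentation-only range.
    cases = [
        ("203.0.113.10", "203.0.113.10", None),
        ("203.0.113.10", "192.168.50.1", "203.0.113.10"),
        ("203.0.113.10", "100.72.3.4", None),
    ]
    for observed, router_wan, bbox_wan in cases:
        print(router_wan, classify(router_wan),
              diagnose(observed, router_wan, bbox_wan))
```
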