Site-to-Site OpenVPN w GL-iNet box

Hello friends
please excuse a dumb question from a newbie.

I was asked to connect some home office notebooks to a small company VPN (Sophos UTM firewall) with a GL-iNet MT300N-v2 box that's supposed to be installed at the home office.

I'm trying to get the following setup:

  • Company network 10.1.0.0/24
  • Notebooks get IP 10.1.1.1 when in the office, assigned per MAC by the local DHCP server
  • OpenWRT box gets installed at home, auto-connects OpenVPN
  • Notebook connects to box (either LAN or WiFi)
  • Notebook gets fixed IP in 10.1.x.x range
  • Notebook can reach devices in company network 10.x.x.x at office
  • Notebook is reachable from company network for administration

What i did so far:
Set up OpenWRT box with 10.1.10.10 as LAN IP, connected notebook to second LAN port on box, on GL-iNet user interface assigned 10.1.11.1 to notebook's MAC. Enabled LuCI on box, installed OpenVPN with LuCI, uploaded VPN config, verified that it can connect to Sophos UTM firewall. As per pool network configuration there it gets 10.1.9.2.

But I cannot access any host at company's net 10.1.x.x and cannot ping notebook at 10.1.9.2 from company network.

I suppose there's a misconception somewhere, but as said, I'm pretty new to this so any hint is very much appreciated.

P.S. It would be fine if the notebook gets the same IP at home that it gets at office, but as long as it's reachable from office that's not a requirement.

tia!

That is not right, 10.1.0.0/24 means 10.1.0.0-255, so 10.1.1.1 is outside.

To have a better understanding we'd need to see some configurations:

Use ssh to connect to the device.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; \
uci export openvpn; head -n -0 /etc/openvpn/*.ovpn ; head -n -0 /etc/openvpn/*.conf 

That is not right, 10.1.0.0/24 means 10.1.0.0-255, so 10.1.1.1 is outside.
Sorry, typo. It's /16.

Before digging into details:
I suspect I have general misconception here, as both the OpenWRT box and the remote company are in the same network segment with OpenWRT being the default gateway for the home office notebook and the company's gateway is within the same network range. Am I misled here?

Thanks for your help!

That's right, you can't have overlapping networks.


I understand.

What would be a working setup to have the openwrt box to connect to the company vpn router, let one or more notebooks at home connect to openwrt box to access company network and also make the notebook reachable from the company network in reverse? I suppose this is a somewhat common situation. Any hints?

Thanks again!

You need separate networks for sure, e.g 10.2.0.0/24 at home.
Then setup the vpn tunnel and enable site to site.


So notebook A at home gets 10.2.0.1, notebook B gets 10.2.0.2, both have the default gateway set to the OpenWrt box, which in turn routes 10.1.x.x traffic to the company's network after establishing the VPN tunnel, right?
How would an admin from within the company's network 10.1.x.x access the notebooks?

That's right.

If you follow the instructions above, the OpenVPN server will know how to find the 10.2.0.0/24 network. Then it depends on the company's infrastructure on how it can be propagated to all their routers.

Yes I read that, but since the company's router is a commercial appliance I cannot use the server side commands and it wouldn't know the network configuration of the OpenWRT box obviously. Is it correct to assume that the OpenVPN client cannot "announce" a required route or similar option?
So I probably need to investigate the respective appliance options.

Thank you for the insights!

Maybe not the same exact commands, but it should be able to accomplish the same function.

Not really, the server needs to know the subnets behind each client and the server can push routes to the clients.
Regardless, you can always port forward on the OpenWrt VPN IP, like you'd do on the internet wan IP.

Typically the server would hold the .1 IP in the tunnel and as clients connect it assigns them .2 .3 etc and if there is a client config directory it installs routes to their LANs.

If the endpoint is a "road warrior" i.e. a single laptop or phone running OpenVPN directly on the laptop or phone, it doesn't strictly need client config though that can be used to give it a known 10.2.0.X IP for office->client originated connections.

If the client is a router it has its own LAN which must be a third subnet range, outside the tunnel and the office LAN. Routing proceeds using the client's tunnel IP as the gateway to the client's LAN. This is handled by OpenVPN with the client config directory.
In other words, if someone in the office 10.1.X.X wants to send to a printer on the client LAN 10.3.X.X, it will route out of the office main router tunnel (10.2.0.1) through the client's tunnel IP 10.2.0.3.

It is more typical to use /24's for most of this instead of /16. Though you could set aside a whole /16 for the office LAN(s) to subdivide into /24s for different departments or buildings.
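The three-subnet layout described in the replies above (office LAN, tunnel, home LAN, none overlapping) and the server-side client-config-dir directives that go with it, as an added example that is not code from the thread. The subnets, the client name "home-router" and the fixed tunnel IP are constructed to match the numbers used in the discussion; the directives are standard OpenVPN server options, which the Sophos appliance may expose under different names.

```python
"""Check a site-to-site plan for overlapping subnets and render the OpenVPN
server-side directives that make a router client's LAN reachable from the office.
All subnet values are constructed for this example."""
from ipaddress import ip_address, ip_network
from itertools import combinations


def overlapping_pairs(subnets):
    """Return (name, name) pairs whose CIDR blocks overlap.  Any overlap
    between office LAN, tunnel and home LAN breaks routing (the thread's
    original 10.1.10.0/24 home LAN sat inside the 10.1.0.0/16 office LAN)."""
    nets = {name: ip_network(cidr, strict=False) for name, cidr in subnets.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def in_subnet(ip, cidr):
    """True if the host address lies inside the CIDR block (10.1.1.1 is
    inside 10.1.0.0/16 but outside 10.1.0.0/24)."""
    return ip_address(ip) in ip_network(cidr, strict=False)


def server_directives(client_cn, client_lan, office_lan, tunnel, tunnel_ip=None):
    """Return (server.conf lines, ccd/<client_cn> lines).
    'route' installs the kernel route on the server; 'iroute' in the per-client
    ccd file tells OpenVPN which connected client owns that LAN; 'ifconfig-push'
    pins the client's tunnel IP so office-originated connections find it."""
    lan = ip_network(client_lan, strict=False)
    office = ip_network(office_lan, strict=False)
    tun = ip_network(tunnel, strict=False)
    if overlapping_pairs({"office": office_lan, "tunnel": tunnel, "lan": client_lan}):
        raise ValueError("office LAN, tunnel and client LAN must not overlap")
    server_conf = [
        f"server {tun.network_address} {tun.netmask}",
        "topology subnet",
        "client-config-dir ccd",
        f"route {lan.network_address} {lan.netmask}",
        f'push "route {office.network_address} {office.netmask}"',
    ]
    ccd = [f"iroute {lan.network_address} {lan.netmask}"]
    if tunnel_ip is not None:
        if not in_subnet(tunnel_ip, tunnel):
            raise ValueError(f"{tunnel_ip} is not inside the tunnel {tunnel}")
        ccd.append(f"ifconfig-push {tunnel_ip} {tun.netmask}")
    return server_conf, ccd


if __name__ == "__main__":
    conf, ccd = server_directives("home-router", "10.3.0.0/24", "10.1.0.0/16", "10.2.0.0/24", "10.2.0.3")
    print("\n".join(conf), "\n--- ccd/home-router ---\n" + "\n".join(ccd))
```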

That might help, nice idea.

Currently a notebook connects to the OpenVPN on the company's firewall from home with Windows' built-in VPN stuff and gets assigned a dedicated IP inside the company's LAN 10.1.x.x. Apart from the terrible Windows VPN implementation it works so far. But as soon as one person tries to connect more than 1 device it obviously fails. A proper router at home sounded like a way better solution. Love to see OpenWRT on the company's firewall but that is not going to happen anytime soon.

Thanks everyone for the suggestions, I will investigate further into a site-to-site setup and correct routing.

That would happen with a layer 2 VPN (TAP mode). It is basically an Ethernet bridge. This sounds like a simple workable idea, but it really is not a good practice. The major problem is that all broadcast packets going around the company LAN will also be broadcast into the limited bandwidth of the VPN tunnel.

Continuing with that though, if Windows works properly you could set up a connection sharing with bridge mode on the VPN interface and connect additional devices to the laptop Ethernet port.

I wish nowadays laptops would even have Ethernet ports...

Windows uses L2TP iirc. And yes, all traffic goes through the VPN once connected, but that's acceptable or even required for security reasons.

OpenWrt supports L2TP as well.
The problem is convincing your company administrators to allow such a thing. Any sane admin would not let any device connect to the corporate network, let alone setting up a S2S with the home of an employee.

Just used by now as Windows built-in options are limited. OpenVPN is preferred.

Heard rumours there's a thing called home office.

A company's notebook connected to an at-home OpenWRT box set up by the company's admin is probably way more secure than an employee sitting in the cafe next door connecting to company's wifi from there.

Technically speaking homeoffice is the room in your house used as an office. Other than that, to perform teleworking, the employer is supposed to provide you the equipment needed to connect from home, which usually is company owned and managed.

Maybe I misunderstood something here. Are you the admin of the company?
Apart from that, does the, provided from the company, OpenWrt router limit the access to company resources only to company owned equipment, or you can connect with your personal computer as well, since it is connected on the OpenWrt? That would be a security violation in my company. Maybe in other companies with loose security policies it is still fine, till the next incident that will cost them money/reputation.
I am not sure what you mean with the

but sure sounds like whataboutism.

Which is what the initial question was about: how to set up an OpenWRT box to be used as the access device at the home office^w teleworking place at the employee's home. Never mentioned anything about employees having to set up their own VPN.

Well, in case it really helps with the initial question I could elaborate further on the organisational structure of the project, but to keep things on track: certainly the OpenWRT box is going to be provided by the company once a working solution has been found which I could present to the admin in charge. And yes, finally it will be locked down to only allow company owned devices in step 2. The idea is: prepare a box plus notebook plus PC etc. for a particular employee, hand it out, let her plug it in to her existing private internet uplink router and have her up and running. Spared you any further steps to be done after the initial question to keep the question as straight as possible.

Thank you for insisting on maximum security and employer's obligations. I'm certainly in tune with you here. Often enough these things get ignored. In this case this has been considered. VPN connections for road warriors (sorry for probably using a wrong term again) have been established long ago in the particular company, and yes, after discussing security issues beforehand. We are just trying to simplify things with an OpenWrt box, and possibly enhance security as well.

OpenWrt does have support for L2TP, but it is more complicated than OpenVPN. Migrating to OpenVPN at layer 3 makes sense especially since (outside the scope of this forum) it looks like UTM can prepare .ovpn files to assist with client configuration. The first step would be to set up the server on the company firewall box.

If you're testing the client at the company facility it probably won't work to connect it to the company LAN, it needs an independent Internet connection (such as a smartphone) to connect from the WAN side as would occur in actual use.