[Solved] OpenVPN server not reachable from WAN on TP-Link Archer MR200 v1

Hello everyone,

I am using OpenWrt 22.03.5 on a TP-Link Archer MR200 version 1 hardware.
The targets are:

  1. Connect to OpenVPN server of an ASUS DSL-AC88U (accomplished OK).
  2. Create OpenVPN server on TP-Link Archer MR200 (NOK so far).

Images for below description:

I followed these instructions
[OpenWrt Wiki] OpenVPN server
and created 5 users with tls-crypt-v2 and one user with tls-crypt (v1) for use in the ASUS router client.
Additionally, I created the openVPNserver interface and the relevant firewall zone vpn_server to accept wan.

The problem is that there is no connection from WAN area and the result is the repetition of the DISCONNECTED event, exactly the same from whatever device/WAN I tried it.
The server's IPV4 address resolves OK (using ddns).

The IPV4 routing table seems to be OK (see image).

The directions for this android modem from [OpenWrt Wiki] TP-Link Archer MR200 v1 do mention:
"If you need to connect to your router through wan or to do wan port forwarding, instead of relying on the LTE modem's internal DHCP server, the router's usb0 IP address must be manually set to 192.168.225.100 (and of course with the default gateway and possibly DNS address of 192.168.225.1)."
When I use static IP address for the usb0 interface by filling everything needed (see above image), then, surprisingly, I do not have DNS working and cannot resolve any address, even if I fill the relevant field with 8.8.8.8, thus no browsing possible.

Any ideas on how to resolve the above issues and make the OpenVPN server working?
Many thanks in advance for your help.

Are you certain that you are getting a public IP address on the wan of the new router with the LTE modem? Most mobile ISPs do not provide a public IP and rather use NAT/CG-NAT for their subscribers.

Further, if you are using an RFC1918 address (such as 192.168.255.100) to connect to the usb modem, you are already NAT'd and you must set up port forwarding in the modem.

Hello psherman,

Thank you for replying.
If you notice the third image, the IPV4 address is external (149.210.xxx.xxx) and I am not behind a NAT/CG-NAT.
The ISP supports external IPV4 address via given APN and all ports can be used.
I have used this APN with other devices from MIKROTIK and everything is working perfectly.

Regarding the usb modem, it is using android OS (NAT in place) and the directions are to use the IP 192.168.225.100 (see above).

I am wondering what I may do wrong...

Not necessarily. That may be the apparent IP address if the carrier is using CG-NAT. The ddns client will still resolve a public IP even if you don’t have a true public IP on your router. (Eventually it must emerge through a public IP, but that may be shared with other customers).

What does OpenWrt say about your upstream IP address?

You have no public addresses or routes associated with OpenWrt currently, so you probably need to look at the configuration of your USB modem to see if you can 1) figure out what IP address it has on the upstream/wan, and 2) find out if you can set port forwarding to your OpenWrt device.

I have checked using

  1. Current IP Check (dyndns.com)
  2. The modem's UI

    All addresses do match and are external public IP range.

For usb0 interface the WAN is IPv4: 192.168.225.177/24
that is for sure behind the NAT of the android OS and that's the problem I need to overcome.
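
The check being discussed here (is the address on the router's WAN interface itself public, or does it sit behind the modem's or the carrier's NAT?) can be scripted. This is an added example, not part of the original posts; the function names are hypothetical and 203.0.113.10 is a documentation address standing in for the public IP.

```shell
#!/bin/sh
# Added example: classify the address on the router's WAN interface to see
# whether inbound traffic can reach it without help from an upstream device.

ipv4_scope() {
    addr=${1%%/*}                       # drop a prefix length such as /24
    old_ifs=$IFS; IFS=.; set -f
    set -- $addr                        # split the dotted quad into $1..$4
    set +f; IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        case $o in ''|*[!0-9]*|????*) echo invalid; return 1 ;; esac
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    if [ "$1" -eq 10 ] || { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; } ||
       { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; }; then
        echo rfc1918                    # 10/8, 172.16/12, 192.168/16
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
        echo cgnat                      # RFC 6598 shared space 100.64.0.0/10
    elif [ "$1" -eq 127 ] || { [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; }; then
        echo special                    # loopback / link-local
    else
        echo public
    fi
}

wan_exposure() {
    # $1 = address on the router's WAN interface
    # $2 = address reported by an external "what is my IP" check
    scope=$(ipv4_scope "$1") || { echo invalid; return 1; }
    case $scope in
        public)  [ "${1%%/*}" = "$2" ] && echo direct || echo mismatch ;;
        cgnat)   echo carrier-nat ;;    # no inbound without the carrier's help
        rfc1918) echo upstream-nat ;;   # modem must forward or DMZ to the router
        *)       echo unroutable ;;
    esac
}

# Constructed sample: 192.168.225.177/24 is the usb0 address quoted in the
# thread; 203.0.113.10 is a placeholder for the externally visible address.
wan_exposure 192.168.225.177/24 203.0.113.10
```

A result of `upstream-nat` means the external address matching the modem's UI is not enough: the modem still has to forward or DMZ inbound traffic to the router's address.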

Cool... that is promising. Do the IPs match?

Is there a port forwarding option in the modem? Or a bridge mode?

Both IP match.
No port forwarding, nor bridge mode :frowning:

Without port forwarding, there is no way to send the incoming connections on the LTE wan to the OpenWrt's wan.

Sure, because the forwarding should be done from the modem's incoming traffic.
I was wondering if someone else succeeded using IP 192.168.225.100 for the usb0 interface...

This only works if the modem performs port forwarding/DMZ to this IP address.

The weird thing here is that the DHCP server's IPV4 address start is by default the 192.168.225.100, which is somehow unusual to be used for port forwarding or DMZ and this makes me wonder.

It is almost certainly not doing any DMZ or port forwarding, unless it specifically says it is doing that.

But, given that the DHCP server starts at 100, I would not use 100 for your router's WAN (unless there will never be another client to this device), since there is a risk of an address conflict if you use a static IP address that is within the DHCP pool.

There is no other client, the only one is the usb0 interface, thus no risk for IP conflict.
The problem is that if I do not use the modem's DHCP server and make use of the static IP, the whole incoming/outgoing traffic through this interface (usb0 is the LTE modem with android OS) is being jeopardized.
In the next days I will make some more trials on the static IP...

I finally came to the solution after some further checks with Wireshark.
I post it here for anyone else who runs into the same issue.

Changes over initial settings posted before for static IPV4 192.168.225.100:

  1. wan IPV4 interface -> Advanced Settings tab: Force link ticked (enabled).
    To note here that carrier sense events do not invoke any hot plug handlers after enabling it.
    For my case this was not crucial.

  2. wan IPV4 interface -> Advanced Settings tab: Use custom DNS servers
    I added the DNS servers with the following series:
    1.1.1.1
    8.8.8.8
    1.0.0.1
    8.8.4.4

  3. Save settings and Restart the wan interface.

  4. Restart the OpenVPN daemon via CLI.

It works !!! :smiley:

P.S.
Many thanks to psherman for his immediate efforts to narrow down the issue and provide me support.
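
For readers working over SSH rather than LuCI, the changes listed in the post above map onto UCI as follows. This is an added example, not the poster's own commands; it assumes the logical interface section is named `wan` and that the netmask is 255.255.255.0 (the /24 shown earlier for usb0). Addresses and DNS order are the ones given in the thread.

```shell
#!/bin/sh
# Added example: emit the UCI equivalent of the LuCI changes from the post.
# Assumption: the interface section is called "wan" and its device is usb0.

wan_static_uci() {
    # $1 = UCI interface section, $2 = device, $3 = static address, $4 = gateway
    iface=$1 dev=$2 addr=$3 gw=$4
    echo "set network.$iface.device='$dev'"
    echo "set network.$iface.proto='static'"
    echo "set network.$iface.ipaddr='$addr'"
    echo "set network.$iface.netmask='255.255.255.0'"
    echo "set network.$iface.gateway='$gw'"
    # "Force link": keep the interface configured regardless of carrier state
    echo "set network.$iface.force_link='1'"
    # "Use custom DNS servers", in the order listed in the post
    for d in 1.1.1.1 8.8.8.8 1.0.0.1 8.8.4.4; do
        echo "add_list network.$iface.dns='$d'"
    done
}

if command -v uci >/dev/null 2>&1; then
    # On the router: replace any existing DNS list, apply, then restart services
    uci -q delete network.wan.dns
    wan_static_uci wan usb0 192.168.225.100 192.168.225.1 | uci batch
    uci commit network
    ifup wan                        # restart the wan interface
    /etc/init.d/openvpn restart     # restart the OpenVPN daemon
else
    # Anywhere else: just show what would be applied
    wan_static_uci wan usb0 192.168.225.100 192.168.225.1
fi
```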

Glad you found a solution.

Does this still use 192.168.225.100 as the wan IP? Did you have to do anything to the modem to get the ports to forward?

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

Yes, the wan IP for OpenWrt is still 192.168.225.100 via the usb0 interface.

No, the traffic from wan is forwarded by default to IP 192.168.225.100.
