TP-LINK Archer MR200 v1 | OpenWrt FW | How to connect to remote VPN

Hi there,

Have a working 4G / LTE router TP-LINK Archer MR200 v1 running on OpenWrt FW.

Have a computer with Win10 connected to the router with access to internet through the router.

Have a remote NAS server running also a VPN server service which I can access from this computer via Win10 VPN client feature (using a PPTP VPN type). It works well when I use mobile phone hotspot feature or similar.

However when I try to connect to VPN server from behind this OpenWrt router, I am first requested to provide credentials (so the communication starts OK), but once I enter them, I get the following ...

Snip

I guess some port forwarding, masquerade or source NAT might be needed, but I am not sure what exactly I should configure and where in the options.

Thanks for support.

Probably some kind of CGNAT in the mobile network. What are the first two numbers of the "public" IP address on the router?

Just change PPTP to something modern and NAT friendly.
I guess it requires ALG to work behind NAT, that's why it doesn't work.


kmod-nf-nathelper-extra - 5.15.167-1 - Extra Netfilter (IPv4) Conntrack and NAT helpers
Includes:
- amanda
- h323
- irc
- mms
- pptp
- proto_gre
- sip
- snmp_basic
- tftp
- broadcast

Thanks.

I will try to install it and will test afterwards.
I'll then provide feedback.

I'd recommend not even trying to fix this... PPTP is not secure. It is trivially easy to crack.

Instead, use Wireguard which is modern and secure.

On the server side, I have these three options:

PPTP
OpenVPN
L2TP/IPSec

If PPTP is not secure enough, is any of the other 2 options better?

You can try L2TP with IPSec, it should be less complicated than OpenVPN, but if you have OpenWrt on the server side you can set up a Wireguard server on the router.

On the server side there is a different router / switch.
The NAS is sitting behind it and the VPN server is running on the NAS.

OpenWrt is the router on the client side, the client being a Win10 desktop sitting on the OpenWrt LAN.

Install ALG and let it be; firewall traversal has nothing to do with encrypted vs unencrypted VPN.

Of these choices, OpenVPN is the most robust to the client being behind one or more layers of NAT. You can also set up the server on TCP port 443 to get through less sophisticated firewalls that might be found at hotels, etc.

I agree with @mk24 that OpenVPN is the best of the options, and it is usually less complex than L2TP/IPSec to configure.

But, since it sounds like you're not setting up the server or client to run on OpenWrt, you'll need to consult the NAS's documentation for how to enable and configure the server and generate the client config + keys. On the PC side, you'll usually just import the configuration.

If you want to run a VPN server or client on OpenWrt, we can help you with that; otherwise OpenWrt really doesn't play a role in your issue.

So, I have enabled / configured the OpenVPN server on the NAS side. The server provided me with a VPNConfig.ovpn file, which was useful later.
I also created a dstnat rule for UDP / Port 1194 on the router firewall there to enable the OpenVPN client to reach the OpenVPN server.

Then I have installed OpenVPN client on my Win10 desktop from this source:

https://openvpn.net/client/client-connect-vpn-for-windows/

I have imported the VPNConfig.ovpn file to create connection profile.
Then I have attempted to connect for the first time and the result was ...

SUCCESS ... It works.

So as you guys predicted, OpenVPN works without any issues for OpenVPN client connecting to internet through this TP-LINK 4G router running on OpenWrt firmware.

Thank you all for your valuable support.

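Added example, not part of the thread or any poster's code: a small check of an exported OpenVPN client profile that lists which protocol/port pairs it will dial, so they can be compared with the dstnat rule on the server-side router, and flags a profile that does not verify the server certificate's role or name. The sample profile, the host vpn.example.net and the function names are constructed for illustration.

```python
# Constructed sample profile (not the NAS's real VPNConfig.ovpn); host is a placeholder.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1194
remote vpn.example.net 443 tcp
auth-user-pass
<ca>
(constructed placeholder, no real certificate data)
</ca>
"""

def parse_profile(text):
    """Return (endpoints, directives); endpoints are (host, port, proto) tuples."""
    directives, remotes, inline = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                       # inside an inline block such as <ca>...</ca>
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            directives[inline] = []
            continue
        words = line.split()
        if words[0] == "remote" and len(words) > 1:
            remotes.append(words[1:])
        else:
            directives[words[0]] = words[1:]
    # "remote host [port] [proto]" falls back to the port/proto directives, then 1194/udp.
    d_port = (directives.get("rport") or directives.get("port") or ["1194"])[0]
    d_proto = (directives.get("proto") or ["udp"])[0]
    endpoints = []
    for r in remotes:
        proto = r[2] if len(r) > 2 else d_proto
        port = int(r[1]) if len(r) > 1 else int(d_port)
        endpoints.append((r[0], port, "tcp" if proto.startswith("tcp") else "udp"))
    return endpoints, directives

def review(text, forwarded):
    """forwarded: set of (proto, port) pairs the server-side router forwards to the NAS."""
    endpoints, d = parse_profile(text)
    findings = [f"no port forward for {h} {pr}/{p}" for h, p, pr in endpoints
                if (pr, p) not in forwarded]
    if "remote-cert-tls" not in d and "verify-x509-name" not in d:
        findings.append("profile does not check the server certificate's role or name")
    return findings
```

Calling review(SAMPLE_OVPN, {("udp", 1194)}) reports the TCP/443 fallback that has no matching forward and the missing server-certificate check.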
