VPN client with customer Access

Hi guys, I have a custom home setup that I would like to work to be able to access my computer/server VMs thru openvpn. The not helping part is that my carrier uses CGNAT, so that is why I actually decided to do this in the first place. The openvpn client on the LEDE is causing me some issues that I think are related to routing, but before that I would like you to take a look and advise if you think what I am trying to achieve is doable. I am using an EC2 AWS machine as the openvpn server.

It's almost the same, just use routed mode.
Push OpenWrt client-LAN route with increased metric for all VPN-clients.

This is very possible, but consider if using wireguard is possible, it's substantially easier and faster


Thanks @vgaetera. I will review this config and advise. Currently with my config, I have the tunnel up but I cannot ping the server (gateway), while from another vpn client I can ping the gateway fine. I think I have to focus again on using the details iroute/route/push route. I will check and post any problem later this evening. Thanks

Reading good stuff about wireguard. Any docos for server config Ubuntu Linux, client on led

Did you open the firewall?


Just follow the same manual for both.

```
opkg update
opkg install kmod-udptunnel4 kmod-udptunnel6 kmod-wireguard wireguard-tools wireguard luci-proto-wireguard luci-app-wireguard
```

Thanks, I will try it out. But since I started with openvpn, I thought I'd see where it goes. I can ping client to client, but I cannot ping subnets behind the openvpn client "", below is my config:
that's under server:
```
root@ip-172-31-31-96:/etc/openvpn/ccd# cat openwrt
```



relevant part from the server.conf is:
```
client-config-dir ccd
client-config-dir ccd
```

I am confused as I cannot see a route for on the Linux machine, haven't added that. Is that the problem?

```
default via dev eth0 proto dhcp src metric 100
via dev tun0
dev tun0 proto kernel scope link src
via dev tun0
dev eth0 proto kernel scope link src
dev eth0 proto dhcp scope link src metric 100
```

Use network mask instead of peer address.

Utilize topology subnet on VPN-server.

Remove duplicates.
Specify full path to CCD-directory.

Make sure your client certificate CN is openwrt.

It's confusing. I can ping from ( machine after openwrt client) to ( another openvpn client)
but I cannot ping from the to

server.conf:

```
client-config-dir /etc/openvpn/ccd
topology subnet
```

for LEDE:

```
root@LEDE:/etc/openvpn# ls -l
-rw-------    1 root     root          5023 Mar  6 12:01 openwrt.conf
```

for ccd directory:

```
ubuntu@ip-172-31-31-96:/etc/openvpn/ccd$ cat openwrt
```


I added the last route to the Linux machine but no luck too:

```
ubuntu@ip-172-31-31-96:/etc/openvpn/ccd$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UG    100    0        0 eth0
                                                U     0      0        0 tun0
                                                UG    0      0        0 tun0
                                                U     0      0        0 eth0
                                                UH    100    0        0 eth0
                                                UG    0      0        0 tun0
```

Looks like a firewall issue. Can you verify that flows are open for the return traffic and that no NAT is applied?

Also make sure you have done this:

So I should create another ccd file for the other client? Can you please give an example?
Shouldn't "


in the server.conf do the needful?

```
cat << EOF >> /etc/openvpn/vpnserver.conf
push "route 2048"
EOF
```

Or ensure that other VPN-clients use redirect-gateway def1.

the route is already in the server.conf

If VPN-clients don't use redirect-gateway def1, they don't know about that route.

Can I push it with a ccd file, because I don't want all the traffic to go thru the tunnel? But it's confusing: if the client doesn't know the route, then I wouldn't be able to ping from to ( the other openvpn client), but I cannot do the opposite.

The symptom is firewall as you said, but the return traffic is opened and no NAT applied. I can ping from the LAN behind the client to the other client. But I cannot ping from the client to the LAN behind the openwrt client.

You can also add the route to VPN-client profile.

Anyway, use traceroute/tracepath and tcpdump for troubleshooting.

You can post here the firewall configurations for both openwrt and ubuntu to check if you have missed something.

I am not sure why it was not pushed by the server to the other host. Looks like I need ccd for the other client too. I edited the ovpn file and added " route" and the route solved the issue.

Thanks a lot for all the support.
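
Added example, not part of the thread or any poster's code: a small consistency check for the three directives the discussion revolves around (`iroute` in the ccd file, `route` in the server config, and `push "route ..."` so other clients learn the LAN). The sample configs and all addresses are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample configs; every address is a placeholder, not a value from the thread.
SERVER_CONF = """\
topology subnet
client-config-dir /etc/openvpn/ccd
route 192.168.50.0 255.255.255.0   # kernel route: LAN behind the router -> tun
"""
CCD = {"openwrt": "iroute 192.168.50.0 255.255.255.0\n"}  # file name = certificate CN


def directives(text):
    """Yield token lists per directive, dropping comments and the quotes around push args."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            yield line.replace('"', " ").split()


def networks(text, *prefix):
    """Collect the networks named by directives that start with the given tokens."""
    found = set()
    for tok in directives(text):
        args = tok[len(prefix):]
        if tuple(tok[:len(prefix)]) == prefix and args:
            mask = args[1] if len(args) > 1 else "255.255.255.255"  # OpenVPN default
            found.add(ipaddress.ip_network(f"{args[0]}/{mask}"))
    return found


def check(server_conf, ccd):
    """Report, per ccd file, each iroute LAN that lacks a server route or a push."""
    kernel = networks(server_conf, "route")
    pushed = networks(server_conf, "push", "route")
    problems = []
    for client, text in sorted(ccd.items()):
        for net in sorted(networks(text, "iroute")):
            if net not in kernel:
                problems.append(f"{client}: {net} has iroute but no server 'route'")
            if net not in pushed:
                problems.append(f"{client}: {net} not pushed; other clients need "
                                "their own route or redirect-gateway def1")
    return problems


if __name__ == "__main__":
    print("\n".join(check(SERVER_CONF, CCD)) or "routing directives are consistent")
```

With the constructed sample it reports the missing push, which matches the symptom in the thread: the LAN behind the router can reach the other client, but that client has no route back to the LAN.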