VPN config for DVR port forwarding


I set up an OpenVpn Server on DigitalOcean as per https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04

(NB: the Vpn didn't work, so I used the script linked in the first comment instead)

Then I set up an OpenVpn Client on my router as per

I verified my client public IP-Address has changed.
The router is using my VpnServer Ip so the tunnel seems to work.

But still cannot connect to my DVR to check security cams.
It is not clear to me how the whole stuff should work.

When I'm in my LAN I just point to the dvr ip:port
I thought connecting the router and my mobile phone to the same VPN could make the devices think to be in the same LAN

Am I missing something?


In addition it may require SNAT rule on OpenWrt if you can't change DVR firewall settings to permit access outside of LAN or set up proper routing on it.


You can also post here the configurations as well as the IPs that the phone and the router get from vpnserver. Also check with traceroute if you can access the camera from the phone and where it stops.


Thanks for quick response!
But I didn't understand what to do.

In the Site-to-Site configuration example there are

  • - server-LAN
  • - client-LAN
  • - VPN-network
  • - VPN-client

where are those coming from?

let my openwrt router be
and DVR at be
my server is on a DigitalOcean droplet with a private ip (let it be
what are VPN-network and client LAN?

on that link seems that both VPN server and client are on the same machine with openwrt
but on my router with openwrt there is only the openvpn client installed

please help me understand


In your case there is no server-LAN.
VPN network is the private subnet used in the tunnel. Server at DO can have .1 and your Openwrt router the .2 address.
Client LAN is the network on the LAN interface of the Openwrt router.

If you mean this one:

Enable CCD on VPN-server, add client-LAN route, push server-LAN route.

it means that on server side you can configure each client individually which routes will the server accept and which will it push.


cool! I did it!
now adding the SNAT rule I can use the IP of the VPN tunnel instead of the one of the DVT on my LAN to access it

one more question: how can I limit the tunnel to the service I want to access?
I don't want to use the VPN for my normal internet traffic, is it related to "Disable gateway redirect"?


Yes, if you don't push the default gateway to the clients, normal internet traffic will flow through your ISP.


Better avoid creating unnecessary NAT-rules if your routing allows it.

Yep, that's it: