I verified my client public IP address has changed.
The router is using my VPN server IP, so the tunnel seems to work.
But I still cannot connect to my DVR to check the security cams.
It is not clear to me how the whole thing should work.
When I'm in my LAN I just point to the DVR IP:port.
I thought connecting the router and my mobile phone to the same VPN could make the devices think they are in the same LAN.
In addition, it may require an SNAT rule on OpenWrt if you can't change the DVR firewall settings to permit access from outside of the LAN or set up proper routing on it.
You can also post the configurations here, as well as the IPs that the phone and the router get from the VPN server. Also check with traceroute whether you can access the camera from the phone and where it stops.
Thanks for the quick response!
But I didn't understand what to do.
In the Site-to-Site configuration example there are:
192.168.1.0/24 - server-LAN
192.168.2.0/24 - client-LAN
192.168.8.0/24 - VPN-network
192.168.8.2/24 - VPN-client
Where are those coming from?
Let my OpenWrt router be 192.160.2.1
and the DVR be at 192.160.2.2:1234.
My server is on a DigitalOcean droplet with a private IP (let it be 138.45.64.119).
What are VPN-network and client-LAN?
On that link it seems that both the VPN server and client are on the same machine with OpenWrt,
but on my router with OpenWrt only the OpenVPN client is installed.
In your case there is no server-LAN.
The VPN network is the private subnet used in the tunnel. The server at DO can have .1 and your OpenWrt router the .2 address.
The client LAN is the network on the LAN interface of the OpenWrt router.
If you mean this one:
Enable CCD on VPN-server, add client-LAN route, push server-LAN route.
It means that on the server side you can configure, for each client individually, which routes the server will accept and which it will push.
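As an added illustration of the CCD arrangement described in this reply (example code written for this thread, not from the forum post or from the OpenWrt/OpenVPN projects): a small Python check that reads a server.conf and its ccd files and reports whether the three pieces the site-to-site setup depends on are present together. The config text is constructed here, the ccd file name openwrt-router is a hypothetical certificate common name, and the subnets follow the example quoted above (server-LAN 192.168.1.0/24, client-LAN 192.168.2.0/24, VPN network 192.168.8.0/24).

```python
import ipaddress
import re

# Constructed sample server.conf for the VPN server (the DigitalOcean host).
# 'route' tells the server kernel that client-LAN sits behind tun0,
# 'push "route ..."' hands the server-LAN route to every connecting client,
# and client-config-dir enables the per-client ccd files.
SERVER_CONF = """\
server 192.168.8.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
"""

# Constructed sample ccd file, keyed by the client's certificate common name
# (hypothetical name). 'iroute' tells OpenVPN itself which connected client
# owns client-LAN; the kernel 'route' alone only gets packets as far as tun0,
# OpenVPN still has to know which client to deliver them to.
CCD_FILES = {
    "openwrt-router": (
        "iroute 192.168.2.0 255.255.255.0\n"
        "ifconfig-push 192.168.8.2 255.255.255.0\n"
    ),
}

ROUTE_RE = re.compile(r"^\s*route\s+(\S+)\s+(\S+)", re.M)
IROUTE_RE = re.compile(r"^\s*iroute\s+(\S+)\s+(\S+)", re.M)
PUSH_ROUTE_RE = re.compile(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"', re.M)


def nets(regex, text):
    """Networks named by every match of `regex` (address + dotted netmask)."""
    return {ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for ip, mask in regex.findall(text)}


def check_site_to_site(server_conf, ccd_files):
    """Return a list of problems; an empty list means the pieces line up."""
    problems = []
    if not re.search(r"^\s*client-config-dir\s+\S+", server_conf, re.M):
        problems.append("server.conf: client-config-dir missing, ccd files are ignored")
    kernel_routes = nets(ROUTE_RE, server_conf)
    for cn, text in ccd_files.items():
        for net in nets(IROUTE_RE, text):
            if net not in kernel_routes:
                problems.append(f"ccd/{cn}: iroute {net} has no matching route in server.conf")
    if not nets(PUSH_ROUTE_RE, server_conf):
        problems.append('server.conf: no push "route ..." so clients learn no server-LAN route')
    return problems


if __name__ == "__main__":
    for p in check_site_to_site(SERVER_CONF, CCD_FILES) or ["configuration consistent"]:
        print(p)
```

The check is deliberately narrow: it only pairs each iroute with a kernel route and confirms a pushed route exists, because those are the two directives that are easiest to forget when a client LAN is added later.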
Cool! I did it!
Now, adding the SNAT rule, I can use the IP of the VPN tunnel instead of the one of the DVR on my LAN to access it.
One more question: how can I limit the tunnel to the service I want to access?
I don't want to use the VPN for my normal internet traffic; is it related to "Disable gateway redirect"?
I'm having issues again with this configuration.
I did a reset on the OpenWrt router and started from scratch.
I also needed to set up a new DO server with Ubuntu 18 because with the previous server with Ubuntu 16 there was no handshake with the OpenWrt client.
Now the VPN connection works on the phone and on the OpenWrt router.
If my phone is on the OpenWrt router LAN I can see my DVR.
But if I use the VPN connection on the phone (10.8.0.2), the result is no server responding at the address of the VPN (10.8.0.3 is the IP address of the OpenVPN client).
How can I debug such a situation?
Is it something missing in the Site-to-site configuration?
client
proto udp
remote 157.220.132.11 1194
#dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_loSaYzbBAqE68lX5 name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
#setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-crypt>
</tls-crypt>
#user nobody
#group nogroup
#dev
user nobody
group nogroup
dev tun0
#pull-filter ignore redirect-gateway
Output of ip route show on the client:
default via 192.168.1.254 dev eth0.2 src 192.168.1.198
10.8.0.0/24 dev tun0 scope link src 10.8.0.3
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.1.0/24 dev eth0.2 scope link src 192.168.1.198
Output of ip route show on the server:
default via 157.220.112.1 dev eth0 proto static
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.19.0.0/16 dev eth0 proto kernel scope link src 10.19.0.6
157.220.112.0/20 dev eth0 proto kernel scope link src 157.220.132.11
192.168.1.0/24 via 10.8.0.3 dev tun0
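For the "how can I debug such a situation" question above, here is an added example (written for this thread, not code from the post or from OpenWrt) that parses the two ip route show listings as posted and applies two checks a practitioner would do by eye: whether the server actually has a tunnel route for the client LAN and which next hop it uses, and whether the same prefix appears on more than one interface of a host. The sample input is the route output copied from the post; the script does not touch the live routing table.

```python
import ipaddress
import re
from collections import defaultdict

# Route output exactly as posted above for the OpenWrt client.
CLIENT_ROUTES = """\
default via 192.168.1.254 dev eth0.2 src 192.168.1.198
10.8.0.0/24 dev tun0 scope link src 10.8.0.3
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.1.0/24 dev eth0.2 scope link src 192.168.1.198
"""

# Route output exactly as posted above for the VPN server.
SERVER_ROUTES = """\
default via 157.220.112.1 dev eth0 proto static
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.19.0.0/16 dev eth0 proto kernel scope link src 10.19.0.6
157.220.112.0/20 dev eth0 proto kernel scope link src 157.220.132.11
192.168.1.0/24 via 10.8.0.3 dev tun0
"""

# destination, optional "via <gateway>", then "dev <interface>"; the rest of
# the line (proto/scope/src) is not needed for these checks.
LINE_RE = re.compile(r"^(?P<dst>default|\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Turn `ip route show` lines into dicts with dst (ip_network), via, dev."""
    routes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
        routes.append({"dst": ipaddress.ip_network(dst, strict=False),
                       "via": m["via"], "dev": m["dev"]})
    return routes


def duplicate_prefixes(routes):
    """Prefixes reachable on more than one interface of the same host.

    The same subnet on a router's LAN and its upstream (WAN) side makes every
    route to that subnet ambiguous, so it is worth ruling out before looking
    at the VPN itself.
    """
    by_dst = defaultdict(set)
    for r in routes:
        by_dst[r["dst"]].add(r["dev"])
    return {str(dst): sorted(devs) for dst, devs in by_dst.items() if len(devs) > 1}


def tunnel_route_for(routes, lan, tunnel_dev="tun0"):
    """The route that carries traffic for `lan` over the tunnel, or None."""
    net = ipaddress.ip_network(lan)
    for r in routes:
        if r["dev"] == tunnel_dev and r["dst"] == net:
            return r
    return None


if __name__ == "__main__":
    client = parse_routes(CLIENT_ROUTES)
    server = parse_routes(SERVER_ROUTES)
    print("client duplicate prefixes:", duplicate_prefixes(client))
    print("server duplicate prefixes:", duplicate_prefixes(server))
    print("server route to client LAN:", tunnel_route_for(server, "192.168.1.0/24"))
```

Run against the posted output, the server side looks as the site-to-site guide intends (192.168.1.0/24 via 10.8.0.3 over tun0), while the client side reports 192.168.1.0/24 on both br-lan and eth0.2, which is the first thing to untangle before chasing the VPN configuration further.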