VPN config for DVR port forwarding

I set up an OpenVPN server on DigitalOcean as per https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04

(NB: the VPN didn't work, so I used the script linked in the first comment instead)

Then I set up an OpenVPN client on my router as per
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client

I verified that my client's public IP address has changed.
The router is using my VPN server's IP, so the tunnel seems to work.

But I still cannot connect to my DVR to check the security cams.
It is not clear to me how the whole thing should work.

When I'm in my LAN, I just point to the DVR's ip:port.
I thought connecting the router and my mobile phone to the same VPN would make the devices think they are in the same LAN.

Am I missing something?

In addition, it may require an SNAT rule on OpenWrt if you can't change the DVR firewall settings to permit access from outside the LAN, or set up proper routing on it.


You can also post here the configurations as well as the IPs that the phone and the router get from the VPN server. Also check with traceroute if you can access the camera from the phone and where it stops.


Thanks for quick response!
But I didn't understand what to do.

In the Site-to-Site configuration example there are

  • 192.168.1.0/24 - server-LAN
  • 192.168.2.0/24 - client-LAN
  • 192.168.8.0/24 - VPN-network
  • 192.168.8.2/24 - VPN-client

Where are those coming from?

Let my OpenWrt router be 192.160.2.1
and the DVR at 192.160.2.2:1234.
My server is on a DigitalOcean droplet with a private IP (let it be 138.45.64.119).
What are VPN-network and client-LAN?

On that link it seems that both the VPN server and the client are on the same machine with OpenWrt,
but on my router with OpenWrt only the OpenVPN client is installed.

Please help me understand.

In your case there is no server-LAN.
VPN network is the private subnet used in the tunnel. The server at DO can have the .1 address and your OpenWrt router the .2 address.
Client LAN is the network on the LAN interface of the OpenWrt router.

If you mean this one:

Enable CCD on VPN-server, add client-LAN route, push server-LAN route.

it means that on the server side you can configure, for each client individually, which routes the server will accept and which it will push.


Cool! I did it!
Now, after adding the SNAT rule, I can use the IP of the VPN tunnel instead of the DVR's IP on my LAN to access it.

One more question: how can I limit the tunnel to the service I want to access?
I don't want to use the VPN for my normal internet traffic; is it related to "Disable gateway redirect"?

Yes, if you don't push the default gateway to the clients, normal internet traffic will flow through your ISP.


Better avoid creating unnecessary NAT rules if your routing allows it.

Yep, that's it:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#default_gateway


I'm having issues again with this configuration.
I did a reset on the OpenWrt router and started from scratch.
I also needed to set up a new DO server with Ubuntu 18, because with the previous server with Ubuntu 16 there was no handshake with the OpenWrt client.
Now the VPN connection works on the phone and on the OpenWrt router.

If my phone is on the OpenWrt router LAN, I can see my DVR.
But if I use the VPN connection on the phone (10.8.0.2), the result is no server responding at the VPN address (10.8.0.3 is the IP address of the OpenVPN client).

How can I debug such a situation?

Is it something missing in the Site-to-site configuration?

In /etc/openvpn/server.conf:

route 192.168.1.1 255.255.255.0 10.8.0.3
push "route 10.19.0.6 255.255.255.0"

where 10.19.0.6 is the internal address from the ip addr command.

I did not add the SNAT rule as suggested in the comment, also because I did not understand how to add it.

Please help! I've been dealing with this for too long!

Check on the server:

head -v -n -0 /etc/openvpn/ccd/*

This is the response; 10.8.0.3 is the IP of the client on the router and 192.168.1.1 is the router itself:

==> /etc/openvpn/ccd/client <==
ifconfig-push 10.8.0.3 255.255.255.0
iroute 192.168.1.1 255.255.255.0

This looks wrong; it should be 192.168.1.0 255.255.255.0


Shouldn't this IP be the one of the router? My router has IP 192.168.1.1.

It should be the client side LAN:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#site-to-site

Also fix this:

the client is on the router, the router LAN is 192.168.1.1, sounds correct

You can say

route 192.168.1.1 255.255.255.255 10.8.0.3

or

route 192.168.1.0 255.255.255.0 10.8.0.3

The first is only for one device, the second for the whole network.


This is a single host address, but you need to access the network behind it.


I changed the IP to the network address, both in server.conf and in /etc/openvpn/ccd/client (also on the server).

Still can't reach the DVR.

Dunno if it is related, but looking at the logs on the router I see:

Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: TUN/TAP device tun0 opened
Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: TUN/TAP TX queue length set to 100
Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: /sbin/ifconfig tun0 10.8.0.3 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: /sbin/route add -net 157.220.132.11 netmask 255.255.255.0 gw 10.8.0.1
Wed Sep 18 12:54:28 2019 daemon.warn openvpn(client)[4478]: ERROR: Linux route add command failed: external program exited with error status: 1
Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: GID set to nogroup
Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: UID set to nobody
Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: Initialization Sequence Completed

This doesn't seem right.
Check your VPN server and client configs.

Why doesn't it seem right? Shouldn't it be the server IP? Or do you refer to the gw IP?

Server conf:

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
#push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_loSaYzbBAqE68lX5.crt
key server_loSaYzbBAqE68lX5.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3
client-config-dir /etc/openvpn/ccd
route 192.168.1.0 255.255.255.0 10.8.0.3
push "route 157.220.132.11 255.255.255.0"

/etc/openvpn/ccd/client:

ifconfig-push 10.8.0.3 255.255.255.0
iroute 192.168.1.0 255.255.255.0

On the client:

client
proto udp
remote 157.220.132.11 1194
#dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_loSaYzbBAqE68lX5 name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
#setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-crypt>
</tls-crypt>

#user nobody
#group nogroup
#dev
user nobody
group nogroup
dev tun0
#pull-filter ignore redirect-gateway

Output of ip route show on the client:

default via 192.168.1.254 dev eth0.2  src 192.168.1.198
10.8.0.0/24 dev tun0 scope link  src 10.8.0.3
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.198

Output of ip route show on the server:

default via 157.220.112.1 dev eth0 proto static
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.19.0.0/16 dev eth0 proto kernel scope link src 10.19.0.6
157.220.112.0/20 dev eth0 proto kernel scope link src 157.220.132.11
192.168.1.0/24 via 10.8.0.3 dev tun0
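The two mistakes this thread runs into (an iroute or route written with the router's host address 192.168.1.1 instead of the network address 192.168.1.0, and a pushed route whose prefix has host bits set, which is why the router's "route add" failed, and which also covers the VPN server's own public address) can be caught before restarting OpenVPN with a small consistency checker. The following Python is an added example, not OpenVPN's code and not from any poster; the sample server.conf and ccd file embedded in it are constructed from the lines posted above, and the endpoint address passed to the checker is assumed to be the server's public IP from the client's "remote" line.

```python
import ipaddress
import re

# Constructed samples shaped like the server.conf and ccd file posted in the thread
# (the values are the thread's); the checker itself is an added example, not OpenVPN code.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
route 192.168.1.0 255.255.255.0 10.8.0.3
push "route 157.220.132.11 255.255.255.0"
"""
CCD_CLIENT = """\
ifconfig-push 10.8.0.3 255.255.255.0
iroute 192.168.1.1 255.255.255.0
"""

def parse(conf):
    """Yield (directive, args); a push "..." line becomes the directive 'push <inner>'."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'push\s+"(.*)"', line)
        parts = m.group(1).split() if m else line.split()
        yield ("push " + parts[0] if m else parts[0]), parts[1:]

def check_site_to_site(server_conf, ccd_conf, endpoint):
    """Return findings for a server.conf + ccd pair; an empty list means consistent."""
    findings, routes, iroutes = [], set(), set()
    for d, a in parse(server_conf):
        if d in ("route", "push route"):
            net = ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
            if a[0] != str(net.network_address):  # e.g. 192.168.1.1/24 instead of 192.168.1.0/24
                findings.append(f"{d} {a[0]} {a[1]}: host bits set, use {net.network_address}")
            if d == "route":
                routes.add(net)
            elif ipaddress.ip_address(endpoint) in net:  # tunnel endpoint routed into the tunnel
                findings.append(f"{d} {a[0]} {a[1]}: covers the VPN endpoint {endpoint}")
    for d, a in parse(ccd_conf):
        if d == "iroute":  # mask is optional for iroute; OpenVPN defaults to a single host
            net = ipaddress.ip_network(f"{a[0]}/{a[1] if len(a) > 1 else 32}", strict=False)
            if a[0] != str(net.network_address):
                findings.append(f"iroute {a[0]}: host bits set, use {net.network_address}")
            iroutes.add(net)
    for net in iroutes - routes:
        findings.append(f"iroute {net} has no matching kernel 'route' in server.conf")
    for net in routes - iroutes:
        findings.append(f"route {net} has no iroute in the ccd file, so OpenVPN drops it")
    return findings
```

Run it on the real files with open("/etc/openvpn/server.conf").read() and the ccd file for the client; an empty result means the route, iroute and pushed routes agree and no pushed prefix would swallow the tunnel endpoint.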