VPN config for DVR port forwarding

I set up an OpenVPN server on DigitalOcean as per https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04

(NB: the VPN didn't work, so I used the script linked in the first comment instead)

Then I set up an OpenVPN client on my router as per

I verified that my client's public IP address has changed.
The router is using my VPN server IP, so the tunnel seems to work.

But I still cannot connect to my DVR to check the security cams.
It is not clear to me how the whole thing should work.

When I'm in my LAN I just point to the DVR ip:port.
I thought connecting the router and my mobile phone to the same VPN would make the devices think they are in the same LAN.

Am I missing something?

In addition it may require an SNAT rule on OpenWrt if you can't change the DVR firewall settings to permit access from outside the LAN or set up proper routing on it.


You can also post here the configurations as well as the IPs that the phone and the router get from the VPN server. Also check with traceroute whether you can reach the camera from the phone and where it stops.


Thanks for the quick response!
But I didn't understand what to do.

In the Site-to-Site configuration example there are

  • server-LAN
  • client-LAN
  • VPN-network
  • VPN-client

Where are those coming from?

Let my OpenWrt router be
and DVR at be
my server is on a DigitalOcean droplet with a private ip (let it be
what are VPN-network and client LAN?

On that link it seems that both the VPN server and the client are on the same machine with OpenWrt,
but on my router with OpenWrt there is only the OpenVPN client installed.

Please help me understand.

In your case there is no server-LAN.
VPN network is the private subnet used in the tunnel. The server at DO can have the .1 and your OpenWrt router the .2 address.
Client LAN is the network on the LAN interface of the OpenWrt router.

If you mean this one:

Enable CCD on VPN-server, add client-LAN route, push server-LAN route.

it means that on the server side you can configure, for each client individually, which routes the server will accept and which it will push.


Cool! I did it!
Now, adding the SNAT rule, I can use the IP of the VPN tunnel instead of the one of the DVR on my LAN to access it.

One more question: how can I limit the tunnel to the service I want to access?
I don't want to use the VPN for my normal internet traffic; is it related to "Disable gateway redirect"?

Yes, if you don't push the default gateway to the clients, normal internet traffic will flow through your ISP.


Better avoid creating unnecessary NAT rules if your routing allows it.

Yep, that's it:


I'm having issues again with this configuration.
I did a reset on the OpenWrt router and started from scratch.
I also needed to set up a new DO server with Ubuntu 18 because with the previous server with Ubuntu 16 there was no handshake with the OpenWrt client.
Now the VPN connection works on the phone and on the OpenWrt router.

If my phone is on the OpenWrt router LAN I can see my DVR.
But if I use the VPN connection on the phone ( the result is no server responding at the address of the VPN ( is the IP address of the OpenVPN client)

How can I debug such a situation?

Is it something missing in the Site-to-site configuration?

In /etc/openvpn/server.conf I have

push "route"

where is the internal address from the ip addr command

I did not add the SNAT rule as per the suggested comment, and also because I did not understand how to add it.

Please help! I've been dealing with this for too long!

Check on the server:

head -v -n -0 /etc/openvpn/ccd/*

This is the response; is the IP of the client on the router, is the router itself

==> /etc/openvpn/ccd/client <==

This looks wrong; it should be


Shouldn't this IP be the one of the router? My router has IP

It should be the client side LAN:

Also fix this:

The client is on the router, the router LAN is, that sounds correct

You can say




The first is only for one device, the second for the whole network.


This is a single host address, but you need to access the network behind it.

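The point made above (the CCD entry and the pushed route must name the client LAN network, not the router's host address) as an added example, not code from the thread: a small POSIX sh script that rejects a host address and prints the matching CCD entry and server.conf lines. The network 192.168.1.0/24 and the function names are constructed placeholders; `iroute`, `route`, `push "route"` and `client-config-dir` are the OpenVPN directives the thread refers to.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses are constructed placeholders.
# Server side of the site-to-site setup discussed above:
#   ccd/<client-cn>: iroute <client-LAN> <mask>     (server accepts that LAN via this client)
#   server.conf:     route  <client-LAN> <mask>     (kernel route into the tun)
#                    push "route <client-LAN> <mask>" (other clients, e.g. the phone, learn it)
# All three must carry the network address; a single host address only reaches the router.

# Dotted quad -> 32-bit integer (POSIX sh arithmetic)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds only when no host bit of address $1 is set under netmask $2
is_network_address() {
    addr=$(ip2int "$1"); mask=$(ip2int "$2")
    [ $(( addr & mask )) -eq "$addr" ]
}

# CCD entry for the OpenWrt client (goes into /etc/openvpn/ccd/<client-cn>)
ccd_entry() {
    is_network_address "$1" "$2" || {
        echo "error: $1 is a host address; use the network address of the client LAN" >&2
        return 1
    }
    printf 'iroute %s %s\n' "$1" "$2"
}

# server.conf lines that belong with that CCD entry
server_lines() {
    is_network_address "$1" "$2" || return 1
    printf 'client-config-dir /etc/openvpn/ccd\n'
    printf 'route %s %s\n' "$1" "$2"
    printf 'push "route %s %s"\n' "$1" "$2"
}

# Demonstration with placeholder values: router LAN 192.168.1.0/24, router at .1
ccd_entry 192.168.1.1 255.255.255.0 || echo "(rejected: that is the router, not its LAN)"
ccd_entry 192.168.1.0 255.255.255.0
server_lines 192.168.1.0 255.255.255.0
```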

I changed the IP to the network address, both in server.conf and in /etc/openvpn/ccd/client (also on the server).

I still can't reach the DVR.

Dunno if it is related, but looking at the logs on the router I see:

Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: TUN/TAP device tun0 opened
Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: TUN/TAP TX queue length set to 100
Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: /sbin/ifconfig tun0 netmask mtu 1500 broadcast
Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: /sbin/route add -net netmask gw
Wed Sep 18 12:54:28 2019 daemon.warn openvpn(client)[4478]: ERROR: Linux route add command failed: external program exited with error status: 1
Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: GID set to nogroup
Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: UID set to nobody
Wed Sep 18 12:54:28 2019 daemon.notice openvpn(client)[4478]: Initialization Sequence Completed

This doesn't seem right.
Check your VPN server and client configs.

Why doesn't it seem right? Shouldn't it be the server IP? Or do you refer to the gw IP?

Server conf

port 1194
proto udp
dev tun
user nobody
group nogroup
keepalive 10 120
topology subnet
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS"
push "dhcp-option DNS"
#push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_loSaYzbBAqE68lX5.crt
key server_loSaYzbBAqE68lX5.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-version-min 1.2
status /var/log/openvpn/status.log
verb 3
client-config-dir /etc/openvpn/ccd
push "route"



On the client

proto udp
remote 1194
#dev tun
resolv-retry infinite
remote-cert-tls server
verify-x509-name server_loSaYzbBAqE68lX5 name
auth SHA256
cipher AES-128-GCM
tls-version-min 1.2
#setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3

#user nobody
#group nogroup
user nobody
group nogroup
dev tun0
#pull-filter ignore redirect-gateway

Output of ip route show on the client

default via dev eth0.2  src
dev tun0 scope link  src
dev br-lan scope link  src
dev eth0.2 scope link  src

Output of ip route show on the server

default via dev eth0 proto static
dev tun0 proto kernel scope link src
dev eth0 proto kernel scope link src
dev eth0 proto kernel scope link src
via dev tun0