VPN server behind NAT

I have a router at my home with the latest version of OpenWrt installed on it.
The router is behind a NAT by the ISP, i.e. no direct access from the internet.

What I want to achieve is to set up a VPN on the server, so that when I'm outside home, I can connect to this VPN and use the internet on my phone/laptop as if I were connecting from home.

I know the basics of Linux.
I can install and configure OpenVPN, WireGuard or Shadowsocks on any Linux server and connect my phone/laptop to it.
The problem is, if I set up the VPN server on the OpenWrt router, then how would I access it from outside?

What's the best approach to achieve this?

I have used a reverse SSH tunnel to connect to the router via a third server/VPS.
But I'm not sure how I would use this to browse the internet on my phone/laptop.

Please suggest what is the best approach.


To be sure I understand your problem, the ISP router does not have a public IPv4 or IPv6 address?

If so you need a man in the middle.

I have Mullvad as VPN provider, which until recently allowed port forwarding via the VPN client (WireGuard), which was an excellent way to overcome this situation; however, they recently stopped that.

There might be other VPN providers which still support port forwarding via the VPN, you might look into that.

Other things to research: ngrok/zerotier/tailscale

Also a viable option: make a WG server on a VPS in the cloud which acts as the hub to connect attached clients (e.g. your router and phone on cellular etc.)


Yes, the router does not have any public IPv4 or IPv6.

Like I mentioned, I do have VPS servers that I can use as a man in the middle.
But I'm not sure how to configure this.

Step one: install WireGuard on the VPS.
Step two: connect the phone to WireGuard.
This part works.

Now, how do I connect the OpenWrt router to the WireGuard server? I don't want all the traffic from the router to go through WireGuard.
If I simply set up OpenWrt as a client, then it'll send all traffic to WireGuard.
I don't want that.

Try this in the allowed IPs of the router: replace with the wg subnet and with the vps subnet.
Make sure to enable route allowed IPs.
This should only send traffic for wg or for the vps via the tunnel.
Furthermore you have to put the WG interface in the lan zone and allow the port in the firewall.

You can enhance your setup by researching site-to-site setup.
Basically that disables masquerading on the wg interface of the routers and adds the router's subnet on the VPS in the peer of the router.


I'm not sure I understood all of that.
I'll set up what I understood, and will get back with the config/results.

I am away for the rest of the day but I am sure someone else will chime in.


no problem.

Try Tailscale: no need for port forwarding, no need for a VPS, and NAT friendly.


Using a VPS, both the phone and the home router would originate WireGuard connections to the VPS as separate peers on the same WireGuard interface on the VPS. For example the VPS itself could be in the tunnel, the home router, and the phone. Then the phone can use as its default route and all Internet usage on the phone will be routed through the home.

The problem here is that there are two VPN hops to reach the Internet, so ping time will be increased. For applications like web browsing and TV, this is not a big problem.

I use ZeroTier for this scenario. In most cases (though not all), ZeroTier will find a way for the phone to send packets backward through the hole in the home ISP NAT and reduce the VPN to a single hop. The other "cloud VPN" services mentioned also do this.

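The two replies above (egc's advice to limit the router's allowed IPs to the wg and VPS subnets, and mk24's hub-and-spoke layout where the phone uses the home router as its default route) both hinge on how WireGuard decides which peer a packet may go to and come from. The following is an added example, not code from the thread and not part of OpenWrt or WireGuard: a small Python model of WireGuard's cryptokey routing (longest-prefix match on AllowedIPs for outbound packets, and a source-address check on inbound ones) applied to a constructed three-node layout. All addresses are made up for the example; the policy route on the VPS that steers the phone's traffic to the router, the `0.0.0.0/0` entry on the hub's router peer, and masquerading on the router's PPPoE uplink are assumptions of the example, not settings the thread states.

```python
"""Added example, not from the forum thread: a model of WireGuard's cryptokey
routing for the VPS hub-and-spoke layout discussed above.

All addresses are constructed for the example:
  VPS hub       wg0 10.9.0.1, the only node with a public IP
  home router   wg0 10.9.0.2, LAN 192.168.1.0/24, behind CG-NAT
  phone         wg0 10.9.0.3, behind cellular NAT, wants the home as its exit
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


WG_SUBNET = net("10.9.0.0/24")
HOME_LAN = net("192.168.1.0/24")
PHONE_WG = "10.9.0.3"
INTERNET_HOST = "198.51.100.7"  # constructed TEST-NET-2 address


@dataclass
class Peer:
    name: str
    allowed_ips: List[ipaddress.IPv4Network]


def select_peer(peers: List[Peer], dst: str) -> Optional[Peer]:
    """Outbound: the packet goes to the peer whose AllowedIPs contain dst with
    the longest prefix. None means it is not tunnelled and follows the normal
    routing table (on the home router: the PPPoE uplink)."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for n in peer.allowed_ips:
            if addr in n and n.prefixlen > best_len:
                best, best_len = peer, n.prefixlen
    return best


def accepts_inbound(peer: Peer, src: str) -> bool:
    """Inbound: a decrypted packet is dropped unless its source address lies
    inside the sending peer's AllowedIPs."""
    return any(ipaddress.ip_address(src) in n for n in peer.allowed_ips)


# Router (egc's advice): only the tunnel subnet is routed into wg0, so the
# router's own Internet traffic keeps leaving via the PPPoE uplink.
ROUTER_PEERS = [Peer("vps", [WG_SUBNET])]
# Phone: everything into the tunnel.
PHONE_PEERS = [Peer("vps", [net("0.0.0.0/0")])]
# VPS hub, site-to-site style: the router's peer entry carries its LAN subnet
# and (assumed here, so the router can be the phone's exit) 0.0.0.0/0. The
# phone's /32 is more specific, so packets to the phone still reach the phone.
VPS_PEERS = [
    Peer("router", [net("10.9.0.2/32"), HOME_LAN, net("0.0.0.0/0")]),
    Peer("phone", [net(PHONE_WG + "/32")]),
]
# The same hub without the catch-all on the router peer, for comparison.
VPS_PEERS_NO_DEFAULT = [
    Peer("router", [net("10.9.0.2/32"), HOME_LAN]),
    Peer("phone", [net(PHONE_WG + "/32")]),
]


def router_uses_tunnel(dst: str) -> bool:
    """True if the home router would send a packet for dst into wg0."""
    return select_peer(ROUTER_PEERS, dst) is not None


def trace_phone_to_internet(vps_peers: List[Peer], dst: str = INTERNET_HOST) -> List[str]:
    """Walk one packet phone -> VPS -> router -> Internet and the reply back,
    returning the hop names; raise at the first cryptokey-routing failure.
    Assumes a policy route on the VPS sending the phone's traffic to 10.9.0.2
    (not modelled) and masquerading on the router's PPPoE interface."""
    by_name = {p.name: p for p in vps_peers}
    hops = ["phone"]
    if select_peer(PHONE_PEERS, dst) is None:
        raise RuntimeError("phone did not tunnel the packet")
    hops.append("vps")
    if not accepts_inbound(by_name["phone"], PHONE_WG):
        raise RuntimeError("vps dropped packet from phone: source not allowed")
    chosen = select_peer(vps_peers, dst)  # policy route picked the router; must agree
    if chosen is None or chosen.name != "router":
        raise RuntimeError("vps cannot hand Internet-bound packet to router peer")
    hops.append("router")
    if not accepts_inbound(ROUTER_PEERS[0], PHONE_WG):
        raise RuntimeError("router dropped packet from vps: source not allowed")
    hops.append("internet")
    if not router_uses_tunnel(PHONE_WG):  # NAT rewrote the reply's dst to the phone
        raise RuntimeError("router did not tunnel the reply")
    hops.append("router")
    if not accepts_inbound(by_name["router"], dst):
        raise RuntimeError("vps dropped reply from router: Internet source not allowed")
    hops.append("vps")
    chosen = select_peer(vps_peers, PHONE_WG)
    if chosen is None or chosen.name != "phone" or not accepts_inbound(PHONE_PEERS[0], dst):
        raise RuntimeError("reply did not reach the phone")
    hops.append("phone")
    return hops


def hub_config_problem(vps_peers: List[Peer]) -> Optional[str]:
    """None if the hub configuration carries a round trip, else the reason."""
    try:
        trace_phone_to_internet(vps_peers)
        return None
    except RuntimeError as exc:
        return str(exc)


if __name__ == "__main__":
    print("router tunnels Internet host:", router_uses_tunnel(INTERNET_HOST))
    print("router tunnels phone address:", router_uses_tunnel(PHONE_WG))
    print("hops:", " -> ".join(trace_phone_to_internet(VPS_PEERS)))
    print("hub without 0.0.0.0/0 on router peer:", hub_config_problem(VPS_PEERS_NO_DEFAULT))
```

The model shows the two points the replies make: with only the wg subnet in the router's AllowedIPs, the router's own traffic to an Internet host stays on the PPPoE uplink while traffic back to the phone is tunnelled, and the hub must list more than the router's /32 and LAN for the router peer, because otherwise the Internet-sourced replies coming back from the home are dropped by the inbound AllowedIPs check before they can be forwarded to the phone.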

The advice here is valid, but it is worth a few questions/clarifications:

It sounds like the OP is putting an OpenWrt router (as a VPN endpoint) behind the ISP router. Is that correct?

If so, the OpenWrt router itself would therefore not have a public IP address. However, can the OP confirm that the ISP router itself also does not have a public IP on its WAN? If the ISP provides NAT/CG-NAT to the customer and does not provide a public IP, obviously an option like a VPS or ZeroTier would be required. But if the ISP does give a public IP, it should be possible to port forward to the OpenWrt router and then use WireGuard directly.

Or SlackHQ's Nebula.


Thanks to everyone.
I tried Tailscale first, thanks to @alphamatic and @egc.
And it just worked!
This is great!
Also I like some other nifty features, like sending files between nodes.

However, this has one problem.
The Tailscale binary for OpenWrt is huge: 3.42MB, and 5.88MB for tailscaled.
It isn't a problem for the home router, but I intend to use another, cheaper router.
I guess I'll need a router with at least 16MB total flash memory to install it, right?

As an alternative I want to try WireGuard like @mk24 suggested,
because I think it can be installed on a router with 8MB flash?
I'll report back if I succeed.

To answer @psherman

I have no separate ISP router. The fiber cable connects directly to my router via an ONU.
My router connects to the ISP via PPPoE.
So, no port forwarding is possible.

Can someone please confirm how much free space I'll have on a router with 8MB flash after installing OpenWrt?

There will be 1 or 1.5 MB free. 8MB routers are on the verge of becoming unsupported for this reason.

None of the cloud VPNs are small enough. About all you can do with 8 MB flash is a raw WireGuard interface, which does not have central control and NAT hole punching capability.

I'd recommend using a minimum of 64MB flash, or using x86 (Intel mini PC).

More computing power is better.

I've tried to install on 16MB flash, but it turned out that the speed is slow when I use it as an exit node.

Now I'm using an x86 64-bit mini PC (Intel Atom processor).


This secondary router is not for an exit node.
It'll act as an access point for a few devices to connect.
All traffic of the connected devices will go through the exit node at my home.

Do I still need more than 8MB? Because I want to get as cheap as possible.

Wow. OpenWrt used to be 4MB. Now 8MB routers are going to become unsupported too? I didn't know that.
Couldn't they keep a minimal set of features for these routers?

Like all other things in tech... requirements do increase over time alongside the increases in capabilities of the host devices. A lot of it is based on the kernel itself (which is an upstream development). Also new features and technologies are introduced... think about how 802.11ax (WiFi 6) and WPA3 have been added to the wireless system -- those take up space, too.

OpenWrt does a really good job of supporting extremely modest systems (the fact that we're talking about 8/64MB or even 16/128MB and not gigabytes like a mobile or desktop system should be an indication of how hard the dev team works to extend the useful life of older hardware).


If you want to try another VPN, consider tinc VPN (use the 1.1 pre-release version). Install it on your own router, your PC and the VPS. Read the documentation at https://www.tinc-vpn.org/. tinc can establish a connection directly between your PC and the router, even if they both are behind NAT, by using the VPS when initiating the connection.

If you haven't bought the router yet, I recommend just buying a second-hand WiFi router with 16/64 flash.
If you already have an 8MB flash router, you can search for a flash upgrade service in your country and upgrade it to 16/64 like I did. I have an old router, a TP-Link MR3420 (released in 2011), with 4/32 flash. Then I upgraded it to 16/64. Now it runs as a dumb AP, FT WiFi roaming capable, and it's running the latest OpenWrt firmware. It still has 50% free space.

If you still want to use 8MB flash, you can make custom firmware or make a dumb AP. Remove unnecessary packages to save space: remove IPv6, firewall, dnsmasq, etc. There is a project for small-flash routers on this forum that removes packages to fit on a small-size router; you can search for it. Tailscale is based on WireGuard; it needs at least a 5.10 kernel as I remember. So, you can't go back to an old firmware version.

Another option on 8MB flash: you can use extroot. Give it a try.


No, I haven't bought it yet.
The choice of models is very limited here.
Mostly Totolink and Mercusys brands are available, which I don't see on the supported list.
However, I found the Xiaomi Mi4C is available; it is cheap and seems to be 16/64.

Flash upgrade is not available.