VPN works for OUTSIDE clients but not for inside

I followed the standard guide for setting up a VPN, and the VPN works for my clients connecting from outside.

However, for debugging purposes it is nice to be able to connect to that VPN from "inside". Is that possible?

I.e. from my mobile, if I am on 4G I can connect to the VPN. However, if the very same phone is on the wifi it cannot connect to the VPN; it times out all the time. Maybe I am missing some setting somewhere?

I believe if you delete the firewall rule you've created while following the guide, you should be able to access your VPN server from the wifi:

uci -q delete firewall.ovpn
uci commit firewall
/etc/init.d/firewall restart

It ain't the firewall rule that is the problem (the client is on lan and that has input=accept). This question has been up earlier in the forum, in the form of using it as a wifi encryption, but I can't find the answer.

If my memory is right you need to make a port forward reflection or something like that from inside the firewall to the outside to get inside again with the wan IP?

It should be possible to use localhost also in some way?

Even if you could get it to work, testing from the inside is not very useful.

What you describe is NAT Reflection aka hairpinning.

But the problem when using OpenVPN with this is that the data channel could take another route than the control channel which is a no-go.

Basically the mantra with VPN testing is "Always test from outside".

@flygarn12 Indeed you are right! The port forwarding made it possible to connect from the local LAN to the VPN server running on the router. Basically a port forward from lan to device.

I set it in UI and it looks like this

or in text form

firewall.@redirect[9]=redirect
firewall.@redirect[9].dest_port='my_vpn_port_number'
firewall.@redirect[9].src='my_lan_name'
firewall.@redirect[9].name='internal vpn test'
firewall.@redirect[9].src_dport='my_vpn_port_number'
firewall.@redirect[9].target='DNAT'

There has got to be a more elegant way of doing this, since in this solution I am not able to use this port for connecting to anything outside. But it works for now.

Fantastic! It maybe isn't the perfectly right way to do it, but it works for testing basic functionality of the server.
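
An added example, not part of the thread or of OpenWrt's own tooling: a shell function that reads the text form posted above and flags redirects that, like that one, match a source zone and port but no destination address. The `redirect[10]` entry and its `203.0.113.10` address are constructed for illustration; `src_dip` is the OpenWrt redirect option that limits the match to one destination IP.

```sh
# Constructed sample: redirect[9] is the rule from the thread; redirect[10]
# is a hypothetical variant narrowed with src_dip (203.0.113.10 is a
# documentation address standing in for the router's WAN IP).
sample_config() {
cat <<'EOF'
firewall.@redirect[9]=redirect
firewall.@redirect[9].dest_port='my_vpn_port_number'
firewall.@redirect[9].src='my_lan_name'
firewall.@redirect[9].name='internal vpn test'
firewall.@redirect[9].src_dport='my_vpn_port_number'
firewall.@redirect[9].target='DNAT'
firewall.@redirect[10]=redirect
firewall.@redirect[10].dest_port='my_vpn_port_number'
firewall.@redirect[10].src='my_lan_name'
firewall.@redirect[10].name='internal vpn test (narrowed)'
firewall.@redirect[10].src_dip='203.0.113.10'
firewall.@redirect[10].src_dport='my_vpn_port_number'
firewall.@redirect[10].target='DNAT'
EOF
}

# Reads `uci show firewall` text on stdin (anonymous @redirect sections only).
# Prints one line per DNAT redirect that has src_dport but no src_dip: such a
# rule takes that port for every destination, not only the router's address.
find_broad_redirects() {
    awk -v q="'" '
    /^firewall\.@redirect\[[0-9]+\]\./ {
        rest = $0; sub(/^firewall\.@redirect\[/, "", rest)
        idx = rest; sub(/\].*$/, "", idx)
        sub(/^[0-9]+\]\./, "", rest)
        eq = index(rest, "=")
        if (eq == 0) next
        val = substr(rest, eq + 1)
        gsub("^" q "|" q "$", "", val)      # strip the quotes uci adds
        seen[idx] = 1
        opt[idx, substr(rest, 1, eq - 1)] = val
    }
    END {
        for (i in seen) {
            tgt = opt[i, "target"]
            if (tgt == "") tgt = "DNAT"     # DNAT is the default target
            if (tgt == "DNAT" && opt[i, "src_dport"] != "" && opt[i, "src_dip"] == "")
                printf "redirect[%s] \"%s\": src=%s port=%s has no src_dip\n",
                    i, opt[i, "name"], opt[i, "src"], opt[i, "src_dport"]
        }
    }'
}

sample_config | find_broad_redirects
```

On a router the same function can be fed real configuration with `uci show firewall | find_broad_redirects`.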
