Accessing LAN from VPN client when using GL-MT2500A as VPN server sitting below an external router

I currently have the following configuration:
PC (VPN client) → internet → Ubiquiti USG GW → GL-MT2500A (as OpenVPN Server)
The VPN server is set up using TUN, with the WAN port connected to the USG GW (assigned address 192.168.3.100) and the LAN port connected to the USG GW (assigned address 192.168.2.2). Port forwarding is set up on the USG GW to route port 1194 traffic to 192.168.3.100. The VPN tunnel address is left at 10.8.0.0 (this subnet is not used anywhere else in the network).
Currently, I am able to establish a VPN connection and have access to the internet. However, all access to LAN addresses fails. I am able to ping all USG GW subnet addresses (e.g. 192.168.1.1, 192.168.3.1). Are there some configuration changes I need to make to the VPN server (MT2500A) configuration or the USG GW to enable LAN access to work from the VPN client? Any insight will be highly appreciated.

If I’m comprehending this correctly that your LAN devices are on the 192.168.2.x network, then I think the Ubiquiti USG GW LAN gateway on the 192.168.2.x network doesn’t know it needs to send traffic for the 10.8.0.0 network to the LAN IP on the MT2500, so it would just default to sending responses out its WAN address on the 192.168.3.x network.

If you can add routes to the Ubiquiti USG GW, then I would think that adding a route on the Ubiquiti USG GW for the 10.8.0.0/24 network to go to the MT2500 LAN address 192.168.2.2 could resolve it since that is the device on the LAN hosting that network.

Thanks for the reply. I played around with the configuration a bit more and it seems I can gain access to remote LAN if I allow the 192.168.3.x subnet through the USG GW firewall. Traceroute shows:
10.8.0.1 → 192.168.3.1 (WAN i/f of MT2500) → 10.0.1.89 (one of my VLANs)
whereas previously it was blocked at 192.168.3.1.
So my question is why aren’t packets being routed through the LAN i/f of MT2500 (192.168.2.2) by the VPN server?

As for the MT2500 VPN clients, their traffic to 192.168.2.x is going directly to the 192.168.2.x network since the MT2500 has a physical connection to that network. But if the devices in that network are not using the MT2500’s 192.168.2.2 as their gateway, then that’s why. If they are using the Ubiquiti USG GW LAN gateway, say 192.168.2.1, it doesn’t know to send the VPN network 10.8.0.0 to the 192.168.2.2 interface on the MT2500 to get to the VPN client network, so it sends the traffic out its default gateway through its WAN port instead.

Ahh. Thanks again for the reply. So, if I understand correctly, in order to route VPN client packets through the LAN interface, I would need to advertise 192.168.2.1 as the gateway within the MT2500A configuration. Unfortunately, I’m not quite sure how to do that, any suggestions? Do I need to mess with the VPN server config file in the MT2500A?

Have you looked at using the MT2500 as a drop-in gateway? I’ve never done this, but reading the documentation it does allow all the MT2500 application features, like AdGuard, to be used by all the devices on the LAN, which is interesting. However, it looks like drop-in gateway mode requires being able to disable the main router’s DHCP server, which is why I never used it, since my main router is a wireless access point.

In my setup, I connected the MT2500 WAN port to my main router’s LAN. I enabled the MT2500 features to allow HTTPS and SSH remote access so I could access the MT2500 GUI and SSH services using the main router’s LAN IP address assigned to the MT2500 WAN port. I left the MT2500 LAN in its default configuration since I didn’t need to use it except for its initial configuration. I then set up port forwarding on my main router to allow the external VPN client port to access the MT2500 WAN IP address on its VPN server port. The good thing is that the DDNS feature of the MT2500 is still able to get and register the main router’s external internet IP address. So this setup allows my VPN client to access all of my LAN devices natively through the MT2500’s WAN IP address. However, it doesn’t allow the LAN devices to start (initiate) any connections to the VPN client, but I don’t need to do that.

I have basically the exact same configuration as you have; the MT2500 LAN port is basically unused, as you pointed out. All except that I had to disable LAN port DHCP. I’m wondering, though, whether there might be a higher throughput advantage if the VPN traffic were routed through to the LAN port. My ISP WAN speed is 1G down and 150M up. With OpenVPN using the MT2500, I get about 100M down and 50M up. This is still way better than running a native VPN server on the Ubiquiti USG, where I only get about 10-20Mbps in both directions (probably because it doesn’t use HW acceleration).

Maybe you should just enable this option - “Remote Access LAN”.

Already did, from the very beginning. Still needed to open the firewall on my main router for traffic from the MT2500A WAN port to other LAN subnets in order for this to work. Oh, as stated in previous posts, all VPN traffic (both WAN and LAN traffic) goes through the MT2500A WAN port as opposed to its LAN port.

Well, if your main router has a firewall, e.g. isolating the client devices, you need to change the firewall settings.

Well, I was expecting the MT2500A would route VPN traffic through to the LAN, which it doesn’t. If it did, then I wouldn’t have had to open up the WAN side port to all LAN subnets.

Can you check whether you run into this issue in firmware 4.5?

@ipaq2210
Maybe I can help you. I have a laptop or cell phone or tablet connected to the internet via OpenVPN →

On my network page: Fritzbox port forwarding to the USG →
USG → port forwarding to my MV1000, where ONLY the WAN port is plugged in.
The IP range of the VPN must not be in the IP range of the USG.
Then set the check mark “Allow remote access to the LAN” and it works.
I have access to my LAN.

I was using firmware 4.5 rel 8.

When you have your MT2500 LAN port connected to your 192.168.2.0/24 LAN, can all of the devices on the 192.168.2.0/24 LAN network ping the MT2500’s 192.168.2.2 LAN address?

If so, then you’ll need to have a static route on the Ubiquiti USG GW. Otherwise, how would the Ubiquiti USG GW clients know that the 10.8.0.0/24 VPN clients are accessible via the 192.168.2.2 address on the 192.168.2.0/24 network?

If you can add a next hop static route on the Ubiquiti USG GW, then by using a ‘next hop’ static route for the VPN client network subnet 10.8.0.0/24 to go to the ‘next hop’ address 192.168.2.2 of the MT2500’s LAN interface, all of your 192.168.2.0/24 LAN subnet devices will be routed to the MT2500’s LAN IP 192.168.2.2 so they can access the MT2500’s VPN client network 10.8.0.0/24.

BTW, if you have any other network IP subnets on the LAN side of the Ubiquiti USG GW other than the 192.168.2.0/24 subnet, then you’ll have to add those LAN subnets (example 192.168.1.0/24) as static routes on the MT2500, using the LAN interface gateway address on the Ubiquiti USG GW (which I assume is 192.168.2.1) as the next hop to access any other LAN networks on the Ubiquiti USG GW.
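As an added illustration (not code from this thread, from GL.iNet or from Ubiquiti), the following Python model reconstructs the two routing tables described in the thread and walks a packet hop by hop with a longest-prefix-match lookup. It shows why a reply from a 192.168.2.x device to a VPN client leaves the USG's default route unless the USG has the 10.8.0.0/24 static route via 192.168.2.2, and why a VPN client reaching another USG subnet goes out the MT2500 WAN port via 192.168.3.1 (as the traceroute in the thread shows) unless the MT2500 has a static route via 192.168.2.1. The interface names, the VLAN name, the host addresses 10.8.0.6 and 192.168.2.50 and the ISP next hop 203.0.113.1 are constructed for the model; NAT and firewall rules are deliberately not modelled, only which interface each router picks.

```python
from ipaddress import ip_address, ip_network

# Routing tables reconstructed from the thread as (prefix, next_hop, egress_iface).
# next_hop None means the prefix is directly connected. Interface names, the
# VLAN name and the ISP next hop 203.0.113.1 are constructed for the model.
MT2500_BASE = [
    ("10.8.0.0/24", None, "tun0"),        # OpenVPN client subnet (server side is 10.8.0.1)
    ("192.168.3.0/24", None, "wan"),      # WAN port, 192.168.3.100
    ("192.168.2.0/24", None, "lan"),      # LAN port, 192.168.2.2
    ("0.0.0.0/0", "192.168.3.1", "wan"),  # default route towards the USG
]
USG_BASE = [
    ("192.168.1.0/24", None, "lan1"),
    ("192.168.2.0/24", None, "lan2"),     # USG gateway on this subnet is 192.168.2.1
    ("192.168.3.0/24", None, "lan3"),
    ("10.0.1.0/24", None, "vlan10"),      # the VLAN that holds 10.0.1.89
    ("0.0.0.0/0", "203.0.113.1", "wan"),  # ISP next hop (constructed address)
]
# Which router owns each interface address, so a next hop can be followed.
OWNER = {
    "10.8.0.1": "mt2500", "192.168.3.100": "mt2500", "192.168.2.2": "mt2500",
    "192.168.1.1": "usg", "192.168.2.1": "usg", "192.168.3.1": "usg", "10.0.1.1": "usg",
}


def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, iface) or None if nothing matches."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def trace(tables, start, dst, max_hops=8):
    """Walk a packet router by router. Returns (outcome, [(router, iface, next_hop), ...])."""
    path, router = [], start
    for _ in range(max_hops):
        hit = lookup(tables[router], dst)
        if hit is None:
            return "unroutable", path
        next_hop, iface = hit
        path.append((router, iface, next_hop))
        if next_hop is None:
            return "delivered", path          # dst is on a directly connected subnet
        router = OWNER.get(next_hop)
        if router is None:
            return "left_network", path       # handed to the ISP; a private dst is never answered
    return "loop", path


def reply_from_lan_host(usg_static_route):
    """Reply from LAN host 192.168.2.50 (gateway 192.168.2.1) back to VPN client 10.8.0.6."""
    usg = USG_BASE + ([("10.8.0.0/24", "192.168.2.2", "lan2")] if usg_static_route else [])
    return trace({"mt2500": MT2500_BASE, "usg": usg}, "usg", "10.8.0.6")


def vpn_client_to_vlan(mt2500_static_route):
    """VPN client 10.8.0.6 reaching 10.0.1.89 on another USG subnet."""
    mt = MT2500_BASE + ([("10.0.1.0/24", "192.168.2.1", "lan")] if mt2500_static_route else [])
    return trace({"mt2500": mt, "usg": USG_BASE}, "mt2500", "10.0.1.89")


if __name__ == "__main__":
    for label, result in [
        ("reply to VPN client, no USG route   ", reply_from_lan_host(False)),
        ("reply to VPN client, USG route      ", reply_from_lan_host(True)),
        ("VPN client to VLAN, no MT2500 route ", vpn_client_to_vlan(False)),
        ("VPN client to VLAN, MT2500 route    ", vpn_client_to_vlan(True)),
    ]:
        outcome, path = result
        print(f"{label}: {outcome:12s} {' -> '.join(f'{r}:{i}' for r, i, _ in path)}")
```

Without the USG static route the reply to 10.8.0.6 matches only the USG's default route and is sent towards the ISP, which is the symptom of the original post; with the route it reaches the MT2500 LAN interface and is delivered on tun0. The second pair of runs reproduces the traceroute 10.8.0.1 → 192.168.3.1 → 10.0.1.89 from the thread and shows that the MT2500 static route moves that traffic onto the LAN port, which is what makes the WAN-side firewall exception unnecessary.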