openVPN and GoodCloud on GL-AR750S

I’m using GoodCloud to connect two networks with GL-AR750S routers (router 1 and router 2). This works fine.
Additionally I want to connect one external PC via OpenVPN. Therefore I have set up an OpenVPN server on router 1. I can connect the PC via OpenVPN to the network of router 1, but I can’t communicate from the PC with devices connected to router 2.
Please can you advise me how to configure the routers? Thanks a lot.

How does router1 connect to router2?
What is their topological relationship?

Router 1 and Router 2 are connected via GoodCloud. Router1 can be accessed from internet, while Router2 can’t be accessed from internet directly.

Can you draw your network topology map?

It looks like this. The objective is that the PC can directly communicate with devices connected to Router2.


You can open the “Access Local Network” and try it out.

This is already activated. With this I can access the local network of Router 1, but not Router 2.

You need to ssh to router1, modify the file “/etc/init.d/vpn-service” and add the line “iptables -I FORWARD -i tun-SERVER -j ACCEPT”, as follows:

Then restart the OpenVPN server and reconnect the PC’s OpenVPN client. You can try.

You need to do a port forwarding on router1’s VPN server to access the devices below router2.
Assuming that your VPN server address is 10.0.0.1 and the device address under router2 is 192.168.8.153, you may need to add the following rule:

iptables -t nat -I PREROUTING -s 10.0.0.0/24 -p tcp --dport 655 -j DNAT --to 192.168.8.153

Your PC can then access the router2 device through 10.0.0.1:655.
It’s just my idea, not proven.

This doesn’t help on its own. One additional point is needed:

It seems that all forward traffic is accepted already in iptables. I had to add the VPN subnet in the site-2-site configuration of Router1. Then all other site-2-site peers automatically adapt their routing tables accordingly.


Some background info: In fact, it’s not a firewalling issue but rather a routing issue. The root cause is that the IP packets are routed from router1 to router2, but router2 doesn’t have the correct routing information for the response. This is a pitfall of the site-2-site connection: you don’t have a strict tree hierarchy for routing, and therefore the default gateway will not help router2 answer the requests sent from the PC (i.e. the VPN client). This is solved by the site-2-site configuration as explained above.
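The routing pitfall described above, modelled as an added example that is not part of the thread: a longest-prefix-match lookup over constructed routing tables for router1 and router2 shows that the request always reaches router2 over the tunnel, while the device’s reply leaves router2 via its default WAN route (and is lost) until the VPN subnet 10.0.0.0/24 is also known to router2. Router1’s LAN prefix and the host addresses are assumptions; 192.168.8.153 is the device address quoted in the thread.

```python
import ipaddress

# Constructed model of the thread's topology: the PC reaches router1 over
# OpenVPN (10.0.0.0/24), router2's LAN is 192.168.8.0/24, and the two routers
# share a site-to-site tunnel ("s2s"). Prefixes below marked "assumed" are
# not taken from the thread.
VPN_CLIENT = "10.0.0.6"         # assumed PC address on router1's tun-SERVER
DEVICE = "192.168.8.153"        # device behind router2, as quoted in the thread
ROUTER1_LAN = "192.168.9.0/24"  # assumed router1 LAN prefix

def lookup(table, dst):
    """Longest-prefix match over (prefix, interface) pairs, as the kernel does."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

ROUTER1 = [
    ("0.0.0.0/0", "wan"),
    (ROUTER1_LAN, "lan"),
    ("10.0.0.0/24", "tun-SERVER"),  # OpenVPN clients
    ("192.168.8.0/24", "s2s"),      # router2 LAN via the site-to-site tunnel
]

def router2_table(vpn_subnet_advertised):
    table = [
        ("0.0.0.0/0", "wan"),
        ("192.168.8.0/24", "lan"),
        (ROUTER1_LAN, "s2s"),       # router1 LAN via the site-to-site tunnel
    ]
    if vpn_subnet_advertised:
        # Route that peers learn once the VPN subnet is added to router1's site-to-site config
        table.append(("10.0.0.0/24", "s2s"))
    return table

def request_egress():
    """Router1's egress for PC -> device traffic: the tunnel, in both cases."""
    return lookup(ROUTER1, DEVICE)

def reply_egress(vpn_subnet_advertised):
    """Router2's egress for device -> PC traffic: 'wan' (lost) or 's2s'."""
    return lookup(router2_table(vpn_subnet_advertised), VPN_CLIENT)

if __name__ == "__main__":
    print("request egress on router1:", request_egress())
    print("reply egress on router2 without VPN subnet:", reply_egress(False))
    print("reply egress on router2 with VPN subnet:", reply_egress(True))
```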

@luochongjun, @dzwghx: Thanks a lot for your support.