Openvpn client allow access to WAN

I have a GL-MT300N-V2 acting as an openvpn client. Works fine - but…
I need to allow my openvpn server to reach clients on the WAN interface (which is in the private range
A traceroute from the server reports that packets arrive at the router via the tunnel - but no reply from the device I need to contact on the network.

I’ve had this working before, but I can’t remember what I did - I guess it needs some kind of NAT config so the packets hitting my end device appear to come from the WAN address of the router.
This has got to be something simple - but I can’t work it out :frowning:
Any help please??

Turn on this option

Thanks - I have already tried that but it still doesn’t allow traffic arriving via the Openvpn to access the device on the WAN interface. I suspect that the traffic is not being Natted to appear to originate from the WAN IP of the router, so the end device doesn’t know to send the reply back via the router.

I have another working setup, so I will attempt to load up the backup of the working config and see if I have any settings I have missed.

Thanks for taking the time to reply :slight_smile:

Regards Dave

1 Like

OK - I’m still stumped!

My GL-MT300N-V2 is an OpenVPN client and the WAN interface is on a private subnet It gets it’s address by DHCP from the internet router on that subnet. VPN client connects ok to my server.

Server can ping the tunnel endpoint
Server can ping the assigned WAN interface

But server can’t ping the WAN gateway of the subnet or any devices on the subnet.

I have no access to the default gateway of the subnet to add a static route.

There must be a way of adding (masquerade ?) a rule which makes all the traffic coming down the VPN destined for devices on the subnet to appear to originate from the WAN IP of the GL-MT300N-V2 to avoid the need for setting up a route back to the VPN on the subnet gateway router?

Any advice appreciated!
Thanks Dave

Set firewall rule for ovpn zone in luci, like the following picture:

I really appreciate your help - this is driving me mad - I still can’t get this to work!

My VPN server has a tunnel address of
My GL-iNet OpenVPN client connects ok with tunnel address
I have several other clients also connected to the VPN OK

From the server I can ping
From other connected clients I can ping
From other connected clients I can log on via browser to GL-iNet via address

The server and other connected clients all can see a route to via

From other connected clients I can log on via browser and also ping to GL-iNet via its WAN address which confirms routing is working OK

From luci on the GL-iNet I can directly ping the wan gateway

From luci on the GL-Inet I can directly ping the device I am trying to remotely connect to:

From any connected client, if I Traceroute to I get as far as
Here are my firewall rules:

I have enabled access to local network

It feels like the GL-iNet is not forwarding and masquerading the traffic from the VPN to the target device

I know this must work as I have had it working in the past - I’m really stuck!

Thanks for trying to help :slight_smile: Dave

I don’t know where it block the traffic, you can try to change all “reject” and “drop” option to “accept” for a moment.
Also disable masquerading of ovpn zone.

Just for ask you… can you try the new beta firmware v4.3.2 i saw that you have more option if you use gl-inet interface to create a open vpn server.

Did you ever get this working? I’m having the same issue.

Yes - worked fine after the firmware upgrade


Got this working. Had the subnet wrong in the openvpn config - all good now!

For anyone else looking, I stupidly had instead of in my openvpn server settings. I changed this to the correct way and it is now working as expected.