OpenVPN+port forward

eQuerry · 2022-02-03T19:36:45.403Z

So for example the GL-iNet VPN Policies tutorial states:

Use VPN for guest network : Turn on/off use VPN for guest network.

Why would that result in the port being closed anyway?

wcs2228 · 2022-02-03T22:02:25.458Z

eQuerry:

I have a opened a port on my FFT box and set up the pass through to the intended device

Can explain in more detail what specific settings you made on both the FTTH and GL-AP1300?

The VPN Policies are for outbound traffic.

eQuerry · 2022-02-04T02:48:43.323Z

The VPN Policies are for outbound traffic.

That explains it all then! How do I then stop using the VPN for this specific device?

Can explain in more detail what specific settings you made on both the FTTH and GL-AP1300?

I just forwarded a port from FTTH box to GL-AP1300, and then GL-AP1300 to forward to the Mesh router, and then Mesh router to the intended device. All the same and with the correct WAN/LAN IPs. On the GL-AP1300 Firewall page, I set up wan as External Zone and lan as Internal Zone

But when I use the alternate set up, the device connects to GL-AP1300’s guest wifi where I thought it was going to bypass all in/outbound traffic

wcs2228 · 2022-02-04T03:00:58.151Z

With the Guest wifi setup, you can try port forwarding from GL-AP1300 directly to the target device, not to the Mesh router.

eQuerry · 2022-02-04T03:14:44.215Z

Done. But that doesn’t work for inbound traffic

alzhao · 2022-02-04T05:00:03.443Z

I used the same setup as you but I used MT1300 to test.

Once I enable vpn policy and do not use vpn for the client (XE300) and I can access XE300 from the WAN IP.

image916×764 29.3 KB

eQuerry · 2022-02-04T05:36:37.256Z

alzhao:

XE300

The only difference is that I’m using the client’s IP rather than the client’s MAC address. Does it make a difference?

Also, does it make a difference if I use the guest network or not? The VPN policy should work anyway, right?

alzhao · 2022-02-04T08:48:53.717Z

You should select “MAC Address” based and select the device with the correct mac address.

You should not select “Domain/IP” based because it is the target IP, not source IP.

Not sure about guest wifi but it should be OK. It just on one guest zone and you should set up port forward correctly.

wcs2228 · 2022-02-04T19:31:58.869Z

I did a successful test on my GL-MV1000W Brume:

Set up a simple web server on a target device connected to Brume on Port 8080

Did not set up Guest wifi

Added VPN Policy to not use VPN for the target device’s MAC address and tested that the target device is not going through VPN

Added Port Forwarding from Brume WAN to the target device LAN over TCP Port 8080

Successfully accessed web server device via URL http://a.b.c.d:8080 where a.b.c.d is the WAN IP of Brume

From the Internet, you would access via the FTTH WAN Public IP, so it should forward to you GL-AP1300, then should forward to the target device.

wcs2228 · 2022-02-04T20:33:18.139Z

You may be doing triple-NAT through FTTH box, GL-AP1300 and Mesh router. Can you bridge the Mesh router?

eQuerry · 2022-02-05T06:15:55.563Z

You may be doing triple-NAT through FTTH box, GL-AP1300 and Mesh router. Can you bridge the Mesh router?
Yes, that’s exactly what I believe is going on

eQuerry · 2022-02-05T06:18:34.550Z

wcs2228:

Added VPN Policy to not use VPN for the target device’s MAC address and tested that the target device is not going through VPN

I think that’s the part not working for me.

Did not set up Guest wifi

I think the issue in my case is that if I set up the “do not use VPN with” policy in the GL-AP1300 with the Mesh router’s MAC address, all devices connected to the Mesh router will not have VPN, which is what I want to avoid (i.e. VPN should not be used exclusively for the intended device where I’m running the webserver

eQuerry · 2022-02-06T05:14:51.442Z

Any advice on how to proceed?

alzhao · 2022-02-06T11:09:27.862Z

Based on your current setup, you cannot do that easily.

You may need to connect the device that you want to port forward directly on AP1300, not your mesh router. Then use vpn policy.

eQuerry · 2022-02-06T11:24:52.424Z

You may need to connect the device that you want to port forward directly on AP1300, not your mesh router. Then use vpn policy.

That’s no problem, but I already tried to do that (see my second post in this thread)? It didn’t seem to work. To clarify, what you’re suggesting is:

set up port forward from FTTH to GL-AP1300 LAN address
Activate guest wifi on GL-AP1300
set up port forward from GL-AP1300 to device LAN address (based on IP assigned in the guest network)
set up VPN exclusion for guest wifi

Is that correct? If so, can you please tell me exactly how to execute 3)? I tried both WAN as well as guest zone but both had the port closed as soon as OpenVPN was activated

Thanks!

wcs2228 · 2022-02-06T16:56:16.610Z

I did a successful test using the Guest wifi:

The Guest wifi subnet defaults to 192.168.9.x, so I added Port Forwarding from the router WAN to the target device LAN IP address 192.168.9.220 over TCP Port 8080.

I set the VPN Policy to not use VPN for the Guest network, which was a bit fiddly until I was sure the target device is not going through VPN.

I was then able to access the simple web server on the target device from the WAN.

eQuerry · 2022-02-07T02:35:38.863Z

The Guest wifi subnet defaults to 192.168.9.x, so I added Port Forwarding from the router WAN to the target device LAN IP address 192.168.9.220 over TCP Port 8080.
I set the VPN Policy to not use VPN for the Guest network, which was a bit fiddly until I was sure the target device is not going through VPN.

Thanks! Like this?

img1580×338 61.6 KB

wcs2228 · 2022-02-07T02:52:17.985Z

Yes, where xxx is the actual IP of the target device, as assigned by the Guest wifi’s DHCP.

eQuerry · 2022-02-07T03:28:26.024Z

Yes, where xxx is the actual IP of the target device, as assigned by the Guest wifi’s DHCP.

Thanks! And are wan and lan attributes correct?

Also, I don’t seem to be able to access GPON on 192.168.9.xxx when I’m connected on my laptop main wifi 192.168.1.xxx. Why would that be?

wcs2228 · 2022-02-07T04:21:43.627Z

Is 192.168.1.xxx on the WAN side of the GL-AP1300?

If so, make sure that the Guest wifi is not going through the VPN as per VPN policy. Connect your laptop to the Guest wifi also and go to whatismyipaddress.com and it should show your ISP’s Public IP, not the OpenVPN server’s Public IP. At the same time, you can ping the target device to make sure it has the correct IP 192.168.9.xxx.

I found this fiddly and then added MAC address exemption to VPN Policy, which worked. Later I removed the MAC address exemption, which still worked. Maybe I could have rebooted after setting VPN Policy that Guest wifi is not to go through VPN.