OpenVPN+port forward

eQuerry · 2022-02-04T03:14:44.215Z

Done. But that doesn’t work for inbound traffic

alzhao · 2022-02-04T05:00:03.443Z

I used the same setup as you but I used MT1300 to test.

Once I enable vpn policy and do not use vpn for the client (XE300) and I can access XE300 from the WAN IP.

image916×764 29.3 KB

eQuerry · 2022-02-04T05:36:37.256Z

alzhao:

XE300

The only difference is that I’m using the client’s IP rather than the client’s MAC address. Does it make a difference?

Also, does it make a difference if I use the guest network or not? The VPN policy should work anyway, right?

alzhao · 2022-02-04T08:48:53.717Z

You should select “MAC Address” based and select the device with the correct mac address.

You should not select “Domain/IP” based because it is the target IP, not source IP.

Not sure about guest wifi but it should be OK. It just on one guest zone and you should set up port forward correctly.

wcs2228 · 2022-02-04T19:31:58.869Z

I did a successful test on my GL-MV1000W Brume:

Set up a simple web server on a target device connected to Brume on Port 8080

Did not set up Guest wifi

Added VPN Policy to not use VPN for the target device’s MAC address and tested that the target device is not going through VPN

Added Port Forwarding from Brume WAN to the target device LAN over TCP Port 8080

Successfully accessed web server device via URL http://a.b.c.d:8080 where a.b.c.d is the WAN IP of Brume

From the Internet, you would access via the FTTH WAN Public IP, so it should forward to you GL-AP1300, then should forward to the target device.

wcs2228 · 2022-02-04T20:33:18.139Z

You may be doing triple-NAT through FTTH box, GL-AP1300 and Mesh router. Can you bridge the Mesh router?

eQuerry · 2022-02-05T06:15:55.563Z

You may be doing triple-NAT through FTTH box, GL-AP1300 and Mesh router. Can you bridge the Mesh router?
Yes, that’s exactly what I believe is going on

eQuerry · 2022-02-05T06:18:34.550Z

wcs2228:

Added VPN Policy to not use VPN for the target device’s MAC address and tested that the target device is not going through VPN

I think that’s the part not working for me.

Did not set up Guest wifi

I think the issue in my case is that if I set up the “do not use VPN with” policy in the GL-AP1300 with the Mesh router’s MAC address, all devices connected to the Mesh router will not have VPN, which is what I want to avoid (i.e. VPN should not be used exclusively for the intended device where I’m running the webserver

eQuerry · 2022-02-06T05:14:51.442Z

Any advice on how to proceed?

alzhao · 2022-02-06T11:09:27.862Z

Based on your current setup, you cannot do that easily.

You may need to connect the device that you want to port forward directly on AP1300, not your mesh router. Then use vpn policy.

eQuerry · 2022-02-06T11:24:52.424Z

You may need to connect the device that you want to port forward directly on AP1300, not your mesh router. Then use vpn policy.

That’s no problem, but I already tried to do that (see my second post in this thread)? It didn’t seem to work. To clarify, what you’re suggesting is:

set up port forward from FTTH to GL-AP1300 LAN address
Activate guest wifi on GL-AP1300
set up port forward from GL-AP1300 to device LAN address (based on IP assigned in the guest network)
set up VPN exclusion for guest wifi

Is that correct? If so, can you please tell me exactly how to execute 3)? I tried both WAN as well as guest zone but both had the port closed as soon as OpenVPN was activated

Thanks!

wcs2228 · 2022-02-06T16:56:16.610Z

I did a successful test using the Guest wifi:

The Guest wifi subnet defaults to 192.168.9.x, so I added Port Forwarding from the router WAN to the target device LAN IP address 192.168.9.220 over TCP Port 8080.

I set the VPN Policy to not use VPN for the Guest network, which was a bit fiddly until I was sure the target device is not going through VPN.

I was then able to access the simple web server on the target device from the WAN.

eQuerry · 2022-02-07T02:35:38.863Z

The Guest wifi subnet defaults to 192.168.9.x, so I added Port Forwarding from the router WAN to the target device LAN IP address 192.168.9.220 over TCP Port 8080.
I set the VPN Policy to not use VPN for the Guest network, which was a bit fiddly until I was sure the target device is not going through VPN.

Thanks! Like this?

img1580×338 61.6 KB

wcs2228 · 2022-02-07T02:52:17.985Z

Yes, where xxx is the actual IP of the target device, as assigned by the Guest wifi’s DHCP.

eQuerry · 2022-02-07T03:28:26.024Z

Yes, where xxx is the actual IP of the target device, as assigned by the Guest wifi’s DHCP.

Thanks! And are wan and lan attributes correct?

Also, I don’t seem to be able to access GPON on 192.168.9.xxx when I’m connected on my laptop main wifi 192.168.1.xxx. Why would that be?

wcs2228 · 2022-02-07T04:21:43.627Z

Is 192.168.1.xxx on the WAN side of the GL-AP1300?

If so, make sure that the Guest wifi is not going through the VPN as per VPN policy. Connect your laptop to the Guest wifi also and go to whatismyipaddress.com and it should show your ISP’s Public IP, not the OpenVPN server’s Public IP. At the same time, you can ping the target device to make sure it has the correct IP 192.168.9.xxx.

I found this fiddly and then added MAC address exemption to VPN Policy, which worked. Later I removed the MAC address exemption, which still worked. Maybe I could have rebooted after setting VPN Policy that Guest wifi is not to go through VPN.

eQuerry · 2022-02-07T07:49:17.810Z

Is 192.168.1.xxx on the WAN side of the GL-AP1300?

Yes

Connect your laptop to the Guest wifi also and go to whatismyipaddress.com and it should show your ISP’s Public IP, not the OpenVPN server’s Public IP.

Done, works as you suggested

At the same time, you can ping the target device to make sure it has the correct IP 192.168.9.xxx.

This only works when my laptop is connected to the guest wifi (i.e. with an 192.168.9.xxx IP). When my laptop is connected to the main wifi (i.e. with an 192.168.1.xxx IP) I cannot connect to the target device. Why would that be the case?

wcs2228 · 2022-02-07T15:12:03.631Z

You should be able to access the target device (192.168.9.xxx) from your laptop (192.168.1.yyy) via the router’s WAN port IP 192.168.1.zzz over Port 2680.

192.168.1.zzz is the actual IP of the router’s WAN port, as assigned by the FTTH box. The router then then port forwards the traffic to the target device. This worked for me.

eQuerry · 2022-02-07T15:25:34.117Z

Thanks a lot for your help! But, sorry, I don’t understand this bit:

via the router’s WAN port IP 192.168.1.zzz over Port 2680

What do you mean by via? I’m just using a browser and typing 192.168.9.xxx which is the target’s device IP, as assigned by the guest wifi

wcs2228 · 2022-02-07T16:22:18.557Z

You have to use the WAN port IP address like:

http://192.168.1.zzz:2680

where 192.168.1.zzz is the actual IP of the router’s WAN port, not 192.168.9.xxx.

Your port forwarding screenshot has Port 2680. If the target device has a standard web UI, then you have to change port forwarding to Port 80 and do not need “:2680” in the URL.