Port forward from OVPN to LAN

I have a remote OVPN server and my Flint has an OVPN Client configured on it. Flint is running 4.1.0 release6 (latest stable).

The OVPN client on Flint has an IP of 10.8.0.6. My LAN, where Flint is the router, is 192.168.0.x.
Allow Remote Access LAN turned ON.
I have a VPN policy to allow only one single device’s MAC address to use the VPN client connection to communicate with the outside world.

From the VPN server I want to reach one of my cameras on my LAN. I have port forwarding turned on like this:

So if on the VPN server (10.8.0.1) I connect to 10.8.0.6:47000 I should be forwarded to 192.168.0.200:88 but it won’t happen for some reason.

Interestingly, if I forward port 80 from OpenVPN to the router’s LAN IP I can access the router’s web page from the OpenVPN server by going to http://10.8.0.6:80; however, I cannot access them when forwarding the ports to devices on the LAN.

This solution worked correctly on one of my other Flints with the older firmware 3.x.

In Luci I have not added any custom FW rules.

If I try to do an nc -v 10.8.0.6 47000 it just hangs, and in a couple of minutes it returns connection timed out, but if I try to nc to a random port which is definitely not open it immediately returns connection refused.

Here is a simple drawing of what works and what does not:

Wondering if anyone could help on what could be the issue here?

This is the firewall on the openvpn server kicking in, I think. You need the server to allow access to the LAN.

Your sentence is not in line with what the problem description says.

The OVPN server in this case is a random remote PC. The LAN is the LAN behind my Flint router which is acting as an OVPN client.

There is no issue with the firewall on the remote OVPN server as I mentioned that if I forward a port (on my Flint) from OVPN network to the Flint’s LAN IP, that works, I can connect to Flint’s port from the ovpn server by connecting to the Flint’s OVPN IP/port.

What does not work is if I forward a port (on the Flint) from OVPN network to some other device on the LAN. However this scenario works with a different Flint with older 3.x firmware.

Updated my original post with a drawing.

Yes, I misunderstood the direction. The diagram helped. Stepping out of it since I don’t have a Flint client.

When I want to reach a device on the client’s LAN I add a route on the server to the LAN, no port forwarding at all. I thought that is what the “allow remote” button did, push a route and change the client firewall. Maybe not.

What I have noticed is that “Allow remote” sets the ovpnclient firewall zone’s input to Accept. But it looks like there are some problems, or something else is still needed.

The feature of the “Allow Remote Access LAN” button is to accept packets from ovpnclient → lan in the firewall. If it is enabled, there is no need to set up port forwarding on the router. Just add the route 192.168.0.0/24 or 192.168.0.200/32 to the OpenVPN server and the server will be able to access the camera directly via 192.168.0.200:88.

This port forwarding not working looks like a bug; have you tried changing 47000 to a different port?
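The route-based setup described above, as an added example that is not part of this thread or GL.iNet’s configuration: an OpenVPN server-side configuration using the thread’s addresses. It assumes a tun-mode server on 10.8.0.0/24, and the client-config file name `flint` is a placeholder for whatever common name is on the Flint’s client certificate.

```conf
# --- server.conf (added example; assumed tun-mode server) ---
server 10.8.0.0 255.255.255.0
topology subnet

# Tell the server's kernel that 192.168.0.0/24 lives behind the tunnel
# interface. This is the "add the route to the OpenVPN server" step.
route 192.168.0.0 255.255.255.0

# Per-client settings are read from files named after the client's CN.
client-config-dir ccd

# --- ccd/flint ("flint" is a placeholder for the Flint's certificate CN) ---
# A kernel route only gets packets as far as the tun device; iroute tells
# OpenVPN which connected client owns 192.168.0.0/24 so the packets for
# 192.168.0.200:88 are sent to the Flint instead of being dropped.
iroute 192.168.0.0 255.255.255.0

# Pin the Flint to the tunnel address used in the thread (subnet topology).
ifconfig-push 10.8.0.6 255.255.255.0
```

With this in place, the server reaches the camera at http://192.168.0.200:88 directly, with no port forward on the Flint; the Flint side still has to accept ovpnclient → lan traffic (the “Allow Remote Access LAN” setting) and the camera’s replies must return through the Flint.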

Hi, I believe I figured out why this is not working. I have an OVPN policy where I configured one of my other devices to use the VPN client to go out to the internet. This is not the device I want to reach with the port forwarding, just a random other device.

If that is configured, the port forwarding to any other device is not working from OVPN. What I had to do is add the camera I want to reach via port forwarding to the OVPN policy, so this device will use the VPN and is also reachable this way from the OVPN network via port forwarding. So I am not sure if this is a bug or if this is how it is supposed to work when we have that policy.

I did not want to do this actually, but it is working. The other question will be: if I also have a WireGuard server on this router and I connect to it from a remote location, will I be able to reach my camera on the LAN from the WG network? I will try this out during the week.
