Thank you!

 

>> As far as I know, NAT is enabled by default and cannot be turned off.
That is bad news. I was looking for a bit more versatile router,.

 

>> You are using R605 as OpenVPN Server, right?  

Yes.

(The goal is: I have a LAN 192.168.0.0/24 behind a DSL NAT Router. I need to make a couple of hosts (12 surveillance cameras in that LAN) accessible from the outside. So the OVPN-Server should be accessible from outside (by forwarding a port to 1194 of the TP-Link-router) and give access to the OVPN-client from there)

=> so the OVPN remote client finally needs to be routed or bridged into the same LAN, the WAN port is part of )

 

>> Did you add any other parameters when you exported the openvpn configuration file?

Yes: two lines with  remote and port

>> Did the tunnel build successfully?

Yes.

In both setups: a) coming from the outer LAN and b) coming from the Internet through a portforward onto the TP-Link-router 1194.

>> Can you try pinging the local IP shown on the tunnel to see if you can get through?

Yes. See terminal  "log":

 

tschloss@Mac-mini % ifconfig

....

utun8: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    options=6463<RXCSUM,TXCSUM,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
    inet 192.168.2.38 --> 192.168.2.38 netmask 0xffffffff
 

tschloss@Mac-mini % ping 192.168.2.38
PING 192.168.2.38 (192.168.2.38): 56 data bytes
64 bytes from 192.168.2.38: icmp_seq=0 ttl=64 time=46.462 ms
64 bytes from 192.168.2.38: icmp_seq=1 ttl=64 time=3.335 ms
64 bytes from 192.168.2.38: icmp_seq=2 ttl=64 time=3.330 ms

  @tschloss 

What kind of server are you trying to access? Is that some kind of server that you are able to use IP to log in like the shared folders?

I am using the 606 in server mode and want to be accessed from outside the DSL NAT router. I will post an update separately.

Thank you for contributing.

 

I tweaked it to work more or less like expected.

 

The key finding was that the built-in OpenVPN-server runs in bridged mode!

 

As soon as I defined the VPN target network identical with the LAN definition of the router itself I had access to the hosts in this network. The tun endpoint no longer hangs in the air.

 

So this is the working setup:

605/router (NAT forced by TPL): 

- WAN = 192.168.100.204 (/24)  [this is because the DSL router's LAN is 192.168.100.0/24 and I need a portforward]

- LAN = 192.168.0.0/24 GW:.1

605/OVPN-server (bridged forced by TPL):

- target = 192.168.0.0/24 GW per definition .1

- pool = 192.168.0.32/28

Upstream context:

DSL-NAT Router:

- WAN = DHCP (with DyDNS)

- LAN = 192.168.100.0/24

- Portforward UDP/11194 >> 192.168.100.204:1194

 

I would have preferred a routed solution (expecting the 605 can be configured as a router - not only a NAT router) but I can live with this limited setup.

 

I also added two lines to the ovpn-client-config:

route-nopull

route 192.168.0.0/24

 

This enables split-tunneling to make sure only this traffic (and not all traffic) is sent into the tunnel.

Caveat: if the client lives in a 192.168.0.0 network this will not work. 

 

So I can access the inner hosts behind a NAT Internet router through a DynDNS IP, forwarded to the OpenVPN-server in the inside of the LAN, bridging remote clients into the LAN.