One-to-one NAT on the TL-R600VPN
I have a local server on my network, call it 192.168.0.2. This Linux server has an OpenVPN client running that connects it to a cloud VPS (call it 1.2.3.4). The VPS is configured to forward traffic down the tunnel so that, even outside the network, the server can be accessed at 1.2.3.4. (I know that I could port forward on the router, but I cannot do this in practice for a number of reasons.) However, this server has SSL certificates that match public domains (call it example.com), so accessing this server by its IP is not possible, especially on devices such as phones that may not always be on the WiFi.
Traffic could just go through the DSL to 1.2.3.4 then back down to the Linux box, but this would be about 4 orders of magnitude slower than just connecting directly. On computers where I can edit /etc/hosts, this isn't a problem because I just alias example.com to 192.168.0.2, but for phones, it becomes a problem. There are two possible solutions: the first is to change the DNS servers. This is insecure, so I don't want to do it. The second is to do some really easy one-to-one NAT. It takes about 30 seconds in iptables.
Only problem is, this router does not seem to support the kind of one-to-one NAT I'm looking for. The interface selection option in the one-to-one NAT section gives me no options with just one WAN. So far, I have tried the following:
- Placing the server on WAN2 (currently, I have only 1 WAN). The problem with this is that the server cannot access the internet.
- Using routing tables to route 1.2.3.4 via 192.168.0.2 and having the Linux box take both those IPs on the LAN. The router seems to ignore the static route and sends the packets on to the 1.2.3.4 VPS.
- Plugging a dummy device into a second WAN port, then using port forwarding to forward 192.168.255.1 (the fake WAN2 IP) to 192.168.0.2, then using the one-to-one NAT to map 1.2.3.4 to 192.168.255.1. This just doesn't work.
- I haven't really tried VLANs yet because I can't seem to figure out how they work on this particular device... I may switch the server's switch port to be tagged and then give the server access to the WAN2 port via the tagged VLAN and use one-to-one NAT, but I haven't tried this yet.
Any ideas for how to make this work on this router?
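For reference, here is the iptables hairpin one-to-one NAT the question describes as easy, written out as an added example for a Linux box acting as the LAN gateway; it is not the TL-R600VPN's configuration and not code from the original post. The addresses follow the question; the LAN interface name eth1 and the port list (443 only) are assumptions.

```shell
#!/bin/sh
# Added example: hairpin (loopback) one-to-one NAT on a Linux gateway.
# LAN clients that resolve example.com to 1.2.3.4 are steered to the
# server's private address instead of going out over the DSL and back.
# Addresses follow the question; LAN_IF and PORTS are assumptions.
LAN_NET="192.168.0.0/24"
SERVER="192.168.0.2"
PUBLIC="1.2.3.4"
LAN_IF="${LAN_IF:-eth1}"
PORTS="${PORTS:-443}"   # only expose what the server actually serves

# $1 is the iptables command to run; pass "echo" to print the rules
# instead of applying them (used for review and for testing below).
hairpin_nat_rules() {
    ipt="${1:-iptables}"
    # 1. Rewrite the destination: LAN traffic for the public address
    #    is delivered to the server on the LAN.
    "$ipt" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$PUBLIC" \
        -p tcp -m multiport --dports "$PORTS" \
        -j DNAT --to-destination "$SERVER"
    # 2. Rewrite the source: client and server share a subnet, so without
    #    this the server would reply directly from 192.168.0.2, and the
    #    client (which sent to 1.2.3.4) would drop the mismatched reply.
    "$ipt" -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER" \
        -p tcp -m multiport --dports "$PORTS" -j MASQUERADE
    # 3. Permit the hairpinned flow on a default-drop FORWARD chain.
    "$ipt" -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$SERVER" \
        -p tcp -m multiport --dports "$PORTS" -j ACCEPT
}
```

Run `hairpin_nat_rules echo` first to review the rules, then `hairpin_nat_rules` as root to apply them (the gateway must already have IP forwarding enabled).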