LAN access OpenVPN server side without NAT?

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.


Occasional Visitor
Hi All.

I want to use pi-hole + OpenVPN running on GCP from my RT-AC86U. After config OpenVPN server and install OpenVPN client on my RT-AC86U, everything works. However, from pi-hole side, all request come from same IP address (OpenVPN client IP). I know this caused by OpenVPN client created a NAT tunnel, when LAN access OpenVPN server, it all from same IP.

So, I tried to disable "Create NAT on tunnel" on this OpenVPN client. Now, from LAN I can reach OpenVPN client IP address, but cannot reach OpenVPN server IP address.

From router, command `route -n` shows: U 0 0 0 tun11 is OpenVPN subnet, tun11 is OpenVPN interface.

I'm wondering what I missed in order to let router forward subnet to OpenVPN server side?

Thanks for your help


Very Senior Member
Not sure I completely understand this config, but I *think* what you're saying is that your pihole is remotely accessible (perhaps on a VPS) via the OpenVPN client on the router, and OpenVPN server on the VPS. But because you've NAT the OpenVPN client, the pihole only sees the OpenVPN client's IP on the tunnel, rather than the LAN ip of the devices on the local network which are accessing the pihole.

Disabling NAT will work *provided* you configure the OpenVPN client/server as site-to-site. IOW, you have to tell the OpenVPN server about the local IP network used by your LAN in order for it to know to route it back over the tunnel!



Occasional Visitor
GCP means Google Cloud Platform. And yes, you are right. This is exactly what I want: site-to-site OpenVPN.

Guess I mess up with client-config-dir. I should put command `iroute <lan subnet>` in ccd/<vpnclient>, but accidentally put `route <lan subnet>`. Now it works.


Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!