New Around Here
How to port forward from one DDNS WAN accessible ASUS MERLIN router through OPENVPN to another ASUS DDWRT router to a specific Static IP?

My setup:
@Home ASUS Merlin with OPENVPN Server with DDNS hosting two LAN police scanner web pages.

@Work ASUS DDWRT connected as "client" to @Home Asus Merlin Router with a UNIDEN SDS200 scanner via Ethernet.

I am able to ping from @WORK "client" network to server network @HOME, as well as back from server network to client network, and have 100% access 24/7 to either network via OPENVPN across either LAN.

Network path I am looking to complete:

*Green is fully functional via LAN, RED is where I believe I am having trouble...

I have added port forwarding to the ASUS Merlin @Home (which it's network is to the VPN'd SDS200 (Police Scanner) with static IP of, I am able to access locally from either VPN'd network, but I can't access it via WAN / DDNS "" which again is hosted @home


Part of the Furniture
Despite the descriptive details given, it's not totally clear what's being attempted here. A diagram (even handwritten) might have helped a lot more.

Best I can tell, you have a site-to-site VPN established and want to remotely access some device on the OpenVPN client side (work) from the WAN of the OpenVPN server side (home).

If I have that right, it's probably NOT working because when the traffic is routed over the OpenVPN tunnel and reaches the work network, given it has a *public* IP, the work network routes the replies over its own WAN rather than back over the tunnel, where it can correctly be routed over the WAN of the home network.

To fix it, you have to force that specific traffic to be routed back over the OpenVPN tunnel by NAT'ing it on the home network (OpenVPN server side). That will force the replies back over the tunnel, where it can finally be routed over the same WAN by which it entered your home network.

iptables -t nat -I POSTROUTING -o tun21 -p tcp -d --dport 5151 -j MASQUERADE

I'm assuming you're using OpenVPN server #1 (tun21).
Last edited:


New Around Here
All you have re-stated is correct site-to-site VPN. The perpose of this is the ASUS DDWRT router at work is connected VIA wl01 5GHZ to an open xfinitywifi in "client" mode to establish WAN / Internet. I will try this code you have so graciously provided either this evening when I get home or tomorrow morning.

Thank you so very much!


Part of the Furniture
P.S. You could modify that rule slightly to generalize it a bit more.

iptables -t nat -I POSTROUTING -o tun2+ ! -s $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -j MASQUERADE

IOW, it will ONLY nat the tunnel when the source IP is NOT from the local network (in this case,, regardless of the specific target on the network. And regardless of which OpenVPN server.

It's NOT that the other rule won't work. But it's sometimes better to find a rule that won't need to be changed should something else change (e.g., addition of another target device, the local IP network assigned on the home network, which OpenVPN server, etc.). You set it once and never have to revisit it.

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!