
RT-AC66U can't access OpenVPN network from WAN


fundorin

Hi. I have a Windows PC at home, which is connected to an AC66U. The router is running Merlin LTS Fork (374.43).
What I want is to be able to access the PC's HDD from my laptop when I'm not home.

What I did:
I registered a DDNS name for the router (both asuscomm.com and ddns.net are working).
I set up an OpenVPN server on the router (port 1194) and exported the configuration.
The configuration was successfully imported into the OpenVPN client on the laptop.

The thing is that I can only connect to the OVPN server from my home network.
The DDNS name is resolving to an actual IP (tested with online services), but the router doesn't respond to ping and it seems like the port/any ports are closed when trying to access it from outside.

On the router VPN tab I can see that OVPN server is running and when I connect to it from home, I can see client1 successfully connected.

VPN server is set to TUN, UDP, 1194 (tried other ports, same thing)

In VPN details firewall is set to auto.
Authorization - TLS
Username/Password authentication is enabled.
Push LAN - yes
Direct clients to redirect internet traffic - yes
Respond to DNS - yes
Advertise DNS - yes

On the firewall tab:
Firewall - yes
DoS - no
Respond to ping from WAN - yes

Online nslookup services are able to resolve my DDNS names to the actual IP, but, as I mentioned, online port checkers are saying that both 1194 and common ports are open/filtered. Some services are just saying that they are filtered.

How can I set up the router to be able to connect to its OVPN from outside? Thanks in advance.
 
Hi,
What exactly happens when you try to connect to the OpenVPN server with your laptop (the one where you installed the OpenVPN client software and copied the opvpn.ovpn file) from outside your LAN (presumably your laptop is then connected to a mobile 4G network)?
What does the log of the OpenVPN client software indicate?

Doing this test (from outside your LAN) is indeed the only way to make sure your configs are OK.
 
I'm currently on my local network, but I have logs from when I was trying to connect from outside. It's basically these several lines all the time:

Code:
[Aug 21, 2022, 13:00:51] Connecting to [myname.ddns.net]:1194 (100.122.*.*) via UDPv4
[Aug 21, 2022, 13:01:01] Server poll timeout, trying next remote entry...
[Aug 21, 2022, 13:01:01] EVENT: RECONNECTING
[Aug 21, 2022, 13:01:01] EVENT: RESOLVE
[Aug 21, 2022, 13:01:01] Contacting 100.122.*.*:1194 via UDP
[Aug 21, 2022, 13:01:01] EVENT: WAIT
[Aug 21, 2022, 13:01:01] WinCommandAgent: transmitting bypass route to 100.122.*.*
{
    "host" : "100.122.*.*",
    "ipv6" : false
}
 
When connecting from LAN, everything's fine. I can access both internet and local shares.
Code:
[Aug 26, 2022, 11:34:30] Connected via TUN_WIN
 
What software do you use on your laptop to connect? What is the OS of your laptop?
 
Oops ... it seems that you have a private IP as your WAN ==> in your log the address 100.122. is a private one.
In order to be able to access from outside, you must have a public IP as WAN ... that is the problem.


Unfortunately, no. There are some providers in the area who have this option, but I've been with mine for 20 years and don't want to switch, to be honest. There's a paid "white IP" option, though, which I'm considering enabling.
 
So you only get a private IPv4 from your ISP? That's really bad!
 
If you can't get/purchase a static public IP from your ISP, then you might want to consider a VPS and running your own OpenVPN server there. You would have your OpenVPN client on the home router connect to it in a site-to-site configuration. When on the road, you would then connect to that same OpenVPN server (non site-to-site) and get routed back to your home network.

Another option would be to use a commercial OpenVPN provider that supports port forwarding on their end of the tunnel (AirVPN, Mullvad, etc.). This relieves you from managing the VPS and OpenVPN server, but it means you're exposed from the client to the VPN provider unless you first establish an OpenVPN client connection to that same VPN provider. Given so many ppl are already paying for a VPN provider, this may be more cost effective (i.e., kill two birds w/ one stone).

Of course, having access to a public IP simplifies matters dramatically and may be worth the cost.
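
Added example, not part of any post in this thread: a small Python check for the condition diagnosed above, where the address the OpenVPN client tries to reach is not publicly routable. It assumes the "Contacting <ip>:<port> via UDP" log format shown in the thread; the full address in the sample log is constructed, and 100.64.0.0/10 (which contains 100.122.x.x) is the RFC 6598 shared address space ISPs use for carrier-grade NAT.

```python
import ipaddress
import re

# IPv4 ranges that cannot receive unsolicited inbound traffic from the internet.
NON_ROUTABLE = [
    ("10.0.0.0/8", "RFC 1918 private"),
    ("172.16.0.0/12", "RFC 1918 private"),
    ("192.168.0.0/16", "RFC 1918 private"),
    ("100.64.0.0/10", "RFC 6598 shared address space (carrier-grade NAT)"),
]

# Matches the "Contacting <ip>:<port> via UDP" client log line shown in the thread.
CONTACT_RE = re.compile(r"Contacting (\d{1,3}(?:\.\d{1,3}){3}):(\d+) via (UDP|TCP)")


def classify(ip: str) -> str:
    """Return the name of the non-routable range containing ip, or 'public'."""
    addr = ipaddress.ip_address(ip)
    for cidr, label in NON_ROUTABLE:
        if addr in ipaddress.ip_network(cidr):
            return label
    return "public"


def server_endpoints(log_text: str) -> set:
    """Extract the (ip, port, proto) tuples the client tried to reach."""
    return {(m[1], int(m[2]), m[3]) for m in CONTACT_RE.finditer(log_text)}


def diagnose(log_text: str) -> list:
    """Report every server address in the log that is unreachable from outside."""
    findings = []
    for ip, port, proto in sorted(server_endpoints(log_text)):
        kind = classify(ip)
        if kind != "public":
            findings.append(f"{ip}:{port}/{proto} is {kind}: inbound "
                            "connections from the internet cannot reach it")
    return findings


# Constructed sample in the thread's log format (the full address is made up).
SAMPLE_LOG = """\
[Aug 21, 2022, 13:01:01] Contacting 100.122.10.20:1194 via UDP
[Aug 21, 2022, 13:01:11] Server poll timeout, trying next remote entry...
"""

if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG) or ["server address is publicly routable"]:
        print(line)
```

The same `classify` call can be run on the WAN IP shown on the router's status page: any result other than `public` means port forwarding or a VPN server on the router cannot be reached from outside without help from the ISP or a relay.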
 
