Router VPN server subnet issue

My goal is to have a VPN server setup so I can connect to my network while away from home without opening up any ports on the router. My router is a crappy TPLink Archer AX3000. When configuring the OpenVPN server through the admin UI it prevents the reserved VPN IPs from being on the same subnet as the DHCP IP pool. This means that even though I can connect to my VPN externally it can’t actually talk to the machines on my network.

I’m wondering what I can do here. I have access to a Linux server running some containers and a Synology NAS. Not sure if I should just use a different server software or if there is something simpler that I am missing. I’m a software engineer by trade so this networking stuff is sometimes a bit out of my league.

I appreciate any help or advice.

Edit: screenshot of router OpenVPN UI

Most of the VPN servers that I’ve used are set up this way.

You create firewall / routing rules to allow your (VPN) IP addresses access to whatever IP range you need on your local network.

The OpenVPN server allocates its own IP pool to clients, and that pool can’t overlap with the rest of your network. Done correctly, this will be transparent to your other devices. For example, suppose your network is 10.0.1.0/24, the VPN network is 10.0.2.0/24, your NAS is 10.0.1.5, your router is 10.0.1.1, OpenVPN binds essentially to 10.0.2.1, and the IP given to your phone when remote is 10.0.2.5. Your NAS has a default route to 10.0.1.1, meaning all traffic other than 10.0.1.0/24 will be sent to the router for figuring out. The OpenVPN server needs to know that 10.0.1.0/24 exists and should be a published route, and your router needs to know that 10.0.2.0/24 exists as a static route. That last line might be taken care of for you since it’s built in, but the route (subnet) to push via OpenVPN probably isn’t. You have to tell OpenVPN which subnets you want your clients to know about, so the client will route those subnets over the VPN link. This typically isn’t hard-coded into your .ovpn file, but on the server side for which routes are “pushed”, so check that.

I’ve seen where you have to add a static route on the 10.0.1.5 device to explicitly send traffic for 10.0.2.0/24 to 10.0.1.1, but that’s when you get more exotic like having multiple interfaces on the same server and each is on a different subnet.

Look at the OpenVPN logging on the client side, it’ll tell you which routes are pushed so you can confirm if that’s your missing component.
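The three pieces the answer above describes (a disjoint VPN pool with the LAN route pushed to clients, a static route back on the router, and forwarding on the VPN host), plus the client-side log check, as an added example that is not part of the original thread. The interface names tun0/eth0, the server LAN address 10.0.1.10 and the sample log line are assumptions for illustration.

```python
import ipaddress
import re


def plan_routes(lan_cidr, vpn_cidr, vpn_server_lan_ip):
    """Return what each side needs so VPN clients can reach the LAN.
    Raises ValueError on the overlap the router UI refuses."""
    lan = ipaddress.ip_network(lan_cidr)
    vpn = ipaddress.ip_network(vpn_cidr)
    server_ip = ipaddress.ip_address(vpn_server_lan_ip)
    if lan.overlaps(vpn):
        raise ValueError(f"VPN pool {vpn} overlaps LAN {lan}; pick a disjoint subnet")
    if server_ip not in lan:
        raise ValueError(f"{server_ip} is not inside {lan}")
    return {
        # OpenVPN server.conf: hand out VPN addresses and push the LAN route to clients
        "openvpn_server": [
            f"server {vpn.network_address} {vpn.netmask}",
            f'push "route {lan.network_address} {lan.netmask}"',
        ],
        # Router (default gateway): static route so LAN replies reach the VPN subnet
        "router_static_route": f"{vpn} via {server_ip}",
        # Linux VPN host: forward between the tunnel and the LAN (assumed interface names)
        "linux_forwarding": [
            "sysctl -w net.ipv4.ip_forward=1",
            "iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT",
            "iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        ],
    }


PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'")


def pushed_routes(client_log):
    """List the 'route <net> <mask>' options a client received in PUSH_REPLY."""
    routes = []
    for line in client_log.splitlines():
        m = PUSH_RE.search(line)
        if not m:
            continue
        for opt in m.group(1).split(","):
            parts = opt.split()
            if len(parts) == 3 and parts[0] == "route":
                routes.append(str(ipaddress.ip_network(f"{parts[1]}/{parts[2]}")))
    return routes


# Constructed sample of an OpenVPN client log, not a real capture
SAMPLE_LOG = """\
2024-01-01 12:00:00 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2024-01-01 12:00:00 PUSH: Received control message: 'PUSH_REPLY,route 10.0.1.0 255.255.255.0,dhcp-option DNS 10.0.1.1,ifconfig 10.0.2.5 255.255.255.0,peer-id 0'
"""
```

If `pushed_routes` returns an empty list for your client log, the server is not pushing the LAN subnet and clients will never route it over the tunnel.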

For those following along, I decided to install WireGuard VPN on my Linux server and am forwarding all VPN traffic through that. So I had to open a port on the router, but it appears to be correctly routing traffic to my machines on my local network now while connected to the WireGuard VPN.

This means that even though I can connect to my VPN externally it can’t actually talk to the machines on my network.

this is by design. unless you have an L2 WAN, you cannot have devices across the internet (or another network) on the same broadcast domain. they must be routed at layer 3.

something is preventing it from being routed, possibly a policy on your router.

can you screenshot the OpenVPN setup page?

I don’t know that router, but the OpenVPN on my router has an option to “Advertise DNS to clients” in the Advanced section - that has to be checked “Yes” for your remote client to access machines on your home LAN.

I’ve added a screenshot of the UI. Not very many options.

Away from home at the moment so can’t get a screenshot of the page but it’s literally 2 options: Starting IP and subnet mask. So maybe I run OpenVPN on the Linux machine to give me more configurability?

I added a screenshot of the UI for the OpenVPN config. No real useful options to help here.

that doesn’t seem right. OpenVPN on TPLink routers is really straightforward and easy.

you should see something like this. I took this screenshot of an AX3000 Emulator on the TPLink site.

https://imgur.com/a/vHIPi27

are you sure this is where you are doing it? If you are using PPTP or something else, you may have to manually set some routes.

you can install Tailscale on your Synology, and the Synology also has a VPN server with more options than the TP-Link, but you will have to port forward for the latter to work correctly.

you do not need to port forward for Tailscale.

I’ll check out this Tailscale. I’ve not heard of it. I’m not opposed to buying a new router as well, but not sure what’s a good option that would support all the options I need.

so here is a question… is your TP-Link exposed to the internet or do you go through another ISP router?

ISP modem is in bridge mode so the router is exposed to the internet.