OpenVPN (easymode) with double NAT

Hi, I’m trying to understand if it’s possible and where do I need to configure an additional route to allow me to reach within the established tunnel, my Lan subnet.

public IP -> ISP router —> Turris LAN

  • Client config generated was edited to reflect true public IP (instead of prefilled 192…).

Openvpn client is getting the default subnet assigned.

But I guess now I will have to instruct client/server to be able to reach LAN via “ISP subnet”. :thinking:

Any suggestions would be welcome… thanks!

Double NAT? there are always problems with that. I don’t have it tested, but you can try it.

It should be like this:
public IP -> (WAN) ISP router, static IP and forwarding port (LAN) -> (WAN) Turris, OpenVPN server (LAN)

  1. First, you must make a static reservation on the ISP router so that Turis always gets the same IP on the Turis WAN port (
  2. then you will make port forwarding (UDP 1194) from the public IP on the LAN ( in the ISP router.
  3. Configure the OpenVPN server in Turis so that clients can connect in a standard way.
  4. Configure the client to connect to the public IP

I have not tested it, so it may not work for the first time, sorry in advance.

Hi Roman. Thanks for the info.
Yes I exactly did all the steps you listed. the ISP router is reserving always the same DHCP IP to to Omnia (else most of my FW “double” forwarded ports” would not work if this IP would suddenly change).
I accepted all default config for the easymode scripts.

**Current settings**
Device: tun_turris
Port: 1194

I noticed the changes in luci (nw interfaces,rules,etc). They seem fine to me.
I am just not understanding where and how with these default configs, the vpn subnet would be allowed to route to the lan subnet. Found the server vpn config in etc/config/openvpn and it lists this which to me seems fine. It is also added to the client when checking logs:

etc/config/openvpn subnet entry:

  	list push 'route'

client config log:

2019-03-23 13:36:07 NIP: adding IPv4 address to network settings
2019-03-23 13:36:07 NIP: adding (included) IPv4 route
2019-03-23 13:36:07 NIP: adding (included) IPv4 route
2019-03-23 13:36:07 NIP: adding (included) IPv4 route
2019-03-23 13:36:07 Connected via NetworkExtensionTUN
2019-03-23 13:36:07 LZO-ASYM init swap=0 asym=1
2019-03-23 13:36:07 Comp-stub init swap=1
2019-03-23 13:36:07 EVENT: CONNECTED x.x.x.x:1194 (x.x.x.x) via /UDPv4 on     NetworkExtensionTUN/ gw=[/]
2019-03-23 13:36:20 NIP: iOS reported network status unavailable
2019-03-23 13:36:20 OS Event: NET UNAVAILABLE (PAUSE): Internet:NotReachable/-R tc-----
2019-03-23 13:36:20 UDP send exception: SYSTEM/Can't assign requested address
2019-03-23 13:36:20 Transport Error: EADDRNOTAVAIL: Can't assign requested address
2019-03-23 13:36:20 EVENT: TRANSPORT_ERROR EADDRNOTAVAIL: Can't assign requested address [ERR]

I wonder where and why these two smaller subnets are added instead of just the /24 :thinking:
NIP: adding (included) IPv4 route
NIP: adding (included) IPv4 route

FW config:

config zone 'vpn_turris'
option enabled '1'
option name 'vpn_turris'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
list network 'vpn_turris'

config rule 'vpn_turris_rule'
option enabled '1'
option name 'vpn_turris_rule'
option target 'ACCEPT'
option proto 'udp'
option src 'wan'
option dest_port '1194'

config forwarding 'vpn_turris_forward_lan_in'
option enabled '1'
option src 'vpn_turris'
option dest 'lan'

config forwarding 'vpn_turris_forward_lan_out'
option enabled '1'
option src 'lan'
option dest 'vpn_turris'

config forwarding 'vpn_turris_forward_wan_out'
option enabled '0'
option src 'vpn_turris'
option dest 'wan'

Is everyone able to “bridge” their ISP router so easily or why isn’t anyone having trouble with double NAT configurations? :slightly_frowning_face:

This is done by a client with iOS (Accessing local LAN through OpenVPN. - OpenVPN Support Forum) - check the client configuration.

So to understand. You get to the VPN server and then it interrupts you? is the VPN connection activity visible in the Turis log?

It connects just fine but then it cannot seem to reach anything else. :frowning:

All i can find as far as logs on the server side is the openvpn-status.log

Updated,Sat Mar 23 18:16:31 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected    
iphone,x.x.x.x:60993,2898,4180,Sat Mar 23 18:15:08 2019
Virtual Address,Common Name,Real Address,Last Ref,iphone,x.x.x.x:60993,Sat Mar 23 18:15:10 2019
Max bcast/mcast queue length,0

Okay, so you connect to the server. The error looks at the client side.
Try another version or another client. I will not advise you better, personally I use a Windows client.
Also try asking the OpenVPN Forum (

Here’s what to talk about:

(maybe a problem in UDP, try TCP)