remote access via VPN fails at firewall of XR500

[astraub]

I managed to setup the VPN server in the XR500 and can connect through OpenVPN using my mobile devices.

The VPN connection is also showing up in the logs of the XR500.

 

Looking at the mobile device settings I can see that I end up at IP address 192.168.1.2 - which is my WAN port

address of the XR500. My local LAN is however in the subnet 192.168.0.x - which means to me that the access

point of the VPN is not after the firewall, but directly in front of it. I can punch port forwards in the firewall, but this

would completely defeat the purpose of the VPN connection.

 

How can this happen? I would expect that the VPN connection would end up in the LAN subnet?

 

Could I for example use an additional line in the OpenVPN config file:

      route 192.168.0.1 255.255.255.0

 

 

 

[Netduma Fraser]

Are you saying the mobile gets that IP or that is the gateway IP it shows? 

[astraub]

Yes, it gets the IP of the WAN port - which is in a different subnet than the LAN I want to reach. Currently I am experimenting with "route" and "iroute" in the client script ....

[Netduma Fraser]

Unless I've misunderstood I think that is fine as a tunnel has been created, are you having an issue of the VPN not changing your public IP address?

[astraub]

No, I can only ping the WAN / client address (192.168.1.2). I can neither connect to the first router at 192.168.1.3(!) and also not to the target LAN at 192.168.0.x. I have tried pinging all possible addresses.

 

Using routes in the client config did not change anything. What about fixed routes in the XR500?

 

[Netduma Fraser]

Ahh I see, could you use TUN instead of TAP please and see if that resolves the issue. iOS doesn't seem to support TAP Protocols.

[astraub]

Yes, I was aware of this limitation. Potentially this is also the reason why the bridging between the two subnets does not work.

The default configuration only uses tun:

client
dev tun
proto udp
remote  xxxxxxxx 12973
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>

....

 

[Netduma Fraser]

Are you using the VPN Hybrid or the VPN Service in the Netgear Settings? Is this config on the phone itself?

[astraub]

I am using the VPN Server (not the Hybrid VPN). And yes, this is the config file generated by the server and which is being imported in the client application. I only change the Server IP to the DynDNS hostname (xxxxxx).

[Netduma Fraser]

What is your actual physical setup and how is your XR500 connected - via DMZ, modem mode? 

[astraub]

The Problem is the double NAT. I decided to get a separate modem to get around this problem. So you can close this request.

[Netduma Fraser]

Yeah I figured from your last comment that could be the issue. If it doesn't work feel free to open another topic. Though you should be able to put the XR500 in the DMZ of your ISP Hub and that should work.