Question Asus Merlin OpenVPN, need help with port forwarding with Huawei Modem

93boba

Distinguished
Nov 24, 2015
122
3
18,715
I'm seeking assistance in setting up my Asus OpenVPN to function outside my local network. Currently, I can only connect to my Asus VPN while on the local network, but I would like to extend its accessibility to devices outside the network. (that's the point)

I have a Huawei HG8247H modem and I believe I need assistance with port forwarding. It would greatly benefit me if someone could guide me through the process, as I'm not very familiar with port forwarding. I am willing to provide any necessary screenshots or information to facilitate this setup.

I want to emphasize that I have administrative privileges for my Huawei modem, which should help streamline the configuration process. Your support in making this work would be greatly appreciated.
 
The default port for OpenVPN Server is 1194/UDP, so that's what you would need to forward to your Asus router, unless it was changed from default.

I don't have that router, but according to this there should be a "Forward Rules" under "Device Information". There you should set:

Start External Port: 1194
End External Port: 1194

Start Internal Port: 1194
End Internal Port: 1194

Start External Source Port: (leave empty)
End External Source Port: (leave empty)
Protocol: UDP
External Source IP Address: (leave empty)
Mapping Name: Anything you want (maybe OpenVPN Server?)
Internal Host: (IP Address of your ASUS Router. If you have multiple addresses, it should be the one on the same network as the LAN network on the Huawei.)

This should forward any packets received on the WAN address, port 1194 and protocol UDP to the Asus LAN address, also port 1194/UDP. After this you should be able to connect to OpenVPN using the public IP on the Huawei.
 

93boba

I can set up any port in Asuswrt for OpenVPN server, but I did set default 1194...
Also, I want to mention that I am in a double NAT environment. With these settings, I am able to connect to OpenVPN on local network both with PC and cellphone, however outside I get timeouts...


@Murissokah

My IP address in Asuswrt is static and both external/internal ports are set to 1194 (don't mind the uploaded photo missing internal port)
 
By double NAT, do you mean you have NAT on the Asus and on the Huawei? Or Source / Outbound NAT?

Do you also have firewall rules allowing 1194 on the Asus coming from the Huawei? And also on the Huawei, it might have firewall enabled, in which case you need to allow 1194/TCP inbound.
 

93boba

By double NAT, do you mean you have NAT on the Asus and on the Huawei? Or Source / Outbound NAT?

Do you also have firewall rules allowing 1194 on the Asus coming from the Huawei?
Yes, I have NAT on Asus and also Huawei Modem...
I didn't change any firewall settings, only port forwarding. I'll check it now

Also, to understand a little better, is your LAN 192.168.100.0/24? Or is this network just between the Routers and you use another LAN on the Asus?
Huawei modem uses 192.168.100.0/24 and Asus uses 192.168.1.0/24
 

93boba

Mmm, then I would check both for firewall rules. Asus should allow 1194/UDP inbound on the interface that has an address in the 192.168.100.0/24 network, and the Huawei needs to allow 1194/UDP inbound on WAN.
Also, I want to mention that OpenVPN Server IP is equivalent to my Asuswrt WAN IP. ..
 
Also, I want to mention that OpenVPN Server IP is equivalent to my Asuswrt WAN IP. ..

Yeah, I imagined it would be the case, that's why I asked if you had different LANs. This means you have a firewall between the two of them and need a rule to allow traffic from the Huawei to the Asus WAN. And since the Huawei also has a firewall on the WAN, that also needs a rule for 1194/UDP inbound.
 

93boba

Yeah, I imagined it would be the case, that's why I asked if you had different LANs. This means you have a firewall between the two of them and need a rule to allow traffic from the Huawei to the Asus WAN. And since the Huawei also has a firewall on the WAN, that also needs a rule for 1194/UDP inbound.
Is this correct? I'm sorry, I'm not good in this field.
 
Is this correct? I'm sorry, I'm not good in this field.
On the left it should not be "WAN Access Control", it should be on "Firewall Level Configuration". There it should be either "disabled" or "custom", in which case you should be able to create the rule for UDP 1194.

On the right it looks ok, you could limit access to the Huawei by adding its LAN address as "Remote IP/CIDR".
 

93boba

On the left it should not be "WAN Access Control", it should be on "Firewall Level Configuration". There it should be either "disabled" or "custom", in which case you should be able to create the rule for UDP 1194.

On the right it looks ok, you could limit access to the Huawei by adding its LAN address as "Remote IP/CIDR".

There is nothing else than this in Firewall Level Configuration...
-disabled
-high
-medium
-low
-user defined
 
Mmm... user defined implies the user should be able to define the rules, though I don't see a rule list. Weird. Maybe it auto-allows the ports that are forwarded. Have you tried connecting to OpenVPN with this config?
 

93boba

Without success still...
[Jun 16, 2023, 22:19:09] Connecting to [192.168.100.2]:1194 (192.168.100.2) via UDPv4
[Jun 16, 2023, 22:19:19] Server poll timeout, trying next remote entry...
[Jun 16, 2023, 22:19:19] EVENT: RECONNECTING
[Jun 16, 2023, 22:19:19] EVENT: RESOLVE
[Jun 16, 2023, 22:19:19] Contacting 192.168.100.2:1194 via UDP
[Jun 16, 2023, 22:19:19] EVENT: WAIT
[Jun 16, 2023, 22:19:19] WinCommandAgent: transmitting bypass route to 192.168.100.2
{
"host" : "192.168.100.2",
"ipv6" : false
}

[Jun 16, 2023, 22:19:19] Connecting to [192.168.100.2]:1194 (192.168.100.2) via UDPv4
[Jun 16, 2023, 22:19:29] Server poll timeout, trying next remote entry...
[Jun 16, 2023, 22:19:29] EVENT: RECONNECTING
[Jun 16, 2023, 22:19:29] EVENT: RESOLVE
[Jun 16, 2023, 22:19:29] Contacting 192.168.100.2:1194 via UDP
[Jun 16, 2023, 22:19:29] EVENT: WAIT
[Jun 16, 2023, 22:19:29] WinCommandAgent: transmitting bypass route to 192.168.100.2
{
"host" : "192.168.100.2",
"ipv6" : false
}

[Jun 16, 2023, 22:19:29] Connecting to [192.168.100.2]:1194 (192.168.100.2) via UDPv4
[Jun 16, 2023, 22:19:39] Server poll timeout, trying next remote entry...
[Jun 16, 2023, 22:19:39] EVENT: RECONNECTING
[Jun 16, 2023, 22:19:39] EVENT: RESOLVE
[Jun 16, 2023, 22:19:39] Contacting 192.168.100.2:1194 via UDP
[Jun 16, 2023, 22:19:39] EVENT: WAIT
[Jun 16, 2023, 22:19:39] WinCommandAgent: transmitting bypass route to 192.168.100.2
{
"host" : "192.168.100.2",
"ipv6" : false
}

[Jun 16, 2023, 22:19:39] Connecting to [192.168.100.2]:1194 (192.168.100.2) via UDPv4
[Jun 16, 2023, 22:19:49] Server poll timeout, trying next remote entry...
[Jun 16, 2023, 22:19:49] EVENT: RECONNECTING
[Jun 16, 2023, 22:19:49] EVENT: RESOLVE
[Jun 16, 2023, 22:19:49] Contacting 192.168.100.2:1194 via UDP
[Jun 16, 2023, 22:19:49] EVENT: WAIT
[Jun 16, 2023, 22:19:49] WinCommandAgent: transmitting bypass route to 192.168.100.2
{
"host" : "192.168.100.2",
"ipv6" : false
}

[Jun 16, 2023, 22:19:49] Connecting to [192.168.100.2]:1194 (192.168.100.2) via UDPv4
[Jun 16, 2023, 22:19:59] EVENT: CONNECTION_TIMEOUT
BYTES_OUT : 840
PACKETS_OUT : 60
CONNECTION_TIMEOUT : 1
N_RECONNECT : 5
[Jun 16, 2023, 22:19:59] EVENT: DISCONNECTED
Mmm... user defined implies the user should be able to define the rules, though I don't see a rule list. Weird. Maybe it auto-allows the ports that are forwarded. Have you tried connecting to OpenVPN with this config?
 
It's trying to connect using the LAN address, you need to change the OpenVPN config to use the WAN address from your Huawei. Otherwise it really should not connect.

To expand on this a bit, your ASUS Router does not know (and cannot know) it is behind another router. Therefore it's creating an OpenVPN configuration that believes its WAN address is publicly accessible, which is not the case. You will need to find out which is the public IP address associated on the Huawei and edit the config file to use that. It's possible that the OpenVPN Server configuration on the Asus allows you to set an arbitrary IP, which would allow you to download a working configuration from it.

Also keep in mind end user WAN addresses are usually dynamic, meaning they will change with time and you would need to update the config. How often this happens depends on your provider. This can be mitigated using a dynamic DNS service, I can elaborate on that if you like.
 

93boba

It's trying to connect using the LAN address, you need to change the OpenVPN config to use the WAN address from your Huawei. Otherwise it really should not connect.

To expand on this a bit, your ASUS Router does not know (and cannot know) it is behind another router. Therefore it's creating an OpenVPN configuration that believes its WAN address is publicly accessible, which is not the case. You will need to find out which is the public IP address associated on the Huawei and edit the config file to use that. It's possible that the OpenVPN Server configuration on the Asus allows you to set an arbitrary IP, which would allow you to download a working configuration from it.

Also keep in mind end user WAN addresses are usually dynamic, meaning they will change with time and you would need to update the config. How often this happens depends on your provider. This can be mitigated using a dynamic DNS service, I can elaborate on that if you like.
Yes, I forgot to swap the wan ip with public last time. It works now, thank you very much!
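
A check for the failure diagnosed in this thread, added here as an example (it is not code from either poster or from Asuswrt-Merlin): it reads the remote lines of an exported client profile and reports entries that are not globally routable or that do not match the 1194/UDP forward rule on the Huawei. The sample profile, the hostname vpn.example.net and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample profile (not taken from the thread's router), modelled on
# the posted log: the first remote is the Asus WAN address on the Huawei's LAN.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote 192.168.100.2 1194
remote vpn.example.net 443 tcp
; remote 10.0.0.1 1194
"""

def parse_remotes(text):
    """Return [(host, port, proto)] for each 'remote' line of an .ovpn profile."""
    port, proto, remotes = 1194, "udp", []
    lines = [l.split() for l in text.splitlines()
             if l.strip() and l.lstrip()[0] not in "#;"]   # skip comments
    for words in lines:                      # profile-wide defaults first
        if words[0] == "port" and len(words) > 1:
            port = int(words[1])
        elif words[0] == "proto" and len(words) > 1:
            proto = words[1]
    for words in lines:                      # syntax: remote host [port] [proto]
        if words[0] == "remote" and len(words) > 1:
            r_port = int(words[2]) if len(words) > 2 else port
            r_proto = words[3] if len(words) > 3 else proto
            remotes.append((words[1], r_port, r_proto))
    return remotes

def audit(text, fwd_port=1194, fwd_proto="udp"):
    """List reasons a remote cannot work from outside, given the forward rule."""
    problems = []
    for host, port, proto in parse_remotes(text):
        try:
            if not ipaddress.ip_address(host).is_global:
                problems.append(f"{host}: not reachable from the Internet")
        except ValueError:
            pass                             # hostname: check what it resolves to
        if port != fwd_port:
            problems.append(f"{host}: port {port} is not forwarded")
        if not proto.startswith(fwd_proto):  # also accepts udp4/udp6
            problems.append(f"{host}: proto {proto} is not forwarded")
    return problems

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PROFILE)))
```
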
 