B20X openvpn remote user access - android

Hi,

Hoping for some help please.
I read this guide to setup remote user access Configure Remote User Access using OpenVPN and chose a vlan which has my NAS

I have an android phone (grapheneos) and installed OpenVPN for Android (by Arne Schwabe), imported both full and split profiles from the B20X (latest firmware)

I can connect the tunnel with either full or split profile. In the router page connected clients, I can see my phone has connected and has been assigned a correct IP for that VLAN, but I can’t connect the phone to anything.
There is also a pi on this vlan (connected locally) and that can connect to the NAS and ping it, so local routing is fine. But the pi cannot ping the phone.
The phone has the app Termux giving me a command prompt, and I cannot ping from the phone to the NAS or Pi.

There is limited outbound connectivity on this vlan (some specific ports are allowed for the NAS like time. The pi which I use to administer the NAS has no internet connectivity).
I was hoping to have this vlan for the purpose to VPN in and use the NAS for music, syncing files etc but have no outbound - hopefully making this a safe (ish) way to get access to my NAS.

I’ve searched through the forum and some posts have come close to a solution

There’s no port forwarding setup (I previously port forwarded 443 and used a reverse proxy in combination with different sub domains for different services from the NAS like movies.mydomain.com and files.mydomain.com, but with a VPN I hoped to not need to forward any ports)
The firewall rules are not restrictive within the vlan.
I have a block all rule within “Inbound Firewall Rules” & “Local Service Firewall Rules” both set to log events and nothing is showing as being blocked when I try to ping from the phone or connect to the nas with a browser.

I think it all points to a routing problem of some kind but I’m at a loss if this is a fix that is applied on the router side or app on the phone.
If I make changes in the router, do I need to regenerate the OpenVPN profiles?
Within the LAN settings for this VLAN, I have DNS servers assigned automatically, but my pi which has no actual access to the internet so cannot see those DNS servers can access the NAS just fine.

Any help or pointers will be greatly received :slight_smile:

Just adding a bit more info.
On the main network page Network Tab > Network Settings
DNS proxy is enabled
I have the NAS added in “Local DNS Records”
DNS Resolvers - WAN connection - I have an OpenVPN DNS server for ProtonVPN as all my other VLANs are set to outbound using my protonvpn connection.
But my NAS VLAN has not been set to use protonvpn in “Outbound Policy”

Little update
There was an option within the phone app “no local binding”

With this selected, I can ping the vlan gateway of the router - so the vpn connects, username and password check, dhcp assigns correct IP and it registers presence in “connected devices” on router status page, but I am still unable to ping the NAS or raspberry pi on that vlan (they have their own firewalls off for test)
I’m just trying things at random right now hoping I get the right setting.

Anyone know a setting that causes this? My phone's connected to the VLAN, I can ping the router, but not the rest of the LAN.

Started all over. Not changed anything in any configs and I can ping the router from the phone but no access to the lan.

I imported the profile from the Peplink and it wouldn’t fully import into the app

Then this is the generated config file within the app

That’s unmodified from my B20X.
Should that route for VPN gateway be all 0s?
Shouldn't the config file from the router contain the routes it's pushing? And as I specified the VLAN for the client to access in Remote User Access, that route should be there?

I’m doing so many searches to get the solution.

By reading these, am I at least looking in the right area? (Although these aren’t peplink specific)

https://blog.bobbyallen.me/2016/02/07/enabling-openvpn-clients-to-access-to-the-lan/

Someone with a Peplink must have tried this before :slight_smile: any help or pointers would be so welcome. I have raised a ticket and will be sure to include screenshots for other folks that may want to do this and aren’t a network guru, which I'm clearly not.

Arne Schwabe's OpenVPN client on Android > mydomain.com > noip.com DDNS > Balance 20X OpenVPN server > VLAN access to NAS

It works!! Hooray!!

Thanks Rokas

So it was an internal firewall rule. But there is a weird thing (weird to my level of understanding anyhow) because the pi wasn’t affected by this rule

VLAN Gateway 10.77.99.217/29
NAS 10.77.99.218
Pi 10.77.99.219

I had two internal network firewall rules to isolate this vlan from all the other vlans

Protocol  Source           Destination      Action
Any       Any              10.77.99.217/29  block
Any       10.77.99.217/29  Any              block

With these rules in place, my pi could ping and login to the NAS. They could talk just fine.
But these stopped the phone (connecting through openVPN as 10.77.99.220) from any communication with other devices on this vlan.

So added a rule and it works

Protocol  Source           Destination      Action
Any       10.77.99.217/29  10.77.99.217/29  allow
Any       Any              10.77.99.217/29  block
Any       10.77.99.217/29  Any              block

But I am not clear on why this internal firewall rule was needed for the phone, but not the pi.
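As an added illustration (not part of the original post, and not Peplink's own code), the following Python model evaluates the two internal-network rule sets quoted above in first-match order against the addresses from the post (gateway .217, NAS .218, Pi .219, phone .220 via OpenVPN). It encodes one assumption that accounts for the Pi/phone difference: two hosts on the same VLAN segment exchange frames through the switch without ever passing the router's firewall, whereas a remote-access VPN client only reaches the VLAN through the router's tunnel interface, so every one of its packets is routed and therefore filtered. The host `10.77.1.5` on another VLAN is a constructed address used to show that the added allow rule keeps the VLAN isolated from the rest of the network.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the post. The rules are written as 10.77.99.217/29; with
# strict=False ipaddress normalises that to 10.77.99.216/29 (hosts .217-.222).
NAS_VLAN = ipaddress.ip_network("10.77.99.217/29", strict=False)
GATEWAY = ipaddress.ip_address("10.77.99.217")
NAS = ipaddress.ip_address("10.77.99.218")
PI = ipaddress.ip_address("10.77.99.219")
PHONE = ipaddress.ip_address("10.77.99.220")          # OpenVPN client address
OTHER_VLAN_HOST = ipaddress.ip_address("10.77.1.5")   # constructed, another VLAN

# Assumption: only the phone reaches the VLAN through the router's VPN tunnel.
VPN_CLIENTS = frozenset({PHONE})

NOT_FILTERED = "not filtered (stays on the VLAN segment)"


def _in(spec, addr):
    """'any' matches everything; otherwise treat spec as a CIDR prefix."""
    if spec.lower() == "any":
        return True
    return addr in ipaddress.ip_network(spec, strict=False)


@dataclass
class Rule:
    src: str      # "any" or CIDR
    dst: str      # "any" or CIDR
    action: str   # "allow" or "block"

    def matches(self, src, dst):
        return _in(self.src, src) and _in(self.dst, dst)


def evaluate(rules, src, dst, default="allow"):
    """First-match evaluation, top to bottom (assumed to mirror the order of
    the router's internal-network firewall list)."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return default


def traverses_router(src, dst, vpn_clients=VPN_CLIENTS):
    """Assumption: traffic between two hosts on the NAS VLAN segment never hits
    the router; traffic to or from a VPN client always does."""
    if src in vpn_clients or dst in vpn_clients:
        return True
    return not (src in NAS_VLAN and dst in NAS_VLAN)


def verdict(rules, src, dst, vpn_clients=VPN_CLIENTS):
    """What the router does with a flow, or a note that it never sees it."""
    if not traverses_router(src, dst, vpn_clients):
        return NOT_FILTERED
    return evaluate(rules, src, dst)


# The two rule sets from the post.
ORIGINAL_RULES = [
    Rule("any", "10.77.99.217/29", "block"),
    Rule("10.77.99.217/29", "any", "block"),
]
FIXED_RULES = [Rule("10.77.99.217/29", "10.77.99.217/29", "allow")] + ORIGINAL_RULES

if __name__ == "__main__":
    flows = [("Pi -> NAS", PI, NAS),
             ("phone -> NAS", PHONE, NAS),
             ("phone -> other VLAN", PHONE, OTHER_VLAN_HOST),
             ("other VLAN -> NAS", OTHER_VLAN_HOST, NAS)]
    for name, rules in (("original rules", ORIGINAL_RULES), ("fixed rules", FIXED_RULES)):
        print(f"== {name} ==")
        for label, s, d in flows:
            print(f"  {label:22s} {verdict(rules, s, d)}")
```

Under the original rules the Pi-to-NAS flow is reported as never reaching the router, while the phone-to-NAS flow is blocked by the first rule because the phone's packets arrive on the tunnel and are routed. The added intra-VLAN allow rule changes only that case; flows crossing into or out of the VLAN from other VLANs still hit the block rules, so the isolation the two original rules were meant to provide is kept.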