OpenVPN WAN License: Client to Client connectivity through AWS OpenVPN Server?

Hi-

I have a Surf Soho and have purchased an OpenVPN WAN License.

I’m trying to set up remote access to security cameras behind a Verizon 4G data modem going through the Pepwave.

I’ve got an OpenVPN Server running on AWS (Amazon Web Services) and have both my Pepwave Router and computer connected to the OpenVPN server as clients.

I believe I have all the OpenVPN Server settings correct for enabling client to client connectivity but I can’t access anything on the 4G Pepwave network.

I’m attaching screenshots of my settings both on the OpenVPN Server and on the Surf Soho. (I’ve never posted before so I hope they come through.)

Has anybody out there done this successfully and/or does anybody have an idea as what I’m doing wrong?

Thanks,

-Reid

AWS OpenVPN Settings:

OpenVPN Client Settings for Pepwave:

Pepwave OpenVPN Client Settings:

Hi! Welcome to the forum.

First question is why use OpenVPN? Was it a pre-existing system?
If its just access to devices behind the SOHO that you need it would be far easier to use a hosted Fusionhub and PepVPN to the SOHO with L2TP/IPSEC client vpn to the Fusionhub.

That said. Looking at your config:

  1. Your SOHO has a green light on the OpenVPN saying its connected. Its OpenVPN IP is xxx.27.224.2. You have port forwarded TCP 86 from that to a LAN IP of 192.168.0.253. Can you ping your remote computer ip (xxx.27.224.3) from the LAN of SOHO over OpenVPN? What about the other way? Can the remote PC ping (xxx.27.224.2)?

  2. In OpenVPN server ‘VPN Settings’ under VPN IP Network you have Dynamic IP assignment set to offer an IP in a xxx.28.224.0/20 subnet to connecting devices. This is a massive Subnet. Was that intentional? I would typically expect to see is a /24.

  3. The private Subnets here are meant to be on the LAN of the OpenVPN server so you wouldn’t have the IPs of the remote devices here. xxx.27.224.2

Same comment here:

This is the thing to check. That both OpenVPN clients can ping each other.

Also. I assume this (xxx.27.224.2) is a private IP range right? So it starts with a 10.? Am confused why you are obscuring it here as your private internal VPN ranges won’t be accessible to anyone without first building a VPN to your OpenVPN server of course.

Martin-

Thanks for the quick reply. I’m an end user not a network guy so I’m just feeling my way through this thing.

What I’m trying to do is access security cameras at a remote site where the only internet available is cellular. I’ve had a Verizon 3G modem with a public IP address for years that used to work perfectly but Verizon has been shutting down its 3G towers and now the internet connection is spotty at best.

4G Verizon only gives you a private IP address unless you pay $500 for a static address so I’m trying to set up a tunnel from the remote location to a cloud openVPN server so that I can then connect to the remote location through the OpenVPN server from either my phone or computer from anywhere using the OpenVPN client application. I don’t want to buy and carry around extra gear to set up a tunnel directly between the remote location and myself.

From what I read I think what I’m trying to do should be possible but I can’t get it to work. Do you know if I’m trying to do something that is not actually possible?

Anyway, as far as your queries go these are what I’ve got:

  1. I can ping from the 4G Pepwave (remote site) to my computer …224.2 to …224.3 but not the other way around.

  2. I left the Dynamic IP assignment settings at the default values in the OpenVPN configuration. As far as I understand it it shouldn’t even matter since I set up static IP addresses for the 2 OpenVPN clients.

  3. Like I said I’m not a network guy but here I thought I was configuring it so those 2 subnets (Pepwave and Computer) could communicate with each other. I will try deleting the subnets from those settings.

Let me know if you think what I’m trying to do is possible and if you have any suggestions on how I should tweak the settings either on the OpenVPN server or on the Pepwave.

Thanks,

-Reid

I guess I didn’t need to obscure the beginning of the IP addresses. They start with 172

Update:

I think the problem is in my Pepwave settings. I switched the Verizon 4G data modem to my computer and the Surf Soho to my Comcast internet and left all settings the same. Now I can ping the computer sitting behind the modem (so I’m getting through Verizon’s NAT) but still can’t ping the Pepwave which is on a public IP address.

Any ideas?

-Reid

This is really hard to fault find in the forum like this. Maybe @TK_Liew can help us.

The only way I can help more efficiently would be to get full remote access to your AWS OpenVPN server, and your SOHO. Happy to take a look if you like (send me a private message with details if you do).

I still recommend Fusionhub over OpenVPN. Its much easier to setup.

I checked out your FusionHub video and am going to try doing that. I’ll let you know how it works out.

Thanks for your help!

1 Like

Hey Martin-

I followed your excellent video and set up a FusionHub on Vultr and have it connected to my Surf Soho. The manual setup didn’t work for me but the automatic setup was super easy.

The Surf Soho WAN is through a cellular modem and everything works as demonstrated in your video. I can do a “What is my IP address” from the Surf Soho network and it comes back as the FusionHub public IP address.

However I still can’t figure out how to reach a Surf Soho LAN IP address (an IP Cam) from a remote location.

I’ve tried Port Forwarding on both the FusionHub & Surf Soho and then using the FusionHub IP:port number but neither gets me through.

What am I doing wrong?

Thanks,

-Reid

Nevermind, I figured it out.

I think this is going to work great for accessing security cameras and other devices behind a cellular modem.

Thanks

1 Like

Glad you got it working!

YOu now have two options - you can either port forward from the WAN IP of the Fusionhub to the LAN IP of the camera on the LAN of the SOHO.

OR

You can set up remote client VPN so you connect with a VPN client to the Fusionhub and then you can route to all your IPs on the LAN of the SOHO.

My preference is the 2nd (client VPN) so that you don’t have ports exposed on the public internet, but if you keep the camera firmware upto date and use complex passwords you will likely be fine doing the first approach (port forwarding).

Hi Martin, I watched your video and it’s great. I’m wondering what you mean by “route to all your IPs on the LAN of the SOHO.”

Thanks

How did you figure it out? I’m at the same point you were able to vpn to the Fusion Hub but not get to the LAN

If you use a software VPN on your laptop and dial in to the Fusionhub that can act as a VPN server (OpenVPN or L2TP/IPSEC). When you are connected to the fusionhub you can access any IP of the LAN of the remote router over the PepVPN tunnel.

Thanks Martin I did just that and it worked without problem. I have one device on my network that I cannot open the web gui too but I imagine that is a different issue. I’ve tried turning off encryption but no change. I’m wondering if the device may be asleep. The device is in Haiti and I am in NH so I can’t easily check it.