Can't Port Forward from Internet via Bi-directional OpenVPN Tunnel to Client

[bnhf]

The short version of the story is that I have an OpenVPN client/server setup where the client is on cellular Internet (private IP) and the server has a public IP.

I want to port forward from the OpenVPN server router using it's public IP to the client. The setup seems solid in that I can ping destinations on either side of the tunnel from the other side of the tunnel. I can also access my destination webpage on the client side from the server side LAN.

The problem comes when I try to utilize a port forward from the Internet. I've tried to forward my desired port to a variety of destination IP addresses including the IP of the computer on the client side running the webserver, the router on the client side running the OpenVPN client (with port forwarding to the webserver in place) and even to the IP of the OpenVPN gateway.

All of them are timing out. I know the DDNS I'm using is working because I have another webserver running with port forwarding and its getting to the computer running it on the server side. Looks like I'm missing a required route or iroute to get from the from the Public IP side of the server router, back through the VPN tunnel to the client side router running the OpenVPN client.

The server side router is an Asus RT-AC68U running AsusWRT-Merlin and the client side is a Raspberry Pi 3B running the ROOter build of OpenWRT.

 

[Pila]

the client is on cellular Internet (private IP) and the server has a public IP.

Device which has private WAN IP address will not be able to receive incoming VPN and ssh connections (initiated from outside). Its outgoing connections will work perfectly fine. Only something with the "middleman" like TeamViewer will work.

You would neeed a port forward on the provider computer to make it work. Or you can ask the provider to not assign private IP addresses to that mobile phone (device).

 

[bnhf]

Device which has private WAN IP address will not be able to receive incoming VPN and ssh connections (initiated from outside). Its outgoing connections will work perfectly fine. Only something with the "middleman" like TeamViewer will work.

You would need a port forward on the provider computer to make it work. Or you can ask the provider to not assign private IP addresses to that mobile phone (device).

Actually, since I wrote this post last month, I have figured out how to do this. As you said outgoing connections work fine, and that's the basis of my original post and my solution. Probably the best way to describe this is as a "Reverse VPN", where a router-based OpenVPN client on a cellular network (Private NAT'd IP), makes a connection to a router-based OpenVPN server with a public IP. To get to that OpenVPN client network, I'm making a second OpenVPN client connection to the OpenVPN server configured to allow the two clients to communicate.

Here's the write-up (which doesn't yet include a tutorial about OpenVPN certificate generation for a second unique client, but I'll post that at some point) using a ROOter-based router client and a Merlin-based router server. ROOter, if you're not familar is a fork of OpenWRT targeted at cellular Internet users:

http://whrl.pl/Rfc6ex