Need help testing a peculiar configuration

Patrick9876

Regular Contributor
This thread is based on, and references, a couple other threads.
In the thread here I ask how to set up sort of a WiFi extender containing an OpenVPN client so that the Ethernet-attached device can see only the VPN, not the internet. And have this usable (with minor setup) with whatever WiFi network is available. The suggested (possible) solution was to try implementing it on a little GL.iNet portable router. Well, I'm trying, but have found I cannot even begin testing it. The problem is that the OpenVPN server is on my router - ASUS AX86U running Merlin - and so is my wireless access point.

In a thread asking about a similar testing problem here I was told (in post #3) why the configuration
a device connected to a guest network on my router and directing the OpenVPN connection to my DDNS url
can't work ... and that's the only config readily available to me (that I can think of) that would emulate the target environment.

I freely admit that I know nothing about DNAT so maybe the comment
I suspect the reason you can't establish the connection w/ #3 is because there is no DNAT rule in the nat table of the firewall to allow routing from the WAN's network interface to the LAN. That would normally be there *if* the OpenVPN server was located elsewhere inside the LAN. You would have had to establish a port forwarding for that purpose, which creates the DNAT rule in the PREROUTING chain of the nat table. Then forwarding is allowed by the "cstate DNAT" rule in the FORWARD chain of the filter table.

I suppose you could add a DNAT rule for these purposes
may actually give the solution. Maybe it would be helpful if someone explained (or pointed me to dox explaining) how to set that up in Merlin.

Update:
From a little reading it sounds like the DNAT table is created from port forwarding definitions. If that is true I have no idea what I would do to create the correct entry. The OpenVPN port is already exposed to WAN. Would I use the router's internal (LAN) IP address and the OpenVPN port? That doesn't feel useful to me.

My gut feeling (which is often wrong when it comes to routers) is that the packets requesting access to the OpenVPN port are probably not coming from the WAN; they're coming from the guest network's subnet ... which doesn't have access to my LAN.
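
The explanation quoted in the post above names two rules: a DNAT rule in the nat table and the FORWARD accept for DNAT-ed connections. The following is an added example, not part of the original post, that checks `iptables-save` output for both; the sample rulesets, port 1194/udp and 192.168.1.50 are constructed assumptions.

```shell
#!/bin/sh
# Constructed iptables-save samples; 1194/udp and 192.168.1.50 are assumptions.
# Case A: port forward to an OpenVPN server elsewhere on the LAN.
sample_port_forward() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.50:1194
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Case B: OpenVPN server on the router itself: port opened in INPUT, no DNAT rule.
sample_server_on_router() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# check_dnat_path PORT PROTO   (reads iptables-save text on stdin)
# Exit status: 0 both rules present, 1 no DNAT rule, 2 no FORWARD accept, 3 neither.
check_dnat_path() {
    awk -v port="$1" -v proto="$2" '
        /^\*/ { table = substr($0, 2); next }   # "*nat" / "*filter" open a table
        # Any nat chain counts: firmware may use a chain PREROUTING jumps to (assumption).
        table == "nat" && /-j DNAT/ && $0 ~ ("-p " proto " ") &&
            $0 ~ ("--dport " port " ") { dnat = 1 }
        table == "filter" && /^-A FORWARD / && /--ctstate [A-Z,]*DNAT/ &&
            /-j ACCEPT/ { fwd = 1 }
        END {
            print "DNAT rule for " proto "/" port ": " (dnat ? "present" : "missing")
            print "FORWARD accept for ctstate DNAT: " (fwd ? "present" : "missing")
            exit (dnat ? 0 : 1) + (fwd ? 0 : 2)
        }'
}
sample_port_forward | check_dnat_path 1194 udp
sample_server_on_router | check_dnat_path 1194 udp || true
```

On a live router, pipe the output of `iptables-save` into `check_dnat_path` in place of the sample functions.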
 
Going back to the original use-case....

Sometimes this is not a technical issue - it's a management issue with that particular user...

I have a simple VPN setup: OpenVPN server on a NAS; open port on a router; DDNS. Works fine for accessing a share on the NAS remotely from computers running the OpenVPN client. But one of the users needing access has a difficult configuration:
  1. The user has a laptop running an unsupported version of Windows that cannot (safely) be connected to the internet.
  2. The user needs to connect from multiple locations using whatever wireless network is available.
  3. The user is not a technical wizard. I will have to provide a black-box solution - hardware and/or software.

Tell them to update their computer or access is going to be killed off due to security reasons...
 
Tell them to update their computer or access is going to be killed off due to security reasons...
Not an option. This is a non-profit org that was given two old laptops - one running Win7 (that absolutely will not be connected to the internet) and one running Win10 (that soon should not be connected to the internet). I'm trying to provide them service that they don't actually need but would be handy - handy for me so I can remotely update some files rather than physically accessing the laptops every few weeks.

They couldn't care less that I have to occasionally borrow their laptops, and they certainly aren't going to buy newer equipment just to make my life easier.
 
