Short version:
What settings do I need on OpenVPN Access Server, and for clients, in order to configure a "reverse VPN" set-up? That is, client on LAN connects to OpenVPN Access Server on WAN, and also provides gateway to LAN. I assume this is a fairly mainstream thing to do, but I'm not finding docs or examples on how to do it. Related forum questions seem to have no answers.
In particular, I'm not sure what to do with the various AS and client settings relating to subnets and routing.
(For what it's worth, I do have OpenVPN Access Server installed on Digital Ocean with basic configuration, and can connect to it from an OpenVPN client.)
Longer version:
I understand I can set up OpenVPN (and Access Server) like this diagram:
The salient points:
1. The Premises are connected to ISP via LTE modem. However for LTE the ISP provides only a private IP address, so incoming connections are not possible.
2. So we would use a machine (svr1) on The Premises LAN to initiate and maintain a continuous VPN connection to the external OpenVPN Access Server.
3. Also, svr1 would provide a gateway from VPN to the LAN.
4. We are NOT interested in routing all traffic in general from The Premises LAN via the VPN, nor for LAN clients (other than svr1) to be able to initiate a connection to the VPN or its clients.
With 2 and 3 in place, external users would be able to connect to the Open VPN Access Server, and see The Premises LAN.
Not clear to me:
----------------
In general, I'm not sure what I need to set for what I want to achieve, mostly because I don't understand the relationship between the "private networks" mentioned in the settings, and the LAN that I want to arrange access to.
Referring to the OpenVPN Access Server web UI:
VPN Settings:
--------------
VPN IP Network:
This asks us to configure "virtual networks" for Dynamic IP, Static IP and Group Default IP.
Routing: Should VPN clients have access to private subnets?
Choices: No, Yes using NAT, Yes using Routing
... and if you select the latter, "Specify the private subnets to which all clients should be given access".
DNS settings -- we'll cross that bridge later.
User Permissions
----------------
I assume I configure a user for the LAN machine svr1 that performs OpenVPN <--> gateway to LAN. For that machine:
Select IP addressing: Presumably Static?
Access Control: Use NAT or Use Routing?
Allow Access To these Networks: ?????
Allow Access From:
[ ] all server-side private subnets (what does that mean?)
[ ] all other VPN clients (pretty sure this is yes)
VPN Gateway
I am hoping that selecting 'Yes' here is what enables the gateway from VPN to The Premises LAN?
So along with all these settings that I don't know how to set, I also don't see where it's determine how The Premises LAN IP addresses will appear to external clients. Will they show up as the same 192.168.xxx.xxx addresses as they are on the LAN, or do they get mapped somehow?
Any insight, or pointers to pages where this is spelled out, would be greatly appreciated!