Put router as client for openvpn server

Moderators: TinCanTech

ppjo30
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 11, 2017 10:29 am

Put router as client for openvpn server

Post by ppjo30 » Tue Sep 12, 2017 12:00 pm

Hello,

If I am not in the correct forum, excuse me!
Also for my poor English!

I want to access my cameras, which are on a local LAN at home, by VPN.
I installed an OpenVPN server outside my LAN.
I can use it for 4 clients (each has a different certificate) and there is no problem navigating on the internet.
The cameras are behind a 4G modem-router (192.168.1.3).
I can access the cameras by domain name (http://mydom:8027 for example).
I wish to access the cameras through the VPN from outside (like http://10.10.0.27).

I installed the OpenVPN client on the router, so the router can connect to the VPN server.
On this router, I wrote a script:

Code:

#!/bin/sh
STARTUP=iptables -t nat -D PREROUTING -d '10.10.0.0/24' -i tun0 -j NETMAP --to '192.168.1.0/24'
STARTUP=iptables -t nat -I PREROUTING -d '10.10.0.0/24' -i tun0 -j NETMAP --to '192.168.1.0/24'
STARTUP=iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o tun0 -j NETMAP --to '10.10.0.0/24'
STARTUP=iptables -t nat -I POSTROUTING -s '192.168.1.0/24' -o tun0 -j NETMAP --to '10.10.0.0/24'
STARTUP=iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
STARTUP=iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

On the VPN server the configuration is:

dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/srvcert.crt
key /etc/openvpn/easy-rsa/keys/srvcert.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.10.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# In ipp.txt: Serveur VPN,10.10.0.4

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# In file /cdd/routeur I put
# iroute 192.168.1.3 255.255.255.0
client-config-dir ccd
route 192.168.1.3 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 213.186.33.99"
push "dhcp-option DNS 208.67.222.222"
client-to-client
push "route 192.168.1.3 255.255.255.0"
keepalive 10 120
cipher BF-CBC
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 4

In file /etc/iptables/rules.V4

Code:

*nat
:PREROUTING ACCEPT [15:508]
:INPUT ACCEPT [15:508]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [3135:246937]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2590:321468]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
COMMIT

But it is not OK.
When I try, via a client connected to the VPN, to access a camera at http://10.10.0.76 (for example), I cannot.
Can you tell me where I made a mistake?
Thanks for your help
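
Added example, not part of the original post: a small Python sketch of the address arithmetic behind the NETMAP rules above, which also checks two things worth verifying in such a layout: whether the NETMAP alias range overlaps the server's tunnel pool, and whether a `route`/`iroute` address has host bits set. The function names are hypothetical; the addresses are the ones given in the post.

```python
import ipaddress

def netmap(addr, src_net, dst_net):
    """Emulate iptables NETMAP: replace the network bits, keep the host bits."""
    addr = ipaddress.ip_address(addr)
    src, dst = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs source and target of equal prefix length")
    if addr not in src:
        return addr  # rule does not match, address is left untouched
    host_bits = int(addr) & int(src.hostmask)
    return ipaddress.ip_address(int(dst.network_address) | host_bits)

def host_bits_set(addr, mask):
    """True when 'addr mask' (as in route/iroute lines) is not a network address."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    return iface.ip != iface.network.network_address

def audit(tunnel_pool, alias_net, routes):
    """Return a list of findings for a NETMAP-behind-a-VPN-client layout."""
    findings = []
    pool, alias = ipaddress.ip_network(tunnel_pool), ipaddress.ip_network(alias_net)
    if pool.overlaps(alias):
        findings.append(f"alias range {alias} overlaps tunnel pool {pool}")
    for addr, mask in routes:
        if host_bits_set(addr, mask):
            net = ipaddress.ip_interface(f"{addr}/{mask}").network
            findings.append(f"'{addr} {mask}' has host bits set (network is {net})")
    return findings

if __name__ == "__main__":
    # Values taken from the post above.
    print(netmap("10.10.0.76", "10.10.0.0/24", "192.168.1.0/24"))
    print(netmap("192.168.1.20", "192.168.1.0/24", "10.10.0.0/24"))
    for finding in audit("10.10.0.0/24", "10.10.0.0/24",
                         [("192.168.1.3", "255.255.255.0")]):
        print("check:", finding)
```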

ppjo30
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 11, 2017 10:29 am

Re: Put router as client for openvpn server

Post by ppjo30 » Fri Sep 22, 2017 11:34 am

Nobody to help me?
Thanks for your help

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Put router as client for openvpn server

Post by TinCanTech » Fri Sep 22, 2017 12:08 pm

Your camera is not at 10.10.0.76; it is on the LAN 192.168.1.x

ppjo30
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 11, 2017 10:29 am

Re: Put router as client for openvpn server

Post by ppjo30 » Thu Oct 05, 2017 12:04 pm

Yes, I know that.

But I know that it is possible, via a VPN server, to have a client who can connect to a camera connected to a router which is also connected to the VPN server.
Example:
- router on LAN 192.168.1.3 connected to the VPN server and has 10.0.3.0 from the VPN server,
- camera on LAN 192.168.1.20 connected to the router 192.168.1.3
- client connects to the VPN server and has 10.0.5.0 from the VPN server
- and when the client is connected, he has access to the camera with http://10.0.5.20
How can I do this?
Thanks for your answer
