Help port forwarding with Raspberry Pi OpenVPN PiVPN

Hi all,

I’m very new to networking and I’m playing around as a hobby.

I recently got a raspberry pi and I loaded PiVPN (an install of OpenVPN) onto it. I’m trying to connect to the VPN from my home laptop through my Mikrotik router. In other words, both the raspberry pi running OpenVPN and the laptop are connected to the router and the router is connected to the internet. Unfortunately, I’m not able to connect to the VPN on the raspberry pi, I keep getting timed out. I have no trouble accessing the internet through the router, and I’ve been able to successfully install PiHole (a DNS ad blocking software) on my raspberry pi.

Here is my firewall filter export:

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward dst-address=192.168.88.250 dst-port=11913 in-interface=ether1 protocol=udp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1

This is the default firewall filter that came with router.

I’ve tried to do this with the NAT:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=<public-IP> dst-port=1194 protocol=udp to-addresses=<internal-RaspberryPi-IP> to-ports=1194

This doesn’t work. Where am I going wrong?

Thanks for your time and help!

That dstnat rule is fine for connecting from outside. If you want it to work also when client and server are in same LAN, you need hairpin NAT. But it probably doesn’t make much sense for VPN. If the final goal is to have VPN server to allow you to access LAN from elsewhere, then you probably won’t be able to test much, when you’re already in same LAN. You’ll be able to see that VPN server is alive and test authentication, but routing is likely going to be screwed up.
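Hairpin NAT as described in the reply above, written out as an added RouterOS example (it is not a configuration posted in this thread). It keeps the original dst-nat rule and adds the srcnat rule that makes LAN-side clients work. It assumes the default RouterOS layout: WAN on ether1, LAN 192.168.88.0/24 on the interface named "bridge", and the Pi at 192.168.88.250 (the address from the filter rule in the first post); <public-IP> is a placeholder for the router's WAN address.

```routeros
# Added example, not from the thread. Assumes: WAN = ether1, LAN = bridge,
# LAN subnet 192.168.88.0/24, PiVPN server at 192.168.88.250, UDP/1194.
/ip firewall nat
# 1. Port forward from the internet (same rule as in the original post).
#    Deliberately no in-interface=ether1 match: the hairpin case below needs
#    this rule to also match traffic arriving from the LAN side.
add chain=dstnat dst-address=<public-IP> protocol=udp dst-port=1194 action=dst-nat to-addresses=192.168.88.250 to-ports=1194 comment="OpenVPN: forward UDP/1194 to the Pi"
# 2. Hairpin (NAT loopback). When a LAN host sends to <public-IP>:1194, rule 1
#    rewrites the destination to the Pi, but the Pi would then answer the LAN
#    client directly from 192.168.88.250, and the client ignores a reply from a
#    peer it never contacted. Masquerading LAN->Pi traffic for this port forces
#    the reply back through the router, which un-NATs it so the client sees it
#    coming from <public-IP>.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.250 protocol=udp dst-port=1194 out-interface=bridge action=masquerade comment="OpenVPN: hairpin NAT for clients on the LAN"
```

Two things to check after adding it: the srcnat rule matches dst-address=192.168.88.250 because srcnat is evaluated after dstnat has already rewritten the destination, so the order of the two rules relative to each other does not matter, but the hairpin rule must come before any broader masquerade rule that would match first. If the WAN address is dynamic, RouterOS lets the dstnat rule match dst-address-type=local instead of a literal dst-address; that also catches connections to the router's LAN address on port 1194, which is harmless here. Exposure to the internet is unchanged by the hairpin rule: the default "drop all from WAN not DSTNATed" forward rule still means the only thing reachable from ether1 is UDP/1194 on the Pi.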

I see! The penny just dropped–thank you. It does work outside of the LAN on my phone, but I couldn’t get it to work while connected to the LAN.

My old TP-Link router let me connect to the VPN while on the LAN. Is there any reason why I shouldn’t set up a hairpin NAT to try? Is it completely pointless to connect to a VPN while connected to the LAN?

Thanks again for your help!

Try as much as you want and have fun. It’s just that if VPN is supposed to give you access to LAN, you probably won’t get much useful results when you’re already in same LAN.

I got it to work flawlessly! Thank you!