rckingsley
Apr 10, 2026 - Aspirant
RBR50 VPN Setup with OpenVPN Client on Mac
I am trying to set up a VPN server on my RBR50.
After I enable the VPN server on the router (using the default settings), I clicked on the 'For Mac OSX' download button, which did create a folder (titled 'nonwindows') in my Mac downloads folder, and inside that folder were 5 files.
The documentation for the RBR50 (from 2018) indicated using the Tunnelblick app instead of the Tunnelblick app, but I was unable to get that to work. In addition, it appears as though the Tunnelblick app will not work effectively without adding extra extensions and such - and that had issues as well. Could not get Tunnelblick to connect to the Internet (much less my home network).
Therefore, I also downloaded the OpenVPN client and launched it, and the app asked for a configuration file that had a file extension of .ovpn - which was not created when I downloaded the client stuff above.
What "is" interesting is that I also downloaded client configuration information for both Windows and smartphone - and the smartphone download ended up being an .ovpn file! On a whim, I decided to upload that .ovpn file to the OpenVPN client on my Mac - and it worked. I was able to connect to the Internet (using my mobile phone as a hotspot so that I wasn't connecting my Mac to my home).
However, it appears as though the Mac OpenVPN did "not" connect to my RBR50, and thus cannot "see" any of the devices on my home network. Maybe there are some port forwarding rules that I need to have in place "somewhere" so that they get put into the .ovpn file? FYI, I do have port forwarding rules in place for several servers in my home network.
Anyway, does anyone have any ideas on what I might be able to do?
Thanks in advance.
13 Replies
- CrimpOn (Guru - Experienced User)
No port forwarding rules are required to make an OpenVPN connection between a device on the internet and the Orbi RBR50 router.
One key is that the .ovpn file must contain a URL that resolves to the public IP address of the router.
One part of configuring OpenVPN is to create an entry in one of three Dynamic DNS services that will track the public IP address of the router whenever the ISP changes it.
client
dev tun
proto udp
remote xxxxxx.mynetgear.com 12973
resolv-retry infinite
nobind
persist-key
persist-tun
verb 5
<ca>
i.e. xxxxx.mynetgear.com should resolve to the router public IP address. I set verbosity ('verb') to 5 so that the OpenVPN log file will contain more information.
Of course, this all assumes that the router actually HAS a public IP address. (it is not 'hidden' behind an ISP router.)
You are testing OpenVPN the same way I do.
- Disconnect phone from home network.
- Enable WiFi Hot Spot on phone.
- Connect test device to the Hot Spot.
- Activate OpenVPN on the test device.
- StephenB (Guru - Experienced User)
CrimpOn wrote:
No port forwarding rules are required to make an OpenVPN connection between a device on the internet and the Orbi RBR50 router.
Assuming of course that you do not double-route
- CrimpOn (Guru - Experienced User)
This is correct and we await a response to the inquiry:
CrimpOn wrote:
this all assumes that the router actually HAS a public IP address. (it is not 'hidden' behind an ISP router.)
If the RBR50 is connected to an ISP 'router' and thus does not have a public IP address, then port forwarding will be required on the ISP router to reach the OpenVPN ports on the RBR50. No port forwarding is required on the RBR50. Since the Original Poster remarked
rckingsley wrote:
FYI, I do have port forwarding rules in place for several servers in my home network.
it may be safe to assume that the RBR50 does in fact have a public IP address.
- rckingsley (Aspirant)
The router indeed does have an external IP address (assigned via DHCP from my ISP). I am using DDNS to tell the external service what my external IP address is, and I have used that ‘domain’ name associated with the external IP address to get to my router from anywhere. Currently I get to some of my home LAN devices via that domain.device name, but would rather use a VPN for security reasons. That external custom domain address is part of the .ovpn configuration (based on the login identification that shows on the OpenVPN Mac client). However, I have not yet looked at the contents of the .ovpn file to get specifics.
No double-routing, and (depending on how this VPN solution develops) I will likely remove some of those port forwarding rules in the future.
- StephenB (Guru - Experienced User)
rckingsley wrote:
On a whim, I decided to upload that .ovpn file to the OpenVPN client on my Mac - and it worked.
So just continue to use that.
There are two different protocols - TAP and TUN. The server accepts both. Some clients only work with one, and this has shifted a bit over time.
- CrimpOn (Guru - Experienced User)
Yes, I found the original post a bit confusing....
rckingsley wrote:
it appears as though the Mac OpenVPN did "not" connect to my RBR50, and thus cannot "see" any of the devices on my home network
So, it "worked", but then again....... ?
- CrimpOn (Guru - Experienced User)
Thanks for following up. The OpenVPN log file may provide critical information about what is not working correctly.
In general, Port Forwarding and OpenVPN serve two different purposes.
- Port Forwarding is generic. Any device can connect and it is up to the target server to handle security issues. i.e. user name/password or source IP address. If the goal is to provide files to multiple users in multiple locations, Port Forwarding seems to be appropriate.
- VPN connection provides access to everything on the LAN, just as if the internet device was physically connected to the system. Probably not the sort of access that would be given to random people.
Please take a look at the detailed OpenVPN log file and remark on "where it seems to fail".
- rckingsley (Aspirant)
To verify, my router indeed has an external IP address, and I verified that my DDNS hostname does indeed resolve to the external IP of my RBR50. I also verified that when I use an app <on my smartphone> that specifies <my DDNS host name> when I am away from home (and just using my cell phone cellular signal), it accesses a server on my home network without any issues. Obviously I am not using a VPN on my cellphone to get to my house - hence this effort to fix that.
I looked at the .ovpn file, and it shows the correct DDNS hostname, port 12973 (see below). The only difference between my .ovpn file and the recommendation from CrimpOn (above - thanks for that) is that I don't have the "verb 5" entry as part of the entries at the top - which is expected. I will add that and try it again.
- FYI, I did test this by (as was also suggested above) using my cellphone as a hotspot (and making sure my cellphone was not connected to anything via WiFi), then connecting my Mac to the cellphone hotspot.
client
dev tun
proto udp
remote <my DDNS host name> 12973
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
... plus a whole ton of additional stuff related to certificates and a Private key, and finally
cipher AES-128-CBC
comp-lzo
verb 5
Earlier when I said it 'worked' (my apologies), I should have said that the Mac OpenVPN client actually launched (after importing the .ovpn file meant for a smartphone), and I was able to view things on the Internet. However, the OpenVPN client failed to connect.
Not being an expert on this stuff, I am not sure what entries in the log file are pertinent, but here are some that 'might' be important: (Note: I can export that file and [after modifying some things to protect the guilty] attach it to another reply to this conversation thread if someone feels it is helpful)
- NOTE: This configuration contains options that were not used
- Unsupported option (ignored)
- Connecting to [my hostname]:12973 (<my external IP address>) via UDP
- Server poll timeout, trying next remote entry...
- ... entries on reconnecting, including transmitting bypass route to /var/run/agent_ovpnconnect.sock
- Contacting <my external IP address> via UDP
- ... several repetitions similar to above
- ...eventually there is a message showing connection timeout after 5 attempts to reconnect.
It appears to me that (for whatever reason) the OpenVPN client either just cannot get to my RBR50, or the RBR50 won't allow the OpenVPN client on my Mac to connect.
To all that have replied, I truly appreciate the suggestions and ideas. If anyone else has something to post, I will definitely pursue it. Thanks!
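The check CrimpOn describes earlier in the thread (the `remote` host in the .ovpn must resolve to the router's public IP), as an added Python example that is not part of any post. The sample profile is constructed from the one quoted above with placeholder values; `check_profile`, `expected_ip` and the `legacy_options` list are assumptions of this example.

```python
import socket

# Constructed sample modelled on the profile quoted in the thread;
# the host name and certificate body are placeholders.
SAMPLE_OVPN = """client
dev tun
remote xxxxxx.mynetgear.com 12973
<ca>
(placeholder certificate)
</ca>
cipher AES-128-CBC
comp-lzo
"""

def parse_ovpn(text):
    """Split a profile into directives and inline <tag>...</tag> blocks."""
    directives, inline, tag = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if tag:                                  # inside <ca>, <cert>, <key>, ...
            if line == f"</{tag}>":
                tag = None
            else:
                inline[tag].append(line)
        elif line.startswith("<") and line.endswith(">"):
            tag = line[1:-1]
            inline[tag] = []
        elif line and line[0] not in "#;":       # skip blanks and comments
            name, *args = line.split()
            directives[name] = args
    return directives, inline

def check_profile(text, expected_ip, resolve=socket.gethostbyname):
    """Report the settings discussed in the thread and test the DDNS record."""
    opts, inline = parse_ovpn(text)
    host, *rest = opts["remote"]
    port = int(rest[0]) if rest else 1194        # OpenVPN's default port
    try:
        resolved = resolve(host)
    except OSError:                              # DNS lookup failed
        resolved = None
    return {
        "dev": opts.get("dev", [None])[0],       # tun or tap
        "remote": (host, port),
        "resolved": resolved,
        "ddns_matches_wan": resolved == expected_ip,
        "has_inline_ca": bool(inline.get("ca")),
        # Deprecated in current OpenVPN; the thread does not say which options were ignored.
        "legacy_options": sorted(k for k in ("cipher", "comp-lzo") if k in opts),
    }
```

Pass the WAN address shown on the router's status page as `expected_ip`. A match only shows that the DDNS record is current; it does not show that UDP port 12973 is reachable from outside.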
- rckingsley (Aspirant)
Another bit of info: I used that same .ovpn file on the OpenVPN app on my iPhone, and it appears to have connected fine.
What is weird is "how do I test it to see if iPhone apps can get to devices on my home network"?
The apps on my iPhone already get to my home devices - going directly to my RBR50 without a VPN. Should I disable the appropriate external ports on the RBR50 so that those apps cannot get there directly (or even do a more "global" closure of ports on the RBR50)? Once that is determined (and assuming I have OpenVPN connected to my RBR50) do I direct the iPhone apps to go to the home network IP address of the appropriate device?
I know that this sounds like a goofy request, because (years ago) I would use a corporate VPN to get into company servers - but I never paid attention to the configuration of those laptop apps to know how they got to the appropriate server.
- StephenB (Guru - Experienced User)
rckingsley wrote:
What is weird is "how do I test it to see if iPhone apps can get to devices on my home network"?
If you have an FTP server running on your home network, you could install the free FTPManager app, and see if that can reach the server. You'd need to temporarily remove any forwarded ports for that server in the router before doing this test. And of course disable wifi on the phone.
You could also install a free Ping utility, and see if you can ping devices on your home network when the VPN is enabled (with WiFi turned off).
rckingsley wrote:
Once that is determined (and assuming I have OpenVPN connected to my RBR50) do I direct the iPhone apps to go to the home network IP address of the appropriate device?
This might depend on the app. In most cases, you change the setup to connect to the local IP address (or hostname) instead of the DDNS name.
- CrimpOn (Guru - Experienced User)
iPhones are a mystery to me. For Android there are numerous networking tools, such as
- Fing
- Net Analyzer
- HE Network Tools
They provide tools to do things such as 'ping' specific IP addresses, scan an IP subnet for devices, etc.
- CrimpOn (Guru - Experienced User)
The router Attached Devices page will display a device connected through the VPN with "vpn" in the connection type column.