Is there a way to disable the VyOS firewall?

I can’t tell if I have a routing problem, or a firewall problem.

Hello, Kilroy!
Could you explain your question in more detail, please?
Regards, Mikhail.

Trust me, you don’t want the detail.

I’m trying to port forward from the Internet to a server on the DMZ, but I’m guessing the default route set by the OpenVPN client tunnel is interfering. I’ve tried DNS translation, masquerade, firewall rules, everything I can think of, but nothing works.

The server on the DMZ sees the requests, and replies, but the replies are not going back out the Internet interface they came in on.

If I bring down the OpenVPN tunnel, it all works. Pretty sure it’s a routing problem caused by the default gateway set by OpenVPN on the router. I need both the VPN and remote access to the DMZ.

set firewall all-ping 'disable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name NORD-IN default-action 'accept'
set firewall name NORD-LOCAL default-action 'accept'
set firewall name NORD-OUT default-action 'accept'
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-IN rule 20 action 'accept'
set firewall name OUTSIDE-IN rule 20 description 'Allow access to Emby Server from the Internet'
set firewall name OUTSIDE-IN rule 20 destination port '80,443,8920'
set firewall name OUTSIDE-IN rule 20 protocol 'tcp'
set firewall name OUTSIDE-IN rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL enable-default-log
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 description 'Allow access to Emby Server from the Internet'
set firewall name OUTSIDE-LOCAL rule 20 destination port '8920'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-OUT default-action 'accept'
set firewall name WLAN-IN default-action 'accept'
set firewall name WLAN-LOCAL default-action 'accept'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
set interfaces ethernet eth0 firewall out name 'OUTSIDE-OUT'
set interfaces ethernet eth0 hw-id 'XX:XX:XX:XX:XX:db'
set interfaces ethernet eth1 address 'xxx.xxx.0.1/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 hw-id 'XX:XX:XX:XX:XX:dc'
set interfaces ethernet eth2 address 'xxx.xxx.100.1/24'
set interfaces ethernet eth2 description 'DMZ'
set interfaces ethernet eth2 hw-id 'XX:XX:XX:XX:XX:dd'
set interfaces ethernet eth3 address 'xxx.xxx.200.1/24'
set interfaces ethernet eth3 description 'LAB'
set interfaces ethernet eth3 hw-id 'XX:XX:XX:XX:XX:de'
set interfaces loopback lo
set interfaces openvpn vtun0 authentication password xxxxxx
set interfaces openvpn vtun0 authentication username xxxxxx
set interfaces openvpn vtun0 description 'NORDVPN'
set interfaces openvpn vtun0 device-type 'tun'
set interfaces openvpn vtun0 disable
set interfaces openvpn vtun0 encryption cipher 'aes256gcm'
set interfaces openvpn vtun0 firewall in name 'NORD-IN'
set interfaces openvpn vtun0 firewall local name 'NORD-LOCAL'
set interfaces openvpn vtun0 firewall out name 'NORD-OUT'
set interfaces openvpn vtun0 hash 'sha512'
set interfaces openvpn vtun0 ipv6 disable-forwarding
set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 openvpn-option '--config /config/auth/nord/included_config.conf'
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 protocol 'udp'
set interfaces openvpn vtun0 remote-host 'xxx.xxx.200.195'
set interfaces openvpn vtun0 remote-port '1194'
set interfaces openvpn vtun0 tls ca-cert-file xxxxxx
set interfaces wireless wlan0 address 'xxx.xxx.250.1/24'
set interfaces wireless wlan0 capabilities ht channel-set-width 'ht40+'
set interfaces wireless wlan0 channel '1'
set interfaces wireless wlan0 country-code xxxxxx
set interfaces wireless wlan0 description 'WLAN'
set interfaces wireless wlan0 disable
set interfaces wireless wlan0 firewall in name 'WLAN-IN'
set interfaces wireless wlan0 firewall local name 'WLAN-LOCAL'
set interfaces wireless wlan0 hw-id 'XX:XX:XX:XX:XX:e5'
set interfaces wireless wlan0 mode 'n'
set interfaces wireless wlan0 physical-device 'phy0'
set interfaces wireless wlan0 security wpa cipher 'CCMP'
set interfaces wireless wlan0 security wpa mode 'wpa2'
set interfaces wireless wlan0 security wpa passphrase 'letmeinplease'
set interfaces wireless wlan0 ssid 'skywalker'
set interfaces wireless wlan0 type 'access-point'
set nat destination rule 100 description 'DNAT: OUTSIDE-IN to emby-server'
set nat destination rule 100 destination address 'xxx.xxx.133.19'
set nat destination rule 100 destination port '80,443,8920'
set nat destination rule 100 inbound-interface 'eth0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address 'xxx.xxx.100.11'
set nat destination rule 110 description 'DNAT Reflection: LAN to emby-server'
set nat destination rule 110 destination port '8920'
set nat destination rule 110 inbound-interface 'eth1'
set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 translation address 'xxx.xxx.100.11'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address 'xxx.xxx.0.0/24'
set nat source rule 100 translation address 'masquerade'
set nat source rule 200 outbound-interface 'eth0'
set nat source rule 200 source address 'xxx.xxx.100.0/24'
set nat source rule 200 translation address 'masquerade'
set nat source rule 210 description 'SNAT Reflection: emby-server to LAN'
set nat source rule 210 destination address 'xxx.xxx.0.0/24'
set nat source rule 210 outbound-interface 'eth1'
set nat source rule 210 protocol 'tcp'
set nat source rule 210 source address 'xxx.xxx.100.0/24'
set nat source rule 210 translation address 'masquerade'
set nat source rule 300 outbound-interface 'eth0'
set nat source rule 300 source address 'xxx.xxx.200.0/24'
set nat source rule 300 translation address 'masquerade'
set nat source rule 400 outbound-interface 'eth0'
set nat source rule 400 source address 'xxx.xxx.250.0/24'
set nat source rule 400 translation address 'masquerade'
set nat source rule 500 outbound-interface 'vtun0'
set nat source rule 500 source address 'xxx.xxx.0.0/16'
set nat source rule 500 translation address 'masquerade'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.100.0/24 default-router 'xxx.xxx.100.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.100.0/24 dns-server 'xxx.xxx.100.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.100.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.100.0/24 lease '86400'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.100.0/24 range 0 start 'xxx.xxx.100.9'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.100.0/24 range 0 stop 'xxx.xxx.100.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.200.0/24 default-router 'xxx.xxx.200.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.200.0/24 dns-server 'xxx.xxx.200.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.200.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.200.0/24 lease '86400'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.200.0/24 range 0 start 'xxx.xxx.200.9'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.200.0/24 range 0 stop 'xxx.xxx.200.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 default-router 'xxx.xxx.0.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 dns-server 'xxx.xxx.0.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 domain-search xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 lease '86400'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 range 0 start 'xxx.xxx.0.9'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 range 0 stop 'xxx.xxx.0.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.250.0/24 default-router 'xxx.xxx.250.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.250.0/24 dns-server 'xxx.xxx.250.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.250.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.250.0/24 lease '86400'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.250.0/24 range 0 start 'xxx.xxx.250.9'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.250.0/24 range 0 stop 'xxx.xxx.250.254'
set service dns forwarding allow-from 'xxx.xxx.0.1/32'
set service dns forwarding allow-from 'xxx.xxx.0.0/24'
set service dns forwarding allow-from 'xxx.xxx.100.0/24'
set service dns forwarding allow-from 'xxx.xxx.200.0/24'
set service dns forwarding allow-from 'xxx.xxx.250.0/24'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address 'xxx.xxx.0.1'
set service dns forwarding listen-address 'xxx.xxx.0.1'
set service dns forwarding listen-address 'xxx.xxx.100.1'
set service dns forwarding listen-address 'xxx.xxx.200.1'
set service dns forwarding listen-address 'xxx.xxx.250.1'
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.0.11'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.100.11'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.0.10'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.200.9'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.32'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.0.13'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.1.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.200.195'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.0.12'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.120.190'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.0.4'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.133.19'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.0.9'
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'

If I make a second router to split the tasks, it will work. I’ll have to buy more hardware though.

First router: Internet, DMZ

Second router: internal LAN behind the OpenVPN tunnel

Was hoping to do it all on one router though. There’s gotta be a way. Thanks for reading.

To disable the firewall, you have to delete the firewall config on the desired interface. For example, for eth0:

del interface ethernet eth0 firewall

Can you share your routing table twice:

  • When OpenVPN is connected.
  • When OpenVPN is not connected.

Hi, thanks for the help, I really appreciate it.

Pretty sure I tried deleting the firewall before, but you can’t delete it while the firewall is in use. Not sure why I didn’t think to disable eth0 first and then delete; I’ll try that.

Here is the routing table with OpenVPN up vs. down.

OPENVPN UP:

vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

S>* 0.0.0.0/0 [210/0] via xxx.xxx.xxx.1, eth0, weight 1, 2d19h52m
K>* 0.0.0.0/1 [0/0] via 10.8.1.1, vtun0, 18:10:47
C>* 10.8.1.0/24 is directly connected, vtun0, 18:10:47
C>* xxx.xxx.xxx.0/19 is directly connected, eth0, 2d19h52m
K>* 128.0.0.0/1 [0/0] via 10.8.1.1, vtun0, 18:10:47
K>* 185.236.200.195/32 [0/0] via xxx.xxx.xxx.1, eth0, 2d19h27m
C>* 192.168.0.0/24 is directly connected, eth1, 2d19h53m
C>* 192.168.100.0/24 is directly connected, eth2, 17:59:42
C>* 192.168.200.0/24 is directly connected, eth3, 03:14:08
vyos@vyos:~$
vyos@vyos:~$
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             xxx.xxx.xxx.19/19                 u/u  OUTSIDE
eth1             192.168.0.1/24                    u/u  LAN
eth2             192.168.100.1/24                  u/u  DMZ
eth3             192.168.200.1/24                  u/u  LAB
lo               127.0.0.1/8                       u/u
                 ::1/128
vtun0            10.8.1.2/24                       u/u  NORDVPN
wlan0            192.168.250.1/24                  A/D  WLAN
vyos@vyos:~$
vyos@vyos:~$
vyos@vyos:~$ show ip route kernel
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

K>* 0.0.0.0/1 [0/0] via 10.8.1.1, vtun0, 18:11:05
K>* 128.0.0.0/1 [0/0] via 10.8.1.1, vtun0, 18:11:05
K>* 185.236.200.195/32 [0/0] via xxx.xxx.xxx.1, eth0, 2d19h27m
vyos@vyos:~$
vyos@vyos:~$
vyos@vyos:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.1.1        128.0.0.0       UG    0      0        0 vtun0
default         xxx.xxx.xxx.xxx 0.0.0.0         UG    20     0        0 eth0
10.8.1.0        0.0.0.0         255.255.255.0   U     0      0        0 vtun0
xxx.xxx.xxx.0   0.0.0.0         255.255.224.0   U     0      0        0 eth0
128.0.0.0       10.8.1.1        128.0.0.0       UG    0      0        0 vtun0
nordvpn-5727    xxx.xxx.xxx.xxx 255.255.255.255 UGH   0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
vyos@vyos:~$

OPENVPN DOWN:

vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

S>* 0.0.0.0/0 [210/0] via xxx.xxx.xxx.1, eth0, weight 1, 2d19h55m
C>* xxx.xxx.xxx.0/19 is directly connected, eth0, 2d19h55m
K>* 185.236.200.195/32 [0/0] via xxx.xxx.xxx.1, eth0, 2d19h29m
C>* 192.168.0.0/24 is directly connected, eth1, 2d19h55m
C>* 192.168.100.0/24 is directly connected, eth2, 18:02:00
C>* 192.168.200.0/24 is directly connected, eth3, 03:16:26
vyos@vyos:~$
vyos@vyos:~$
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             xxx.xxx.xxx.19/19                 u/u  OUTSIDE
eth1             192.168.0.1/24                    u/u  LAN
eth2             192.168.100.1/24                  u/u  DMZ
eth3             192.168.200.1/24                  u/u  LAB
lo               127.0.0.1/8                       u/u
                 ::1/128
wlan0            192.168.250.1/24                  A/D  WLAN
vyos@vyos:~$
vyos@vyos:~$
vyos@vyos:~$ show ip route kernel
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

K>* 185.236.200.195/32 [0/0] via xxx.xxx.xxx.1, eth0, 2d19h29m
vyos@vyos:~$
vyos@vyos:~$
vyos@vyos:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xxx.xxx.xxx.xxx 0.0.0.0         UG    20     0        0 eth0
xxx.xxx.xxx.0   0.0.0.0         255.255.224.0   U     0      0        0 eth0
nordvpn-5727    xxx.xxx.xxx.xxx 255.255.255.255 UGH   0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
vyos@vyos:~$

You are getting this route while OpenVPN is connected, so it seems this is not what you expected, and you are having routing issues while OpenVPN is connected.

K>* 0.0.0.0/1 [0/0] via 10.8.1.1, vtun0, 18:10:47

What VyOS version are you running? Also, is there any relevant routing config in this file:

set interfaces openvpn vtun0 openvpn-option '--config /config/auth/nord/included_config.conf'

Running VyOS 1.3.0-rc6

vyos@vyos:~$ cat /config/auth/nord/included_config.conf
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
comp-lzo no

remote-cert-tls server
verb 3
pull
fast-io

--mute-replay-warnings

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END OpenVPN Static key V1-----
</tls-auth>

OpenVPN pushes the default gateway when brought up, which is expected and normal. I do want all traffic to go out the VPN tunnel, EXCEPT for inbound to the DMZ server.

There has to be a way for an external Internet client to connect to a DMZ server through the firewall via NAT. I have the NAT forwarding to the DMZ server set up, and the DMZ server does see those packets. The reply packets don’t make it back though. I’m thinking maybe an SNAT rule is needed for return packets from the DMZ server to the router’s external IP.

Firewall rule to allow external packets destined to DMZ server:

set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-IN rule 20 action 'accept'
set firewall name OUTSIDE-IN rule 20 description 'Allow access to Emby Server from the Internet'
set firewall name OUTSIDE-IN rule 20 destination port '8920'
set firewall name OUTSIDE-IN rule 20 protocol 'tcp'

NAT to forward external packets to DMZ server:

set nat destination rule 100 description 'DNAT: OUTSIDE-IN to emby-server'
set nat destination rule 100 destination address 'xxx.xxx.xxx.19'
set nat destination rule 100 destination port '8920'
set nat destination rule 100 inbound-interface 'eth0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address '192.168.100.11'

I’m thinking another NAT rule is needed for the return traffic, but not sure what it should be.

I added this rule, and now see traffic going from the DMZ server back out the Internet, but I’m guessing it’s the wrong way to do it, because the remote client still times out waiting for a response.

set nat source rule 220 description 'SNAT Reflection: emby-server to Internet'
set nat source rule 220 destination address 'xxx.xxx.xxx.0/19'
set nat source rule 220 outbound-interface 'eth0'
set nat source rule 220 protocol 'tcp'
set nat source rule 220 source address '192.168.100.0/24'
set nat source rule 220 translation address 'masquerade'

Just tested again: if I disable the OpenVPN tunnel, the remote client connects just fine. Session traffic returns just fine when OpenVPN is disabled.

I disabled the new rule 220; it’s not needed. When the OpenVPN tunnel is up, traffic does go back out the Internet interface to the remote client, but something is wrong: the remote client times out. There must be something wrong with the packets that return to the remote client.

I have two remote clients for testing. The main one is an Android phone, which is the goal. I also have a laptop running Qubes OS that has a Debian Linux VM connecting out to a remote private VPN server, and from there I can test from the Internet back in.

If I can’t get the NAT solution working, I’m next tempted to install an OpenVPN client on the Android phone and have it connect to the VyOS router as a VPN client, which means I’ll have to install an OpenVPN server on the router, but it will have to work next to the current OpenVPN client on VyOS that sends all traffic by default to NordVPN. I’m hesitant to do this, because it will just add another layer of complexity that can make troubleshooting even harder.

I gave up trying to get both OpenVPN and NAT to run on the same interface on different ports. Apparently, VyOS can’t do both on the same interface.

Replacing NAT with OpenVPN. We’ll see if VyOS can run both an OpenVPN client AND an OpenVPN server on the same interface on different ports.

OMG, that was too easy. I deleted all the NAT stuff, then installed an OpenVPN server on my VyOS router, and installed the OpenVPN Connect client on my Android phone. Works great. So much easier too.

I’ll post my config files after I’m done doing lots of testing and optimizing.

Never did get both OpenVPN and NAT running on the same interface in VyOS, but at this point I no longer need it.

Got it working.

All I needed was to add a simple static route to the VPN server I’m allowing to NAT in.

That’s a little sloppy, but it works. I’ll clean it up by creating a policy-based routing rule and table.
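The asymmetric return path behind this whole thread, modelled as an added example that is not from the thread or from VyOS: a longest-prefix-match lookup over the routing table posted above shows why the two /1 routes OpenVPN installs win over the eth0 default for replies to any Internet client, and why a per-source policy table (the clean-up the poster describes) sends the DMZ server’s replies back out eth0. The eth0 gateway is redacted on the page, so `203.0.113.1` is a constructed placeholder.

```python
import ipaddress

# Next hops: the eth0 gateway is redacted in the thread, so this address is a
# constructed placeholder; the tunnel gateway is the one shown in the output.
ETH0_GW = "203.0.113.1"
VPN_GW = "10.8.1.1"

# Main table as posted with OpenVPN up: (prefix, next hop or None if
# directly connected, egress interface).
MAIN_TABLE = [
    ("0.0.0.0/0", ETH0_GW, "eth0"),            # static default via eth0
    ("0.0.0.0/1", VPN_GW, "vtun0"),            # installed by OpenVPN
    ("10.8.1.0/24", None, "vtun0"),
    ("128.0.0.0/1", VPN_GW, "vtun0"),          # installed by OpenVPN
    ("185.236.200.195/32", ETH0_GW, "eth0"),   # host route to the VPN server
    ("192.168.0.0/24", None, "eth1"),
    ("192.168.100.0/24", None, "eth2"),
    ("192.168.200.0/24", None, "eth3"),
]

# Policy table for the DMZ server: its only route is the eth0 default, so
# replies to DNAT'ed sessions leave on the interface the SYN arrived on.
DMZ_SERVER = "192.168.100.11"
DMZ_TABLE = [("0.0.0.0/0", ETH0_GW, "eth0")]


def lookup(table, dst):
    """Longest-prefix match. The most specific route wins, so the two /1
    routes beat the /0 default even though the default is still present."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, dev)
    return None if best is None else (best[1], best[2])


def vpn_down_table():
    """The table with OpenVPN down: every vtun0 route is gone."""
    return [r for r in MAIN_TABLE if r[2] != "vtun0"]


def route_with_policy(src, dst, pbr_enabled):
    """Policy routing is consulted before the main table: packets from the
    DMZ server use DMZ_TABLE, everything else follows MAIN_TABLE."""
    if pbr_enabled and src == DMZ_SERVER:
        return lookup(DMZ_TABLE, dst)
    return lookup(MAIN_TABLE, dst)


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed Internet client address
    print("VPN up, no policy :", route_with_policy(DMZ_SERVER, client, False))
    print("VPN up, policy    :", route_with_policy(DMZ_SERVER, client, True))
    print("VPN down          :", lookup(vpn_down_table(), client))
```

With the tunnel up and no policy the reply to the client leaves via vtun0 (the NordVPN exit address), so the client sees a response from an address it never talked to and times out; with the policy in place, or with the tunnel down, the reply leaves via eth0.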

I think just allow the vtun# interface in the DMZ zone.