Using OpenVPN instead of port forwarding to reach systems in my LAN - how hard is this?

I have a few computers in my LAN that I need to reach from outside. I wish I could just use port forwarding, but I’m on Starlink, which uses a CGNAT. That means using a VPN/proxy service that provides port forwarding or using something like OpenVPN. I have not done networking work in a long time, so I’ve been reading up on OpenVPN. I have a VPS for $2 a month running Debian so I can run an OpenVPN server on it. My LAN has a pfSense firewall. I have an iPhone and iPad that I use in remote locations that I want to be able to use to reach between 1-4 systems in my LAN.

So I would be using my firewall, phone, and tablet as clients for the VPN. I would need to be able to have the clients talk to each other and for the incoming data within the VPN to pass from outside, through my firewall, then forward to the appropriate computer in the LAN. I have trouble remembering IP addresses and use “colorful” names for the systems in my LAN. For instance, one Raspberry Pi is named “imladris” and another is named “erebor.” pfSense, on my firewall, also acts as DHCP server for the LAN so all I have to type inside my LAN is “erebor” without a full domain name and it’ll load the web interface on that system.

I’d REALLY like to keep this with the roaming clients, my phone and tablet, so when I turn on OpenVPN on my phone, I can type into the browser “erebor” and that goes to the VPN, which forwards it to the pfSense client, which, in turn, sends that request to the Pi named erebor.

I’ve read through the sample config files and the OpenVPN HowTo for setting things up, but I’m not clear (and I may be misunderstanding some terms here - like I said, it’s been a LONG time…) on just what I need to do. I see (and appreciate) that the config files are so simple, but I’m still not sure what I need to do to make things work the way I want. When reading through what I need to do for testing and so on, and knowing this is a first time thing for me, I don’t want to go down a rabbit hole and find I’ve spent a large number of hours working on configuration and testing and find I still don’t have the VPN doing what I need it to do.

It looks like some of this is covered in the OpenVPN HowTo, but I’m not clear on just what I need to do or how much special configuration work this will take.

How hard is it to get an OpenVPN server to behave the way I’m talking about? Any suggestions on what I need to be reading or looking for that addresses my type of situation?

First, I would like to translate your question into OpenVPN language. That is: set up an OpenVPN server on the VPS and generate at least two clients (Client-A and Client-B). Make sure Client-B can access Client-A and Client-A’s subnetwork through the VPS.

If you don’t have many clients needing to be connected at the same time, it might be quicker and easier to just set up a free OpenVPN CloudConnexa (former OpenVPN Cloud) account; it allows 3 devices to be connected at the same time (for more clients, it will carry a cost). You get configs generated by this service to just install on each of your “nodes”, which all just need to run OpenVPN as a client.

Otherwise, you will need to have some basic networking understanding: how networks are configured, how routing and firewalling work. That is usually the most challenging part to get right. A more thorough guide on the important aspects you need to configure is available here: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN

I know there are tons of blogposts on the interweb describing the same things much more briefly… but most of those I’ve seen have security issues, suggest OpenVPN settings which will impact your VPN performance quite negatively, or are quite outdated. The post I’m pointing at is more generic and should normally cover all the aspects you need to be aware of and have some kind of understanding of.
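To make the "Client-B reaches Client-A's subnet through the VPS" translation concrete, here is an added example of the server-side pieces that scenario needs (not from the original thread or from OpenVPN's own docs): the server config plus the per-client file for the pfSense client. File paths, the 10.8.0.0/24 tunnel network, the 192.168.1.0/24 LAN, the DNS address and the client certificate CN "pfsense" are all assumptions; substitute your own.

```conf
# /etc/openvpn/server/server.conf on the VPS (assumed path)
port 1194
proto udp
dev tun
topology subnet
ca   ca.crt
cert server.crt
key  server.key
dh   none                 # ECDHE key exchange, no static DH params needed (OpenVPN 2.4+)
tls-crypt ta.key          # assumed pre-shared key; hides the TLS handshake from port scanners
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256

# Tunnel address pool handed to every client (assumed)
server 10.8.0.0 255.255.255.0

# Let VPN clients talk to each other (phone/tablet <-> pfSense)
client-to-client

# Kernel route on the VPS: the LAN behind pfSense lives on the far side of tun0
route 192.168.1.0 255.255.255.0

# Per-client files live here, named after each client's certificate CN
client-config-dir /etc/openvpn/server/ccd

# Roaming clients learn the LAN route and the LAN DNS server (pfSense, assumed 192.168.1.1)
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN lan.example"   # assumed search domain so "erebor" can expand

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3

# /etc/openvpn/server/ccd/pfsense  (file name must equal the pfSense client's cert CN)
# iroute tells the OpenVPN daemon WHICH client owns 192.168.1.0/24; the "route" line
# above only tells the VPS kernel to send it into the tunnel. Both are required.
iroute 192.168.1.0 255.255.255.0
# Fixed tunnel address so firewall rules on pfSense and the VPS stay predictable
ifconfig-push 10.8.0.10 255.255.255.0
```

On the pfSense side the OpenVPN client interface still needs a firewall rule allowing traffic from 10.8.0.0/24 to the LAN, and the DNS push only helps if pfSense's resolver answers queries arriving over the tunnel.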

Just a note after I finally solved the issue and what worked.

I used a VPS and ran OpenVPN on it and connected okay with my iPhone and iPad. pfSense took more work, but I never could get routes and addresses (and names from the LAN DNS server) to forward through it. I tried a couple other solutions, including a commercial VPN service, but there were problems with all of them.

Then I took someone’s advice and tried Tailscale. I’m shocked and relieved by how quick and easy the configuration for Tailscale was so I could finally reach the systems in my LAN from outside - without port forwarding that would leave ports exposed on the internet.

Okay, I follow. I think I needed all the extra for myself as well as trying to describe what I’m doing. I can see some of this in the HowTo - I’m just trying to pull it all together in my head.

I had not heard about Connexa, so I’m looking into it. I’m considering a total of 3 clients. One is the firewall and 2 are my phone and tablet, which wouldn’t need to be connected at the same time. (Also, I can’t see a reason I’d need to keep either mobile device connected longer than 5 minutes at a time.) This may be a great setup for me and save time. (Normally I don’t mind taking time to learn or relearn something, but I have so much going on right now it’s hard to take too much time out for this.)

Also, thank you for pointing out to watch out for all the other stuff and security or performance issues. I’ve seen other tutorials and howtos, but they all seem lacking in one thing or another.