I've been searching this forum (and others) for a solution to this problem for days so I'm hoping someone can lend a hand.

Here's my situation: I have two routers, one with Tomato and another with TomatoVPN. I have the Tomato router (R1) connected to the WAN directly. TomatoVPN (R2) is connected to the LAN on R1 via the WAN on R2. So a very rudimentary diagram:

    Modem ---> (WAN) R1 192.168.1.0 (LAN) <-----> (WAN) R2 192.168.2.0 (LAN) <-----> Clients

I have configured a client VPN connection on R2 which allows any client connected to R2 to access the internet via the VPN. Clients connected to R1 can also access the internet fine, though they use the ISP connection and are not routed through the VPN. This is working as desired.

The issue is that I want to allow access to an application running on a machine connected to R2 from the WAN. This has proved (so far) to be impossible. After creating a static route on R1 like this:

    Destination    Gateway         Subnet           Interface
    192.168.2.0    192.168.1.30    255.255.255.0    LAN

I can access the application in question from a client connected to R1. However, port forwarding from R1 to R2 does not appear to work. I can see from the logs that the request is accepted at R1 but no logging is generated at all on R2, it's as if the packet never reaches R2.

Any help would be greatly appreciated. Thanks.