TP-LINK TL-MR6400 IPSEC L2TP VPN tunnel with GCP server

I have a TP-LINK TL-MR6400 router, connected to internet by means of an LTE sim.
This is a very rough network diagram of my current situation. My IoT services sit behind the TL-MR6400.
Unfortunately my mobile provider is NATting the dynamic external IP address of my router, so I can't expose either my MQTT server or my cams, while of course surfing the web from a PC is not a problem.
I found somewhere that this situation can be overcome by creating a VPN tunnel with a fixed IP address server. Therefore I created a micro instance with Google Cloud Platform (GCP) with a static IP address.
In my mind the VPN client should call the GCP VPN server and create the tunnel. At this point the server firewall rules should forward the MQTT and webcam addresses and ports to my static IP address on different ports, in order to control my MQTT topics with a dedicated app or access the remote server via ssh.
A cloud MQTT service is not an option, as the system needs to be always on, independently of the availability of the internet. The business logic is hosted on the same RPi as the MQTT broker and it talks constantly with sensors and actuators on the local network.
If the internet is down I can't control it remotely, but fallback procedures would still work locally.
Maybe you can recommend:

  • a different 4G LTE router
  • a different protocol, supported by the MR6400, to install on my GCP server
  • a different firmware like OPENWRT on the TL-MR6400

The solution you are trying to achieve is fine, just keep in mind that that workaround might increase your bandwidth usage and latency.

As a side note, I am biased in favor of OpenWRT, but that firmware requires some level of expertise and experience in order to set up this kind of environment (or some free time with a lot of focus and internet investigation).

1st scenario.

You could have a GCE instance (with IP forwarding) and an on-prem VM or server, create an OpenVPN tunnel between them, create static routes in your GCP project and on your on-prem TP-Link, then add the following iptables rules for each port you want to expose to the world, something like this.

# Rewrite the destination of incoming TCP/80 on the GCE instance to the on-prem host behind the tunnel
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.128.0.50:80
# Rewrite the source to the GCE end of the tunnel so the on-prem host sends its replies back through the tunnel
sudo iptables -t nat -A POSTROUTING -p tcp -d 10.128.0.50 --dport 80 -j SNAT --to-source 10.128.0.100

You would need to change this if you don't want to use NAT here.

2nd scenario.

Pretty much the 1st scenario, but using OpenWRT on your TP-Link rather than an on-prem VM or server.

Here's a video that explains how to configure an OpenVPN server.
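The GCE-side rule set for both scenarios, written out as an added example (this is not code from the original answer): a POSIX shell script that prints the sysctl and iptables commands needed to expose any number of ports over the OpenVPN tunnel, with the DNAT restricted to the external interface, a FORWARD chain that only admits the forwarded targets, and the SNAT that makes replies come back through the tunnel rather than out of the router's LTE uplink. The interface names (ens4, tun0), the tunnel address 10.8.0.1, the target 192.168.1.10 and the admin address 203.0.113.5 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original answer): generate the iptables rule set for the
# GCE instance so that chosen public ports are DNATed over the OpenVPN tunnel to hosts
# behind the NATted LTE router, and replies are SNATed so they return through the tunnel
# instead of the router's LTE default route.
# All interface names and addresses are assumptions for the example:
#   WAN_IF    external interface of the GCE instance
#   TUN_IF    OpenVPN interface on the GCE instance
#   TUN_LOCAL tunnel address of the GCE end (used as the SNAT source)
# Port map format: "public_port:proto:target_ip:target_port[:allowed_source_cidr]"
# The script prints the commands instead of running them, so they can be reviewed
# before being piped to sh as root on the instance.

WAN_IF=${WAN_IF:-ens4}
TUN_IF=${TUN_IF:-tun0}
TUN_LOCAL=${TUN_LOCAL:-10.8.0.1}

# Return 0 if the argument is an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the three rules for one forwarded port. An optional allowed-source CIDR limits
# who can reach the exposed port, which is the check you want in front of an MQTT broker
# or a camera that does not authenticate clients itself.
forward_rule() {
    pub=$1; proto=$2; dst=$3; dport=$4; src=$5
    case $proto in
        tcp|udp) ;;
        *) echo "bad proto: $proto" >&2; return 1 ;;
    esac
    valid_port "$pub" && valid_port "$dport" || { echo "bad port in $pub:$dport" >&2; return 1; }
    srcopt=${src:+ -s $src}
    # Match only on the external interface so the rule never rewrites tunnel or loopback traffic.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF$srcopt -p $proto --dport $pub -j DNAT --to-destination $dst:$dport"
    # FORWARD policy is DROP (see generate); explicitly allow new connections to the forwarded target only.
    echo "iptables -A FORWARD -i $WAN_IF -o $TUN_IF$srcopt -p $proto -d $dst --dport $dport -m conntrack --ctstate NEW -j ACCEPT"
    # Rewrite the source to the GCE tunnel address so the on-prem host replies back through the tunnel.
    echo "iptables -t nat -A POSTROUTING -o $TUN_IF -p $proto -d $dst --dport $dport -j SNAT --to-source $TUN_LOCAL"
}

# Print the complete rule set for a list of port maps; returns 1 on the first bad map.
generate() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for map in "$@"; do
        oldifs=$IFS; IFS=:; set -- $map; IFS=$oldifs
        forward_rule "$1" "$2" "$3" "$4" "$5" || return 1
    done
}

# Usage (constructed addresses): MQTT over TLS reachable only from one admin address,
# and SSH to the RPi published on public port 2222 for anyone.
generate "8883:tcp:192.168.1.10:8883:203.0.113.5/32" "2222:tcp:192.168.1.10:22"
```

Two things the script cannot do for you: the GCP VPC firewall must also allow the public ports to the instance, and the instance must have been created with IP forwarding enabled, otherwise the DNATed packets are dropped before iptables sees them. The SNAT to the tunnel address is what keeps the return path inside the tunnel; without it the RPi would answer via the router's LTE default route and the connection would never complete. Prefer publishing the broker's TLS port (8883 with client authentication) over plain 1883, and use the allowed-source field for anything that has no authentication of its own.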