Open VPN not port forwarding

Ninmore

So I have two VPN services, one that uses PPTP and one that uses Open-VPN. Recently I got Open-VPN working, but for some reason when connected to the VPN no port forwarding works at all unless I use PPTP or no VPN. I checked the port forwarding table and the ports are there and working.

I have been searching around but I cannot seem to find an answer at all. I have tried manually adding port forwarding rules to the table but that did not work either; I am out of ideas.

Cheers.
 
That port forwarding won't work with an OpenVPN client.

SSH into the router and input iptables such as these, changing the tun device, LAN IP, dport as required.

Code:
iptables -I FORWARD -i tun11 -p udp -d 192.168.2.42 --dport 64505 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.2.42 --dport 64505 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 64505 -j DNAT --to-destination 192.168.2.42
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 64505 -j DNAT --to-destination 192.168.2.42
 
So just put those commands in the router through SSH. The rules were added but still no luck. The tunnel device is the same, so tun11. I changed the IP address but kept the port the same just to test that port.
 
Well, trust me, that's the way you do it.

Make sure your VPN provider is forwarding that port, and make sure your server is listening on that port. Otherwise any port checker will show it's closed.
 
Okay, I have fixed the port forwarding now. My PPTP VPN allows any ports, but my Open-VPN only allows a given port range, for example 7255:7269, which is annoying as it can change apparently. I used your code above and used this to fix it.

Code:
iptables -I FORWARD -i tun11 -p udp -d [Local IP] --dport 7630:7644 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d [Local IP] --dport 7630:7644 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 7630:7644 -j DNAT --to-destination [Local IP]
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 7630:7644 -j DNAT --to-destination [Local IP]

You can now mark this as fixed. Cheers!
 
Hello,
I tried the above without success. I am trying to open up a port on private internet access.

I have an RT-AC66U on .54_1. My PC is on 192.168.1.100 and is currently being policy routed to VPN Client 2 on a gateway that supports port forwarding. My TV, PS3 and Nexus 10 are all routed on VPN client 1.

I successfully acquire a port on private internet access. I get the following port, for example:
('IP Address: ', '199.167.138.119'
('Forwarded port: ', 23258)


I then run:
iptables -I FORWARD -i tun12 -p udp -d 192.168.1.100 --dport 23258 -j ACCEPT
iptables -I FORWARD -i tun12 -p tcp -d 192.168.1.100 --dport 23258 -j ACCEPT
iptables -t nat -I PREROUTING -i tun12 -p tcp --dport 23258 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun12 -p udp --dport 23258 -j DNAT --to-destination 192.168.1.100


Is the correct user script for the above commands "firewall-start"? Or is that too early for tun12 interface?


I then load up a port checking website. It sees my IP as 199.167.138.119. I check port 23258, which utorrent is listening on, and it says it's closed. I turned off Windows firewall to make sure that was not interfering. I am not sure what to do.

Here is my current routing table on the router.
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
199.167.138.119 23.233.6.129    255.255.255.255 UGH   0      0   0   eth0
10.145.1.5      *               255.255.255.255 UH    0      0   0   tun12
23.233.6.129    *               255.255.255.255 UH    0      0   0   eth0
66.55.144.185   23.233.6.129    255.255.255.255 UGH   0      0   0   eth0
10.100.3.5      *               255.255.255.255 UH    0      0   0   tun11
23.233.6.128    *               255.255.255.224 U     0      0   0   eth0
192.168.1.0     *               255.255.255.0   U     0      0   0   br0
127.0.0.0       *               255.0.0.0       U     0      0   0   lo
default         23.233.6.129    0.0.0.0         UG    0      0   0   eth0


Any ideas on why the port check always reads as closed?

Thanks!
 
I think the issue here is the client needs to hit the VPN provider and request the port. That's the way "Private Internet Access" does it. Just connecting is not enough.

To get this to work well, Merlin-WRT would need built in support for PIA. That would be cool. But I don't see that happening. Or you'd need the ability to run a script at VPN connect time that could fetch the port from the service and do the routing.
 
janosek, when you test to see if the port is open, do you have a server listening on that port? If no app is there to respond, the port checker will say it's closed.
 
Yes, I have utorrent listening on the port. I even turned off windows firewall. utorrent has upnp and nat-pmp port mapping turned off.

My Python script is the one setting up the port for PIA and it also sets utorrent to the port that comes back. The last piece was getting the router to port forward the port to my desktop. Currently it's manual until I can get it to work, then I will figure out how to automate it.
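
The four rules posted in this thread, wrapped so they can be re-applied when the tunnel reconnects or the provider hands out a different port or range. This is an added example, not code from any poster or from the router firmware. The function names and the `IPT_CMD` preview variable are assumptions, and because the port arrives from an external service, the interface, LAN IP and port are validated before they reach iptables.

```shell
#!/bin/sh
# Added example, not code from the thread. IPT_CMD is a hypothetical override
# (e.g. IPT_CMD="echo iptables") for previewing rules without touching the firewall.
IPT_CMD="${IPT_CMD:-iptables}"

valid_iface() { case "$1" in tun[0-9]|tun[0-9][0-9]) return 0 ;; *) return 1 ;; esac; }

valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

valid_ports() {   # one port, or lo:hi as the provider hands out; each 1-65535
    case "$1" in ''|*[!0-9:]*|*:*:*|:*|*:) return 1 ;; esac
    lo=${1%%:*}; hi=${1##*:}
    [ "${#lo}" -le 5 ] && [ "${#hi}" -le 5 ] || return 1
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Print "<table> <chain> <rule spec>" for the four rules used in the thread.
build_rules() {   # usage: build_rules <tun-if> <lan-ip> <port|lo:hi>
    valid_iface "$1" && valid_ipv4 "$2" && valid_ports "$3" || return 1
    for proto in tcp udp; do
        echo "filter FORWARD -i $1 -p $proto -d $2 --dport $3 -j ACCEPT"
        echo "nat PREROUTING -i $1 -p $proto --dport $3 -j DNAT --to-destination $2"
    done
}

# action "add": drop any identical copy, then insert (safe to re-run on reconnect).
# action "del": only drop, e.g. for the old port after the provider assigns a new one.
sync_rules() {   # usage: sync_rules add|del <tun-if> <lan-ip> <port|lo:hi>
    action=$1; shift
    case "$action" in add|del) ;; *) return 1 ;; esac
    rules=$(build_rules "$@") || { echo "refusing: bad interface, IP or port" >&2; return 1; }
    echo "$rules" | while read -r table chain spec; do
        $IPT_CMD -t "$table" -D "$chain" $spec 2>/dev/null || true
        [ "$action" = del ] || $IPT_CMD -t "$table" -I "$chain" $spec
    done
}

if [ "$#" -eq 4 ]; then sync_rules "$@"; fi
```

Running it with `IPT_CMD="echo iptables"` prints the commands instead of executing them, which makes it easy to compare against `iptables -t nat -L PREROUTING -n -v` on the router before and after.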
 