RT-AC88U Port Forward - OpenVPN Client - Mullvad VPN

[Pirivan]

Router Model: RT-AC88U
Firmware Version: 384.13

Hello all, to start I would like to say many thanks to RMerlin for providing this awesome custom firmware and to all of the expert community members whose feedback/guides have been invaluable over the years.

My issue is as follows; would highly appreciate any assistance if someone else has resolved a similar issue. I had port forwarding setup to forward a single port to single PC on the LAN working without any issues. I then decided to setup the OpenVPN client using the Mullvad VPN service on the router. I used the following guide that Mullvad provides:
https://www.mullvad.net/en/guides/asus-merlin-and-mullvad-vpn/

The VPN is working correctly for all LAN clients but port forwarding is now failing. I followed their instructions at the end of the support guide and appropriately edited the dport and DNAT values to be equal to the port I want to forward and the internal IP address of the client I want the traffic forwarded to and then copied/pasted the command into an SSH session. I confirmed in nano that the nat-start file includes the two iptables rules you would expect the command to generate.

Not sure if this is relevant but I also determined the following facts:

• If you are OUTSIDE of the network the port forward fails (which is of course the ultimate goal to resolve).
• If you are ON the local network via the Wi-Fi (thus your outbound traffic is going over the VPN) but you attempt to connect to the service/port using the EXTERNAL/WAN IP, the port forward actually succeeds. If you REMOVE the port forwarding settings in the WAN -> Virtual Server / Port Forwarding, this causes it to fail (these settings are/were still in place from the successful port forwarding configuration I had setup before I deployed the OpenVPN client on the router).

 

[Jerrk]

I believe i have the same - or very similar problem.

Model: RT-AC87U
Firmware Version: 384.13_1

No issues with port forwarding before setting up the VPN client with Mullvad on my router.
I followed their guide and got the client up and running as it should, but am unable to get the port-forwarding to work. I SSH into the router through putty and run the commands for my PCs IP and the given ports from the mullvad website. Mullvads own port checker and any other i try show the ports as unreachable.

I was basically following the guide line by line since i am not experienced in these fields, and pretty much guessed for the SSH part.
Hopefully someone can point us in the right direction

 

[Pirivan]

Just FYI, I reached out to Mullvad support and while they did a good job working with me to troubleshoot, I have not yet reached a solution. Not sure if it will be helpful to you but here is an edited version of some of the back and forth with support:

First of all when you set the port forwarding through the GUI then it will forward it for the wrong interface and not on the tun/tap interface. If you add for example touch /tmp/jffs/scripts/TESTING or similar in the commands does it actually get executed on boot ?

I removed the port forwarding via the GUI and added touch /jffs/scripts/testing.txt to my nat-start file and confirmed that 'testing.txt' was created after I rebooted the router. This confirms that the script they suggest to add the iptables rules is running on startup

So if you have: Device on INTERNET -> MERLIN ROUTER -> HOST Then you should go to for example: https://www.portforwarding.org/ -> Enter the EXIT IP of the mullvad server you are connected to on the router and the port. In the Merlin router make sure that the script has been run and also make sure that the router is the last device that is connected to the server on that Mullvad account. (Only the last connection to a server gets the port forwarded). On the host behind it make sure that you have the listener running on the port. Does it work then? If not you could try for example TCPdump on the router to see if any traffic comes in on the tun/tap interface on that port.

I tested using https://www.portforwarding.org/ and the exit IP of the mullvad server I am connected to on the router and the port I would like to forward. According to portforwarding.org, the port in question is closed. I disconnected the two other devices I had connected to the Mullvad account (two mobile devices using the OpenVPN application), then rebooted the router so that it would be the 'last device' connected to the server on the Mullvad account. Unfortunately, it still did not work at this point and portforwarding.org still showed the port as closed. The Windows firewall has the custom port open (and I can confirm it works without OpenVPN setup on the router). I can also see that it is open and listening via netstat -an

I have not yet installed TCPdump on the router to view traffic on the tun/tap interface for a custom port (I wasn't quite clear on how to do it).

Thank you for the updated information. I have tested this with a Asus router running Merlin and just by running the scripts and having IPERF running you should be able to get a connection. It might be that the firmware or something is really buggy which isn't uncommon on router firmwares. I would recommend you to run Mullvad directly on your device and see if that works better. If the router has tcpdump you could SSH into it then run: tcpdump -i THETAP/TUNINTERFACE 'port XXXX'

My next plan is to try resetting my entire router config to defaults and then rebuilding it from scratch (including the OpenVPN client settings) and see if that helps.

In terms of running Mullvad on my Windows device directly, I am not quite sure how to properly setup port forwarding on the router in that situation. Before I setup the OpenVPN client on the router, I was just running the Mullvad client on my Windows device. As soon as the Mullvad Windows client was running, the port forwarding I had setup in the router GUI stopped working. I am sure there a procedure that allows port forwarding on the Asus router to a Mullvad VPN connected Windows client to function properly, I have just not yet located it.

 

[Pirivan]

Slight update in case anyone sees this later. I did reset router config to defaults and rebuilt it all from scratch with the OpenVPN configuration; still no luck with the port forwarding. It's possible that there is some conflicting setting with how I configure my RT-AC88U but it's non-obvious to me if so. The only settings I really modify on a fresh setup are: wireless related (WPS disabled), setting some manual DHCP assignments, configuring different DNS servers on the WAN (I don't want to use the ISP DNS servers), disabling UPnP on the WAN

The last suggestion I received from Mullvad support was:

You could try to allow local network sharing on the mullvad connected computer and see if the port forwarding from the router for your other ports still go through.

This suggesting is referencing removing the OpenVPN configuration from the router and only running it via the Windows client on the endpoint I wish to port forward to. Before setting up the router to connect to OpenVPN I had Mullvad setup in this way and the port forwarding was failing, so I am reasonably certain that this will not work if I test it again.

EDIT-UPDATE

I tried completely removing the OpenVPN Client configuration on my RT-AC88U, setting up the port forwarding again in the router UI and then installed the Mullvad VPN client software on the endpoint I want to connect to and enabled local network sharing within the Mullvad Windows app. Unfortunately, even in this configuration, the port forwarding continues to fail (as I expected).

 

[HoldMyGin]

Hello from me friends. This is my first post here and I am having the exact problem. I come to think that either we are doing something wrong in SSH or the script is wrong.

For the record the script is this:
echo -e "!#/bin/sh \niptables -t nat -A PREROUTING -i tun+ -p udp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP \niptables -t nat -A PREROUTING -i tun+ -p tcp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP" > /jffs/scripts/nat-start && chmod +x /jffs/scripts/nat-start

What I did was that:

ssh admin@192.168.2.1 entered the password, got logged in in a direcotry that seems i nthe format of /tmp/root# (something like that). I then paste the commands above, changing the YOUPORT to the assigned port by Mullvad in my account and THECOMPUTERSIP to the static IP that i assigned to my desktop I want to reach from the outside.
Of course as you can imagine a could not erach the port from the outside using netcat.
On the other hand, when i used the Mullvad app the port was reachable. And this makes me furious
I have also tried to use the port forwarding function from the GUI but still no luck. I also tried this recommendation from the Mullvad's website: 'If you are using multiple devices that share the same account and connect to the same server, then only the most recently connected device will have the ports forwarded to it. (This does not apply if you are using WireGuard since you can move the ports around to different pubkeys)', but again no luck...

My setup is this. ISP modem connected directly to phone line. All traffic directed to asus router which is permanently running a VPN client service and all IPs are assigned automatically (apart from 2-3 statics I assigned) and routed through VPN.

So, now the cry for help. Can anyone help with this? Is it the script that is wrong? Is it the directory wrong? How can i see that the script is saved in the router (JFFS). What command do i type to verify that is indeed saved, because when i entered it i didn't get any message verifying the success or not.

Any input is welcomed, since i have spent too much time on this and the wife is complaining about her abandonment ...!

 

[Pirivan]

Hello from me friends. This is my first post here and I am having the exact problem. I come to think that either we are doing something wrong in SSH or the script is wrong.

For the record the script is this:
echo -e "!#/bin/sh \niptables -t nat -A PREROUTING -i tun+ -p udp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP \niptables -t nat -A PREROUTING -i tun+ -p tcp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP" > /jffs/scripts/nat-start && chmod +x /jffs/scripts/nat-start

What I did was that:

ssh admin@192.168.2.1 entered the password, got logged in in a direcotry that seems i nthe format of /tmp/root# (something like that). I then paste the commands above, changing the YOUPORT to the assigned port by Mullvad in my account and THECOMPUTERSIP to the static IP that i assigned to my desktop I want to reach from the outside.
Of course as you can imagine a could not erach the port from the outside using netcat.
On the other hand, when i used the Mullvad app the port was reachable. And this makes me furious
I have also tried to use the port forwarding function from the GUI but still no luck. I also tried this recommendation from the Mullvad's website: 'If you are using multiple devices that share the same account and connect to the same server, then only the most recently connected device will have the ports forwarded to it. (This does not apply if you are using WireGuard since you can move the ports around to different pubkeys)', but again no luck...

My setup is this. ISP modem connected directly to phone line. All traffic directed to asus router which is permanently running a VPN client service and all IPs are assigned automatically (apart from 2-3 statics I assigned) and routed through VPN.

So, now the cry for help. Can anyone help with this? Is it the script that is wrong? Is it the directory wrong? How can i see that the script is saved in the router (JFFS). What command do i type to verify that is indeed saved, because when i entered it i didn't get any message verifying the success or not.

Any input is welcomed, since i have spent too much time on this and the wife is complaining about her abandonment ...!

How are you able to get the Mullvad app to work and make the port reachable? After removing all of the OpenVPN config on the router and setting up the Mullvad app on my destination PC, trying to connect from outside the network still does not work.

The script very well may not function as expected, not sure. Mullvad support seems to think that the commands are functional but I am not sure what they are doing differently to make it work.

If you want to see if this script is saved on the router and to verify if it is actually executing on startup do the following (one command at a time) after ssh'ing into your router. Please be aware, I am no expert here as I pieced this together from what Mullvad support asked me to do. Do not make changes via SSH if you are not comfortable with what you are doing OR aren't sure how to easily format your jffs partition and start over if you mess up OR reset your router config completely. Make sure to backup your configuration before messing around as I won't be able to assist you if you get into a bad state.

cd /jffs/scripts/
ls

The above commands will take you to the directory that was created when you ran the command and show you a list of the files in that directory. If you see a file named 'nat-start' in the /jffs/scripts/ directory, that means the command created the file successfully. If you want to test if the file is executing properly on startup, do the following:

nano /jffs/scripts/nat-start

This will bring you into a text editor for nat-start where you can see the two iptables rules the command you ran added. Add the following line at the bottom:

touch /jffs/scripts/TESTING.txt

Then use Ctrl + X to quit the editor and you will be asked if you want to save your changes. Press Y for Yes. Then, reboot the router. After rebooting the router, SSH back into it and again run

cd /jffs/scripts/
ls

You should see a file named 'TESTING.txt" in the /jffs/scripts directory along with the nat-start file. This confirms that the nat-start script is executing when the router boots up. Feel free to REMOVE the line touch /jffs/scripts/TESTING.txt from the nat-start file if you desire and save the changes. You can also delete the TESTING.txt file with the following command (assuming you are in the /jffs/scripts/ directory):

rm TESTING.txt

 

[HoldMyGin]

Hello again,

Well, by using the Mullvad app, the process is quite straight forward actually. You just connect to any server you want from the app and you follow the process described here :
https://mullvad.net/en/guides/port-forwarding-and-mullvad/

either by an online port checker or with the tools mentioned in the article. I for example used the Linux specific commands. It does not matter whether you have the ovpn client config files removed or not. The app works on top of all.

BTW, I assume that you have requested an open port from your Mullvad's account ( ) ...!

Now, for the steps you mentioned above I have tried them and indeed they are in the notepad BUT I have not yet confirmed if they are running at boot... I cant remember the command now, but should be something with iptables etc etc. Will try and do it later on and provide feedback.

 

[amoney]

I have mullvad vpn client running on my router and have port forwarding working fine. All port forwarding is managed via the nat-start script and not via the UI settings.

One thing to keep in mind is that make sure the machine you want to forward port to is the last machine to connect to the vpn server. I just found out this the hard way when my port forwarding stopped working intermittently because my phone would connect to the same vpn server when i was out side my home network. So i switched the vpn server my phone is using and re connected the vpn client on my router and everything was back to working as expected. Here is a sample from my nat-start script to set up port forwarding.

iptables -t nat -A PREROUTING -i tun+ -p tcp --dport MULLVAD_PORT -j DNAT --to-destination LOCAL_IP:LOCAL_PORT

edit: Changed port name.

 

[Pirivan]

This is really helpful amoney, much appreciated!

I disconnected my mobile devices from the VPN server and reconnected the VPN client on the router. However, it was still not working so I modified my nat-start script to look like yours

iptables -t nat -A PREROUTING -i tun+ -p tcp --dport PORT_GENERATED_BY_MULLVAD -j DNAT --to-destination LOCAL_IP_OF_WINDOWS_SYSTEM:LOCAL_PORT_OPEN_ON_WINDOWS_FIREWALL
iptables -t nat -A PREROUTING -i tun+ -p tcp --dport PORT_GENERATED_BY_MULLVAD -j DNAT --to-destination LOCAL_IP_OF_WINDOWS_SYSTEM:LOCAL_PORT_OPEN_ON_WINDOWS_FIREWALL

Unfortunately it is still not working so I must be doing something wrong. I noticed in your example that you labeled it is 'WIREGUARD_PORT'. I am just using OpenVPN on my router, not wireguard, are you using the wireguard configuration on your router? That may be why mine isn't working when trying to simulate your iptables rules?

Also, it's interesting that in the iptables commands Mullvad supplies (see below), they don't suggest specifying the 'local port' in the command. Is that because they are assuming that you will modify your local application to use the port that is generated under port forwarding for your account on their website? How did you come to that solution?

iptables -t nat -A PREROUTING -i tun+ -p udp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP
iptables -t nat -A PREROUTING -i tun+ -p tcp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP

I setup an iperf listener for the port Mullvad generated but their online port checker (https://am.i.mullvad.net/portcheck) still shows it as unreachable. When checking it with iperf I edited the iptables rules to what Mullvad suggests, removing the local port.

I will keep looking over my config to see if I notice any mistakes/syntax issues etc; I must be missing something if it is working for you. Thanks again for your feedback, extremely helpful.

 

[amoney]

I noticed in your example that you labeled it is 'WIREGUARD_PORT'

I had it mis labeled. Fixed it. I am using open vpn as well and its just a port mullvad forwards.

Also, it's interesting that in the iptables commands Mullvad supplies (see below), they don't suggest specifying the 'local port' in the command. Is that because they are assuming that you will modify your local application to use the port that is generated under port forwarding for your account on their website? How did you come to that solution?

Ya i cant recall how i came to that solution. Probably because my local port and mullvad ports are different. So i wanted to make it explicit.

When i get home i will check if port checker is working for me. I know port is being forwarded because plex remote access is working for me.

For your openvpn client have you set the policy to strict? A policy controlling if clients connected to vpn can send traffic outside of vpn and vice versa. Cant recall exact name. When i get home i will capture exact settings i am running with. Just to confirm the machines you are trying to forward to also have all their traffic getting routed via the vpn client? If not we might need to adjust this policy.

 

[Pirivan]

Ah okay, that makes sense, looks like we are using the same iptables config then essentially. I swapped mine back to including the local port as your explanation makes sense to me and I don't want to use the Mullvad selected port locally, though I could switch my application to that if really necessary.

Yes, I do have the policy set to 'Strict' in the OpenVPN client config.

Yes, all machines on the local network have their traffic getting routed via the VPN client with the OpenVPN client configuration setup on the router (including the one machine I am trying to forward to).

Sounds good on comparing your config when you have a chance to look at it; much appreciated.

 

[HoldMyGin]

If you run this:

sudo iptables -L -n -t nat

What do you get?

PS remove the sudo if it doesn't work.

 

[Pirivan]

I get the following when I run iptables -L -n -t nat (I replaced my WAN IP address with just WAN IP).

Interesting that it's not listing the PREROUTING commands that are in nat-start...

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
VSERVER    all  --  0.0.0.0/0            WAN IP

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24      0.0.0.0/0
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0            policy match dir out pol ipsec
PUPNP      all  --  0.0.0.0/0            0.0.0.0/0
MASQUERADE  all  -- !WAN IP              0.0.0.0/0
MASQUERADE  all  --  192.168.1.0/24      192.168.1.0/24

Chain DNSFILTER (0 references)
target     prot opt source               destination

Chain DNSVPN1 (0 references)
target     prot opt source               destination

Chain LOCALSRV (0 references)
target     prot opt source               destination

Chain PCREDIRECT (0 references)
target     prot opt source               destination

Chain PUPNP (1 references)
target     prot opt source               destination

Chain VSERVER (1 references)
target     prot opt source               destination
VUPNP      all  --  0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
target     prot opt source               destination

 

[Pirivan]

Alright, I resolved the issue. HoldMyGin pointed me in the right direction when I ran iptables -L -n -t nat and I did not see the PREROUTING entries that should be there based on the nat-start script executing, so I started to wonder if the script really was running on startup. It feels like a dumb fix (I bet it will seem dumb to anyone familiar with Linux/Unix) but it worked. The issue here was the code that Mullvad tells you to run on their site https://mullvad.net/en/guides/asus-merlin-and-mullvad-vpn/:

echo -e "!#/bin/sh \niptables -t nat -A PREROUTING -i tun+ -p udp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP \niptables -t nat -A PREROUTING -i tun+ -p tcp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP" > /jffs/scripts/nat-start && chmod +x /jffs/scripts/nat-start

It's the !# portion. On my router, with that start to the script, it won't execute. I noticed this when I tried to simply tried to run the script while ssh'ed into the router via: sh nat-start
It would throw an error stating ' !#/bin/sh: not found'

Simply changing the command to #! resolved the issue. So the script I use to create the nat-start file and populate it looks like:

echo -e "#!/bin/sh \niptables -t nat -A PREROUTING -i tun+ -p udp --dport PORT_PROVIDED_BY_MULLVAD -j DNAT --to-destination LOCAL_IP_OF_WINDOWS_SYSTEM:LOCAL_PORT_OPEN_ON_WINDOWS_FIREWALL \niptables -t nat -A PREROUTING -i tun+ -p tcp --dport PORT_PROVIDED_BY_MULLVAD -j DNAT --to-destination LOCAL_IP_OF_WINDOWS_SYSTEM:LOCAL_PORT_OPEN_ON_WINDOWS_FIREWALL" > /jffs/scripts/nat-start && chmod +x /jffs/scripts/nat-start

Aside from fixing the #! issue, this is a slight modification to the script Mullvad provides based on amoney's information to allow the port Mullvad generates for you to forward to the actual port you have open on your destination system for whatever service you want. Alternatively, you could just use the port Mullvad generates for you and change your application to use that port; it's up to you. If you do that, you just fill in LOCAL_IP_OF_WINDOWS_SYSTEM without the port portion.

To check if it's working just go to https://am.i.mullvad.net/portcheck and input the port that Mullvad generates for you (it will outfill in your OpenVPN public IP, if you are using some other service to test, just get the OpenVPN public IP from the VPN section of the Asus router).

Then, when you are testing connecting to your internal application from outside the network, make sure to use the OpenVPN public IP that your router is assigned AND the port Mullvad generates for you (not the internal port your application is actually using).

As pointed out previously by amoney, connecting other devices to the same Mullvad Open VPN server/region will break this config because the forwarding only works for the LAST device connected on your account in the same region, so if you want to connect other devices (like a mobile phone when outside of your wireless network), choose another region for that OpenVPN profile).

 

[amoney]

Glad it worked out.

I just use vi to edit files rather than echo and redirect.

vi /jffs/scripts/nat-start

 

[HoldMyGin]

Success!!! Yesss!!

It finally worked. Thank you Pirivan and amoney for the inputs!

I did mine without the pc port, was not necessary so yeassshhh!!

Now back to the server building again.

 

[slinkoff]

Can I just ask whether people who have got this working in this thread have it working consistently? I can get it working for a few hours but then my ports show as closed again without me doing anything. I've tried re-applying the port forwarding settings at my VPN provider (Ivacy) but it makes no difference. Seems to come back sometimes after a router reboot but not consistently.

 

[amoney]

Can I just ask whether people who have got this working in this thread have it working consistently? I can get it working for a few hours but then my ports show as closed again without me doing anything. I've tried re-applying the port forwarding settings at my VPN provider (Ivacy) but it makes no difference. Seems to come back sometimes after a router reboot but not consistently.

Yup has been working without any issues for a while now. I would check with your VPN provider and see if they can determine why port forwarding would stop working intermittently.

 

[slinkoff]

ok thanks, I will check with them. Just a further question, is your VPN DNS set to Exclusive or Relaxed?

 

[amoney]

ok thanks, I will check with them. Just a further question, is your VPN DNS set to Exclusive or Relaxed?

Its set to Strict.