I've got a quick technical question that I am sure could be easily answered by someone with moderate experience using iptables. I've literally spent about 8 hours searching, reading, and experimenting to try to figure this out, but I have had no luck so far.

Background Info:
I am running an Asus RT-AC68U with Merlin firmware, and I have an OpenVPN client setup to operate with the provider PrivateInternetAccess.com. I'm using selective routing to route only 1 (for the moment) local IP over the VPN tunnel, and that is working perfectly.

Additionally, I am running a route-up script upon VPN connection in order to send a request over the VPN tunnel to ask my VPN provider for an open port (using PrivateInternetAccess' new API they just launched) that I can use for torrents and such. Again, after much trial and error (it is not easy to send a GET request over the VPN tunnel from a shell script on the router since something simple like using curl's interface-bind doesn't work), I have this working perfectly as well.

I am using the following script to forward the port given to me by my VPN to the local IP that I want to set up a torrent client on:

Ex local IP:
Ex open port provided by VPN: 43251

# <LOCAL_IP> stands for the local IP address, which was stripped from the post
iptables -I FORWARD -i tun11 -p udp -d <LOCAL_IP> --dport 43251 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d <LOCAL_IP> --dport 43251 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 43251 -j DNAT --to-destination <LOCAL_IP>
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 43251 -j DNAT --to-destination <LOCAL_IP>

This is also working fine, but this is where the change I want to make comes into play.

The Problem:
Being that I have spent so much time and effort researching and writing scripts to automate all of this on the router, I want to make the last final step of having the port provided to me by my VPN provider redirected to a static local port. If I could do this, then I would not have to change the TCP/UDP port in my torrent client every time the router reconnects to the VPN (as the port # changes every time you reconnect). I thought I had figured out the solution, which was to change the last 2 iptables commands listed above to:

Ex static local port: 17444

# <LOCAL_IP> stands for the local IP address, which was stripped from the post
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 43251 -j DNAT --to-destination <LOCAL_IP>:17444
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 43251 -j DNAT --to-destination <LOCAL_IP>:17444

Unfortunately, this does not work. I also tried the following 2 iptables commands in addition to the others (although I had very little hope they were going to do anything):

iptables -t nat -A PREROUTING -i tun11 -p tcp --dport 43251 -j REDIRECT --to-port 17444
iptables -t nat -A PREROUTING -i tun11 -p udp --dport 43251 -j REDIRECT --to-port 17444

I tried the above 2 commands with specifying the local destination IPs as well, but nothing worked.

I apologize for writing such a long message, but I figured it was better to provide as much context as possible. For someone experienced, all they probably need to read is this last section to provide me with an answer... If someone can help me out, I would be FOREVER indebted to you. Thank you in advance.
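Looking at the rules quoted above, the FORWARD ACCEPT rules still match --dport 43251, but a packet reaching FORWARD has already been rewritten by the PREROUTING DNAT, so its destination port is 17444 and the filter rule has to match the translated port (the REDIRECT target, by contrast, sends traffic to the router itself rather than to the LAN host). The route-up helper below is an added example, not code from the original post: it installs DNAT and matching FORWARD rules for whatever port the VPN hands out and flushes the previous reconnect's rules first. The chain name VPNPORT and the LAN address 192.168.1.50 are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): route-up helper that maps the
# port the VPN provider hands out on each reconnect to a fixed LAN port.
# LOCAL_IP, the chain name and the port numbers are assumed sample values.
VPN_IF="tun11"
LOCAL_IP="${LOCAL_IP:-192.168.1.50}"   # assumed LAN address of the torrent host
LOCAL_PORT="17444"                     # static port the torrent client listens on
CHAIN="VPNPORT"                        # private chains so the last reconnect's rules can be flushed

# Emit the iptables commands for one VPN-assigned port. FORWARD is evaluated
# after the PREROUTING DNAT, so it must match the translated destination
# (LOCAL_IP:LOCAL_PORT), not the external port the VPN assigned.
build_rules() {
    vpn_port="$1"
    for proto in tcp udp; do
        echo "iptables -t nat -A $CHAIN -i $VPN_IF -p $proto --dport $vpn_port -j DNAT --to-destination $LOCAL_IP:$LOCAL_PORT"
        echo "iptables -A $CHAIN -i $VPN_IF -p $proto -d $LOCAL_IP --dport $LOCAL_PORT -j ACCEPT"
    done
}

# Create the private chains (or empty them) and hook them at the top of
# nat/PREROUTING and filter/FORWARD for traffic arriving on the tunnel.
setup_chains() {
    iptables -t nat -N "$CHAIN" 2>/dev/null || iptables -t nat -F "$CHAIN"
    iptables -t nat -D PREROUTING -i "$VPN_IF" -j "$CHAIN" 2>/dev/null
    iptables -t nat -I PREROUTING -i "$VPN_IF" -j "$CHAIN"
    iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"
    iptables -D FORWARD -i "$VPN_IF" -j "$CHAIN" 2>/dev/null
    iptables -I FORWARD -i "$VPN_IF" -j "$CHAIN"
}

# Validate the port, reset the chains and install fresh rules for it.
apply_rules() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid port: '$1'" >&2; return 1 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
        echo "port out of range: $1" >&2; return 1
    fi
    setup_chains
    build_rules "$1" | while read -r cmd; do eval "$cmd"; done
}

# Usage on the router (as root), e.g. from the route-up script:
#   vpnport.sh <port-from-VPN-API>
if [ $# -gt 0 ]; then apply_rules "$1"; fi
```

Because the chains are flushed on every run, calling the script from route-up with the freshly fetched port replaces the previous port's rules instead of stacking them.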
