Forcing device-specific port-range through VPN


deefour

New Around Here
I'm following this guide: https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-Port-routing-(manual-method)

I have a VPN configured and enabled.

01.png


VPN director is silent.

02.png


I have my NAS with an IP bound to the MAC address

03.png


and I want only traffic on ports 6881 - 8889 to pass through this VPN client; all other traffic should pass through my normal internet.

Here is my nat-start script.

Code:
#!/bin/sh
sleep 10  # During the boot process nat-start may run multiple times so this is required

# Ensure duplicate rules are not created
for VPN_ID in 0 1 2 3 4 5
do
   ip rule del prio 999$VPN_ID 2>/dev/null
done

# Create the RPDB rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark

# Force specific NAS traffic over VPN
# Mark 0x1000 matches the prio 9993 rule above, so marked packets are routed via table ovpnc1
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.50.87 -p tcp -m multiport --dport 6881:6889 -j MARK --set-mark 0x1000/0x1000

The problem: I'm lost between the above script not showing any useful change on reboot, and any changes I make to the VPN client around "Inbound Firewall" and "Redirect Internet traffic ..." resulting in my entire network going offline.

04.png

I'm looking for advice and/or a direction to research further.

I can't seem to get network traffic over the port range when I check for the VPN IP to show up on a site like this: http://checkmyip.torrentprivacy.com/

I have attempted what you're trying to do in the past. First off... are you absolutely *sure* that Cyberghost is able to accept/forward port ranges over VPN? The VAST, vast majority of VPN providers do not let you use whatever ports you want, or allow you to open any ports for that matter. I've tried it in the past with StrongVPN, ExpressVPN, then with NordVPN (at the time)... and all were no-gos.

This is a primary reason I started using AirVPN... because it does allow for this, and you configure whatever ports you want to open through their web interface.

Please note, I do not have AirVPN configured on my router... but just on my laptop whenever it's needed. But it just works. ;)
 
@Viktor Jaep, thanks for the replies and suggestions. I think I've made a lot of progress.
  1. I have AirVPN configured and active on the router.
  2. I have a range of 9 ports reserved and forwarded to this VPN IP (it is not the normal BitTorrent port range).
  3. I adjusted my NAS' BitTorrent client to work with that port range.
  4. I adjusted the nat-start script to work with my NAS and the new AirVPN client.
Here is the full nat-start. The AirVPN client is ovpnc2.

Bash:
#!/bin/sh

sleep 10  # During the boot process nat-start may run multiple times so this is required

# Ensure duplicate rules are not created
for VPN_ID in 0 1 2 3 4 5
do
   ip rule del prio 999$VPN_ID 2>/dev/null
done

# Create the RPDB rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark

# Force NAS bittorrent traffic over VPN
# Mark 0x2000 matches the prio 9994 rule above, so marked packets are routed via table ovpnc2 (the AirVPN client)
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.50.87 -p tcp -m multiport --dport 30769:30777 -j MARK --set-mark 0x2000/0x2000

I seem to be stuck with two issues.
  1. I can't seem to prove a connection over the forwarded port range
  2. I can't seem to connect to Bittorrent
I read strong recommendations here not to enable port forwarding on the router, but between the GUI and the above nat-start iptable rules, I'm getting a bit lost.

Here is an example of a forwarded port

10.png


But I'm having trouble getting a TCP connection check:

11.png


Here is the Bittorrent client on my NAS (not sure what's up with picture quality)

12.png


The results are the same whether I have port forwarding set up for the above range or not.

13.png


Here is the AirVPN client sans the custom settings field


14.png


Any attempts to use a tool like Torguard checker result in no connection being established from the NAS.

I don't see any errors worth noting in the system logs, especially around the nat-start script's many executions.

I also must offer: I am glad to pay for help getting this sorted.
 
@Viktor Jaep any further thoughts here?
Sorry I never got back to this. I've had it working before with AirVPN running on the router, but didn't have to go through this level of complexity.

1. Configure AirVPN on their end with the open ports you need
2. Set up your router VPN slots per default using AirVPN.
3. Make sure your devices are forced to route out through the VPN using VPN director
4. Test open ports on end points, should see success.

In other words, I didn't use your nat-start piece. Don't enable port forwarding on the router, as that's all being done over your VPN connection.

Let me know if any of this helps? ;)
 
My understanding is VPN Director is device-specific, not port-specific. Because of that I've not been defining rules for my NAS in VPN director, hoping the nat-start meets my port-specific need.

I want to expose other ports on the NAS from my raw internet connection, not through the VPN.

I think it's the trouble with the nat-start (port-specific filtering) piece that has me stuck.

I will absolutely work through your steps regardless. Thank you!
 
From what I've experienced, those ports were exposed through the VPN connection, and my devices that were affected by VPN Director were able to make use of them.

I wasn't aware you wanted your NAS ports to go through your regular internet connection... in that case, I'm pretty sure you would need to set up port forwarding.

Still not sure how or where that nat-start piece would be necessary... anyways, I would try port forwarding second, but after that, you'd need some serious support from some of the more experienced forum members here who have some experience with that nat-start script...
 
I want only traffic on ports 6881 - 8889 to pass through this VPN client; all other traffic should pass through my normal internet.
How come you are using the netfilter iprange match extension when you are only giving a single IP? You could use -s <source ip> instead. But are your rules accepted by iptables, so you can see them applied?

Are the policy route tables created although there are no rules?

Normally reverse path filtering needs to be turned off (or set to loose) for mark-based routing to be accepted, in this case for the ovpn1 interface.

Check ip rule to make sure your nat-start script's rules get applied correctly.

Check ip route show table ovpnc1 so the ovpn1 policy route table exists and looks correct.

Check iptables -nvL PREROUTING -t mangle so your firewall rule turns out OK.
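The checks suggested in this reply (ip rule, the ovpnc table, the mangle rule's counters and the rp_filter caveat), as an added example that is not from the thread or its participants: each function takes command output as text, so the script runs on output captured from the router or on the constructed samples embedded below. Assumed: the output formats shown, and tun12 as the device behind table ovpnc2.

```shell
#!/bin/sh
# Added example (not from the thread): offline versions of the checks in the
# reply above. Each function takes command output as text, so it works on
# output captured from the router or on the constructed samples below.
# Assumptions: the output formats shown here, and tun12 as ovpnc2's device.

# Is there an RPDB rule sending packets carrying <mark> to <table>?
has_rpdb_rule() {   # args: "<ip rule output>" <mark> <table>
  printf '%s\n' "$1" | grep -q "fwmark $2/$2 lookup $3"
}

# Does the policy table hold a default route via the tunnel device?
table_has_default() {   # args: "<ip route show table X output>" <dev>
  printf '%s\n' "$1" | grep -q "^default .*dev $2"
}

# Packet counter of the MARK rule for <ports>; -1 if the rule is absent.
# A counter stuck at 0 means the NAS traffic never reaches the rule.
mark_rule_hits() {   # args: "<iptables -t mangle -xnvL PREROUTING output>" <ports>
  printf '%s\n' "$1" | awk -v p="$2" \
    'index($0, "dports " p) && /MARK/ { print $1; hit = 1 }
     END { if (!hit) print -1 }'
}

# rp_filter must be 0 (off) or 2 (loose) on the tunnel device, otherwise
# replies arriving over the tunnel for mark-routed flows are dropped.
rp_filter_ok() { [ "$1" = 0 ] || [ "$1" = 2 ]; }   # arg: sysctl value

# Constructed samples: only the WAN and ovpnc2 rules made it into the RPDB.
SAMPLE_RULES='0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9994:   from all fwmark 0x2000/0x2000 lookup ovpnc2
32766:  from all lookup main'
SAMPLE_TABLE='default via 10.8.0.1 dev tun12
10.8.0.0/24 dev tun12 scope link'
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 1000 packets, 90000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42      2520 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.50.87-192.168.50.87 multiport dports 30769:30777 MARK or 0x2000'

has_rpdb_rule "$SAMPLE_RULES" 0x2000 ovpnc2 && echo "RPDB rule for ovpnc2: present"
has_rpdb_rule "$SAMPLE_RULES" 0x1000 ovpnc1 || echo "RPDB rule for ovpnc1: missing"
table_has_default "$SAMPLE_TABLE" tun12 && echo "table ovpnc2: default via tun12"
echo "MARK rule hits for 30769:30777: $(mark_rule_hits "$SAMPLE_MANGLE" 30769:30777)"
RPF=$(cat /proc/sys/net/ipv4/conf/tun12/rp_filter 2>/dev/null || echo 1)  # falls back to 1 when no tun12 exists here
rp_filter_ok "$RPF" || echo "rp_filter on tun12 is $RPF: set it to 0 or 2"
```

On the router, replace the samples with `$(ip rule)`, `$(ip route show table ovpnc2)` and `$(iptables -t mangle -xnvL PREROUTING)` (the -x keeps counters exact rather than abbreviated).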
 