
Forwarding an incoming port from OpenVPN to a local LAN IP

Discussion in 'Asuswrt-Merlin' started by NetSetGo, Jun 20, 2019.

  1. NetSetGo

    Hi!
    I have a possibly trivial scenario which, after searching and reading some vaguely related threads, would probably be solvable with iptables and some jffs scripts, but I found nothing that would cover my scenario:

    1. I have a VPN service provider, where I configure port forwarding of port 50001.
    2. On RT-AC5300 I successfully configured and enabled VPN Client 1 to connect to that VPN service provider. I have also enabled strict tunnelling policy and set up three local static IPs to explicitly use this VPN client and disconnect if the tunnel goes down.
    3. I now want to set up port forwarding in such a way that port 50001 from the VPN connection (and not from WAN) is forwarded to one of those three LAN IPs.

    Could someone help with this, please?
     
  2. eibgrad

    First, make sure you have jffs and custom scripts enabled in Administration->System. Reboot after making any changes. Then open a shell (ssh) to the router using PuTTY and copy/paste (right-click) the following script into the window. Use the vi editor to make your specific changes to the script (/jffs/scripts/nat-start) for the port forward. Finally, reboot.

    Code:
    SCRIPTS_DIR="/jffs/scripts"
    SCRIPT="$SCRIPTS_DIR/nat-start"
    
    mkdir -p $SCRIPTS_DIR
    
    # the quoted "EOF" delimiter keeps $variables literal so they land in the script unexpanded
    cat << "EOF" > $SCRIPT
    #!/bin/sh
    
    DEV="tun11"              # OpenVPN client 1 = tun11, client 2 = tun12, ...
    PROTO="tcp"
    EXT_PORT="50001"         # port the VPN provider forwards to you
    INT_IP="192.168.1.100"   # LAN host that should receive it
    INT_PORT="22"
    
    ipt() {
        # precede insert/append w/ deletion to avoid dupes
        while iptables ${@/-[IA]/-D} 2> /dev/null; do :; done
        iptables $@
    }
    
    # create internal port forward (matches only traffic arriving on the tunnel, never WAN)
    ipt "-t nat -I PREROUTING -i $DEV -p $PROTO --dport $EXT_PORT \
        -j DNAT --to $INT_IP:$INT_PORT"
    ipt "-I FORWARD -i $DEV -p $PROTO -d $INT_IP --dport $INT_PORT \
        -j ACCEPT"
    
    exit 0
    EOF
    
    chmod +x $SCRIPT
     
    Last edited: Jul 12, 2019
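An added example, not eibgrad's script and not Asuswrt-Merlin's own code: the same two rules written as an idempotent nat-start that uses iptables -C to skip rules already present (so WAN reconnects or VPN restarts never stack duplicates) and offers a check function for verifying from a shell. It assumes the firmware invokes /jffs/scripts/nat-start with no arguments and that IPTABLES may be pointed at a stub to exercise the logic off the router.

```shell
#!/bin/sh
# Added example: idempotent port forward from the OpenVPN client tunnel to one LAN host.
# Assumption: IPTABLES can be overridden (e.g. with a stub function) for off-router testing.
IPTABLES="${IPTABLES:-iptables}"

DEV="${DEV:-tun11}"              # OpenVPN client 1 is tun11, client 2 is tun12, ...
PROTO="${PROTO:-tcp}"
EXT_PORT="${EXT_PORT:-50001}"    # port the VPN provider forwards to you
INT_IP="${INT_IP:-192.168.1.100}"
INT_PORT="${INT_PORT:-22}"

# rule_present TABLE CHAIN RULE...  -> exit 0 if an identical rule already exists
rule_present() {
    table=$1; chain=$2; shift 2
    "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null
}

# ensure_rule TABLE CHAIN RULE...  -> insert at the top of the chain only when absent
ensure_rule() {
    table=$1; chain=$2; shift 2
    rule_present "$table" "$chain" "$@" && return 0
    "$IPTABLES" -t "$table" -I "$chain" "$@"
}

# DNAT only for traffic that enters via the tunnel (never WAN), and a FORWARD accept
# scoped to that same interface, protocol, destination host and port.
apply_vpn_forward() {
    ensure_rule nat PREROUTING -i "$DEV" -p "$PROTO" --dport "$EXT_PORT" \
        -j DNAT --to-destination "$INT_IP:$INT_PORT" || return 1
    ensure_rule filter FORWARD -i "$DEV" -p "$PROTO" -d "$INT_IP" --dport "$INT_PORT" \
        -j ACCEPT || return 1
}

# check_vpn_forward -> exit 0 when both rules are live; names the missing one otherwise
check_vpn_forward() {
    rc=0
    rule_present nat PREROUTING -i "$DEV" -p "$PROTO" --dport "$EXT_PORT" \
        -j DNAT --to-destination "$INT_IP:$INT_PORT" || { echo "DNAT rule missing"; rc=1; }
    rule_present filter FORWARD -i "$DEV" -p "$PROTO" -d "$INT_IP" --dport "$INT_PORT" \
        -j ACCEPT || { echo "FORWARD rule missing"; rc=1; }
    return $rc
}

# Apply for real only when running as the firmware's nat-start hook.
case "$0" in */nat-start) apply_vpn_forward ;; esac
```

To confirm the forward survived a reboot or VPN reconnect, source the file in an ssh session and run check_vpn_forward.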
  3. NetSetGo

    Thank you, and especially for the install-friendly way :)
    I'll test it tonight. Will VPN Client1 interface always be on "tun11" or do I have to look it up and change?
     
  4. eibgrad

    Yes. All OpenVPN client network interface names are predictable (tun11, tun12, etc.) as you move from OpenVPN client #1, to OpenVPN client #2, etc.
  5. NetSetGo

    Thanks again! Writing to say that it works perfectly!