Iptables Rules for OpenVPN Port Forwarding

Tydyn Rain St. Clair

Occasional Visitor
Hello all. I'll do my best to explain my situation and what I'm attempting to do as clearly and succinctly as possible. Two years ago (May 30th 2016) I posted in this forum asking for help to figure out a way to successfully forward server ports via an OpenVPN tunnel between my laptop (running an OpenVPN client) and my router (then an RT-AC68R/U).

While I wasn't able to get things working from suggestions in the posts, after a ridiculous amount of research, testing, and experimenting, I was finally able to get everything up and running just the way I wanted. I did so by creating a set of scripts (4 to be exact) that ping my laptop via its static OpenVPN address, and if it responds, an 'up' script is run that changes the routing table to forward the necessary ports to my laptop; and when I disconnect the OpenVPN service, within 30 seconds the change in IP address is detected by the ping scripts, which run a 'down' script that changes the routing table to forward the ports to my usual laptop IP address once again.

This automated port forwarding worked flawlessly for many months, even after migrating all my settings and scripts to the RT-AC5300 when I was able to get a hold of one. When I moved residence, I had to put my RT-AC5300 in storage for many months, and when I finally was able to hook it up and get it online again, I noticed that there had been several updates to Merlin's firmware, so I upgraded to the most recent (I don't, off the top of my head, remember which firmware version I was running previously). After doing so, I noticed, to my chagrin, that my OpenVPN scripts were no longer working correctly, at least not fully. It seems that some notable code changes had occurred across these various versions of Merlin's firmware that broke how my originally-working scripts functioned.

The first set of scripts (the same script run twice, at the same time, via cron, one with a 30-second sleep time, to get past cron's inability to work with times less than one minute) began to not be able to correctly detect the IP change (from LAN IP to OpenVPN IP), which I was able to fix by choosing another, slightly more complex way for the scripts to choose whether to run the up or the down scripts. Of the second set of scripts (the up and down scripts), the down script continued to work fine, but the up script partially broke (my server ports were still automatically forwarding correctly, however, I lost the ability to go to web pages - after lots more testing, it seems that some sites were still accessible (IPv6 addresses), but most were not (IPv4 addresses)). If I start the OpenVPN client on my laptop without my scripts running, I have no trouble going to any web sites, but obviously no more port forwarding. It's been this way for months now. I've done my best to resolve this issue, on and off, since then, usually giving up in frustration, to return to it another day.

So what I'm seeking right now is suggestions and advice on the correct Iptables rules to be able to both surf online (me and everyone else on my network) AND have my server ports forwarded. My original up and down scripts were quite extensive, as I wanted to cover all possible bases, however, after months of trying unsuccessfully to get this working again, I now have a strong desire to simplify. I'm also now convinced that I don't actually need the extensive set of rules that I originally had, and that I can do the same thing with FAR fewer commands (I'm guessing like 3 or 4, likely in PREROUTING, FORWARDING, and POSTROUTING).

Here's how I have things set up, to make things as clear as possible for anyone willing to assist:

My RT-AC5300 is connected to a bridged Comcast/Xfinity modem-router gateway, and has the public WAN IP address.

My RT-AC5300 internal network is 192.168.3.0/24

My laptop's assigned static IP address is 192.168.3.3

My laptop's assigned static OpenVPN IP address is 10.69.69.3

My OpenVPN server is running on my RT-AC5300

My OpenVPN client is running on my laptop, along with my server applications that need their ports forwarded correctly on my RT-AC5300 router, through the OpenVPN tunnel.

I could post my 'up' script, but since I am basically just trying to start from scratch, I don't think it's super useful to do so, though I will if needed.
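As an added example (not from the original post or from the firmware), here is what a minimal three-rule up/down pair for the topology described above could look like. The WAN interface name eth0, the server's tunnel interface tun21, the router's tunnel-side address 10.69.69.1 and the forwarded port 12345 are assumed placeholders; 10.69.69.3 is the client address given in the post.

```shell
#!/bin/sh
# Added example, not from the original post: minimal DNAT port forward from the WAN
# side to an OpenVPN client, plus the matching 'down' removal.
# Assumed (constructed) values, adjust for your router:
WAN_IF="${WAN_IF:-eth0}"                      # WAN interface carrying the public IP
VPN_IF="${VPN_IF:-tun21}"                     # interface of the router's OpenVPN server
VPN_SERVER_IP="${VPN_SERVER_IP:-10.69.69.1}"  # router's own address inside the tunnel
VPN_CLIENT="${VPN_CLIENT:-10.69.69.3}"        # laptop's static tunnel address (from the post)
PORT="${PORT:-12345}"                         # application port to forward
PROTO="${PROTO:-tcp}"
IPT="${IPT:-iptables}"                        # set IPT=echo for a dry run

# Print the three rules for one action flag: -I (insert at top) or -D (delete).
pf_rules() {
  act="$1"
  # 1. Rewrite the destination of inbound WAN traffic on $PORT to the client's tunnel IP.
  echo "-t nat $act PREROUTING -i $WAN_IF -p $PROTO --dport $PORT -j DNAT --to-destination $VPN_CLIENT:$PORT"
  # 2. Let only that rewritten traffic through FORWARD into the tunnel; nothing else in the
  #    chain (default policy, the firmware's own rules, LAN browsing) is touched.
  echo "$act FORWARD -i $WAN_IF -o $VPN_IF -p $PROTO -d $VPN_CLIENT --dport $PORT -j ACCEPT"
  # 3. Source-NAT the forwarded packets to the router's tunnel address so the client's replies
  #    return through the tunnel even if the client does not route all traffic via the VPN.
  #    Trade-off: the server application then sees 10.69.69.1 instead of the real peer address.
  echo "-t nat $act POSTROUTING -o $VPN_IF -p $PROTO -d $VPN_CLIENT --dport $PORT -j SNAT --to-source $VPN_SERVER_IP"
}

# 'up' inserts the rules, 'down' deletes them by the identical match, so the two scripts
# stay symmetric; run 'down' before 'up' if a previous 'up' may still be in place.
pf_apply() {
  case "$1" in
    up)   act="-I" ;;
    down) act="-D" ;;
    *) echo "usage: pf_apply up|down" >&2; return 2 ;;
  esac
  pf_rules "$act" | while IFS= read -r rule; do
    # word splitting of $rule into separate arguments is intended here
    $IPT $rule
  done
}

# Run as: ./pf.sh up   or   ./pf.sh down   (IPT=echo ./pf.sh up only prints the rules)
case "${1:-}" in
  up|down) pf_apply "$1" ;;
esac
```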