OpenVPN Port Forwarding Question

Tydyn Rain St. Clair

Occasional Visitor
Hello all,

I rarely make posts asking for help or suggestions, as I tend to figure most things out myself via lots and lots of web searches, testing, experimenting, and the like. In this case, however, I think I will ask for help, as the complexity of this issue has my brain hurting.

Here's my situation, in simplified form. I have an OpenVPN server running on my RT-68R router running the latest version of Merlin's firmware (380.59). My laptop has various programs and services that need open ports to function, and for which I've created various port forwarding rules via the Virtual Server / Port Forwarding tab of the router configuration page. I also have my laptop's MAC address bound to a particular internal IP address. Obviously when I'm on my network the port forwarding works just fine. It's only, of course, when I'm not on my home network with my laptop and connect to my router via my OpenVPN tunnel, that these ports are no longer forwarded.

I've been doing a hell of a lot of searching and experimenting to try to be able to get these ports forwarded again while connected via the OpenVPN tunnel, and all to no avail up to this point. I created a nat-start script in my /jffs/scripts folder, and have been testing various iptables forwarding rules, which so far have not worked correctly. In one such attempt I actually made my router unable to connect to the internet. After having removed the lines in the nat-start script which caused that problem, I decided to finally ask for assistance.

So basically, I'm trying to either be able to use the port forwarding rules already in place on my router's Virtual Server / Port Forwarding tab, or to remove those and create successful port forwarding rules via /jffs/scripts/nat-start that will function correctly whether I am on my network or tunneling in via OpenVPN.

This is what I have in my nat-start script as of this moment:

Code:
#!/bin/sh
# Marker file and syslog line to confirm the script ran
echo "*" >>/tmp/000nat-start
logger "nat" "I'm working!"

# Accept the listed service ports arriving on the tunnel and bound for the laptop's LAN address
iptables -I FORWARD -i tun21 -p udp -d 192.168.3.71 --match multiport --dports 3690,6346,21028,33682,3673,36275,3194,123 -j ACCEPT
iptables -I FORWARD -i tun21 -p tcp -d 192.168.3.71 --match multiport --dports 3690,6346,444,81,22001 -j ACCEPT
# Rewrite the destination of those ports arriving on the tunnel to the laptop's LAN address
iptables -t nat -I PREROUTING -i tun21 -p tcp --match multiport --dports 3690,6346,444,81,22001 -j DNAT --to-destination 192.168.3.71
iptables -t nat -I PREROUTING -i tun21 -p udp --match multiport --dports 3690,6346,21028,33682,3673,36275,3194,123 -j DNAT --to-destination 192.168.3.71

# Masquerade traffic from the VPN subnet leaving via the WAN (eth0) and via the LAN bridge (br0)
iptables -t nat -A POSTROUTING -s 10.69.69.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.69.69.0/24 -o br0 -j MASQUERADE

The 192.168.3.71 IP address is the MAC-bound IP that I have attached to my laptop when on my network. The 10.69.69.0/24 is for my OpenVPN network, of course. The only reason I have 'br0' at the bottom is because in looking through my system logs, the 'br0' interface is often used for outgoing traffic, it seems. In doing my research it seems that the 'br0' interface is used for bridges, which only makes me more confused, as I have no bridges operating.

I don't understand iptables rules sufficiently well to create this myself yet, so I've been using rules that others have posted and adjusting the IP addresses and ports. This is not working incredibly well, so if anyone knows how to do this, and would be open to helping me, I would be ridiculously grateful.

I wasn't sure whether to post this question here or in the ASUS-Merlin sub-forum, so for the moment I posted in both to get as many perspectives as possible.

Thank you.
 
If you are logged onto a VPN server and are using your router as the client, no port forward will work from the outside.
Think about it this way. You are connected to a server and all your traffic is redirected via that server.
All the ports that you have open on your router won't work from the outside, because from the outside you are connected to another router which has nothing to do with your router.
For example, if you have a computer connected to a VPN server and you would like to remote desktop to that computer, it will never happen, even if you have the proper ports open for remote desktop. As soon as you disconnect from the VPN server, remote desktop will now work.
Go here and do a port scan when you are connected to the VPN server and one when you are not connected to the server,
and you will see that it's two different routers. Your router will probably be all stealth while the VPN will have all kinds of open ports which are not your ports. Because you are redirecting your traffic via a VPN server, your router's ports are useless in this scenario.
https://www.grc.com/x/ne.dll?rh1dkyd2
Hope that helps.
 
Thank you for your reply. My router IS my VPN server (my laptop and phone are clients), however, hence the reason I've been working with nat-start on my router. Doing a port scan is a good idea though. I'll try that today when I have a free moment.
 
Doing a selective port scan from my phone while VPNed into my router showed that the ports I had opened on my router were indeed open.
 
If you set up a VPN server on your router, whatever ports are open are for the internal IP and MAC address of the router.
When you are logging onto a VPN server which is your router, you are in a tunnel which is dictated by the VPN server, and it won't allow you to have special ports open for specific IP addresses and MAC addresses.
I don't think what you are asking for can be achieved even with jffs scripts.

I would be looking more in OpenVPN help and how to create custom configurations in the VPN server to allow those ports you need opened.

Check it out here:
https://openvpn.net/index.php/open-source/documentation/howto.html#mitm

All those commands can be added in custom configurations in the advanced settings for VPN server.
Hope that helps.
 
Doing a selective port scan from my phone while VPNed into my router showed that the ports I had opened on my router were indeed open.
Yes they are, but only for internal IP addresses like 192.168.1.0/28 or internal MAC addresses.
Try connecting to a remote desktop PC within your VPN client and you will see that you can connect to the desktop if you have opened the appropriate ports, but telling the router to open ports when you are on a different subnet is not from that section.
I think you should be checking OpenVPN help as I mentioned above.
 
Check your script's local IP address, 192.168.3.71.
When you connect to the VPN server from your client while connected to some other router, that is not the IP address that you will have.
So there is no way for that to work.
 
yorgi, I am grateful for your replies to my post, and I am also grateful that I did not accept you saying that this was probably not possible, even with /jffs/scripts. After a huge amount of research and experimentation/testing, I finally got it to work. I have been very focused on learning the ins and outs of iptables, and it finally paid off this evening. I have a set of working /jffs/scripts/nat-start commands that are indeed correctly forwarding my server ports on my laptop while connected via my VPN tunnel to my router. It is a combination of PREROUTING, INPUT, FORWARDING, OUTPUT, and POSTROUTING directives. I still have a bit more to learn, and a little more testing under various conditions, but presently it is working.
 
I am happy you figured it out. Please post the script for others who may have the same issue.
 
OK, here is what I have in /jffs/scripts/nat-start. This is working very well, and correctly starts up when I reboot my router. I still have more testing and experimenting to do, and lots more research. There are some complications that I still have to figure out. My next order of business is to find a way to run this script when my VPN tunnel connects to my router, and then reinstate the default routing rules when the tunnel is removed. With the rules that I have, even on my own network, the ports on my laptop are no longer forwarded correctly unless I am connecting to my router through the VPN tunnel. Anyway, here is the present version of the script. I will keep tweaking and modifying, I'm sure. I hope someone finds it useful.

/jffs/scripts/nat-start:
Code:
#!/bin/sh
# Marker file and syslog line to confirm the script ran
echo "*" >>/tmp/000nat-start
logger "nat" "I'm working!"

WAN_IF=eth0             # WAN interface
VPN_IF=tun21            # OpenVPN server 1 interface
WAN_IP="<My WAN IP>"    # public address on the WAN interface
CLIENT_IP=10.69.69.2    # tunnel address the server gives the laptop
TCP_PORTS=3690,4443,6346,8880,22001
UDP_PORTS=123,3194,3673,3690,6346,21028,33682,36275
# multiport --ports matches the list against either the source or the destination port.
# Every rule must stay on one line.

# nat table: rewrite the service ports arriving from the WAN to the laptop's tunnel address,
# and the same ports arriving from the tunnel to the WAN address
iptables -t nat -I PREROUTING 1 -i $WAN_IF -p tcp --match multiport --ports $TCP_PORTS -d "$WAN_IP" -j DNAT --to $CLIENT_IP
iptables -t nat -I PREROUTING 2 -i $WAN_IF -p udp --match multiport --ports $UDP_PORTS -d "$WAN_IP" -j DNAT --to $CLIENT_IP
iptables -t nat -I PREROUTING 3 -i $VPN_IF -p tcp --match multiport --ports $TCP_PORTS -j DNAT --to "$WAN_IP"
iptables -t nat -I PREROUTING 4 -i $VPN_IF -p udp --match multiport --ports $UDP_PORTS -j DNAT --to "$WAN_IP"

# filter table, INPUT: accept the service ports addressed to the router itself on both interfaces
iptables -I INPUT 1 -i $WAN_IF -p tcp --match multiport --ports $TCP_PORTS -j ACCEPT
iptables -I INPUT 2 -i $WAN_IF -p udp --match multiport --ports $UDP_PORTS -j ACCEPT
iptables -I INPUT 3 -i $VPN_IF -p tcp --match multiport --ports $TCP_PORTS -j ACCEPT
iptables -I INPUT 4 -i $VPN_IF -p udp --match multiport --ports $UDP_PORTS -j ACCEPT

# filter table, FORWARD: accept the service ports in both directions between WAN and tunnel,
# then any new or established traffic between the two (rules 5-6 with -m state and 7-8 with
# -m conntrack do the same thing; -m state is the older spelling of the same match)
iptables -I FORWARD 1 -i $WAN_IF -o $VPN_IF -p tcp --match multiport --ports $TCP_PORTS -j ACCEPT
iptables -I FORWARD 2 -i $WAN_IF -o $VPN_IF -p udp --match multiport --ports $UDP_PORTS -j ACCEPT
iptables -I FORWARD 3 -i $VPN_IF -o $WAN_IF -p tcp --match multiport --ports $TCP_PORTS -j ACCEPT
iptables -I FORWARD 4 -i $VPN_IF -o $WAN_IF -p udp --match multiport --ports $UDP_PORTS -j ACCEPT
iptables -I FORWARD 5 -i $WAN_IF -o $VPN_IF -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 6 -i $VPN_IF -o $WAN_IF -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 7 -i $WAN_IF -o $VPN_IF -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 8 -i $VPN_IF -o $WAN_IF -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

# filter table, OUTPUT: accept the service ports leaving the router on both interfaces
iptables -I OUTPUT 1 -o $WAN_IF -p tcp --match multiport --ports $TCP_PORTS -j ACCEPT
iptables -I OUTPUT 2 -o $WAN_IF -p udp --match multiport --ports $UDP_PORTS -j ACCEPT
iptables -I OUTPUT 3 -o $VPN_IF -p tcp --match multiport --ports $TCP_PORTS -j ACCEPT
iptables -I OUTPUT 4 -o $VPN_IF -p udp --match multiport --ports $UDP_PORTS -j ACCEPT
*10.69.69.2 is the virtual IP address that the OpenVPN server on my router gives my laptop (without having found an easy way to bind one virtual IP address to my laptop client, I've moved all other VPN client connections over to a second OpenVPN server on my router, so that the first one is dedicated only to my laptop, so it will always get the same IP address).
*eth0 is my WAN interface.
*tun21 is the OpenVPN interface for the first server.

I tested every line at the command line while SSHed into my router, and when I had them all correctly functioning, I manually ran /jffs/scripts/nat-start, just to be sure it was working. One thing I will note is that it is very important to have each rule ON ONE LINE, with no text wrap, or iptables will scream with all sorts of errors. Some of it might indeed be overkill, but I wanted to be thorough. I already added and removed several lines as I tested and refined. There was a SNAT rule at the bottom, which had some interesting and undesirable consequences, so I removed it.

If any of you reading this know how to trigger and run a script such as this when my OpenVPN tunnel connects to the server on my router, and then when the tunnel is disconnected, to reinstate the default routing rules, I would very much appreciate some advice, suggestions, pointers, etc...
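The script above works, but two things a practitioner would want to tighten. Asuswrt-Merlin runs nat-start again every time the firewall is restarted (a WAN reconnect is enough), and an unconditional iptables -I inserts a second copy of every rule on each run. And the INPUT rules are not needed: DNAT in PREROUTING happens before the routing decision, so the rewritten packets traverse FORWARD, not INPUT, and accepting those ports in INPUT only opens them on the router itself. The following is an added example, not the poster's script and not part of the original thread. It assumes eth0 is the WAN interface, tun21 the server-1 tunnel and 10.69.69.2 the laptop's tunnel address (all as stated in the thread), uses the poster's port lists, and checks with iptables -C before inserting so that it can run any number of times. One caveat that applies to any such forward: the laptop must send its replies back through the tunnel (the server pushing the default route to the client does that); otherwise it answers the Internet peer over the local uplink and the connection never completes. SNATing the forwarded packets to the tunnel address avoids that, at the cost of the laptop seeing every peer as the router.

```shell
#!/bin/sh
# Added example, not the poster's script: the same port forward for a tunnel client,
# written so that nat-start can run any number of times without stacking duplicates.
# Assumptions (from the thread, overridable via the environment): eth0 is the WAN
# interface, tun21 the server-1 tunnel, 10.69.69.2 the laptop's tunnel address.
# DRY_RUN=1 prints the iptables commands instead of executing them.

WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun21}"
CLIENT_IP="${CLIENT_IP:-10.69.69.2}"
TCP_PORTS="3690,4443,6346,8880,22001"
UDP_PORTS="123,3194,3673,3690,6346,21028,33682,36275"
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"

# rule <table> <chain> <match...>: insert the rule at the top of the chain only when an
# identical rule is not already there (-C checks, -I inserts).
rule() {
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT -t $table -I $chain $*"
        return 0
    fi
    "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null || "$IPT" -t "$table" -I "$chain" "$@"
}

apply_rules() {
    # nat: rewrite the destination of WAN packets on the service ports to the tunnel client.
    # DNAT runs before the routing decision, so these packets then pass through FORWARD,
    # not INPUT; no INPUT rule is needed, and adding one would only expose the router itself.
    rule nat PREROUTING -i "$WAN_IF" -p tcp -m multiport --dports "$TCP_PORTS" -j DNAT --to-destination "$CLIENT_IP"
    rule nat PREROUTING -i "$WAN_IF" -p udp -m multiport --dports "$UDP_PORTS" -j DNAT --to-destination "$CLIENT_IP"
    # filter: let only the rewritten service traffic cross from the WAN into the tunnel,
    # pinned to the one client address, and let the client's replies flow back out.
    rule filter FORWARD -i "$WAN_IF" -o "$VPN_IF" -d "$CLIENT_IP" -p tcp -m multiport --dports "$TCP_PORTS" -j ACCEPT
    rule filter FORWARD -i "$WAN_IF" -o "$VPN_IF" -d "$CLIENT_IP" -p udp -m multiport --dports "$UDP_PORTS" -j ACCEPT
    rule filter FORWARD -i "$VPN_IF" -o "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# show_rules: print what is in place for the client, to confirm a re-run added nothing.
show_rules() {
    "$IPT" -t nat -S PREROUTING | grep -- "--to-destination $CLIENT_IP"
    "$IPT" -S FORWARD | grep -- "$VPN_IF"
}

# Merlin executes this file as /jffs/scripts/nat-start; under any other name (for example
# when sourced to test it) nothing is applied until apply_rules is called explicitly.
case "${0##*/}" in
    nat-start) apply_rules ;;
esac
```

Run it once with DRY_RUN=1 to see the five commands it would issue, then install it as /jffs/scripts/nat-start; after a firewall restart, show_rules should list exactly one copy of each rule.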
 
Well, I am typing this from a coffee shop near my house, and it's all working brilliantly. All my server applications are working correctly as if they were on my network. Basically, I now take my port forwarding wherever I go, regardless of network. Last night I also finally figured out how to set a static IP for my laptop when it connects to my router via the VPN tunnel, which makes this all the easier. :-)
Can you use this script to open ports and remote desktop to a computer that is on a VPN?
Because normally you cannot remote desktop to the PC that is on a VPN, and I wanted to do that for the longest time.
I only need one port to be open, which is remote desktop 3389, so this way I can leave my PC connected to the VPN server and go to a buddy's house and be able to connect to the PC using remote desktop. If your script can work the same way then it would be amazing :)
I use PIA VPN, so my router is used as a client and connects to the PIA server.
I never thought this was possible, but your way has opened up a new door for me :)
Please let me know.
 
I use TeamViewer (which seems to be by far the best remote desktop sharing application I've seen to date; it's free for private use) as my remote desktop control software, and I just tested it. Yep, it works. I'm remote controlling my cloud storage server laptop right now from the coffee shop in which I sit. :)
I saw a post you added but it's not here; maybe you deleted it or it is being moderated. Not sure why this is happening.
TeamViewer is cool if you need to do support for someone, but remote desktop is a way better experience. You work full screen as if you were on your computer. TeamViewer doesn't work the same as remote desktop, otherwise I would not have asked that question.
I would like to get my remote desktop working when I am on the VPN; this way I can connect to it regardless.
Your script looks interesting, but I think there are too many things there that may not be needed.
I will take a look at it :)
 
yorgi, I didn't delete the other reply I originally made to this message. For some reason I'm flagged to have my posts reviewed by an admin before they are accepted. The other one never got accepted, so I finally did delete it after I got your message that you saw it. Definitely take a look at the code, and use and adapt it to your needs. I hope it helps.
 
So after weeks of figuring out how to forward all my server ports via the VPN tunnel to my laptop, and succeeding just the other day, I just came up with a solution that is FAR simpler and more elegant, and which makes any scripts unnecessary. Yesterday I learned how to give my laptop a static virtual IP address by using /jffs/configs/openvpn/ccd1 on my router. In the client file in that folder I gave my laptop the address 192.168.3.71, which is the IP address that I have bound to my laptop's MAC address on my network, and it worked. So now I have that IP address whether I am on my network, or on another network connecting in via my VPN tunnel. So my script is no longer needed, and all my ports are still correctly forwarded. I spent weeks researching, experimenting, and testing, and I solved my dilemma with something ridiculously simpler...LOL.
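The mechanism the post relies on is OpenVPN's client-config-dir: for every connecting client the server looks for a file named after the client certificate's Common Name and applies the directives in it, and ifconfig-push is the directive that pins the address. On Asuswrt-Merlin the directory for server 1 is /jffs/configs/openvpn/ccd1, as the post says. The helper below is an added example, not the poster's file and not Merlin's code. It assumes the laptop's certificate CN is laptop (a placeholder) and that the pinned address lies in the subnet the tunnel actually uses: a free LAN address such as 192.168.3.71 only works when the server runs in TAP (bridged) mode, where the tap interface sits on br0; in TUN mode the address must come from the VPN subnet instead (10.69.69.0/24 in this thread). The script checks that before writing the file. Two points worth keeping in mind: the pin, and with it the forwarded ports, follows whoever presents that certificate, so a lost laptop means revoking its certificate, not just deleting the ccd file; and adding ccd-exclusive to the server's custom configuration makes the server refuse any client that has no ccd file, which turns the per-client files into an allow-list.

```shell
#!/bin/sh
# Added example, not the poster's file: write the per-client OpenVPN config that pins
# a client to a fixed tunnel address, after checking the address fits the tunnel's subnet.
# Assumptions (placeholders): CCD_DIR is where Asuswrt-Merlin keeps server-1 client files,
# and the CN argument is the client certificate's Common Name (e.g. "laptop").

CCD_DIR="${CCD_DIR:-/jffs/configs/openvpn/ccd1}"

# ip2int <dotted quad>: print the address as a 32-bit integer; fail on anything malformed.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet <ip> <network> <netmask>: succeed when ip lies inside network/netmask.
in_subnet() {
    a=$(ip2int "$1") || return 2
    n=$(ip2int "$2") || return 2
    m=$(ip2int "$3") || return 2
    [ $(( a & m )) -eq $(( n & m )) ]
}

# write_ccd <cn> <ip> <netmask> <network>: create CCD_DIR/<cn> containing the ifconfig-push
# line and print its path. Refuses a CN that is not a plain file name and an address outside
# the subnet the tunnel uses (such a client would connect but never be reachable).
write_ccd() {
    cn=$1; ip=$2; mask=$3; net=$4
    case $cn in
        ''|*/*|.|..) echo "refusing CN '$cn': not a plain file name" >&2; return 1 ;;
    esac
    if ! in_subnet "$ip" "$net" "$mask"; then
        echo "$ip is not inside $net/$mask" >&2
        return 1
    fi
    mkdir -p "$CCD_DIR" || return 1
    printf 'ifconfig-push %s %s\n' "$ip" "$mask" > "$CCD_DIR/$cn" || return 1
    echo "$CCD_DIR/$cn"
}

# Stand-alone use: sh make-ccd.sh <cn> <ip> <netmask> <network>, then restart the VPN server.
if [ $# -ge 4 ]; then
    write_ccd "$@"
fi
```

For a TAP server on the thread's LAN that is `write_ccd laptop 192.168.3.71 255.255.255.0 192.168.3.0`; for a TUN server it would be an address from 10.69.69.0/24, and the same call with a LAN address is rejected rather than silently producing an unreachable client.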
 
Nice one :)
I too spent months last year scripting rules to drop connections and do selective routing when the VPN tunnel goes down. It took me forever, but I did it :)
And then Merlin updated the firmware and all that scripting became part of the new firmware. Routers are a constant learning experience :)
 
All this time I thought you were connecting to a paid VPN server; I never realized that your VPN server was at home.
This is why I was asking you if it would be possible to remote desktop to your PC, because it's not possible and still is not possible.
When connecting to your home VPN server, things are not the same as with a paid VPN server.
Sorry about that.
 
yorgi, in the weeks of research I was doing, I did come across one paid VPN service that allows you to log in and set certain ports to be forwarded. AirVPN https://airvpn.org/
 
The only concern I have is keeping forwarded/exposed ports to an absolute minimum, and if one doesn't control both ends of the VPN tunnel, assume that it's the same as having the ports exposed on the public internet at large.

Be very careful here...
 
