port forward to client openVPN

snafflekid

New Around Here
I have an OpenVPN client and server running in tun mode on two ASUS RT-N66U with Merlin. I have configured the routing tables to allow me to access the client LAN from the server side and the server LAN from the client side.

Client LAN is 192.168.0.0 (opened netmask to 255.255.0.0 on purpose) and server LAN is 172.16.200.0

My goal is to access devices on 192.168.0.0 by forwarding ports from the server wan through the vpn tunnel. My server IP address is dynamic and I use a DDNS service so I would like to access client machines from anywhere by an address such as: foo.bar.com:7777 -> 192.168.1.232:8080

I have had no luck in using the GUI port forwarding configurer. For example, I add an entry in the server router to forward port 7777 to 192.168.1.232:8080 but a port tester like http://www.yougetsignal.com/ shows the ports closed. I can open ports to machines on 172.16.200.0 however.

My IP routes look like this on the server side:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
73.189.128.1    *               255.255.255.255 UH    0      0        0 eth0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun22
172.16.200.0    *               255.255.255.0   U     0      0        0 br0
73.189.128.0    *               255.255.254.0   U     0      0        0 eth0
192.168.0.0     10.8.0.2        255.255.0.0     UG    0      0        0 tun22
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         73.189.128.1    0.0.0.0         UG    0      0        0 eth0

My client side IP routes:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.1     *               255.255.255.255 UH    0      0        0 eth0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun11
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
172.16.200.0    10.8.0.1        255.255.255.0   UG    0      0        0 tun11
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         VerizonBRV      0.0.0.0         UG    0      0        0 eth0

I have tried adding the following iptables entries to /jffs/scripts/firewall-start:
Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 7777 -j DNAT --to 192.168.1.232:8080
iptables -A FORWARD -p tcp -d 192.168.1.232 --dport 8080 -o tun22 -j ACCEPT

The rule shows up but the port is not open. I am a beginner with iptables but I have been trying to ramp up my knowledge quickly. I am also reading an iptables tutorial. And now I am getting interested in Linux kernel programming!
 
I have been reading, reading, and have studied this long thread: http://www.snbforums.com/threads/openvpn-policy-routing-guide.24384/

I was able to access machines on my client side VPN through forwarded ports on the public internet. It worked after I set up policy rules in the client GUI that forced the machines to talk back through the VPN tunnel. But I really want packets returning through the WAN. :rolleyes: Sending security camera video through the tunnel is SLOW :eek: and I am trying to avoid that.

My guess is that NAT running on my server side router needs packets to both enter and return through it. iptables may be blocking the port creation.

Any advice on how to approach this unidirectional NATting is appreciated.
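Added example, not part of the original post: a small Python model of the stateful-NAT behaviour guessed at above, showing which source address a remote host sees when the camera's reply returns through the tunnel versus out the client router's own WAN. The remote, server WAN and client WAN addresses are constructed documentation-range values, and masquerading on the client WAN is an assumption.

```python
# Added illustration: models stateful NAT as 4-tuple rewriting.
# WAN and remote addresses are constructed documentation-range values.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

REMOTE = ("203.0.113.10", 50000)      # constructed: internet host testing the port
SERVER_WAN = ("198.51.100.1", 7777)   # constructed: server router WAN, forwarded port
CLIENT_WAN = "192.0.2.50"             # constructed: client router WAN address
CAMERA = ("192.168.1.232", 8080)      # forwarding target from the post


class Router:
    """Minimal conntrack: remembers DNAT rewrites so replies can be reversed."""
    def __init__(self):
        self.conntrack = {}

    def dnat(self, pkt, to):
        new = pkt._replace(dst=to[0], dport=to[1])
        # Key is the reply tuple expected back from the translated destination.
        self.conntrack[(new.dst, new.dport, new.src, new.sport)] = (pkt.dst, pkt.dport)
        return new

    def reverse(self, reply):
        orig = self.conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return reply
        return reply._replace(src=orig[0], sport=orig[1])


def remote_accepts(reply):
    """The remote TCP stack only matches a reply from the address it sent the SYN to."""
    return (reply.src, reply.sport) == SERVER_WAN and (reply.dst, reply.dport) == REMOTE


def simulate(return_path):
    server = Router()
    syn = Packet(*REMOTE, *SERVER_WAN)
    at_camera = server.dnat(syn, CAMERA)          # PREROUTING DNAT on the server
    reply = Packet(at_camera.dst, at_camera.dport, at_camera.src, at_camera.sport)
    if return_path == "tunnel":
        reply = server.reverse(reply)             # reply re-enters the server, DNAT undone
    elif return_path == "client_wan":
        reply = reply._replace(src=CLIENT_WAN)    # assumed masquerade on the client WAN
    return reply, remote_accepts(reply)
```

Only the server router holds the connection-tracking entry that maps the reply back to the forwarded address and port, so a reply that leaves by the client WAN arrives at the remote host from an address it never contacted.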
 
