Port forwarding and VPN


fatsplat

Occasional Visitor
I have an Asus RT-AX88U running Merlin firmware version 384.14. The router is running an OpenVPN client which is connected to a commercial VPN provider, with a rule for routing client traffic through the tunnel (a selective routing rule) that 192.168.1.0/24 goes through the VPN. In other words, all LAN traffic should be in the VPN.

I have a computer at LAN address 192.168.1.2 and want to port forward incoming requests to the router on port (say) 1234, to port 22 of 192.168.1.2. Thus, I would like that if from the wider internet I ssh to the router's real IP address on port 1234, I will be connected to my computer at 192.168.1.2.

I am unable to do this in the set-up as described above. A problem seems to be the VPN; if I add a selective routing rule that traffic from 192.168.1.2 should go through the WAN, then port forwarding works fine. Without that selective routing rule, no connection is made.

Can anyone advise me on how to make port forwarding work with the VPN on, please?

Many thanks.
 
Can anyone advise me on how to make port forwarding work with the VPN on, please?

If your VPN service provider's server is the entry point for your network (all network VPN), the port must be forwarded there, if there is such option. When you go through WAN, then your router is the entry point and this is why your port forwarding works.
 
Thank you for the reply! I'm sorry that I don't understand: are you able to elaborate in more simple terms?

In particular I don't understand "the port must be forwarded [to the VPN service provider's server]", because the Asus firmware only allows to forward ports to LAN addresses, not WAN addresses. If you mean that I should set up port forwarding at the VPN service provider, unfortunately, this is impossible (I checked).

My question, then, is whether an incoming port forwarding rule can be made to go from the WAN to the router to the LAN even if the VPN client is switched on. For instance, perhaps there's a magic selective routing rule to allow incoming WAN connections to be forwarded from my router to my device at LAN address 192.168.1.2, without turning off the outgoing VPN rule for 192.168.1.2?

(I tried playing with "Policy Rules" vs "Policy Rules (strict)" and with "Inbound Firewall Block/Allow", but that doesn't seem to help.)
 
I remember this same question being asked a couple of times recently. Search the forums for those posts.
 
Thank you for the reply! I'm sorry that I don't understand: are you able to elaborate in more simple terms?

In particular I don't understand "the port must be forwarded [to the VPN service provider's server]", because the Asus firmware only allows to forward ports to LAN addresses, not WAN addresses. If you mean that I should set up port forwarding at the VPN service provider, unfortunately, this is impossible (I checked).

My question, then, is whether an incoming port forwarding rule can be made to go from the WAN to the router to the LAN even if the VPN client is switched on. For instance, perhaps there's a magic selective routing rule to allow incoming WAN connections to be forwarded from my router to my device at LAN address 192.168.1.2, without turning off the outgoing VPN rule for 192.168.1.2?

(I tried playing with "Policy Rules" vs "Policy Rules (strict)" and with "Inbound Firewall Block/Allow", but that doesn't seem to help.)
see Wiki
 
Thank you. Are you able to be more specific and provide precise links to a relevant post or relevant posts?

To be clear, I have been searching for a solution for some time also before I posted on this forum, but the internet is large, and seemingly relevant material, like this post on port forwarding using an openvpn client requires me to hardwire a fixed IP address for my VPN provider, which unfortunately is not available in my case.
 
I want to achieve the same thing on a GT AX-11000. Haven't started or done a lot of research yet but, on just my initial scan, it's slim pickings and seriously over my head!

If you find a straightforward solution, please post it up!
 
There was a spurious character in the link that Martineau posted. Did you realise that the actual link was:

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-Port-routing-(manual-method)

Thanks. So would it be fair to say that from the link provided

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-Port-routing-(manual-method)

the Example 2 seems most relevant?

Suppose ALL traffic from LAN device 192.168.1.88 is routed via a VPN but hosts the RDP service (Port 3389)

So for testing purposes I can ssh into my router and paste this line

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.88 -p tcp -m multiport --sport 3389 -j MARK --set-mark 0x8000/0x8000

changing the IP address and port appropriately, it should do what I want?

Does the "set-mark" parameter need tweaked?
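Adapting the wiki's Example 2 to the set-up in the original post, here is an added helper script (not from the thread or the Merlin wiki) that a user could source from a Merlin firewall-start script. It marks reply packets from 192.168.1.2 with source port 22 so they leave via the WAN table (fwmark 0x8000/0x8000, as in the quoted rule), and checks with iptables -C first so re-running the script does not stack duplicate rules. Assumptions: the LAN bridge is br0, the WAN port forward itself (1234 to 192.168.1.2:22) is already set in the web UI, and -s replaces the wiki's -m iprange --src-range since only one host is involved.

```shell
#!/bin/sh
# Added example: mark return traffic from a VPN-routed LAN host so it exits via WAN.
# Assumptions (not from the thread): LAN bridge is br0; 0x8000/0x8000 is the WAN
# mark used by Merlin's policy routing; the DNAT port forward is done in the web UI.

LAN_IF="br0"
WAN_MARK="0x8000/0x8000"

# Build the mangle PREROUTING rule spec for one LAN host and the local port it serves.
# Only replies from that port are marked; all other traffic from the host stays in the VPN.
bypass_rule_spec() {
    lan_ip="$1"
    lan_port="$2"
    echo "PREROUTING -i $LAN_IF -s $lan_ip -p tcp --sport $lan_port -j MARK --set-mark $WAN_MARK"
}

# Insert the rule only if it is not already present (firewall-start can run many times).
# With DRY_RUN=1 the command is printed instead of applied, for checking off the router.
ensure_bypass_rule() {
    spec=$(bypass_rule_spec "$1" "$2")
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables -t mangle -I $spec"
        return 0
    fi
    # $spec is intentionally unquoted so it splits into separate arguments.
    iptables -t mangle -C $spec 2>/dev/null || iptables -t mangle -I $spec
}

# Show the mangle rules that currently mark traffic for the WAN table, for verification.
show_bypass_rules() {
    iptables -t mangle -S PREROUTING | grep -- "--set-xmark 0x8000/0x8000"
}

# Usage on the router for the original poster's case (SSH on 192.168.1.2, published on
# WAN port 1234 via the Virtual Server page):
#   ensure_bypass_rule 192.168.1.2 22
#   show_bypass_rules
```

Run it once by hand with DRY_RUN=1 to see the exact rule before adding the call to /jffs/scripts/firewall-start.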
 
I want to achieve the same thing on a GT AX-11000. Haven't started or done a lot of research yet but, on just my initial scan, it's slim pickings and seriously over my head!

If you find a straightforward solution, please post it up!
The solutions discussed here require custom scripts using Merlin's firmware. Merlin does not provide a firmware for the GT- routers therefore these solutions would not be applicable to you. :(
 
The solutions discussed here require custom scripts using Merlin's firmware. Merlin does not provide a firmware for the GT- routers therefore these solutions would not be applicable to you. :(

Ha! Just my luck!
I can find very little on this for my router...but I'll try searching the rog forum.
Thanks for letting me know - saved me staring at this for ages trying to figure it out! :)
 
Isn't this solution more like a workaround?
Exclude traffic on port from VPN, then forward through WAN?
It's not a workaround because this is exactly what he was asking for in the original post. He wasn't asking for port forwarding through the VPN client if that's what you were thinking
 
It's not a workaround because this is exactly what he was asking for in the original post. He wasn't asking for port forwarding through the VPN client if that's what you were thinking

Yes, I was under impression he wants to run everything in and out through the VPN tunnel.
 
Isn't this solution more like a workaround?
Exclude traffic on port from VPN, then forward through WAN?

If this is reference to my original question, to clarify for the record: I have a router running a VPN client to a commercial VPN service. So the router is associated with two IP addresses: a "real" one from my ISP, and a "virtual" one from my VPN provider. I also have a machine on the router LAN, one of whose ports I would like to make accessible on the global network.

This is IMO a common scenario nowadays.

I want incoming traffic on a specific port to the router's real IP address to be forwarded to a local port of a LAN machine. I explicitly do need that LAN machine to be inside the router's VPN for all other matters (so that the service it provides will benefit from the protection of the VPN I purchased).

So far, I can't find a way to do it. Not using the firmware's web interface, and (so far) not using the router's cli.

Part of the problem, I have realised thanks to the posts on this forum, is that asuscomm's free DDNS service returns the router's real IP address (regardless of whether I use the "external" or "internal" method). If it could be made to return the IP address of the router's VPN client then perhaps I could handle port forwarding all at VPN level, as has been observed.
 
Or you could switch to a different DDNS provider and run their client on a device on your LAN (other than your router).
 
Or you could switch to a different DDNS provider and run their client on a device on your LAN (other than your router).

Thanks. I would be very grateful if you could recommend a provider that is free, turnkey, and offers an update client that works well with Linux.

I could then presumably run the update client on the LAN machine in question.
 
Thanks. I would be very grateful if you could recommend a provider that is free, turnkey, and offers an update client that works well with Linux.

I could then presumably run the update client on the LAN machine in question.
I use NOIP which offers a free tier.
The only limitation with this is that you need to ensure that the IP is refreshed at least every 30 days or your chosen subdomain will be cancelled.

I chose to pay the subscription fee for mine after using the free version for several years.

Clients are available for PC, Mac and Linux, and they offer a guide to writing your own.
 