
SSH, Plex, and other port forwards don't work when VPN is on

smoothdad

New Around Here
I just installed the latest version of Merlin. I prefer to use OpenVPN on my Arch box (and other individual devices) rather than on my Asus RT-AC66U. When my VPN is off, all port forwards (SSH, Plex, TinyRSS) work fine. But when my VPN is on they don't work. When I used dd-wrt previously, I solved the problem by putting the command iptables -t nat -A POSTROUTING -j MASQUERADE in the firewall section. (This command also solved the problem in my old Netgear router.) In Merlin, I've tried adding this command as a firewall-start and nat-start script, but neither one solves the problem (though the scripts do execute). Any suggestions would be greatly appreciated.
 
Based on your topic start I can't make any really sensible remarks. A drawing of your network and the data streams would help.

Based on your information I would at least check out the DNS settings. When your VPN is open chances are that your client is using the DNS settings set on the server. Your Asus modem probably answers all DNS requests coming from or via your VPN server, even when you point the server itself at an external DNS server.
 
Depending on what vpn you're using plex might not work, period. Its a pretty common issue with plex and vpns. Have you changed to a different provider recently?
 
Thank you for the replies. Yes, I've read the Plex/VPN issues extensively. This isn't just Plex though, because I can't SSH into my Arch box when the VPN is on either. I also had Plex and SSH working on this router when using dd-wrt with the firewall command above. But I can't get either Plex or SSH to work when the VPN is on (both work great when the VPN is off). I think the issue is that outbound SSH/Plex traffic needs to go back the way it came rather than going through the VPN. I think masquerade fixes that. I just can't get it to work with Merlin.
 
I've had the same problem as well. I didn't even realize there might be a way around it. I use Astrill VPN with a dedicated static IP and port forward capabilities. Plex won't work through any VPN I've tried (HMA, Astrill, a few others).

I would love to hear of a solution. I'm not advanced enough to really contribute other than what I've already said. But since someone mentioned DNS, and I've always wondered what this setting does, would this setting do anything...

"Forward local domain queries to upstream DNS"

???
 
I'm pretty sure this isn't a DNS issue. I believe it's a NAT issue.

Try it then; use the nslookup tool to resolve your ssh server with and without the VPN. If the replies are the same, then you can check this box and move to the next check.

NAT can be an issue. But normally in a VPN, there is no NAT present, as the VPN server functions as a router to route between VPN clients and the local network. Can't tell really without having a proper overview of your network.
 
Thank you for the response. Yes, I tried the nslookup tool and the results were the same with and without the VPN running. My network setup is pretty simple: modem -> Asus router -> Arch box. And like I mentioned, I'm running the VPN client on my Arch box to connect to Private Internet Access.
 
To be clear: your port forwards are from the Internet to your Arch box, and your Arch box is running a VPN client.

If this is the case, it is no wonder that this is not working. Your network packets are arriving at the Arch box, but the return traffic is routed through the VPN tunnel.

Previously you solved this by using masquerading on inbound traffic, so the arch box didn't need to route.

Looking at the iptables rule, you probably need to apply the rule to the proper network interface (I don't know what the proper interface is on an AC66)


Sent from my iPhone using Tapatalk
 
This is what my VPN provider (Astrill) has to say about NAT...

NAT Firewall add-on

Add a basic packet filter to your VPN connection.

Summary:
Astrill's NAT Firewall blocks outside hosts from creating unsolicited connections to your host. In this article, we discuss how Astrill bypasses traditional wireless router features and how Astrill's NAT Firewall restores protections offered by those features.

Astrill's NAT Firewall VPN feature is a packet filter that stops third parties from connecting to your Astrill-connected system. This filter prevents malicious or corrupted Internet traffic from reaching your system. Such traffic is commonly used to find bugs in software that can be used to take control of your machine. To understand how our NAT Firewall works, let's first look at how your wireless router works.

What is NAT (Network Address Translation)?

If you have a wireless router at home, you probably connect to it with more than one device. Many people have one or more computers, a phone, and maybe even a gaming system all connected to their wireless router. Because your ISP only gives you one IP address, your wireless router has to figure out how to share that IP address with multiple devices. Your router uses NAT (Network Address Translation) to transform one public IP address to many private IP addresses.

One side effect of NAT is that it protects your home network from a lot of harmful traffic:

Malicious hackers on the Internet cannot reach your systems because the address translation only works for traffic initiated by your system.
The NAT acts like a very rudimentary firewall, blocking inbound traffic unless it is in response to some previous outgoing traffic.
Since your system is not constantly sending out requests for malicious traffic, NAT doesn't allow that traffic to get to you.

Why would I need a NAT Firewall with Astrill?

When you connect to Astrill, we give your system a public IP address reachable by anyone on the Internet.

Your Astrill IP address is not private, and the VPN tunnels through your wireless router's NAT protections. Malicious hackers can send bad packet data to this public IP and your system will accept it - your wireless router cannot stop it since Astrill is delivering the traffic over your secure connection.
Astrill's NAT Firewall service functions just like your wireless router's NAT feature.

It does not allow unexpected malicious traffic to reach your Astrill IP address.
It will only let through Internet packets that respond to traffic initiated by your system, and that makes your system much less likely to get hacked.
Protect your system from unauthorized access while using Astrill.

...and...

Toggle NAT Firewall here. NAT Firewall prevents intrusion attacks from the Internet while you are connected to Astrill VPN (OpenVPN, PPTP, L2TP/IPSec and Cisco IPSec, StealthVPN, SSTP, IKEv2 protocols only). However, if NAT Firewall is enabled, your P2P software (for example Bittorrent, Skype, etc...) might not work properly. To fix such software, you can here forward up to three ports and still be safe while using our VPN.

Ports will be forwarded only on servers you have a Private IP on.

Please disconnect from Astrill VPN and connect again for the changes to take effect

...from my limited understanding of what they're saying, it seems like the VPN bypasses [or tunnels past] your router's internal NAT [which seems to confirm what lancer73 is saying]. But what they are pitching here is an add-on that costs extra. If you want NAT protection back, you must purchase this add-on... otherwise the default VPN service bypasses your router's NAT and leaves you open. I actually have this add-on and with it they allow 3 port forwards. But I've tried my Plex server with the add-on disabled and still it doesn't work. So, I don't think it's NAT, but I admit I know next to nothing so it very well could be I guess.

Going back to the DNS suggestion. Can anyone tell me what that setting I listed does exactly?

p.s. Astrill is amazing and I'm very happy with it. If I could figure out how to make my Plex visible when running it, I'd be in heaven. Right now, I have to turn off my VPN to allow use of Plex from WAN.
 
Thanks Lancer. Yes you are correct about my port forwards, and I agree 100% with your diagnosis of the issue. The question is how to solve it. I used the same masquerade command with the eth0 interface (which I believe is the proper one for the router), and it didn't work.
 
First you need to try to set the iptables rules from the command line. For SSH it should look something like:

iptables -t nat -A POSTROUTING [-o <interface> | -d 192.168.1.0/24] -p tcp --dport 22 -j MASQUERADE

(type man iptables in your search engine to get the MANual for iptables)

This applies the rule to SSH traffic only. The traffic destination needs to be set; this can either be done by using -o <interface>, or -d <your internal network>. This rule will only work if it is processed _after_ the rule that takes care of the forwarding. If any previous rule in the POSTROUTING chain matches the packet, this rule will never be processed.

You can view the current rules by executing:

iptables -t nat -L -v
iptables -L -v

This should give you a complete overview of all firewalling rules and should give you a clue on where to add your additional rule.

If you found the proper rule, add it to the nat-start script.
 
I tried this months ago. I too had PIA for my VPN service. After scouring the internet for weeks, as well as this forum, I found no working solution. I think I recall some people using a second router as a dedicated VPN router... don't recall the implementation though.

This is the thread I started... maybe it will help you out in some way. Good luck and try to not pull all your hair out.

http://forums.smallnetbuilder.com/showthread.php?t=15170
 
Let us know if you get it to work and exactly how you do, if you do... please. :)
 
Lancer, thanks again for your help. I tried everything you suggested. It didn't work. But in doing so I noticed that it looks like the Merlin firmware masquerades all traffic by default anyway, at least in my case. I was able to get SSH working by using the three commands from this post on my Arch box: https://bbs.archlinux.org/viewtopic.php?id=151870 Plex, however, still does not work when the VPN is on, but many people seem to have this problem. I will keep trying to find a solution and will post again if I come across anything helpful.
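The thread touches on two ways to fix the asymmetric return path lancer73 diagnosed above (forwarded packets arrive on the LAN interface of the VPN host, but its replies follow the tunnel's default route): source-based policy routing on the VPN host, and lancer73's router-side MASQUERADE on the forwarded connection. The script below is an added example written for this page; it is not the original poster's setup, not lancer73's rules verbatim, and not the commands from the linked Arch thread (which are not reproduced here). The addresses, interface names (eth0/tun0 on the host, br0 as the LAN bridge on Asuswrt-Merlin) and routing-table number are constructed assumptions; check them against your own `ip addr` and `nvram get lan_ifname` output. It defaults to DRY_RUN=1 and only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread. Two fixes for port forwards that
# break when the forwarded-to host runs a VPN client with redirect-gateway.
# All values below are assumptions for a constructed topology; adjust them.
# Every command goes through run(), so the script can be reviewed with
# DRY_RUN=1 (the default) before anything is changed on a live box.

: "${DRY_RUN:=1}"

LAN_HOST="192.168.1.10"   # host running the OpenVPN client and receiving the forwards
LAN_NET="192.168.1.0/24"
LAN_GW="192.168.1.1"      # router's LAN address
LAN_IF="eth0"             # host's LAN interface (the tunnel is tun0)
ROUTER_LAN_IF="br0"       # LAN bridge on Asuswrt-Merlin (verify: nvram get lan_ifname)
TABLE="100"               # spare routing table: "reply via the LAN gateway"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Fix A, on the VPN host: source-based policy routing. OpenVPN's
# redirect-gateway puts 0.0.0.0/1 and 128.0.0.0/1 via tun0 into the main
# table, so replies to Internet clients would normally enter the tunnel.
# Packets whose source is the host's LAN address are instead routed with a
# table whose default route is the router; the rule is matched before the
# main table is consulted.
host_policy_routing() {
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    run ip route add default via "$LAN_GW" dev "$LAN_IF" table "$TABLE"
    run ip rule add from "$LAN_HOST" table "$TABLE" priority 1000
    # Strict reverse-path filtering (rp_filter=1) drops the inbound packets,
    # because the best route back to an Internet source is tun0, not eth0.
    # Loose mode (2) keeps the check but accepts this asymmetry.
    run sysctl -w net.ipv4.conf.all.rp_filter=2
    run sysctl -w "net.ipv4.conf.${LAN_IF}.rp_filter=2"
    # Verification: the reply path for a locally sourced packet from the LAN
    # address should now show "dev eth0 ... table 100", not tun0.
    run ip route get 203.0.113.5 from "$LAN_HOST"
}

# Fix B, on the router (e.g. in Asuswrt-Merlin's nat-start): rewrite the
# source of the already DNAT'ed connection to the router's own LAN address.
# The host then sees the client as 192.168.1.1; the reply matches the
# on-link LAN route, which is more specific than the tunnel's default, and
# never enters the VPN. Cost: the service logs the router's address instead
# of the real client, so per-client logging and brute-force banning lose
# their signal. Append this after the forwarding rules in POSTROUTING.
router_masquerade() {
    port="$1"
    run iptables -t nat -A POSTROUTING -o "$ROUTER_LAN_IF" -d "$LAN_HOST" \
        -p tcp --dport "$port" -j MASQUERADE
}

case "${1:-}" in
    host)   host_policy_routing ;;
    router) router_masquerade "${2:-22}" ;;
    *)      echo "usage: $0 host | router <port>   (DRY_RUN=0 to apply)" ;;
esac
```

Run `sh fix-return-path.sh host` on the VPN host or `sh fix-return-path.sh router 22` on the router to see the commands, then `DRY_RUN=0` to apply. Fix A preserves the real client address and is the one to prefer for SSH; Fix B works without touching the host but hides client addresses from it. Neither addresses services that learn their public address from an outbound connection through the tunnel, which is a separate problem from the return path.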
 