VPN Blocking Incoming Connections

Noggin01

New Around Here
I set up an RT-AC86U yesterday with Merlin firmware. I've been configuring most of the services on it today, saving VPN for last. I've successfully configured the VPN service and set it up so that it, by default, does not route traffic through the tunnel. I've added one of my servers to the VPN tunnel, but now port forwarding doesn't work.

I'm using dyndns to allow me to access a few services when I'm away from home. The router is in a double NAT situation, behind my ISP's cable modem (which doesn't allow bridging), so the router has been placed in the DMZ. The ports I care about, and only the ports I care about, are forwarded to the server which is running the services.

As soon as I turn on the VPN tunnel, I lose the ability to connect to my TeamSpeak and OwnCloud services running on my server. Is there a way to disable this behavior? I want outgoing connections to go through the VPN, but still allow forwarded connections for my non-VPN public IP to go to my server.
 
I've successfully configured the VPN service and set it up so that it, by default, does not route traffic through the tunnel.

Exactly how did you do this?

As soon as I turn on the VPN tunnel, I lose the ability to connect to my TeamSpeak and OwnCloud services running on my server. Is there a way to disable this behavior? I want outgoing connections to go through the VPN, but still allow forwarded connections for my non-VPN public IP to go to my server.

Might help if you mentioned the version. The new 384.12 release now blocks inbound connections by default (using the new "Inbound Firewall" option on the OpenVPN client), whereas prior releases did NOT.

Also, to port forward via the VPN, you have to establish *local* port forwards over the OpenVPN client's network interface, and that can NOT be done via the GUI, only via scripting.

https://www.snbforums.com/threads/forwarding-an-incoming-port-from-openvpn-to-a-local-lan-ip.57191/
 
Exactly how did you do this?

  1. I downloaded an ovpn file from my VPN service provider
  2. I uploaded it to the router and was happy to find that it seemed to mostly configure the options based on the file that was uploaded
  3. I added my login/password to the settings as that wasn't auto-filled as of course it is not part of the ovpn file I uploaded
  4. I changed "Redirect Internet Traffic" from "No" to "Policy Rules"
  5. I set "Blocked routed clients if tunnel goes down" to "Yes"
  6. I added my server's IP (which is a reserved DHCP address) to the list and set it to "VPN"

I've verified that my server is using the VPN tunnel, as "curl https://whatismyip.com" reports a different IP address than when I go to that site with my laptop. I've also verified that if I turn off the VPN tunnel, my server loses internet access. I've further verified, using an offsite server, that 'nslookup my.dyndns.com' reports my actual public, non-VPN IP address, the one my laptop reports.

Might help if you mentioned the version. The new 384.12 release now blocks inbound connections by default (using the new "Inbound Firewall" option on the OpenVPN client), whereas prior releases did NOT.

I'm using the 384.12 version. I did try setting the VPN's Inbound Firewall to "Allow", but that didn't work for me and I don't think it is what I want anyway. I don't want to allow incoming connections over the VPN tunnel, I want to allow them from my local, public IP address.

If I turn the VPN tunnel off and change "Blocked routed clients if tunnel goes down" to "No", then I can access all of my services from outside of my network using my dynamic dns address. If I turn the VPN on, I lose access to those services from outside of my network. I can still reach those services from within my network.

Edit: I'm using dnsmasq to make my.dyndns.com resolve as the private IP address of the server.

Also, to port forward via the VPN, you have to establish *local* port forwards over the OpenVPN client's network interface, and that can NOT be done via the GUI, only via scripting.

I don't think that's what I want, I want my friends and myself to connect to my server using my.dyndns.com and then forward those ports straight to the server. I don't think I want to route them to the VPN connection. Even if I did want to do that, I think I'd have to have ports forwarded from my VPN provider to my network, and they only allow a single, randomly chosen port to be forwarded.

https://www.snbforums.com/threads/forwarding-an-incoming-port-from-openvpn-to-a-local-lan-ip.57191/
This looks like he wants the port provided by the VPN service provider to be forwarded to his machine. I'm trying to route a WAN port to my machine, bypassing the VPN. Perhaps this is a dumb thing to do. I'm tempted to set up an RPi that listens for connections on the ports I'm interested in and then just forwards them to the server. I'm not sure if that'd be easier to do. Or maybe I'll move my public facing services to an RPi.
 
I want outgoing connections to go through the VPN, but still allow forwarded connections for my non-VPN public IP to go to my server.
That's not possible. The connection is bidirectional, therefore it's either going through the VPN or it's going through the WAN. It can't come in through one interface and go out through another.
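The symptom in this thread comes from policy routing being keyed on the packet's source address: once the server is selected for "VPN" in Policy Rules, every packet it sends is looked up in the tunnel's routing table, including the SYN-ACK replying to a connection that arrived through the WAN port forward. The reply leaves via the tunnel with the VPN provider's address, so the remote client never sees it, while LAN-to-LAN traffic still matches the LAN route and keeps working. The following is an added example, not code from the thread or from the Asuswrt-Merlin firmware: a small Python model of the "ip rule" / routing-table lookup with a constructed topology (the addresses, the interface names eth0/br0/tun11 and the table name ovpnc1 are assumptions chosen to look like a typical setup).

```python
"""Model of source-based policy routing on a router whose LAN host is pinned to a VPN tunnel.

Added example; the topology below is constructed and is an assumption, not from the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample topology.
LAN = ip_network("192.168.1.0/24")
SERVER = ip_address("192.168.1.10")   # host selected for "VPN" in Policy Rules
LAPTOP = ip_address("192.168.1.20")   # host left on the WAN
FRIEND = ip_address("203.0.113.7")    # documentation-range address standing in for a remote user

@dataclass(frozen=True)
class Route:
    dst: IPv4Network
    iface: str

# Two routing tables: "main" sends non-LAN traffic out the WAN (eth0);
# "ovpnc1" mirrors the LAN route but defaults to the tunnel (tun11).
TABLES = {
    "main":   [Route(LAN, "br0"), Route(ip_network("0.0.0.0/0"), "eth0")],
    "ovpnc1": [Route(LAN, "br0"), Route(ip_network("0.0.0.0/0"), "tun11")],
}

@dataclass(frozen=True)
class Rule:
    src: Optional[IPv4Network]  # "from" selector; None matches any source
    table: str

# "ip rule" list in priority order: the policy-routed host first, then everyone else.
RULES = [Rule(ip_network(f"{SERVER}/32"), "ovpnc1"), Rule(None, "main")]

def lookup(table: str, dst: IPv4Address) -> str:
    """Longest-prefix match inside one routing table; returns the egress interface."""
    best: Optional[Route] = None
    for route in TABLES[table]:
        if dst in route.dst and (best is None or route.dst.prefixlen > best.dst.prefixlen):
            best = route
    if best is None:
        raise LookupError(f"no route to {dst} in table {table}")
    return best.iface

def egress_iface(src: IPv4Address, dst: IPv4Address) -> str:
    """Policy routing: pick the first rule whose selector matches the source, then route in its table."""
    for rule in RULES:
        if rule.src is None or src in rule.src:
            return lookup(rule.table, dst)
    raise LookupError("no matching policy rule")

def outbound_connection(host: IPv4Address, dst: IPv4Address) -> str:
    """Interface a new connection initiated by a LAN host leaves through."""
    return egress_iface(host, dst)

def forwarded_connection(client: IPv4Address, lan_host: IPv4Address) -> Tuple[str, str, bool]:
    """A WAN port forward: the DNAT'd SYN arrives on eth0, the reply is routed by (src=lan_host, dst=client).

    Returns (ingress interface, egress interface of the reply, whether the path is symmetric).
    """
    ingress = "eth0"
    egress = egress_iface(lan_host, client)
    return ingress, egress, ingress == egress

def inbound_firewall_drops(ingress_iface: str, block_tunnel_inbound: bool = True) -> bool:
    """Model of an 'Inbound Firewall = Block' setting on the OpenVPN client: new connections
    arriving from the tunnel interface are dropped; connections arriving on the WAN are untouched."""
    return block_tunnel_inbound and ingress_iface == "tun11"

if __name__ == "__main__":
    print("server -> internet:", outbound_connection(SERVER, FRIEND))          # tun11
    print("laptop -> internet:", outbound_connection(LAPTOP, FRIEND))          # eth0
    print("server -> laptop:  ", outbound_connection(SERVER, LAPTOP))          # br0
    print("friend -> server forward:", forwarded_connection(FRIEND, SERVER))   # ('eth0', 'tun11', False)
    print("friend -> laptop forward:", forwarded_connection(FRIEND, LAPTOP))   # ('eth0', 'eth0', True)
```

Running the model reproduces all three observations from the thread: the server's own outbound traffic exits via the tunnel, a forwarded connection to the server arrives on the WAN but its reply is routed into the tunnel (asymmetric, so the session never completes), and LAN-to-LAN traffic is unaffected. It also shows that the tunnel-side inbound firewall is a separate mechanism, since the forwarded SYN never enters via tun11.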
 
