VPN not forwarding ports on router.


Nano_Cell

Occasional Visitor
Hi guys,

Hopefully someone can help me with this as I'm no expert with such things.

I have noticed that when I set up my VPN on my PC using either OpenVPN or WireGuard that it allows free access to ports for the programs on my computer without needing to forward them. I can use uTorrent as a good example as I can freely swap the port usage around. When I have a port set in uTorrent and I use a port checking program to check that port on the IP that my VPN has assigned me the port shows as open. When I close uTorrent the port then shows as closed. I can change the IP in uTorrent and it still works accordingly.

Now if I set up my VPN on my router using OpenVPN and try the same thing the ports are closed. I tried forwarding the ports but that doesn't work as I guess it shouldn't as it's using a tunnel to connect to the VPN provider. My VPN provider doesn't offer any way to forward ports from their admin page.

Am I being silly with something here or does OpenVPN work differently on a router? I would assume that when the client is set up as a PC directly that maybe it uses a DMZ like state over the tunnel but when on the router it doesn't. I've tried setting up DMZ on the router to the PC and that doesn't work but it seems obvious that wouldn't. I assume there is maybe a setting I am missing. I have tried to search for it but I can't find much info on VPNs on routers other than setting them up and they don't show anything that I haven't done in my own setup.

Thank you.
 

cptnoblivious

Regular Contributor
First, it sounds like you are trying to set up a VPN client on your computer. In that case, no ports need to be opened inbound (i.e. mapped in via the router) as they're simply translated via NAT.

You can't compare that to torrenting, which uses UPnP. That is, the torrent 'client' is also reachable from the outside and the port is dynamically opened if you will, when the client is started. It needs to be reachable by _others_ who you are a seeder for, so traffic has to be able to pass in unsolicited, i.e. you don't 'reach out' first.

If you were running a VPN Server inside of your network, then you would need to open up ports for the specific VPN protocol your server supports.

Hope that makes sense.
 

Nano_Cell

Occasional Visitor
> First, it sounds like you are trying to set up a VPN client on your computer. In that case, no ports need to be opened inbound (i.e. mapped in via the router) as they're simply translated via NAT.
>
> You can't compare that to torrenting, which uses UPnP. That is, the torrent 'client' is also reachable from the outside and the port is dynamically opened if you will, when the client is started. It needs to be reachable by _others_ who you are a seeder for, so traffic has to be able to pass in unsolicited, i.e. you don't 'reach out' first.
>
> If you were running a VPN Server inside of your network, then you would need to open up ports for the specific VPN protocol your server supports.
>
> Hope that makes sense.

Hi there. Thank you for your reply. I realised I hadn't been very specific with what I was asking there. I would rather my router was acting as a client to connect to my VPN provider instead of my PC as my AC86U will most likely be faster than my older PC. But as my router isn't forwarding ports it makes it less usable. I wondered if it was to do with UPnP but does that mean UPnP only works when using OpenVPN directly on a PC and not when it's routing traffic through my router running OpenVPN which is connected to the server?
 

cptnoblivious

Regular Contributor
@Nano_Cell - well, follow the router setup guide for VPN and test your throughput from the PC after :)

Though, I've found that PCs are faster, even older ones or low powered ones, than running the VPN on the router. (based on testing on a 9 year old i3 and a raspberry pi, vs my AX58U, which granted doesn't have a lot of processing power)
 

Nano_Cell

Occasional Visitor
> @Nano_Cell - well, follow the router setup guide for VPN and test your throughput from the PC after :)
>
> Though, I've found that PCs are faster, even older ones or low powered ones, than running the VPN on the router. (based on testing on a 9 year old i3 and a raspberry pi, vs my AX58U, which granted doesn't have a lot of processing power)

Haha. Well I know that a lot of routers can be quite slow but I guess more than anything I had hoped that, regardless of throughput speed, the older PC might be a bit quicker in itself if it didn't have to deal with encrypting traffic. It does seem to be a little quicker using it in my initial trials. I should point out that my old laptop can connect to the internet via the router's VPN connection and it works but uTorrent for one doesn't work as there are no ports forwarded to it (works fine if the laptop connects directly) and browsing the internet works okay and seems a little faster :)

I've actually started using WireGuard on it and that is definitely faster than OpenVPN. If I can't find a way round making it work as efficiently on the router then I will just have to carry on with WireGuard. It's also nice having it on the router as I can extend it over other PCs in the house as I need.

If I get really brave I might even try and set up WireGuard on the router as I know Merlin has no current intention to support WireGuard on his firmware so that will be some very manual setting up :p
 

eibgrad

Very Senior Member
> When I have a port set in uTorrent and I use a port checking program to check that port on the IP that my VPN has assigned me the port shows as open. When I close uTorrent the port then shows as closed.

This could *only* be true if your VPN provider supports port forwarding, which is NOT common. In fact, even if it was supported, in order for it to work, you would have to specifically establish port forwarding WITH THE VPN PROVIDER, i.e., on the far side of the tunnel and over *his* WAN.

I suppose it's possible that if you're using the VPN provider's app, it might be that the app has the capability to directly support certain protocols, like P2P, and manage such port forwarding behind the scenes. But even so, in my experience, most VPN provider apps are pretty basic and do NOT offer such capabilities. In fact, for some VPN providers, port forwarding over the VPN is NOT supported because it's considered a security/privacy risk (e.g., ExpressVPN). That's why (among other reasons) it's NOT common.

I'm zeroing in on this one point because in order to explain the differences between having the VPN on the PC vs. router, we need to be *certain* the uTorrent app actually is behaving as you assume it is. At present, I'm not convinced it is.
 

Nano_Cell

Occasional Visitor
> This could *only* be true if your VPN provider supports port forwarding, which is NOT common. In fact, even if it was supported, in order for it to work, you would have to specifically establish port forwarding WITH THE VPN PROVIDER, i.e., on the far side of the tunnel and over *his* WAN.
>
> I suppose it's possible that if you're using the VPN provider's app, it might be that the app has the capability to directly support certain protocols, like P2P, and manage such port forwarding behind the scenes. But even so, in my experience, most VPN provider apps are pretty basic and do NOT offer such capabilities. In fact, for some VPN providers, port forwarding over the VPN is NOT supported because it's considered a security/privacy risk (e.g., ExpressVPN). That's why (among other reasons) it's NOT common.
>
> I'm zeroing in on this one point because in order to explain the differences between having the VPN on the PC vs. router, we need to be *certain* the uTorrent app actually is behaving as you assume it is. At present, I'm not convinced it is.

I appreciate your scepticism. If there is any way I can prove it to you I will. I tried with OpenVPN (using the official client) and WireGuard (using Tunsafe) and with both it says the port is open when uTorrent is open and closed when uTorrent is closed. I used the IP address that was assigned and stated in the client and was revealed to be my IP address by sites online. Also, more importantly, uTorrent works when using these clients on the PC in question, which I can only assume is due to the difference between the ports being open and not.

Edit: I do also appreciate that this could potentially be a security risk just as using DMZ is.
 

eibgrad

Very Senior Member
What do you mean by *official client*? Do you mean the app provided by the OpenVPN provider? Or the client provided by OpenVPN itself (OpenVPN Connect) from their website?

And if you don't mind my asking, who is the VPN provider? I want to see what the VPN provider officially states is supported. If you told me ExpressVPN, for example, then obviously my skepticism would be warranted.
 

Nano_Cell

Occasional Visitor
Sorry, I meant the official OpenVPN client provided by OpenVPN themselves.

I use Njalla VPN service. They don't have their own apps to my knowledge but they currently support OpenVPN and WireGuard as the 2 methods to connect.
 

eibgrad

Very Senior Member
Thanks. They certainly don't provide many details about their VPN, do they? Not unless you sign up I suppose.


That makes it tough to know if port forwarding actually is supported. As I said, normally VPN providers resist this because of the security/privacy concerns, and just the hassle of having to support an API on their website for users to manually manage the port forwarding. But if their VPN is willing to accept UPnP requests over the tunnel, then I suppose it is possible. But again, this would be rather unusual. So unusual, many VPN providers who do support it make a point of bragging about it.
 

Nano_Cell

Occasional Visitor
They used to be called iPredator and then they merged with another branch of theirs to then be called Njalla. The name change was only recent so perhaps you'd have more luck with finding information on iPredator if it hasn't all come down. They are supposed to be all about privacy so I don't know if this is intentional behavior or not.
 

Nano_Cell

Occasional Visitor
Also, assuming they are willing to accept UPnP connections, is there a reason this would then not work via the router?
 

eibgrad

Very Senior Member
Since I have no way to be sure one way or the other, let's assume it works as you assume. When it comes to supporting OpenVPN on the router, port forwarding is going to be a problem since (afaik) any UPnP requests will be bound to the WAN, NOT the VPN. And at that point, you could only manage the port forwarding *manually*, typically using a webpage/app provided by the VPN provider on their website. That's generally how it works.
 

Nano_Cell

Occasional Visitor
So it could just be a limitation of the router software that does not forward UPnP requests to the provider for any clients connecting via it even if the provider supports it?
 

eibgrad

Very Senior Member
The router supports its own UPnP server, and when you issue a UPnP request from the client, it assumes you intend to enable port forwarding over the WAN. It does NOT take into consideration the possibility you may want this port forwarding established over the VPN because it's NOT a routing problem (it is for *you*, but not UPnP). UPnP is only about the management of port forwarding wrt the WAN. So it's not really fair to call it a limitation of the router. The router is doing exactly what UPnP is supposed to do. It's probably more proper to call it a limitation of UPnP.

So at best, your unsolicited inbound traffic will NOT be over the VPN, but the WAN (needless to say, a problem for most ppl). And the only way to get around the problem is via manual port forwarding wrt the VPN rather than relying on UPnP. But the VPN provider would have to make that possible via some API, or some configuration page on their website, or by requiring you to use their own app.

Or to put it more succinctly, (afaik) there is no such thing as forwarding of UPnP requests from UPnP server to UPnP server.
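
A check for the behaviour described in the post above, as an added example that is not part of the thread: the router's UPnP IGD reports the public address its port mappings apply to, and comparing that with the VPN exit address shows whether a UPnP-opened port ends up on the WAN. The SOAP reply and both IP addresses are constructed sample values, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Standard UPnP IGD service that owns port mappings on the router.
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"

def build_get_external_ip_request():
    """SOAP body a LAN client POSTs to the router's IGD control URL."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:GetExternalIPAddress xmlns:u="{WANIP_SERVICE}"/></s:Body>'
        '</s:Envelope>'
    )

def parse_external_ip(soap_response):
    """Return the NewExternalIPAddress value from the IGD's SOAP reply."""
    root = ET.fromstring(soap_response)
    for elem in root.iter():
        # The tag may be namespaced ("{ns}NewExternalIPAddress") or bare.
        if elem.tag.rsplit("}", 1)[-1] == "NewExternalIPAddress":
            return (elem.text or "").strip()
    raise ValueError("no NewExternalIPAddress in response")

def mapping_interface(igd_external_ip, vpn_exit_ip):
    """Which public address a UPnP mapping made on this IGD is exposed on."""
    return "vpn" if igd_external_ip == vpn_exit_ip else "wan"

# Constructed sample reply from a router whose WAN address is 203.0.113.10.
SAMPLE_RESPONSE = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    f'<s:Body><u:GetExternalIPAddressResponse xmlns:u="{WANIP_SERVICE}">'
    '<NewExternalIPAddress>203.0.113.10</NewExternalIPAddress>'
    '</u:GetExternalIPAddressResponse></s:Body></s:Envelope>'
)

# Constructed sample: address the VPN provider assigned to the tunnel.
SAMPLE_VPN_EXIT_IP = "198.51.100.77"

if __name__ == "__main__":
    igd_ip = parse_external_ip(SAMPLE_RESPONSE)
    where = mapping_interface(igd_ip, SAMPLE_VPN_EXIT_IP)
    print(f"IGD maps ports on {igd_ip}; VPN exit is {SAMPLE_VPN_EXIT_IP}")
    print(f"UPnP-opened ports are reachable via the {where.upper()} address")
```

When the two addresses differ, a port opened through the router's UPnP server accepts inbound connections on the WAN address, outside the tunnel.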
 

Nano_Cell

Occasional Visitor
I only meant a limitation in general but yes I see that you are saying it's probably a limitation specifically in UPnP and that makes sense.

May I ask if it's strange that after disabling UPnP on the router and on the Windows 7 PC in question that this ability to change ports and have them forward correctly is still working? I have also disabled the setting for it in uTorrent.

I disabled it in W7 by disabling "UPnP Device Host" service and "SSDP Discovery" service. I'm not sure if that was the correct way of disabling it and maybe it doesn't make a difference with a VPN. I'm currently connected via Tunsafe with WireGuard.
 

eibgrad

Very Senior Member
> May I ask if it's strange that after disabling UPnP on the router and on the Windows 7 PC in question that this ability to change ports and have them forward correctly is still working? I have also disabled the setting for it in uTorrent.

Are we talking about having the VPN also active on the PC? Router? Not at all?
 

Nano_Cell

Occasional Visitor
> Are we talking about having the VPN also active on the PC? Router? Not at all?

The VPN is only active on the PC. I realise that probably makes disabling UPnP on the router irrelevant as it would just be between the PC and the VPN provider but as for the other settings?
 
