VPN Policy Routing

maghuro

Hello everyone, I have a question.
I have a VPN through all my network except for my QNAP device.
I used policy routing so my QNAP uses WAN instead of VPN:
Source IP -> QNAP
Destination IP -> 0.0.0.0
Iface -> WAN

Everything's OK!

My question is: when I'm outside home and I send some file to my QNAP, will it go through VPN or WAN, since it is incoming traffic?
Do I also have to add another rule:
Source IP -> 0.0.0.0
Destination IP -> QNAP IP
Iface -> WAN

?
So the question is: is policy routing only for outgoing connections, or does it also apply the rules to incoming connections to the devices on policy routing?

Thanks!
 
It will come in through the WAN because the client will be connecting to the WAN IP address. Policy routing is for outgoing connections.
 
> It will come in through the WAN because the client will be connecting to the WAN IP address. Policy routing is for outgoing connections.
Thank you sir! The simple answer I was looking for.
If however I have port forwarding configured on the VPN, and I access through the VPN, theoretically I can connect to the QNAP from outside via VPN?
But outgoing traffic will always be redirected through WAN.
 
> If however I have port forwarding configured on the VPN, and I access through the VPN, theoretically I can connect to the QNAP from outside via VPN?
> But outgoing traffic will always be redirected through WAN.
Not all VPN providers offer the ability to port forward to the VPN client. If you do come in through this route then the return traffic must go back through the same path. It can't come in via the VPN and out via the WAN (or vice versa).

To clarify the earlier point about policy routing and outgoing connections, we're talking about the establishment of a new network connection to a remote service.
 
> Not all VPN providers offer the ability to port forward to the VPN client. If you do come in through this route then the return traffic must go back through the same path. It can't come in via the VPN and out via the WAN (or vice versa).
>
> To clarify the earlier point about policy routing and outgoing connections, we're talking about the establishment of a new network connection to a remote service.
Perfect. Thanks for your help, I fully understand it now!

It wouldn't work as I was imagining, because if I established a connection from outside via VPN (AirVPN does support port forwarding), and on the router I have a device policy for the QNAP to go through WAN, the connection probably won't be established, because I'd make the connection through the VPN and the QNAP would answer via WAN, which doesn't work.
 
> It wouldn't work as I was imagining, because if I established a connection from outside via VPN (AirVPN does support port forwarding), and on the router I have a device policy for the QNAP to go through WAN, the connection probably won't be established, because I'd make the connection through the VPN and the QNAP would answer via WAN, which doesn't work.
This scenario is something I'm not sure about, and I can't test because NordVPN doesn't support port forwarding.

Under normal circumstances the router does "connection tracking". This means that when an incoming packet connects to a LAN server and establishes a connection the router keeps track of the path between the two ends. So WAN connections stay on the WAN and VPN connections stay on the VPN. Whether or not policy routing breaks this process I don't know. I suggest you try it and find out. It'll either work or it won't. I'd be interested to hear your results.
 
Assuming that I did everything right, it didn't work.
AirVPN only allows forwarding ports above 1024. But if that particular server has some port claimed by a client, I have to choose another one or get a randomly generated one.
That's what I did.
1 - claimed port 44021 and forwarded it to my internal VPN IP on port 8080.
Can't connect to the QNAP from outside.
2 - activated port forwarding on the router from "external" port 8080 to QNAP 8080. Didn't work.
3 - then I tried to forward on the router from external 44021 to internal QNAP 8080. Didn't work.
4 - then on AirVPN I claimed port 44021 and forwarded it to my internal IP on port 44021. Then activated port forwarding on the router from 44021 to 8080. Didn't work.
5 - I set the QNAP to use port 44021 (so I can connect directly, instead of these jumps). The QNAP immediately opened port 44021 via UPnP and.... It didn't work trying to connect via the VPN IP.
6 - for the sake of completeness I port forwarded manually from 44021 to 44021 to the QNAP, and surprisingly... It didn't work either!

So I assume... Neither outgoing nor incoming connections can be made via VPN when policy routing says that the QNAP should go to WAN.

I repeat - assuming I did everything right
 
I can't say I'm that surprised. I don't know enough about how the routing works behind the scenes to speculate further.

EDIT: I don't see why you shouldn't have been able to get access to the Qnap via the WAN address if your policy rules were set for that.

EDIT 2: I think I see why this won't work coming in via the VPN client. The initial packet would enter the VPN tunnel at its public IP address and be forwarded to your router. When the packet exits the VPN tunnel your router has no way of knowing what LAN IP address it's meant to send it to. That would require a DNAT entry on the router (and Inbound Firewall set to Allow in the VPN client settings).
 
> I can't say I'm that surprised. I don't know enough about how the routing works behind the scenes to speculate further.
>
> EDIT: I don't see why you shouldn't have been able to get access to the Qnap via the WAN address if your policy rules were set for that.
>
> EDIT 2: I think I see why this won't work coming in via the VPN client. The initial packet would enter the VPN tunnel at its public IP address and be forwarded to your router. When the packet exits the VPN tunnel your router has no way of knowing what LAN IP address it's meant to send it to. That would require a DNAT entry on the router (and Inbound Firewall set to Allow in the VPN client settings).
Policy route for the QNAP is:
Code:
Source IP -> QNAP LAN IP
Destination IP -> 0.0.0.0
Iface -> WAN

Via the WAN address I access the QNAP perfectly well!

This won't work exactly because of what you said in edit 2. The packet comes via VPN and is correctly sent by the router to the QNAP LAN IP. Then the packet goes out from the QNAP to the router and the router sends the packet through WAN, not VPN (because that's what I put in the policy routes), so it never comes back to me and I can't access it externally.
 
> Policy route for the QNAP is:
> Code:
> Source IP -> QNAP LAN IP
> Destination IP -> 0.0.0.0
> Iface -> WAN
>
> Via the WAN address I access the QNAP perfectly well!
But you said in points 2 and 3 above that this didn't work. :confused: Did I misunderstand you?

> This won't work exactly because of what you said in edit 2. The packet comes via VPN and is correctly sent by the router to the QNAP LAN IP. Then the packet goes out from the QNAP to the router and the router sends the packet through WAN, not VPN (because that's what I put in the policy routes), so it never comes back to me and I can't access it externally.
That's not what I said. I said the packet comes in via the VPN and is sent to the router but never gets any further because the router has no way of knowing where it's meant to go.
 
> But you said in points 2 and 3 above that this didn't work. :confused: Did I misunderstand you?
>
> That's not what I said. I said the packet comes in via the VPN and is sent to the router but never gets any further because the router has no way of knowing where it's meant to go.
Misunderstood, probably because of my great English :)
Everything I did in those points above was with the VPN activated on the router, policy routes sending the QNAP to WAN, and trying to access the QNAP from outside via VPN.

---

Yes, that's because when I did these tests, on the router I configured port forwarding to get the packet from the VPN port (as I was calling the VPN IP from outside) and forward it to the QNAP. The problem is that, as I have defined policy routes so the QNAP uses WAN, the packet is sent back through WAN and is lost. Correctly, I assume.
 
> Yes, that's because when I did these tests, on the router I configured port forwarding to get the packet from the VPN port (as I was calling the VPN IP from outside) and forward it to the QNAP. The problem is that, as I have defined policy routes so the QNAP uses WAN, the packet is sent back through WAN and is lost. Correctly, I assume.
The packet is not being sent back through the WAN because it never reaches the Qnap. The packet is being dropped by the router as soon as it arrives.*

* The router's port forwarding rules only apply to WAN to LAN connections. They do not have any effect on VPN to LAN connections.
 
> The packet is not being sent back through the WAN because it never reaches the Qnap. The packet is being dropped by the router as soon as it arrives.*
>
> * The router's port forwarding rules only apply to WAN to LAN connections. They do not have any effect on VPN to LAN connections.
Oh I see! After your edit I understood what you're saying.
And how do we forward a port from VPN to LAN? Is that possible?
 
> Oh I see! After your edit I understood what you're saying.
> And how do we forward a port from VPN to LAN? Is that possible?

You would need to create a script with an iptables rule in it. I can't tell you the exact command because I don't use the same firmware as you.
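A small model of the three behaviours discussed from the connection-tracking post onward (a WAN port forward that works, a VPN-side packet dropped because no DNAT rule exists for the tunnel interface, and a VPN-side DNAT whose reply is pushed out the WAN by the source-IP policy route), plus the connmark-style "send the reply back the way it came" fix. This is an added example written for this thread, not code from any poster or from the router firmware; the addresses, the `tun11`/`eth0` interface names and the fix are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample addresses (RFC 5737 / private ranges), not taken from the thread.
QNAP_LAN_IP = "192.168.1.50"
WAN_IP = "203.0.113.10"         # router's public address
VPN_TUNNEL_IP = "10.8.0.2"      # router's address inside the tunnel (provider forwards here)
REMOTE_CLIENT = "198.51.100.7"  # the laptop/phone outside the home
WAN_IFACE, VPN_IFACE = "eth0", "tun11"  # assumed interface names


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Router:
    # Policy routes as in the thread: source LAN IP -> egress interface.
    # Anything not listed goes out through the VPN (the poster's default).
    policy_routes: dict
    # Port forwards keyed by (ingress interface, destination port) -> (LAN IP, LAN port).
    # A normal "port forwarding" entry only exists for the WAN interface.
    dnat: dict
    # The fix: remember which interface a connection arrived on and route replies back
    # that way (what a CONNMARK save/restore plus an "ip rule fwmark" entry does on Linux).
    restore_ingress_iface: bool = False
    conntrack: dict = field(default_factory=dict)

    def inbound(self, iface, pkt):
        """PREROUTING: apply DNAT for this interface/port, or drop the packet."""
        target = self.dnat.get((iface, pkt.dport))
        if target is None:
            return None  # no forwarding rule for this ingress interface: dropped at the router
        lan_ip, lan_port = target
        self.conntrack[(pkt.src, pkt.sport, lan_ip, lan_port)] = {
            "in_iface": iface, "orig_dst": (pkt.dst, pkt.dport)}
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port)

    def outbound(self, pkt):
        """Route a packet from a LAN host; returns (egress interface, packet on the wire)."""
        entry = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if entry is not None and self.restore_ingress_iface:
            iface = entry["in_iface"]  # reply follows the connection's ingress path
        else:
            iface = self.policy_routes.get(pkt.src, VPN_IFACE)  # policy routing by source IP
        if entry is not None:  # reverse the DNAT on the reply
            orig_ip, orig_port = entry["orig_dst"]
            pkt = Packet(orig_ip, orig_port, pkt.dst, pkt.dport)
        return iface, pkt


def simulate(entry_iface, forward_on_vpn=False, fix=False):
    """Open a connection from the remote client to the QNAP's port 8080 through
    entry_iface and report 'dropped', 'asymmetric' or 'works'."""
    dnat = {(WAN_IFACE, 8080): (QNAP_LAN_IP, 8080)}
    if forward_on_vpn:
        dnat[(VPN_IFACE, 44021)] = (QNAP_LAN_IP, 8080)  # the DNAT rule the thread asks about
    router = Router(policy_routes={QNAP_LAN_IP: WAN_IFACE}, dnat=dnat,
                    restore_ingress_iface=fix)
    public_dst, public_port = ((WAN_IP, 8080) if entry_iface == WAN_IFACE
                               else (VPN_TUNNEL_IP, 44021))
    syn = Packet(REMOTE_CLIENT, 51000, public_dst, public_port)
    delivered = router.inbound(entry_iface, syn)
    if delivered is None:
        return "dropped"
    reply = Packet(delivered.dst, delivered.dport, delivered.src, delivered.sport)
    egress, on_wire = router.outbound(reply)
    # The client only sees the SYN-ACK if it leaves on the interface it came in on
    # and carries the address the client actually connected to.
    if egress == entry_iface and on_wire.src == public_dst:
        return "works"
    return "asymmetric"


if __name__ == "__main__":
    print("via WAN:", simulate(WAN_IFACE))
    print("via VPN, WAN forwards only:", simulate(VPN_IFACE))
    print("via VPN, tunnel DNAT, no mark:", simulate(VPN_IFACE, forward_on_vpn=True))
    print("via VPN, tunnel DNAT + mark:", simulate(VPN_IFACE, forward_on_vpn=True, fix=True))
```

The second case is the one described in the post above (dropped at the router because port forwarding only covers WAN to LAN); the third is what the earlier "it must go back through the same path" remark predicts once a tunnel-side DNAT rule exists but the QNAP's source-IP policy route still wins for the reply. Only with the reply pinned to the ingress interface does the VPN path close the loop.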
 
> You would need to create a script with an iptables rule in it. I can't tell you the exact command because I don't use the same firmware as you.
I see... Thanks anyway!

Btw, which firmware do you use?
 
I use John's fork. Being based on an earlier version of Merlin's firmware some of the iptables rules are slightly different now. I'd have to see a dump of the current Merlin rules to be able to suggest any changes.

You can see the relevant rules by looking at the output of this command:
Code:
iptables-save -t nat
 