VPN Port routing for a Synology NAS


figorr

Regular Contributor
I am trying to add some rules in order to be able to access the Synology NAS from outside while the VPN is ON.

If the VPN is OFF ... I can access the NAS from outside without any problems (through ports 5000 and 5001). So my idea is that ports 5000 and 5001 go through the WAN so that the NAS stays accessible when the VPN is ON.

I set up the NAS on OpenVPN Client 3.


Then I followed "Policy based Port routing (manual method)",
https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-Port-routing-(manual-method)

I created the script "nat-start" using Notepad++, with permissions 755.

Then I ran client 3 and started the nat-start script. Then I tried to add the following iptables rules (I also added port 32400 in order to make Plex accessible from outside).

Code:
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.2.100 -p tcp -m multiport --sport 5000 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.2.100 -p tcp -m multiport --sport 5001 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.2.100 -p tcp -m multiport --sport 32400 -j MARK --set-mark 0x8000/0x8000


Looking at the System log ... the VPN is active and the nat-start script seems to be working OK, but I still cannot access the NAS from outside.

Code:
May 4 16:03:28 JUANDOASUS ovpn-client3[29031]: updown.sh tun13 1500 1585 10.33.0.6 10.33.0.5 init
May 4 16:03:28 JUANDOASUS openvpn-updown: Forcing 192.168.2.100 to use DNS server 1.1.1.1
May 4 16:03:28 JUANDOASUS rc_service: service 29152:notify_rc updateresolv
May 4 16:03:28 JUANDOASUS custom_script: Running /jffs/scripts/service-event (args: updateresolv)
May 4 16:03:31 JUANDOASUS openvpn-routing: Configuring policy rules for client 3
May 4 16:03:31 JUANDOASUS ovpn-client3[29031]: Initialization Sequence Completed
May 4 16:14:15 JUANDOASUS rc_service: service 30860:notify_rc nat-start
May 4 16:14:15 JUANDOASUS custom_script: Running /jffs/scripts/service-event (args: nat-start)


If I run the command "iptables -t nat -L", it seems that no rules have been added.

Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNSVPN3    tcp  --  anywhere             anywhere             tcp dpt:domain
DNSVPN3    udp  --  anywhere             anywhere             udp dpt:domain
DNSVPN1    tcp  --  anywhere             anywhere             tcp dpt:domain
DNSVPN1    udp  --  anywhere             anywhere             udp dpt:domain


Am I missing something?
 
Can you not use QuickConnect? I keep my VPN on all the time and access it via QuickConnect. I've never had an issue in browsers or in any apps (Android).

 
Thank you @djblade20354,

Yes, I have been using QuickConnect and it was working fine, but if I want to access any other feature or app, like Plex, ... then the DS returns an error to me and won't connect.

And if you try to access your Plex Library from outside your local Network (using the PLEX app or the Plex web) ... the library located in the NAS is not accessible.

So this is the main reason why I thought about using port forwarding while I am using VPN. But I don't know if it is still possible or if I am doing something wrong.
 
Try
Code:
iptables  --line -t mangle -nvL PREROUTING

ip rule
 
Thank you @Martineau,

If I run iptables --line -t mangle -nvL PREROUTING, I get this:

Code:
Chain PREROUTING (policy ACCEPT 124 packets, 22156 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    10083 5158K MARK       all  --  tun13  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2    1290K 1305M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.2.100-192.168.2.100 multiport sports 5000 MARK or 0x8000
4        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.2.100-192.168.2.100 multiport sports 5001 MARK or 0x8000
5        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.2.100-192.168.2.100 multiport sports 32400 MARK or 0x8000
6        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.2.100-192.168.2.100 multiport sports 59969 MARK or 0x8000
7        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.2.100-192.168.2.100 multiport sports 59970 MARK or 0x8000


And when I run ip rule ... I get this:

Code:
0:      from all lookup local
10001:  from 192.168.2.1 lookup main
10101:  from 192.168.2.21 lookup ovpnc1
10102:  from 192.168.2.20 lookup ovpnc1
10103:  from 192.168.2.92 lookup ovpnc1
10104:  from 192.168.2.22 lookup ovpnc1
10105:  from 192.168.2.23 lookup ovpnc1
10106:  from 192.168.2.24 lookup ovpnc1
10107:  from 192.168.2.25 lookup ovpnc1
10501:  from 192.168.2.100 lookup ovpnc3
32766:  from all lookup main
32767:  from all lookup default
 
Opening your NAS ports to the external world poses a significant security risk. For accessing the NAS from outside I would propose using an OpenVPN server.
 
Please use the code tags from the 'insert' drop-down menu when posting output.

So the iptables show there are no replies from 192.168.2.100 to be tagged outbound with fwmark 0x8000 to the WAN.

However, even if there were hits, you are missing the necessary fwmark RPDB rule(s).

Did nat-start run correctly?
Code:
ls -lah /jffs/scripts/nat-start

cat /jffs/scripts/nat-start
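As an added example (not from the thread or the Merlin wiki), a small Python check that encodes the two things Martineau reads off those outputs: whether the mangle MARK rules for 0x8000 have matched any packets at all, and whether an RPDB (`ip rule`) entry exists for that fwmark. The sample outputs are constructed from the ones posted above; WAN_FWMARK_RULE is a constructed line standing in for the rule the wiki's nat-start script should add.

```python
import re

# Constructed sample input, copied from the two outputs posted in this thread
# (trimmed to the rows that matter for the check).
MANGLE_PREROUTING = """\
Chain PREROUTING (policy ACCEPT 124 packets, 22156 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    10083 5158K MARK       all  --  tun13  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.2.100-192.168.2.100 multiport sports 5000 MARK or 0x8000
4        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.2.100-192.168.2.100 multiport sports 5001 MARK or 0x8000
"""
IP_RULE = """\
0:      from all lookup local
10501:  from 192.168.2.100 lookup ovpnc3
32766:  from all lookup main
"""
# The RPDB line the wiki's nat-start is meant to create; constructed here for the check.
WAN_FWMARK_RULE = "9990:   from all fwmark 0x8000/0x8000 lookup main\n"

def idle_mark_rules(mangle_listing, mark="0x8000"):
    """Line numbers of MARK rules that set `mark` but have counted zero packets."""
    idle = []
    for line in mangle_listing.splitlines():
        parts = line.split()
        # Skip the chain header and column header; rule rows start with a number.
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        if f"MARK or {mark}" in line and parts[1] == "0":
            idle.append(int(parts[0]))
    return idle

def fwmark_rule_present(ip_rule_listing, mark="0x8000"):
    """True if some RPDB rule is keyed on `mark` (with or without a /mask suffix)."""
    pattern = re.compile(r"\bfwmark\s+" + re.escape(mark) + r"(/\S+)?\b", re.IGNORECASE)
    return any(pattern.search(line) for line in ip_rule_listing.splitlines())

def diagnose(mangle_listing, ip_rule_listing, mark="0x8000"):
    """Return the list of problems the two diagnostic commands reveal."""
    findings = []
    idle = idle_mark_rules(mangle_listing, mark)
    if idle:
        findings.append(f"mangle PREROUTING rules {idle} matched no packets: nothing is being tagged {mark}")
    if not fwmark_rule_present(ip_rule_listing, mark):
        findings.append(f"no 'ip rule' entry selects a table for fwmark {mark}: tagged packets would not be rerouted")
    return findings

if __name__ == "__main__":
    for finding in diagnose(MANGLE_PREROUTING, IP_RULE):
        print(finding)
```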
 
You have to make sure that your VPN provider allows port forwarding. Then you should open ports 5000 & 5001 at the VPN provider's server IP address; the iptables commands will do the rest.

Here below are my iptables commands for client 3 (tun13), which seem quite different from yours:

Code:
iptables -D FORWARD -i tun13 -p tcp -d 192.168.1.191 --dport 8881 -j ACCEPT
iptables -I FORWARD -i tun13 -p tcp -d 192.168.1.191 --dport 8881 -j ACCEPT
#
iptables -D FORWARD -i tun13 -p tcp -d 192.168.1.192 --dport 8882 -j ACCEPT
iptables -I FORWARD -i tun13 -p tcp -d 192.168.1.192 --dport 8882 -j ACCEPT
#
iptables -D FORWARD -i tun13 -p tcp -d 192.168.1.193 --dport 8883 -j ACCEPT
iptables -I FORWARD -i tun13 -p tcp -d 192.168.1.193 --dport 8883 -j ACCEPT
#
iptables -t nat -I PREROUTING -i tun13 -p tcp --dport 8881 -j DNAT --to-destination 192.168.1.191
iptables -t nat -I PREROUTING -i tun13 -p tcp --dport 8882 -j DNAT --to-destination 192.168.1.192
iptables -t nat -I PREROUTING -i tun13 -p tcp --dport 8883 -j DNAT --to-destination 192.168.1.193
#
 
Ok, thank you.

I am a noob at using custom scripts, but it looks like it is running OK. When I run the command "ls -lah /jffs/scripts/nat-start" I get this:

Code:
admin@JUANDOASUS:/tmp/home/root# ls -lah /jffs/scripts/nat-start
-rwxr-xr-x 1 admin root 818 May 4 16:01 /jffs/scripts/nat-start

And when I run the command "cat /jffs/scripts/nat-start", I get this:

Code:
admin@JUANDOASUS:/tmp/home/root# cat /jffs/scripts/nat-start
#!/bin/sh

sleep 10 # During the boot process nat-start may run multiple times so this is required

# Ensure duplicate rules are not created
for VPN_ID in 0 1 2 3 4 5
do
    ip rule del prio 999$VPN_ID 2>/dev/null
done

# Create the RPDB rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main prio 9990 # WAN fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991 # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992 # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993 # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994 # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995 # VPN
 
Thank you @GSpock,

My VPN provider is TorGuard, and I think TorGuard allows port forwarding. I am going to check.

Yes, your iptables look different. :)

It's my first time using iptables, and I used the way I found in the "Policy based Port routing (manual method)",
https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-Port-routing-(manual-method).
 
Thank you @GSpock. Now it is working OK.

I went to the TorGuard client panel and used PORT MANAGEMENT to open the ports on the VPN address (I have a dedicated IP from TorGuard).

Then I accessed the router through SSH and entered the following rules:

Code:
iptables -t nat -I PREROUTING -i tun13 -p tcp --dport 5000 -j DNAT --to-destination 192.168.2.100
iptables -t nat -I PREROUTING -i tun13 -p tcp --dport 5001 -j DNAT --to-destination 192.168.2.100
iptables -t nat -I PREROUTING -i tun13 -p tcp --dport 32400 -j DNAT --to-destination 192.168.2.100
iptables -t nat -I PREROUTING -i tun13 -p tcp --dport 59970 -j DNAT --to-destination 192.168.2.100
iptables -t nat -I PREROUTING -i tun13 -p tcp --dport 59969 -j DNAT --to-destination 192.168.2.100

After that ... the NAS is accessible from outside the LAN using the DDNS provided by Synology.

And now I can also access Plex, using the library stored in the NAS.

Everything looks fine.
 
I would suggest heeding what @netware5 warns about in post 6 above.

Use the router to create an OpenVPN Server connection back to your network. Turn off all VPN and open ports on your NAS. :)
 
Thank you. I will consider this too.
Just one question. If I am using a dedicated IP (not a shared IP) for the VPN, why is it risky?
 
A dedicated or shared IP isn't really any barrier.

When someone gets through the NAS, they will have access to everything. Not necessarily the same situation if the router is compromised first.

The more levels of security from your important files and the front door of your network (the router), the better. :)

Opening up the NAS directly is just making things too easy for the bad guys.
 
@figorr are you setting up an OpenVPN Server and then importing that into the same router (as Client 4)?
 

Indeed, I have also tested this way of accessing the NAS, and it works great as well. In any case I also recommend activating two-step authentication on the NAS ...
 
Yes, I am too much of a noob. :)

Now I have seen the proper way is to upload the ovpn config file into the NAS, not in the router. And I have to create the VPN connection under the NAS LAN settings. :)

I will test this way when I arrive at home. Now I am at work.
 
Thank you.

I have just activated two-step authentication on the NAS. Some extra security is always welcome.
 
