Solved VPN + Remote port forwarding config issue/question

dividebyzero

New Around Here
I feel like I've gotten pretty close to solving this but hitting a wall and hoping for some guidance.

I'm running an AX86U, FW 386.7. I'm using VPN Director for a few clients and it's been working well. I'm trying to get remote access through the tunnel so I can access my media server remotely (Emby). I am able to get it working, but I can't get it to *stay* working.

I've had my VPN provider open the ports, and have a working OVPN file with the new config. Forwarded the ports in the router, but no dice. Further research indicates why: the GUI only allows forwarding ports via WAN, not the VPN interface.

Digging in further, I found the FAQ below, which explains how to enable this functionality over the VPN interface via SSH. It says things need to be re-entered after a router reboot, which isn't ideal but which I could live with if needed:

Here's the code for that with placeholders:

iptables -t nat -A PREROUTING -i tun+ -p udp --dport PORT -j DNAT --to-destination IP_ADDRESS
iptables -t nat -A PREROUTING -i tun+ -p tcp --dport PORT -j DNAT --to-destination IP_ADDRESS

So here's the thing: after entering the above, it does work; the port shows as open with VPN (https://portchecker.co/check), and I can access my application. Great, right?! However, when I disable SSH, or seemingly do anything else that saves/applies a change, then the remote access no longer works. The port shows closed, and the app no longer works.

Anyone have any insight into how to make this work more reliably? It must at least survive SSH being disabled. It would be ideal if it could persist even through router reboots, but even if I have to do something after every reboot I could live with that.

Thanks!

alecmascot

Regular Contributor
This works for me :

The command to create the script has to be executed on the router using SSH access. It has to be updated each time the port of the port forwarding changes! The command contains two placeholders for variable values which have to be replaced accordingly: YOURPORT with the port of the port forwarding, and THECOMPUTERSIP with the IP address of the device in the LAN to which the data arriving via the port forwarding should be forwarded.

echo -e "#!/bin/sh \niptables -t nat -A PREROUTING -i tun+ -p udp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP \niptables -t nat -A PREROUTING -i tun+ -p tcp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP" > /jffs/scripts/nat-start && chmod +x /jffs/scripts/nat-start

dividebyzero

New Around Here
> This works for me :
>
> The command to create the script has to be executed on the router using SSH access. It has to be updated each time the port of the port forwarding changes! The command contains two placeholders for variable values which have to be replaced accordingly: YOURPORT with the port of the port forwarding, and THECOMPUTERSIP with the IP address of the device in the LAN to which the data arriving via the port forwarding should be forwarded.
>
> echo -e "#!/bin/sh \niptables -t nat -A PREROUTING -i tun+ -p udp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP \niptables -t nat -A PREROUTING -i tun+ -p tcp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP" > /jffs/scripts/nat-start && chmod +x /jffs/scripts/nat-start

Appreciate you sharing this. Unfortunately, no dice: after running the script, the port checker still shows the port as closed.

Did you have to do anything else in conjunction with running this?

juanantonio

Occasional Visitor
Mine works properly by adding these two lines for each port I want to open:

Code:
iptables -I FORWARD -i tun11 -p tcp -d YOURDEVICEIP --dport YOURDEVICEPORT -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport YOURDEVICEPORT -j DNAT --to-destination YOURDEVICEIP

I added these lines to the file /jffs/scripts/firewall-start. It may also work if you add them to /jffs/scripts/nat-start. The only thing is that you should remember to add execute permissions to whichever file you use:

Code:
chmod +x /jffs/scripts/firewall-start

or

Code:
chmod +x /jffs/scripts/nat-start

In this way, the iptables commands will be executed every time the router powers on or reboots. Make note of the protocol type in each command line (tcp/udp). Replace it with your desired protocol, as well as your IP and port.
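The two recipes in this thread (the DNAT-only rules from the FAQ quoted in the first post, and juanantonio's DNAT plus FORWARD pair) both depend on being re-run whenever the firewall is rebuilt, and both use `-A`/`-I` unconditionally, so each run stacks another copy of the same rule. The script below is an added example, not code from any poster or from Asuswrt-Merlin: a `/jffs/scripts/nat-start` that applies both rules per forward, scopes the FORWARD ACCEPT to the one LAN host and port rather than the whole tunnel, and checks with `iptables -C` before inserting so repeated runs stay idempotent. Assumptions: the OpenVPN client interface is `tun11` as in juanantonio's post (set `VPN_IF=tun+` to match any tunnel, as the FAQ rules do), the router's iptables supports `-C`, and the LAN address `192.168.1.50` and port `8096` are constructed placeholders for your media server and the port your VPN provider opened.

```shell
#!/bin/sh
# Added example of an idempotent /jffs/scripts/nat-start for Asuswrt-Merlin.
# Not the thread's own script. Assumptions: OpenVPN client is tun11 (use tun+
# to match any tunnel), iptables supports -C, and the host/port below are
# placeholders. Install with: chmod +x /jffs/scripts/nat-start

IPT="${IPT:-iptables}"      # overridable so the logic can be exercised without root
VPN_IF="${VPN_IF:-tun11}"

# rules_for PROTO PORT LAN_IP: print the two rules one forward needs, one per
# line, as "TABLE CHAIN rule-spec...". The FORWARD rule is limited to the
# destination host and port, not a blanket ACCEPT for everything off the tunnel.
rules_for() {
    proto=$1; port=$2; dest=$3
    printf '%s\n' \
        "nat PREROUTING -i $VPN_IF -p $proto --dport $port -j DNAT --to-destination $dest" \
        "filter FORWARD -i $VPN_IF -p $proto -d $dest --dport $port -j ACCEPT"
}

# ensure_rule TABLE CHAIN rule-spec...: insert only if that exact rule is not
# already present, so re-running nat-start does not pile up duplicate rules.
ensure_rule() {
    table=$1; chain=$2; shift 2
    "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null \
        || "$IPT" -t "$table" -I "$chain" "$@"
}

# forward_port PROTO PORT LAN_IP: apply both rules for one forward.
forward_port() {
    rules_for "$1" "$2" "$3" | while read -r table chain spec; do
        # shellcheck disable=SC2086  # spec is intentionally word-split into arguments
        ensure_rule "$table" "$chain" $spec
    done
}

# Placeholder forwards (constructed for this example): replace with the port(s)
# your VPN provider opened and your media server's LAN address. Guarded so the
# script only touches the firewall when it can actually do so (root on the router).
LAN_HOST="${LAN_HOST:-192.168.1.50}"
if [ "$(id -u)" = 0 ] && command -v "$IPT" >/dev/null 2>&1; then
    forward_port tcp 8096 "$LAN_HOST"
    forward_port udp 8096 "$LAN_HOST"
else
    echo "nat-start: not root or $IPT not found, nothing applied" >&2
fi
```

Because the script is safe to run repeatedly, you can also invoke it by hand over SSH right after editing it, rather than waiting for the next firewall restart, and check the result with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v`.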