Assistance Please! OpenVPN and Port Forwarding.

Forum » Discussions / General » Assistance Please! OpenVPN and Port Forwarding.

Started by:

Kanth (guest)
Date: 12 Sep 2012 17:09
Number of posts: 6

RSS: New posts

Summary:

Need help getting P-Fwd to work while a VPN client.

Unfold All Fold All More Options

Fold

Assistance Please! OpenVPN and Port Forwarding.

Kanth (guest) 12 Sep 2012 17:09

Hi! I'm not that experienced a network guy, but have had several routers in the part.
I installed Tomato VPN build 1.28 on an Asus-RT-N16.. this was my first experience with Tomato.

Then I set it up to forward my ports to my internal machines. So for example, port 80 when the WLAN is hit forwards to 192.168.1.100 port 80.
And that works. It's pretty standard.

After that though this gets odd to me.
I configured the openVPN client for use with a VPN provider. (I've never used one before, but this was the reason for going with Tomato).
So I have a TUN connection , firewall automatic, TLS. Create NAT on tunnel is checked. Redirect internet traffic is NOT checked.

When I start that. I am able to show that all my machines are behind that VPN. However, nothing outside can hit me and access my tunnels.
I am using the WLAN address port 80, and I seem to get the WLAN address connected to, but the traffic never seems to go to 192.168.1.100:80.

I assume there is something I am doing wrong. I have checked and unchecked the create NAT on tunnel, and Redirect internet traffic buttons, and tried multiple configurations, but I am not really getting what I want.

I had presumed there was a way that I would look like the VPN on the internet, but if I gave out the real WAN address those people would connect directly to me and reach my tunnels. That way I could keep the VPN up all the time, and yet still serve pages, ssh, whatever to directly connected sessions.

Can anyone assist or explain to me what I'm doing wrong and how to correct it, assuming it is possible?

Thanks,

Kanth

Options

Unfold Assistance Please! OpenVPN and Port Forwarding. by

Kanth (guest), 12 Sep 2012 17:09

Fold

Paul (guest) 13 Sep 2012 06:42

You're not explaining very clearly what is and isn't working. You say after you initiate the VPN connection to the VPN server your systems are behind the VPN?? What does that mean? When you initiate that connection all you technically do is add another network to the ones you can already access (for instance via the 10.8.0.0 network which is default in openvpn you can route the network on the other end of the server like 192.168.2.0, etc).

For instance:

Local network: 192.168.1.0/24
Remote network: 192.168.2.0/24
when you creat VPN tunnel your 192.168.1.0 network can access hosts on the 192.168.2.0 network via the 10.8.0.X route (vpn end points with the TUN device).

Hope that makes sense? One thought I'm having in your situation, if both of the networks are the same (local and remote) then the router won't know where the host is (on which side of the vpn) so if local: 192.168.1.0 and remote is 192.168.1.0 and you're forwarding port 80 from the WAN to 192.168.1.100, the router wont know where host 100 is. Your networks must be different.

This is at least the way I understand not, there might be someone who can explain this better.

Options

Unfold by

Paul (guest), 13 Sep 2012 06:42

Fold

Re: Assistance Please! OpenVPN and Port Forwarding.

Kanth 13 Sep 2012 15:06

Sure, let me try. I am sorry, I actually do not understand networking extremely well, so I hoped this was more of a common thing and someone would just go.. oh that's common you just do this to fix it. ;) Never works out that way though.

I installed TomatoUSB on the RT-N16 yesterday. It obtained an IP address for the WAN from my cable modem. I am going to call this IP: 209.25.206.84 (the WAN IP).

After that, I set up port forwarding rules to my internal machines which I have statically set internal IP's on. For instance 192.168.1.100 is a linux box. So 2 rules I set up were:
Port Forward TCP source port 22 to destination port 192.168.1.100 port 22.
Port Forward TCP source port 80 to destination port 192.168.1.100 port 80.

I then tested those rules from an external machine to make sure they worked. When I hit port 80 on 209.25.206.84 I got the web page served by the 192.168.1.100 machine. SSH worked as well.

So the next thing I did was set up openVPN. To do that I followed these instructions at privateinternetaccess(dotcom)
pages/client-support/#tomato_openvpn

And then I told the VPN to start now.
Once it had started I went to the various what is my IP sites to see what it showed as. And it showed as a different IP, from a different location. Not the 209.25.206.84 IP.

So that worked.

The issue is that when that is on, I can not from the external computers, reach the 209.25.206.84:80 hole. It appears to reach the router, but it never reaches the linux box. I have checked the logs, I don't even get the connection on the linux box. So the router, I would assume, is not routing it to 192.168.1.100 at all.

Since I am currently not at the house, and don't have the ability right this second to dump the iptables and route list. I will post them later on tonight to show what they are or show when they are on or off. I think that would help.

But I took a good look at what happens in iptables and route when openvpn is on and off, and I actually could not see anything that seemed to make any sense to me why it would be doing that. If there are things that would be good for me to dump to look and see what is happening, please chime in and I'll grab those as well later.

Thanks!

Options

Unfold Re: Assistance Please! OpenVPN and Port Forwarding. by

Kanth, 13 Sep 2012 15:06

Fold

Re: Assistance Please! OpenVPN and Port Forwarding.

Kanth 13 Sep 2012 21:41

So here is what it looks like to me:
VPN ON (Forwarding stops working)
71.72.120.1 * 255.255.255.255 0 vlan2 (WAN)
10.149.112.1 10.149.112.5 255.255.255.255 0 tun11
68.68.17.21 71.72.120.1 255.255.255.255 0 vlan2 (WAN)
10.149.112.5 * 255.255.255.255 0 tun11
192.168.1.0 * 255.255.255.0 0 br0 (LAN)
71.72.120.0 * 255.255.248.0 0 vlan2 (WAN)
127.0.0.0 * 255.0.0.0 0 lo
default 10.149.112.5 128.0.0.0 0 tun11
128.0.0.0 10.149.112.5 128.0.0.0 0 tun11
default 71.72.120.1 0.0.0.0 0 vlan2 (WAN)

VPN OFF (forwarding works)
71.72.120.1 * 255.255.255.255 0 vlan2 (WAN)
192.168.1.0 * 255.255.255.0 0 br0 (LAN)
71.72.120.0 * 255.255.248.0 0 vlan2 (WAN)
127.0.0.0 * 255.0.0.0 0 lo
default 71.72.120.1 0.0.0.0 0 vlan2 (WAN)

Here is the iptables dumps

VPN ON (Forwarding not working)
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
27 2990 ACCEPT all — tun11 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all — * * 0.0.0.0/0 0.0.0.0/0 state INVALID
8025 983K ACCEPT all — * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 shlimit tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
1 140 ACCEPT all — lo * 0.0.0.0/0 0.0.0.0/0
191 13874 ACCEPT all — br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp — * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7483 378K ACCEPT all — tun11 * 0.0.0.0/0 0.0.0.0/0
14319 18M all — * * 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
0 0 ACCEPT all — br0 br0 0.0.0.0/0 0.0.0.0/0
9 360 DROP all — * * 0.0.0.0/0 0.0.0.0/0 state INVALID
249 12232 TCPMSS tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
14001 18M ACCEPT all — * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 wanin all — vlan2 * 0.0.0.0/0 0.0.0.0/0
0 0 wanout all — * vlan2 0.0.0.0/0 0.0.0.0/0
309 15543 ACCEPT all — br0 * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 15178 packets, 19M bytes)
pkts bytes target prot opt in out source destination

Chain shlimit (1 references)
pkts bytes target prot opt in out source destination
0 0 all — * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: shlimit side: source
0 0 DROP all — * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

Chain wanin (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp — * * 0.0.0.0/0 192.168.1.100 tcp dpt:22
0 0 ACCEPT tcp — * * 0.0.0.0/0 192.168.1.100 tcp dpt:25
0 0 ACCEPT tcp — * * 0.0.0.0/0 192.168.1.100 tcp dpt:80
0 0 ACCEPT tcp — * * 0.0.0.0/0 192.168.1.100 tcp dpt:443
0 0 ACCEPT tcp — * * 0.0.0.0/0 192.168.1.130 tcp dpt:45631
0 0 ACCEPT tcp — * * 0.0.0.0/0 192.168.1.130 tcp dpt:1550
0 0 ACCEPT udp — * * 0.0.0.0/0 192.168.1.130 udp dpts:1550:1556
0 0 ACCEPT tcp — * * 0.0.0.0/0 192.168.1.130 tcp dpts:6783:6785
0 0 ACCEPT udp — * * 0.0.0.0/0 192.168.1.130 udp dpts:6783:6785

Chain wanout (1 references)
pkts bytes target prot opt in out source destination

Chain PREROUTING (policy ACCEPT 430 packets, 34731 bytes)
pkts bytes target prot opt in out source destination
26 1308 WANPREROUTING all — * * 0.0.0.0/0 71.72.125.234
0 0 DROP all — vlan2 * 0.0.0.0/0 192.168.1.0/24

Chain POSTROUTING (policy ACCEPT 71 packets, 4945 bytes)
pkts bytes target prot opt in out source destination
225 11263 MASQUERADE all — * tun11 192.168.1.0/24 0.0.0.0/0
0 0 MASQUERADE all — * vlan2 0.0.0.0/0 0.0.0.0/0
1 340 SNAT all — * br0 192.168.1.0/24 192.168.1.0/24 to:192.168.1.1

Chain OUTPUT (policy ACCEPT 72 packets, 5285 bytes)
pkts bytes target prot opt in out source destination

Chain WANPREROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT icmp — * * 0.0.0.0/0 0.0.0.0/0 to:192.168.1.1
0 0 DNAT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.1.100
0 0 DNAT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:192.168.1.100
0 0 DNAT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.100
0 0 DNAT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.1.100
0 0 DNAT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:45631 to:192.168.1.130
0 0 DNAT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1550 to:192.168.1.130
0 0 DNAT udp — * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1550:1556 to:192.168.1.130
0 0 DNAT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6783:6785 to:192.168.1.130
0 0 DNAT udp — * * 0.0.0.0/0 0.0.0.0/0 udp dpts:6783:6785 to:192.168.1.130

Chain PREROUTING (policy ACCEPT 30135 packets, 19M bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 8249 packets, 1001K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 21808 packets, 18M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 15208 packets, 19M bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 37007 packets, 38M bytes)
pkts bytes target prot opt in out source destination

VPN OFF (Forwarding does work)
Chain INPUT (policy DROP 34 packets, 1728 bytes)
pkts bytes target prot opt in out source destination
1 40 DROP all — * * 0.0.0.0/0 0.0.0.0/0 state INVALID
8898 1117K ACCEPT all — * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 shlimit tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
1 140 ACCEPT all — lo * 0.0.0.0/0 0.0.0.0/0
348 25898 ACCEPT all — br0 * 0.0.0.0/0 0.0.0.0/0
52 17782 ACCEPT udp — * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
31330 34M all — * * 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
0 0 ACCEPT all — br0 br0 0.0.0.0/0 0.0.0.0/0
23 1570 DROP all — * * 0.0.0.0/0 0.0.0.0/0 state INVALID
436 21692 TCPMSS tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
30785 34M ACCEPT all — * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 wanin all — vlan2 * 0.0.0.0/0 0.0.0.0/0
207 21155 wanout all — * vlan2 0.0.0.0/0 0.0.0.0/0
521 36967 ACCEPT all — br0 * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 706 packets, 579K bytes)
pkts bytes target prot opt in out source destination

Chain wanin (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp — * * 0.0.0.0/0 192.168.1.100 tcp dpt:22
0 0 ACCEPT tcp — * * 0.0.0.0/0 192.168.1.100 tcp dpt:25
1 60 ACCEPT tcp — * * 0.0.0.0/0 192.168.1.100 tcp dpt:80
0 0 ACCEPT tcp — * * 0.0.0.0/0 192.168.1.100 tcp dpt:443
0 0 ACCEPT tcp — * * 0.0.0.0/0 192.168.1.130 tcp dpt:45631
0 0 ACCEPT tcp — * * 0.0.0.0/0 192.168.1.130 tcp dpt:1550
0 0 ACCEPT udp — * * 0.0.0.0/0 192.168.1.130 udp dpts:1550:1556
0 0 ACCEPT tcp — * * 0.0.0.0/0 192.168.1.130 tcp dpts:6783:6785
0 0 ACCEPT udp — * * 0.0.0.0/0 192.168.1.130 udp dpts:6783:6785

Chain wanout (1 references)
pkts bytes target prot opt in out source destination

Chain PREROUTING (policy ACCEPT 230 packets, 17996 bytes)
pkts bytes target prot opt in out source destination
88 4468 WANPREROUTING all — * * 0.0.0.0/0 71.72.125.234
0 0 DROP all — vlan2 * 0.0.0.0/0 192.168.1.0/24

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
125 9484 MASQUERADE all — * vlan2 0.0.0.0/0 0.0.0.0/0
1 340 SNAT all — * br0 192.168.1.0/24 192.168.1.0/24 to:192.168.1.1

Chain OUTPUT (policy ACCEPT 32 packets, 2147 bytes)
pkts bytes target prot opt in out source destination

Chain WANPREROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT icmp — * * 0.0.0.0/0 0.0.0.0/0 to:192.168.1.1
0 0 DNAT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.1.100
0 0 DNAT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:192.168.1.100
1 60 DNAT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.100
0 0 DNAT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.1.100
0 0 DNAT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:45631 to:192.168.1.130
0 0 DNAT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1550 to:192.168.1.130
0 0 DNAT udp — * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1550:1556 to:192.168.1.130
0 0 DNAT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6783:6785 to:192.168.1.130
0 0 DNAT udp — * * 0.0.0.0/0 0.0.0.0/0 udp dpts:6783:6785 to:192.168.1.130

Chain PREROUTING (policy ACCEPT 48670 packets, 36M bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 9373 packets, 1167K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 39161 packets, 34M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 16960 packets, 21M bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 56098 packets, 56M bytes)
pkts bytes target prot opt in out source destination

As always, Thanks.. if you see anything and can give some thoughts, I'm always appreciative!

Options

Unfold Re: Assistance Please! OpenVPN and Port Forwarding. by

Kanth, 13 Sep 2012 21:41

Fold

Paul (guest) 14 Sep 2012 04:44

iptables isn't my strong suite but I think it's the following line that's changing the natting and sending it to tun11 interface instead of br0

225 11263 MASQUERADE all — * tun11 192.168.1.0/24 0.0.0.0/0

Try to play with a few options to experiment with on the vpn settings, try turning off "create nat on tunnel" or whatever in the vpn options. Also play with the "router internet traffic through tunnel" options (don't forget to stop and start vpn after each change". Also try to set firewall to custom on vpn settings, if one of those options restores your port forwarding at least you'd know where to look.

Also I didn't see the 209 IP address anywhere in your iptables dump, so I'm not sure if that's a made up IP or if that's not the ip of the router you are examining? Is that the ip of the gateway of the vpn server?

Hope this helps.. not sure what else to suggest :)

Options

Unfold by

Paul (guest), 14 Sep 2012 04:44

Fold

Re: Assistance Please! OpenVPN and Port Forwarding.

Kanth 14 Sep 2012 06:06

Yep..

I'm kinda looking at these two threads. Which kinda seem to indicate the same problem.

forums.openvpn(dotnet)/topic9172.html
forums.openvpn(dotnet)/topic7163.html
strongvpn(dotcom)/forum/viewtopic.php?id=897

It is kinda boggling me though that no one goes behind a vpn service.. and then also uses port forwarding.
I would think this would be a common thing?

Options

Unfold Re: Assistance Please! OpenVPN and Port Forwarding. by

Kanth, 14 Sep 2012 06:06

New Post

TomatoUSB

Unleash your router