Help with port forwarding for ProtonVPN on AX-56U

Aide0669

The Asus AX-56U router allows for an OpenVPN connection to launch at startup, and disables all non-VPN traffic. This makes for a really great setup for me, where all my devices are thus behind a VPN at the router level. Furthermore, I was able to add port forwarding to my VPN so I can connect to it remotely if I want to do work away from home.

Unfortunately my current VPN provider (IVPN.net) will soon no longer allow port forwarding (starting Sept 30), so I'm trying to switch my router VPN to ProtonVPN. I've seen it's possible to SSH into the JFFS folder on my Asus router and add scripts, and I've seen ProtonVPN allows port forwarding with scripts (seen here).

Can someone help me add ProtonVPN port forwarding to the AX-56U router? Preferably I need whatever port number they give me to remain the same in between 3 minute router resets.

Thank you in advance!
 
Well, I'm currently forwarding ports through my vpn provider, which is AirVPN to my LAN devices, using shell scripts.
My router is not an AX-56U, as yours, but I think this doesn't make a difference.
Basically, you only need to put these lines in the firewall-start (or nat-start) script, located in the /jffs/scripts folder:

Bash:
iptables -I FORWARD -i ovpn1 -p tcp -d 10.50.1.2 --dport 3380 -j ACCEPT
iptables -t nat -I PREROUTING -i ovpn1 -p tcp --dport 3380 -j DNAT --to-destination 10.50.1.2

Of course, changing interface name to your interface's name, and ports and ip addresses to yours, and also:

Bash:
iptables -D FORWARD -i ovpn1 -p tcp -d 10.50.1.2 --dport 3380 -j ACCEPT
iptables -t nat -D PREROUTING -i ovpn1 -p tcp --dport 3380 -j DNAT --to-destination 10.50.1.2

On your firewall-stop or nat-stop, in order to remove the rules from iptables.

That is all; I hope I could help you.
 
Thanks. Your suggestion is what worked with IVPN as they assigned a port to me in their web portal, but IVPN is ending port forwarding in 2 days. Here is how ProtonVPN suggests creating port forwarding on Linux:

https://protonvpn.com/support/port-forwarding-manual-setup/

For a Linux setup ProtonVPN only assigns a port via a terminal using the natpmpc command. For example, Proton says this command:

Code:
natpmpc -a 1 0 udp 60 -g 10.2.0.1

results in ProtonVPN reserving a port for the client (eg: 53186). Then you create a port mapping for TCP, and then you need to loop the natpmpc command (eg: every 45 seconds or so) or else the ProtonVPN port will close (their window is 60 seconds):

Code:
while true ; do date ; natpmpc -a 1 0 udp 60 -g 10.2.0.1 && natpmpc -a 1 0 tcp 60 -g 10.2.0.1 || { echo -e "ERROR with natpmpc command \a" ; break ; } ; sleep 45 ; done

So my confusion is how to set up these natpmpc commands within my Asus router, possibly within the JFFS folder, so that they automatically execute when the router boots. Any ideas?
 
I've no idea.
If I launch the natpmpc command on my AX-86U console, it says the following:

Bash:
juanantonio@RT-AX86U-6C38:/tmp/home/root# natpmpc
-sh: natpmpc: not found
juanantonio@RT-AX86U-6C38:/tmp/home/root#

So it seems to me that the command is not implemented on my Asus Router.
Regards.
 
Is it possible to install natpmpc, or is there a natpmpc equivalent that might work that is already installed?

Perhaps a script can install natpmpc on boot?
 
Well, I would say that you can install through opkg:

Bash:
juanantonio@RT-AX86U-6C38:/tmp/home/root# opkg list natpmpc
natpmpc - 20150609-3 - libnatpmp is an attempt to make a portable and fully compliant implementation
 of the protocol for the client side. It is based on non blocking sockets and
 all calls of the API are asynchronous. It is therefore very easy to integrate
 the NAT-PMP code to any event driven code.
 This package contains the natpmp client.

If you need it, as far as I can see, you could install it by typing

Bash:
opkg install natpmpc

In your router's terminal.
Regards.
 
Interesting. Thanks! Is it relatively straightforward to create a script that can run the natpmpc commands above on router boot? I'm pretty noob over here.
 
There are plenty of tutorials online. Just search Google for that.
You should put your natpmpc commands in nat-start or firewall-start, and also in their respective counterparts, nat-stop and firewall-stop, I think.
Regards
 
There are no such scripts as nat-stop and firewall-stop.
 
You are right, @ColinTaylor, I mistook my script wgclient-stop for the other ones.
So, if you want to delete your iptables rules added on nat-start and firewall-start, how should you proceed?
Regards
 
It might take a bit of experimentation, but for OpenVPN I would probably use an openvpn-event script with conditional code based on the interface name and the value of $script_type (e.g. route-up and route-pre-down). Then not use nat-start or firewall-start at all.

EDIT: It looks like making changes in the GUI that would cause a firewall restart will wipe out any changes made by openvpn-event. So in the end it's probably best to use nat-start and firewall-start to insert rules and not worry about deleting them.
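
One way to combine the natpmpc renewal loop and the DNAT rules discussed in this thread, as an added example that is not from any poster. The gateway, interface name and LAN address are the ones quoted above; `LAN_PORT`, the function names and the exact "Mapped public port" line format of natpmpc are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. GW, ovpn1 and 10.50.1.2 are the values quoted
# in the posts; LAN_PORT and the natpmpc output format are assumptions.
GW=10.2.0.1
VPN_IF=ovpn1
LAN_IP=10.50.1.2
LAN_PORT=3380

# Constructed sample of natpmpc output (assumed format), used to exercise the parser.
SAMPLE='initnatpmp() returned 0 (SUCCESS)
using gateway : 10.2.0.1
Mapped public port 53186 protocol TCP to local port 0 lifetime 60'

# Read natpmpc output on stdin and print the mapped public port.
# Fails unless the value is a number in 1..65535, so nothing else reaches iptables.
parse_mapped_port() {
    port=$(sed -n 's/^Mapped public port \([0-9][0-9]*\) protocol.*/\1/p' | head -n 1)
    [ -n "$port" ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    echo "$port"
}

# Print the rule pair for one public port. $1 is -I or -D, $2 is the public port.
# FORWARD sees the post-DNAT destination, so it matches LAN_PORT, not the public port.
rules_for() {
    echo "iptables $1 FORWARD -i $VPN_IF -p tcp -d $LAN_IP --dport $LAN_PORT -j ACCEPT"
    echo "iptables -t nat $1 PREROUTING -i $VPN_IF -p tcp --dport $2 -j DNAT --to-destination $LAN_IP:$LAN_PORT"
}

# Print the commands that move the forward from old port $1 (may be empty) to $2.
plan_update() {
    [ "$1" = "$2" ] && return 0
    [ -n "$1" ] && rules_for -D "$1"
    rules_for -I "$2"
}

# Renew every 45 s (the lease is 60 s); on any failure remove the rules and stop,
# so no forward stays open after the mapping has lapsed.
renew_loop() {
    current=""
    while true; do
        natpmpc -a 1 0 udp 60 -g "$GW" >/dev/null || break
        new=$(natpmpc -a 1 0 tcp 60 -g "$GW" | parse_mapped_port) || break
        plan_update "$current" "$new" | sh
        current=$new
        sleep 45
    done
    [ -n "$current" ] && rules_for -D "$current" | sh
    return 1
}

if [ "${1:-}" = run ]; then renew_loop; fi
```

The loop only rewrites rules when the assigned port changes, so rules flushed by a firewall restart are not restored until the script is started again.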
 
I have multiple wireguard connections active via Proton VPN. Not all of them have port forwarding enabled.



On a network connected linux machine, when I run this command it's successful:

natpmpc -g 10.2.0.1

However when I run it directly on the router via SSH, it fails:

admin@RT-AX56U-BE88:/tmp/home/root# natpmpc -g 10.2.0.1
initnatpmp() returned 0 (SUCCESS)
using gateway : 10.2.0.1
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned -100 (TRY AGAIN)
readnatpmpresponseorretry returned -100 (TRY AGAIN)

Can anyone help me out?

Seeing as all the wireguard interfaces use the same IP (described here) - maybe the command is not getting sent through to a connection that has port forwarding enabled?
 
