Policy-based port routing to bypass NordVPN client


aliens

Hi everyone,

I'm on a RT-AC86U with Merlin on 386.12 and a PPPoE WAN + VPN setup. UPnP is disabled. Port forwarding has been enabled in the WAN config on 51413.

To keep it short, my goal is for all the traffic of the network to be routed through my NordVPN (which doesn't allow port forwarding) client, except from a couple of IPs and, additionally, except from a specific ip (192.168.1.234) and port (51413) combination.

I've used the policy-based port routing documentation without any success. It seems that, while the VPN is disabled, the forwarded port is correctly detected as being open. When I enable the VPN, the port now shows as being closed.

NordVPN settings

(Two screenshots: ASUS RT-AC86U OpenVPN Client Settings)


cat /jffs/scripts/nat-start

Bash:
#!/bin/sh

sleep 10  # During the boot process nat-start may run multiple times so this is required

logger -st "nat-start" "Deleting previous rules"

for VPN_ID in 0 1 2 3 4 5
   do
      ip rule del prio 999$VPN_ID  2>/dev/null
   done

logger -st "nat-start" "Adding iptables rules"

# Create the RPDB rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark

iptables -t mangle -D PREROUTING -i br0 -s 192.168.1.234 -p tcp -m multiport --dport 51413 -j MARK --set-mark 0x8000/0x8000 2>/dev/null

iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.234 -p tcp -m multiport --dport 51413 -j MARK --set-mark 0x8000/0x8000

ip rule show

Bash:
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
10010:  from 192.168.1.244 lookup main
10011:  from 192.168.1.166 lookup main
10012:  from 192.168.1.1 lookup main
10410:  from 192.168.1.0/24 lookup ovpnc2
32766:  from all lookup main
32767:  from all lookup default

iptables -t mangle -L -v -n

Bash:
Chain PREROUTING (policy ACCEPT 335K packets, 337M bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   172 MARK       tcp  --  br0    *       192.168.1.234        0.0.0.0/0            multiport dports 51413 MARK or 0x8000

Chain INPUT (policy ACCEPT 136K packets, 171M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 199K packets, 166M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 76678 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 276K packets, 180M bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables -t nat -L -v -n

Bash:
Chain PREROUTING (policy ACCEPT 488 packets, 75061 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            224.0.0.0/4
   51  4143 GAME_VSERVER  all  --  *      *       0.0.0.0/0            **WAN IP**
   51  4143 VSERVER    all  --  *      *       0.0.0.0/0            **WAN IP**
    0     0 GAME_VSERVER  all  --  *      *       0.0.0.0/0            **VPN IP**
    0     0 VSERVER    all  --  *      *       0.0.0.0/0            **VPN IP**

Chain INPUT (policy ACCEPT 107 packets, 7261 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 77 packets, 5278 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 77 packets, 5222 bytes)
 pkts bytes target     prot opt in     out     source               destination
  334 64143 MASQUERADE  all  --  *      tun12   0.0.0.0/0            0.0.0.0/0
  360 53069 PUPNP      all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
  157 38043 MASQUERADE  all  --  *      ppp0   !**WAN IP**       0.0.0.0/0
    0     0 MASQUERADE  all  --  *      eth0   !**VPN IP**      0.0.0.0/0
  270 18585 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24

Chain DNSFILTER (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain GAME_VSERVER (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain MAPE (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PCREDIRECT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:51413 to:192.168.1.234:51413
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51413 to:192.168.1.234:51413
   48  3963 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination


So, my question is: is it simply the case that NordVPN overrides the policy rules I've set up by pushing its own rules? But if that's the case, why do the VPN Director exception rules (the ones I've set up in the GUI for those other IPs) work? Or is it something else I'm missing?

Much appreciated!
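An added example, not the poster's nat-start script nor anything posted in this thread: a variant that marks the forwarded service's reply traffic (packets leaving 192.168.1.234 with source port 51413) with CONNMARK so those replies follow the WAN while everything else from that host stays in the tunnel. It assumes the values from the thread (192.168.1.234, 51413, mark 0x8000, ppp0 as WAN), that the poster's `ip rule ... fwmark 0x8000/0x8000 table main prio 9990` is already installed, and that the router's iptables has the CONNMARK target; the `run`/`mangle_rule` helpers and the DRY_RUN switch are assumptions added for previewing the rules.

```shell
#!/bin/sh
# Added example, not the poster's nat-start: send only the REPLIES of the forwarded
# service (192.168.1.234:51413) out the WAN while the host's other traffic stays in
# the tunnel. Uses the thread's values and relies on the poster's existing
# "ip rule add ... fwmark 0x8000/0x8000 table main prio 9990".
LAN_HOST=192.168.1.234
FWD_PORT=51413
MARK=0x8000
WAN_IF=ppp0

# Assumed helpers: with DRY_RUN=1 the commands are printed instead of executed;
# off the router (no iptables binary) it switches to printing automatically.
command -v iptables >/dev/null 2>&1 || DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }
mangle_rule() {                               # drop a stale copy quietly, then add
  run iptables -t mangle -D PREROUTING "$@" 2>/dev/null
  run iptables -t mangle -A PREROUTING "$@"
}

build_rules() {
  # "-s LAN_HOST --dport 51413" only matches the host's OWN outbound connections
  # to remote peers on 51413. Replies to an inbound forward leave the host with
  # SOURCE port 51413, carry no mark, and so hit "from 192.168.1.0/24 lookup
  # ovpnc2" and exit via tun12 with the VPN address: the port looks closed.
  for proto in tcp udp; do                    # the VSERVER DNAT covers both
    # 1) Mark the connection once, on the first packet arriving from the WAN.
    #    mangle PREROUTING runs before the nat DNAT, so --dport is still 51413.
    mangle_rule -i "$WAN_IF" -p "$proto" --dport "$FWD_PORT" \
        -j CONNMARK --set-xmark "$MARK/$MARK"
    # 2) Copy that connection mark onto each reply packet from the LAN host, so
    #    the prio-9990 rule routes it through table main (WAN), not ovpnc2.
    #    Only connections that really came in via ppp0 are affected.
    mangle_rule -i br0 -s "$LAN_HOST" -p "$proto" --sport "$FWD_PORT" \
        -j CONNMARK --restore-mark --nfmask "$MARK" --ctmask "$MARK"
  done
}

build_rules
# On the router, verify the marked reply path resolves to the WAN (assumed check):
#   ip route get 203.0.113.1 from 192.168.1.234 iif br0 mark 0x8000   # expect dev ppp0
```

Because the restore rule copies a mark that only WAN-arriving connections carry, the host's own outbound connections that happen to use source port 51413 are not pulled out of the tunnel.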
 
Hi, I'm no expert at all so my contribution here may be worthless. Be that as it may, I went through a similar conundrum with VPNs recently and lots of frustration. Looking at the above, there are two different addresses: 192.168.1.234 is given in the nat-start script but it's 192.168.1.244 in the ip rules, and that's directed to the WAN. As I say, I'm no expert, but my problem drove me mad so I hope it's something as simple as that!
 
Hey, the .244 IP is for a different device that I want completely routed through the WAN, which is why I used the VPN Director GUI rules for that specific case. The .234 IP, however, is for a device which I mostly want routed through the VPN, except for a single port that should bypass it. Hope that makes sense :)
 
Ah yes, I'm with you now. /24 sends everything through the VPN and you have to make exceptions in the director. But, and again coming from a place of little knowledge, don't you need NordVPN to open the port? The incoming ports are at their end, aren't they? This means that no matter what you do on the router, the port will stay closed. I'm assuming 51413 is for Transmission, given it's the same port I spent many hours trying to open through a VPN. I'm new to all of this so sorry not to be more help; I hope someone comes along with a solution. I'm following with interest!
 
don't you need NordVPN to open the port
I'm hoping no. Since VPN Director can route certain IPs through the WAN and others through the VPN (and I'm assuming it does that by pushing its own iptables rules), I hope it's possible for the same to be true with an IP/port combination.
 
I think you do need the VPN provider to open the port. Hopefully someone who knows will either confirm or deny this!

I tried various VPN services who didn't offer port forwarding so the port was always closed. I then tried AirVPN who provide an open port, but I couldn't get it to work with Transmission (not with it on the router; I didn't try with it on the PC), or at least I couldn't get Transmission to say the port was open. Since then I've started to suspect the slow speeds I was getting with AirVPN were related to something other than the reported closed port, so I might give them another go.
 
I'm hoping no. Since VPN Director can route certain IPs through the WAN and others through the VPN (and I'm assuming it does that by pushing its own iptables rules), I hope it's possible for the same to be true with an IP/port combination.
VPN Director works by manipulating routing tables. That's why it's limited to using IP addresses.
 
Right, so I guess that takes precedence over the iptables rules I'm trying to set up?

If yes, is there any other workaround? Also, does that mean that the documentation for the policy-based port routing is no longer applicable?
 
If yes, is there any other workaround? Also, does that mean that the documentation for the policy-based port routing is no longer applicable?
I don't know. I never looked at that, and I didn't write the wiki article either.
 
Maybe you can have a look in the addons section: x3mRouting, installed via amtm in SSH. It still works with your selection of domains via dnsmasq.
Or, if you want to do port forwarding with a VPN provider, take a look at AirVPN (I'm not associated).
My 2 cents.
 
Have you looked at the ASUS native firmware? Under the VPN client setup it's possible to route IPs out of various OpenVPN clients by selecting hosts (tick boxes). The number of OpenVPN sessions is limited due to resource issues. Careful, as I have seen the default internet PPPoE link (it appears to treat the PPPoE as a VPN) being deselected and the newly created client VPN session then becoming the new default route to the internet, i.e. everything on the LAN goes via the VPN.
I have "played" with this on the latest version of ASUS firmware for the RT-AX88U using PIA VPN. However, I have reverted to ASUS Merlin for my use case.
 