Port Forwarding while running OpenVPN Client

[Viktor Jaep]

Hi All,

I'm using StrongVPN's openvpn service on my RT-AC3100, and is working great at this moment. Whenever I have VPN actively running, the ports that I had configured via the GUI to be forwarded to internal clients no longer seem to work, and ports appear "closed" when checking them from the outside.

My question is... what is the best way to enable port forwarding while using the VPN? I dug up this script from another thread, and wondering if something like this would work? Is there a way for this to automatically run when the router reboots, or am I out of luck? Is there anything easier or more straightforward than this? Please let me know if I'm missing anything...

iptables -I FORWARD -i tun12 -p udp -d 192.168.2.140 --dport 9958 -j ACCEPT
iptables -I FORWARD -i tun12 -p tcp -d 192.168.2.140 --dport 9958 -j ACCEPT
iptables -t nat -I PREROUTING -i tun12 -p tcp --dport 9958 -j DNAT --to-destination 192.168.2.140
iptables -t nat -I PREROUTING -i tun12 -p udp --dport 9958 -j DNAT --to-destination 192.168.2.140

Thank you,
Viktor

 

[Jack Yaz]

Hi All,

I'm using StrongVPN's openvpn service on my RT-AC3100, and is working great at this moment. Whenever I have VPN actively running, the ports that I had configured via the GUI to be forwarded to internal clients no longer seem to work, and ports appear "closed" when checking them from the outside.

My question is... what is the best way to enable port forwarding while using the VPN? I dug up this script from another thread, and wondering if something like this would work? Is there a way for this to automatically run when the router reboots, or am I out of luck? Is there anything easier or more straightforward than this? Please let me know if I'm missing anything...

iptables -I FORWARD -i tun12 -p udp -d 192.168.2.140 --dport 9958 -j ACCEPT
iptables -I FORWARD -i tun12 -p tcp -d 192.168.2.140 --dport 9958 -j ACCEPT
iptables -t nat -I PREROUTING -i tun12 -p tcp --dport 9958 -j DNAT --to-destination 192.168.2.140
iptables -t nat -I PREROUTING -i tun12 -p udp --dport 9958 -j DNAT --to-destination 192.168.2.140

Thank you,
Viktor

It entirely depends if your VPN provider supports port forwarding. If the endpoint you connect to (so your public IP), doesn't allow port forwards, then it won't work. Some providers, like AirVPN, allow you to register some port forwards on specific servers.

 

[Viktor Jaep]

It entirely depends if your VPN provider supports port forwarding. If the endpoint you connect to (so your public IP), doesn't allow port forwards, then it won't work. Some providers, like AirVPN, allow you to register some port forwards on specific servers.

According to support, StrongVPN does indeed forward all ports.

 

[RMerlin]

Then it means you have to use the IP of your tunnel rather than the IP of your ISP, otherwise your traffic will come in from the ISP, and will try to be routed out through the VPN, which won't work.

 

[Viktor Jaep]

Then it means you have to use the IP of your tunnel rather than the IP of your ISP, otherwise your traffic will come in from the ISP, and will try to be routed out through the VPN, which won't work.

Thank you... so in that case, would something like this work? Is this the only way to do it, with commands like this? I'm not missing anything in the GUI that would accomplish this, right? Is there a way to ensure this survives on a reboot, or would I just need to run this each time I reboot the router?

iptables -I FORWARD -i tun12 -p udp -d 192.168.2.140 --dport 9958 -j ACCEPT
iptables -I FORWARD -i tun12 -p tcp -d 192.168.2.140 --dport 9958 -j ACCEPT
iptables -t nat -I PREROUTING -i tun12 -p tcp --dport 9958 -j DNAT --to-destination 192.168.2.140
iptables -t nat -I PREROUTING -i tun12 -p udp --dport 9958 -j DNAT --to-destination 192.168.2.140

Thanks,
Viktor

 

[RMerlin]

Might work. I'm not sure, I never tried to forward ports through a VPN tunnel.

 

[sevenz]

I see you're using my example

I take a look at StrongVPN FAQs and I don't see anything about port forwarding. Mind if you link it for me to see?

 

[Viktor Jaep]

I see you're using my example

I take a look at StrongVPN FAQs and I don't see anything about port forwarding. Mind if you link it for me to see?

I'm sorry, sevenz... not sure what you mean? Link what from where? Thanks for your example... I'm just trying to get clarification on this, and seeing if there's a way to make sure this survives a reboot, etc. Have you been able to use this or enhance upon it?

Thanks,
Viktor

 

[Viktor Jaep]

Might work. I'm not sure, I never tried to forward ports through a VPN tunnel.

I gave it a shot... the commands were successful, and the entries are in my iptables, however, the port still shows as closed. ;( It might be tougher than expected... bah. I'll continue researching.

Thanks,
Viktor

 

[sevenz]

I'm sorry, sevenz... not sure what you mean? Link what from where? Thanks for your example... I'm just trying to get clarification on this, and seeing if there's a way to make sure this survives a reboot, etc. Have you been able to use this or enhance upon it?

Thanks,
Viktor

Link to where they state that they give/provide you some kind of port forwarding, but that's not the important part.

Have you fixed it? And have you seen this link? https://www.snbforums.com/threads/strongvpn-port-forwarding.10615/
He uses StrongVPN as well, though it's an old thread.

 

[Viktor Jaep]

Link to where they state that they give/provide you some kind of port forwarding, but that's not the important part.

Have you fixed it? And have you seen this link? https://www.snbforums.com/threads/strongvpn-port-forwarding.10615/
He uses StrongVPN as well, though it's an old thread.

Ahhh... No, I was chatting with a support guy about it... He was the one who verified that yes, they do allow port forwards.

Wow! That post looks very promising! I can tell you now that I wasn't using the 192.168.1.150:XXXX port notation... So that may very well do the trick! Hope to give this a shot this afternoon! Also, it looks like you can use that NAT script to help it survive a reboot!

Thanks for the help!
-Viktor

 

[Viktor Jaep]

He uses StrongVPN as well, though it's an old thread.

Well, I tried it, with no luck... I followed the example he had in his post:

iptables -t nat -I PREROUTING -p tcp --dport 8083 -j DNAT --to 192.168.1.150:8083
iptables -I FORWARD -p tcp -d 192.168.1.150 --dport 8083 -j ACCEPT

When that didn't work... I was wondering how this command could even work when it's not even referencing the VPN public IP or connection. So I modified it to reference the tun connection based on your example:

iptables -t nat -I PREROUTING -i tun12 -p tcp --dport 8083 -j DNAT --to 192.168.1.150:8083
iptables -I FORWARD -i tun 12 -p tcp -d 192.168.1.150 --dport 8083 -j ACCEPT

So that still didn't work.

Dead in the water... ;(

Thanks,
Viktor

 

[MaxIkar]

Well, I tried it, with no luck... I followed the example he had in his post:

iptables -t nat -I PREROUTING -p tcp --dport 8083 -j DNAT --to 192.168.1.150:8083
iptables -I FORWARD -p tcp -d 192.168.1.150 --dport 8083 -j ACCEPT

When that didn't work... I was wondering how this command could even work when it's not even referencing the VPN public IP or connection. So I modified it to reference the tun connection based on your example:

iptables -t nat -I PREROUTING -i tun12 -p tcp --dport 8083 -j DNAT --to 192.168.1.150:8083
iptables -I FORWARD -i tun 12 -p tcp -d 192.168.1.150 --dport 8083 -j ACCEPT

So that still didn't work.

Dead in the water... ;(

Thanks,
Viktor

I know it's been awhile.
I needed the same, but just for a single IP on my home network.
What I actually did (kind of a hack) is "Force Internet traffic through tunnel - Policy Rules", and configured that specific IP address to go to WAN, bypassing the VPN.