Redirect specific PORT through VPN

pierredugland

Hi everyone,

First post here. Hope you guys can help me.

I have followed the instructions here (https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing-(manual-method)) to redirect some traffic through my VPN.

The trick is I want to redirect a port and not all traffic that comes from an internal IP address.

I thought I could use the -sport parameter (https://www.cyberciti.biz/tips/linux-iptables-how-to-specify-a-range-of-ip-addresses-or-ports.html) to supplement the script above but no luck.

I used that line in the script instead of the recommended one:
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.23 -j MARK --set-mark 0 -p tcp -sport 8112

Here is how I'm set up. You can maybe tell me how I should proceed...

1. AC88U router @ 192.168.1.1 running latest Merlin (jffs enabled and I have verified that my VPN client works and that the scripts in the jffs folder get taken into account)
2. NAS sitting on an internal IP address (for the sake of this question let's say 192.168.1.50)
3. On the NAS itself I am running some docker containers, for which I have allowed passthrough access to WAN. Let's use my deluge image as an example: 192.168.1.50:8112 is the address of it and I have forwarded that port through my router to give it access to the internet.

My end goal is to redirect all Deluge traffic through the VPN but not all traffic from the NAS.
I also would like to keep remote access to the target of the redirected traffic (the deluge container in that case).

Is there a way to do it? What have I missed?
 

Even two years ago, I stated that the quoted script is flawed for several reasons (conflicting use of an ASUS reserved fwmark is one)

All of the quoted script features for selectively routing devices/IPs are now included in the firmware in a more robust manner; however, selectively routing ports requires additional manual rules.

i.e. You may be able to force the NAS hosted Deluge data ports via the VPN - whilst still allowing access to the Deluge Web-UI from the WAN (via the forwarded port 8112)

e.g. Enforce Selectively routing Port 62958 traffic from/to 192.168.1.50 via VPN Client 1
Code:
NAS="192.168.1.50"
DELUGE_PORTS="62958"
TAG_MARK="0x1000/0x1000"   # VPN Client 1 fwmark TAG (see recommended RPDB fwmarks below)

ip rule add from 0/0 fwmark $TAG_MARK table ovpnc1 prio 9993             # VPN 1 fwmark

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $NAS -p tcp -m multiport --sport $DELUGE_PORTS -j MARK --set-mark $TAG_MARK

NOTE: In order to safely use Selective Port routing, the firmware unfortunately omits creating the following RPDB rules, so the following RPDB fwmark mapping is recommended, and should be executed once during boot:
Code:
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990             # WAN   fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991             # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992             # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993             # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994             # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995             # VPN 3 fwmark
 
Maybe you could update the wiki to that effect. Then at least you wouldn't have to keep repeating yourself.:)
 

That's great, thank you, I will give it a try.
If I want several ports included in $DELUGE_PORTS should I just create several lines or is there a syntax for multiple ports?
Just to confirm, the code you wrote above goes into the `open-vpn` script from the flawed wiki?

Thanks again for taking the time.
 
If I want several ports included in $DELUGE_PORTS should I just create several lines or is there a syntax for multiple ports?
Simply use a .csv format for the ports together with ':' delimited ranges.

e.g. three distinct ports (62958,12345,54321), and eleven ports in the range 54000:54010.
Code:
DELUGE_PORTS="62958,12345,54321,54000:54010"
NOTE: Using a single rule consolidates the rule count, so if you need to debug, then you can temporarily create multiple individual rules.
Just to confirm, the code you wrote above goes into the `open-vpn` script from the flawed wiki?
Simply clone '/jffs/scripts/openvpn-event' from @john9527's openvpn-event script template so you can explicitly choose which openvpn-event trigger code is actually used by each individual Server/Client.

Now you can create unique trigger event custom scripts for each client/server

i.e. Create script 'vpnclient1-route-up' to add your iptables rules only for VPN Client 1, and delete them in 'vpnclient1-down' to prevent duplicates.
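Putting the two answers above together, as an added example that is not the thread's own code: one POSIX sh openvpn-event handler, assumed to be installed under both the 'vpnclient1-route-up' and 'vpnclient1-down' names, that validates the csv/range port list, creates the VPN Client 1 fwmark mapping only when it is missing, and adds or deletes the single multiport mangle rule so reconnects do not accumulate duplicate rules. The validation function and the RUN=echo dry-run switch are assumptions of this example, not something from the thread; the NAS address, ports and fwmark are the thread's values.

```shell
#!/bin/sh
# Added example, not the thread's own script: one openvpn-event handler for VPN
# Client 1 that adds the selective-port rules on 'route-up' and removes them on
# 'down' so reconnects never pile up duplicates. Assumed: installed as both
# 'vpnclient1-route-up' and 'vpnclient1-down' (e.g. symlinked); values from thread.
NAS="192.168.1.50"
DELUGE_PORTS="62958,12345,54321,54000:54010"   # csv list, ':' delimits a range
TAG_MARK="0x1000/0x1000"                       # VPN Client 1 fwmark TAG
RUN="${RUN:-}"     # RUN=echo prints the commands instead of applying them

# Validate the spec before it reaches iptables: each csv item is a port 1-65535
# or a low:high range with low <= high.
valid_ports() {
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
    [ $# -gt 0 ] || return 1
    for item in "$@"; do
        case "$item" in
            *:*:*) return 1 ;;
            *:*)   lo=${item%%:*}; hi=${item#*:} ;;
            *)     lo=$item; hi=$item ;;
        esac
        case "$lo" in ''|*[!0-9]*) return 1 ;; esac
        case "$hi" in ''|*[!0-9]*) return 1 ;; esac
        [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
    done
}

# The thread's mangle rule, one rule for all ports via multiport; $1 is -A or -D.
mark_rule() {
    echo "-t mangle $1 PREROUTING -i br0 -m iprange --src-range $NAS" \
         "-p tcp -m multiport --sport $DELUGE_PORTS -j MARK --set-mark $TAG_MARK"
}

del_rules() {
    $RUN iptables $(mark_rule -D) 2>/dev/null || true   # absent rule is fine here
}
add_rules() {
    valid_ports "$DELUGE_PORTS" || { echo "bad DELUGE_PORTS: $DELUGE_PORTS" >&2; return 1; }
    # 'ip rule add' is not idempotent: add the fwmark -> ovpnc1 mapping only if absent.
    ip rule show 2>/dev/null | grep -q "fwmark $TAG_MARK lookup ovpnc1" ||
        $RUN ip rule add from 0/0 fwmark "$TAG_MARK" table ovpnc1 prio 9993
    del_rules                    # drop a stale copy left by an earlier route-up
    $RUN iptables $(mark_rule -A)
}

case "${0##*/}" in
    *-route-up) add_rules ;;
    *-down)     del_rules ;;
esac
```

Running it by hand as `RUN=echo sh vpnclient1-route-up` prints the exact ip and iptables commands without applying them, which is a cheap way to review the rule before the real event fires.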
 
Hi folks

Sorry if my question does not fit this thread, but I found it most relevant when googling around ;-)

I have set up the VPN client on my AC86U and it is running as it should. My VPN provider does provide some random port numbers to add to the jffs partition.

Just to specify, I have been able to open ports to an Emby server because the Emby ports can be changed to specific ports.
In Plex server, port 32400 can not be changed though. And the problem is that my vpn provider does not offer 32400 as a port to be forwarded.

Therefore I need to map the port provided by my vpn to 32400, right?

As I am fairly new at scripts, and confused about what the script actually does, other than open ports, I need help understanding why opening ports in the web interface does not work?

Also, if I am missing something in the jffs script, please let me know. As mentioned earlier, this script does open the port correctly when I use Emby, but not Plex. And I really want to get remote access in Plex.

Anyhow, this is what the script looks like:

iptables -I FORWARD -i tun11 -p udp -d 192.168.1.1** --dport 1**** -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.1** --dport 1**** -j ACCEPT

iptables -I FORWARD -i tun11 -p udp -d 192.168.1.1** --dport 1**** -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.1** --dport 1**** -j ACCEPT

iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 2**** -j DNAT --to-destination 192.168.1.1**
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 2**** -j DNAT --to-destination 192.168.1.1**

iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 2**** -j DNAT --to-destination 192.168.1.1**
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 2**** -j DNAT --to-destination 192.168.1.1**
 

Not sure I understand why your Plex server needs to go through your VPN provider?

Is your Plex server on a NAS with a specific LAN-IP or a hard drive connected to your router?
Do you want a couple of devices at home to use a VPN client or do you need your router (192.168.50.1) to go through the VPN client?
 
@Salles

Thank you for answering. I understand your "confusion", as I did not explain the whole scenario.

I'm behind double NAT (4G/LTE) and must use OpenVPN on the AC86U to grant remote access to my home server.

So yes, my router is running a VPN client.

My previous VPN service offered custom ports so I could "order" 32400, which worked perfectly when adding the port to the script I posted earlier.

My present VPN service offers random ports and I cannot "order" 32400, but only, for example, 12345.

Question is how I map 12345 to 32400 in the AC86U running Merlinwrt, as adding this information in the web interface does not open 32400.

I guess I need to add something in the jffs script. But I'm not smart enough / don't have the Linux know-how to figure out which command to type in?
 

Ok, I understand.
Sorry no idea how to do that.
I would switch VPN service provider if you know it works with your previous one.
 
