Forward Port to Client (OpenVPN)

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 57

PostPosted: Fri Oct 16, 2020 15:49    Post subject: Forward Port to Client (OpenVPN) Reply with quote
Hi

I require port 22 to be forwarded from my VPN down to the client so I can portforward to my local tower server.

I have tried the following (https://serverfault.com/questions/659955/allowing-ssh-on-a-server-with-an-active-openvpn-client):
ip rule add from $(ip route get 1 | grep -Po '(?<=src )(\S+)') table 128
ip route add table 128 to $(ip route get 1 | grep -Po '(?<=src )(\S+)')/32 dev $(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)')
ip route add table 128 default via $(ip -4 route ls | grep default | grep -Po '(?<=via )(\S+)')

But no joy. Any advice appreciated.
Sponsor
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 57

PostPosted: Fri Oct 16, 2020 15:51    Post subject: Reply with quote
Just to add, the inline commands return the following:

[root@vpn ~]# echo $(ip route get 1 | grep -Po '(?<=src )(\S+)')
134.209.190.50
[root@vpn ~]# echo $(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)')
eth0
[root@vpn ~]# echo $(ip -4 route ls | grep default | grep -Po '(?<=via )(\S+)')
134.209.176.1
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 57

PostPosted: Fri Oct 16, 2020 15:58    Post subject: Reply with quote
Just tried with openvpn stopped. No joy.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8349

PostPosted: Fri Oct 16, 2020 16:47    Post subject: Reply with quote
Quote:
I require port 22 to be forwarded from my VPN down to the client so I can portforward to my local tower server.


What precisely does that mean? You're assuming everyone just knows. Last I heard on that other thread, you were using an OpenVPN client on the router to your own OpenVPN server on a DigitalOcean VPS.

So is this forwarding a need on the VPS? On the router? Both?

Be specific! Provide details! Assume your audience doesn't have a clue about your config (because many don't).

Given so little information, I will venture a *guess* and assume you're running into the classic problem of the target of port forwarding over the WAN being bound to the VPN. And thus the replies from that port forwarding get routed over the VPN rather than the WAN. There are several workarounds, perhaps the following will help.

http://www.snbforums.com/posts/622640/

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
ddwrt-ovpn-split-basic.sh (UPDATED!)
ddwrt-ovpn-split-advanced.sh (UPDATED!)
ddwrt-blacklist-domains.sh (UPDATED!)
ddwrt-ovpn-client-backup.sh
ddwrt-mount-usb-drives.sh
ddwrt-ovpn-remote-access.sh
ddwrt-pptp-policy-based-routing.sh
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 57

PostPosted: Fri Oct 16, 2020 17:21    Post subject: Reply with quote
So from the start.

I am an OpenVPN user with a DigitalOcean droplet serving my VPN, with uber cool hostnames etc. It works well, albeit with connection drops. I have another thread open looking to tune my VPN in relation to the drops etc.

My DigitalOcean Droplet is currently serving all SSHd requests via port 22. I want to forward port 22 (or any other port really) to my local router so that I can forward it to a machine on the LAN.

Here is some further details:
Router: Linksys WRT 1900ACSv2
Firmware: DD-WRT v3.0-r44538 std (10/13/20)
OpenVPN Version: 2.4.9

Hoping for some help. Also, not sure what that link was but it didn't help.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8349

PostPosted: Fri Oct 16, 2020 19:11    Post subject: Reply with quote
So you want any given port accessed via the public IP of the VPS to be forwarded to the OpenVPN server (running on that same VPS) and through the tunnel to the OpenVPN client running on the router, and targeting either the router itself or beyond to the LAN, correct?

And accessing the WAN of the router directly is NOT an option? Perhaps because you don't have a public IP available from your ISP?

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
ddwrt-ovpn-split-basic.sh (UPDATED!)
ddwrt-ovpn-split-advanced.sh (UPDATED!)
ddwrt-blacklist-domains.sh (UPDATED!)
ddwrt-ovpn-client-backup.sh
ddwrt-mount-usb-drives.sh
ddwrt-ovpn-remote-access.sh
ddwrt-pptp-policy-based-routing.sh
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 57

PostPosted: Fri Oct 16, 2020 20:10    Post subject: Reply with quote
eibgrad wrote:
So you want any given port accessed via the public IP of the VPS to be forwarded to the OpenVPN server (running on that same VPS) and through the tunnel to the OpenVPN client running on the router, and targeting either the router itself or beyond to the LAN, correct?

And accessing the WAN of the router directly is NOT an option? Perhaps because you don't have a public IP available from your ISP?


Doesn’t have to be any port. Could just be a random port that I can open on my router. And yes, accessing public IP is not an option, due to ISP restraints.

Thanks in advance
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8349

PostPosted: Fri Oct 16, 2020 20:40    Post subject: Reply with quote
Is the OpenVPN server currently configured to support site-to-site? IOW, can you ping both the dd-wrt router on its LAN ip and any other LAN devices beyond the router from the OpenVPN server side of the tunnel? If not, you need to get that working first.

Site-to-site requires disabling the "Inbound Firewall on TUN" option in the OpenVPN client. On the OpenVPN server, it requires you specify an "iroute" (that's not a typo, it begins w/ an "i") directive w/ the IP network behind the OpenVPN client.

Code:
iroute 192.168.1.0 255.255.255.0


This iroute directive needs to be in a file using the CN (Common Name) used by the OpenVPN client on its cert, and located in the --client-config-dir (CCD) directory, a directive you add to your OpenVPN server config. You need to add a "route" directive to the OpenVPN server config as well pointing to the same network.

So assuming the CN of the client cert is "client", and your home network is 192.168.1.0/24, and you choose to use /openvpn/ccd as your CCD directory (something you need to initialize prior to running OpenVPN server) ...

Code:
# OpenVPN server config file
client-config-dir /openvpn/ccd
route 192.168.1.0 255.255.255.0

# contents of /openvpn/ccd/client
iroute 192.168.1.0 255.255.255.0


Once that's working (i.e., you can ping any device on the OpenVPN client side from the VPS), you need to forward your ports on the public IP of the VPS to the LAN ip and port of the intended target on the LAN side of the OpenVPN client.

Do you know how to port forward on the VPS and over the tunnel? I don't have a clue about the state of the firewall on the VPS, or if you're even using one (I hope so), or whether you're using UFW, iptables, etc. Using dd-wrt and iptables as a model, a proper port forward would be similar to the following.

Code:
iptables -t nat -I PREROUTING -p tcp -d <public-ip> --dport 22 -j DNAT --to 192.168.1.1:22
iptables -I FORWARD -p tcp -d 192.168.1.1 --dport 22 -j ACCEPT


The DNAT rule changes the public IP to the internal IP of the target, and the FORWARD rule permits the traffic to be forward from one network interface to the other.

If you're using UFW, you'd have to look into that yourself.

Btw, this assumes you already have forwarding enabled on the VPS. If you're using Ubuntu, you'll probably have to execute the following commands to enable it (you only need to do this once).

Code:
sed -ri.bak 's/#(net.ipv4.ip_forward=1)/\1/' /etc/sysctl.conf
sysctl -p /etc/sysctl.conf


In short, 99% of the required changes are on the VPS! Which is what makes it difficult for us to support you. I don't mind helping, but it's *your* VPS, and so there's a heavy burden on your shoulders to get things sorted correctly on that platform.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
ddwrt-ovpn-split-basic.sh (UPDATED!)
ddwrt-ovpn-split-advanced.sh (UPDATED!)
ddwrt-blacklist-domains.sh (UPDATED!)
ddwrt-ovpn-client-backup.sh
ddwrt-mount-usb-drives.sh
ddwrt-ovpn-remote-access.sh
ddwrt-pptp-policy-based-routing.sh
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 57

PostPosted: Fri Oct 16, 2020 21:24    Post subject: Reply with quote
Sounds complicated. Like you say, it’s VPS not Router. On this occasion I am going to outsource to my server tech company to get it working, after all they set this up.

Thanks for the explanation it will help a lot.

Kind regards
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 57

PostPosted: Sat Oct 17, 2020 13:36    Post subject: Reply with quote
So it appears that CSF (a firewall I use) supports redirects.

If anybody knows how to find out what IP address OpenVPN would be referencing my local network as I may be able to save myself some time/money.

Kind regards
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8349

PostPosted: Sun Oct 18, 2020 4:15    Post subject: Reply with quote
Based on your last two posts, I get the impression that you personally are NOT responsible for setting up the VPS. And that makes me wonder if it might have been a better option to use a commercial OpenVPN provider that supports port forwarding from their end of the tunnel (not all do), thus *they* would be responsible for managing the OpenVPN server, the firewall, etc.. All you would have to do is port forwarding (via scripting) on the router from the OpenVPN client's tunnel to the router and local network. And you would kill two birds w/ one stone; the same VPN could be used for outbound traffic.

You'd have to be careful in your choice of VPN providers since some make it more difficult than others to configure port forwarding w/ their servers (e.g., PIA is awful).

Or else perhaps consider using something like ngrok.

https://ngrok.com/

They help you create "generic" tunnels from their servers to your network behind the NAT router. IOW, they take responsibility for managing the server side of the tunnel, and all you have to do is install and configure the client behind your NAT router, either on a Windows or Linux machine (I don't think installation on the router is possible, but it would be cool if it did).

I'm just trying to think of alternatives for a situation like yours where you are not necessarily the expert when it comes to configuration and management of the server side. If you can push that off to some entity w/ that specific expertise, it minimizes the burden on you, and simplifies the solution.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
ddwrt-ovpn-split-basic.sh (UPDATED!)
ddwrt-ovpn-split-advanced.sh (UPDATED!)
ddwrt-blacklist-domains.sh (UPDATED!)
ddwrt-ovpn-client-backup.sh
ddwrt-mount-usb-drives.sh
ddwrt-ovpn-remote-access.sh
ddwrt-pptp-policy-based-routing.sh
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 57

PostPosted: Sun Oct 18, 2020 11:44    Post subject: Reply with quote
Hi

Thanks for your careful consideration with this.

So I am running ngrok now (I'm currently studying for sysops from Linux Training Foundation so I am OK to do be doing this) but I am facing the same problem I had with another option - what is the IP address I am forwarding too?

The VPN server runs CSF which is an iptables script and it appears that CSF supports redirects (see /etc/csf/csf.redirect), but I don't know what the destination IP should be.

Ideally I would want:
*|3000|VPN-IP|3000|tcp/udp
*|2222|VPN-IP|2222|tcp/udp

So I'm stuck. Thanks in advance.
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 57

PostPosted: Tue Oct 20, 2020 17:23    Post subject: Reply with quote
So I got my server management company to get to the following:

Code:
[root@vpn ~]# ssh root@10.8.0.2
The authenticity of host '10.8.0.2 (10.8.0.2)' can't be established.
RSA key fingerprint is SHA256:*****.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.8.0.2' (RSA) to the list of known hosts.
DD-WRT v3.0-r44538 std (c) 2020 NewMedia-NET GmbH
Release: 10/13/20
Board: Linksys WRT1900ACS
==========================================================
 
     ___  ___     _      _____  ______       ____  ___
    / _ \/ _ \___| | /| / / _ \/_  __/ _  __|_  / / _ \
   / // / // /___/ |/ |/ / , _/ / /   | |/ //_ <_/ // /
  /____/____/    |__/|__/_/|_| /_/    |___/____(_)___/
                                                     
                       DD-WRT v3.0
                   http://www.dd-wrt.com
 
==========================================================


BusyBox v1.32.0 (2020-10-13 00:42:27 +03) built-in shell (ash)


Now I need to have the router forward it to 192.168.1.10.

Note also, the following also works:
Code:
curl -s -v -L 10.8.0.2


Results in the DD-WRT Router Page being returned, ie:
Code:
[root@vpn ~]# curl -s -L 10.8.0.2 | grep DD-WRT
      <title>DD-WRT (build 44538) - Info</title>
....


Basically, I finally have an IP I can use for my local network - but I have no idea how to achieve what is desired.

The setup is as follows:
VPN Server -> ssh root@10.8.0.2 -> Results in Local Network

Hoping someone can help!
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 57

PostPosted: Sat Oct 24, 2020 11:46    Post subject: Reply with quote
Still hoping someone can help. All the best.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum