Forward Port to Client (OpenVPN)

DD-WRT Forum Index -> Advanced Networking
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 82

PostPosted: Fri Oct 16, 2020 15:49    Post subject: Forward Port to Client (OpenVPN)
Hi

I require port 22 to be forwarded from my VPN down to the client so I can portforward to my local tower server.

I have tried the following (https://serverfault.com/questions/659955/allowing-ssh-on-a-server-with-an-active-openvpn-client):
ip rule add from $(ip route get 1 | grep -Po '(?<=src )(\S+)') table 128
ip route add table 128 to $(ip route get 1 | grep -Po '(?<=src )(\S+)')/32 dev $(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)')
ip route add table 128 default via $(ip -4 route ls | grep default | grep -Po '(?<=via )(\S+)')

But no joy. Any advice appreciated.
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 82

PostPosted: Fri Oct 16, 2020 15:51    Post subject:
Just to add, the inline commands return the following:

[root@vpn ~]# echo $(ip route get 1 | grep -Po '(?<=src )(\S+)')
134.209.190.50
[root@vpn ~]# echo $(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)')
eth0
[root@vpn ~]# echo $(ip -4 route ls | grep default | grep -Po '(?<=via )(\S+)')
134.209.176.1
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 82

PostPosted: Fri Oct 16, 2020 15:58    Post subject:
Just tried with openvpn stopped. No joy.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Fri Oct 16, 2020 16:47    Post subject:
Quote:
I require port 22 to be forwarded from my VPN down to the client so I can portforward to my local tower server.


What precisely does that mean? You're assuming everyone just knows. Last I heard on that other thread, you were using an OpenVPN client on the router to your own OpenVPN server on a DigitalOcean VPS.

So is this forwarding a need on the VPS? On the router? Both?

Be specific! Provide details! Assume your audience doesn't have a clue about your config (because many don't).

Given so little information, I will venture a *guess* and assume you're running into the classic problem of the target of port forwarding over the WAN being bound to the VPN. And thus the replies from that port forwarding get routed over the VPN rather than the WAN. There are several workarounds, perhaps the following will help.

http://www.snbforums.com/posts/622640/

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 82

PostPosted: Fri Oct 16, 2020 17:21    Post subject:
So from the start.

I am an OpenVPN user with a DigitalOcean droplet serving my VPN, with uber cool hostnames etc. It works well, albeit with connection drops. I have another thread open looking to tune my VPN in relation to the drops etc.

My DigitalOcean Droplet is currently serving all SSHd requests via port 22. I want to forward port 22 (or any other port really) to my local router so that I can forward it to a machine on the LAN.

Here are some further details:
Router: Linksys WRT 1900ACSv2
Firmware: DD-WRT v3.0-r44538 std (10/13/20)
OpenVPN Version: 2.4.9

Hoping for some help. Also, not sure what that link was but it didn't help.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Fri Oct 16, 2020 19:11    Post subject:
So you want any given port accessed via the public IP of the VPS to be forwarded to the OpenVPN server (running on that same VPS) and through the tunnel to the OpenVPN client running on the router, and targeting either the router itself or beyond to the LAN, correct?

And accessing the WAN of the router directly is NOT an option? Perhaps because you don't have a public IP available from your ISP?

youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 82

PostPosted: Fri Oct 16, 2020 20:10    Post subject:
eibgrad wrote:
So you want any given port accessed via the public IP of the VPS to be forwarded to the OpenVPN server (running on that same VPS) and through the tunnel to the OpenVPN client running on the router, and targeting either the router itself or beyond to the LAN, correct?

And accessing the WAN of the router directly is NOT an option? Perhaps because you don't have a public IP available from your ISP?


Doesn’t have to be any port. Could just be a random port that I can open on my router. And yes, accessing public IP is not an option, due to ISP restraints.

Thanks in advance
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Fri Oct 16, 2020 20:40    Post subject:
Is the OpenVPN server currently configured to support site-to-site? IOW, can you ping both the dd-wrt router on its LAN ip and any other LAN devices beyond the router from the OpenVPN server side of the tunnel? If not, you need to get that working first.

Site-to-site requires disabling the "Inbound Firewall on TUN" option in the OpenVPN client. On the OpenVPN server, it requires you specify an "iroute" (that's not a typo, it begins w/ an "i") directive w/ the IP network behind the OpenVPN client.

Code:
iroute 192.168.1.0 255.255.255.0


This iroute directive needs to be in a file using the CN (Common Name) used by the OpenVPN client on its cert, and located in the --client-config-dir (CCD) directory, a directive you add to your OpenVPN server config. You need to add a "route" directive to the OpenVPN server config as well pointing to the same network.

So assuming the CN of the client cert is "client", and your home network is 192.168.1.0/24, and you choose to use /openvpn/ccd as your CCD directory (something you need to initialize prior to running OpenVPN server) ...

Code:
# OpenVPN server config file
client-config-dir /openvpn/ccd
route 192.168.1.0 255.255.255.0

# contents of /openvpn/ccd/client
iroute 192.168.1.0 255.255.255.0


Once that's working (i.e., you can ping any device on the OpenVPN client side from the VPS), you need to forward your ports on the public IP of the VPS to the LAN ip and port of the intended target on the LAN side of the OpenVPN client.

Do you know how to port forward on the VPS and over the tunnel? I don't have a clue about the state of the firewall on the VPS, or if you're even using one (I hope so), or whether you're using UFW, iptables, etc. Using dd-wrt and iptables as a model, a proper port forward would be similar to the following.

Code:
iptables -t nat -I PREROUTING -p tcp -d <public-ip> --dport 22 -j DNAT --to 192.168.1.1:22
iptables -I FORWARD -p tcp -d 192.168.1.1 --dport 22 -j ACCEPT


The DNAT rule changes the public IP to the internal IP of the target, and the FORWARD rule permits the traffic to be forward from one network interface to the other.

If you're using UFW, you'd have to look into that yourself.

Btw, this assumes you already have forwarding enabled on the VPS. If you're using Ubuntu, you'll probably have to execute the following commands to enable it (you only need to do this once).

Code:
sed -ri.bak 's/#(net.ipv4.ip_forward=1)/\1/' /etc/sysctl.conf
sysctl -p /etc/sysctl.conf


In short, 99% of the required changes are on the VPS! Which is what makes it difficult for us to support you. I don't mind helping, but it's *your* VPS, and so there's a heavy burden on your shoulders to get things sorted correctly on that platform.

youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 82

PostPosted: Fri Oct 16, 2020 21:24    Post subject:
Sounds complicated. Like you say, it's the VPS, not the router. On this occasion I am going to outsource to my server tech company to get it working; after all, they set this up.

Thanks for the explanation it will help a lot.

Kind regards
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 82

PostPosted: Sat Oct 17, 2020 13:36    Post subject:
So it appears that CSF (a firewall I use) supports redirects.

If anybody knows how to find out what IP address OpenVPN would be referencing my local network as I may be able to save myself some time/money.

Kind regards
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Sun Oct 18, 2020 4:15    Post subject:
Based on your last two posts, I get the impression that you personally are NOT responsible for setting up the VPS. And that makes me wonder if it might have been a better option to use a commercial OpenVPN provider that supports port forwarding from their end of the tunnel (not all do), thus *they* would be responsible for managing the OpenVPN server, the firewall, etc. All you would have to do is port forwarding (via scripting) on the router from the OpenVPN client's tunnel to the router and local network. And you would kill two birds w/ one stone; the same VPN could be used for outbound traffic.

You'd have to be careful in your choice of VPN providers since some make it more difficult than others to configure port forwarding w/ their servers (e.g., PIA is awful).

Or else perhaps consider using something like ngrok.

https://ngrok.com/

They help you create "generic" tunnels from their servers to your network behind the NAT router. IOW, they take responsibility for managing the server side of the tunnel, and all you have to do is install and configure the client behind your NAT router, either on a Windows or Linux machine (I don't think installation on the router is possible, but it would be cool if it did).

I'm just trying to think of alternatives for a situation like yours where you are not necessarily the expert when it comes to configuration and management of the server side. If you can push that off to some entity w/ that specific expertise, it minimizes the burden on you, and simplifies the solution.

youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 82

PostPosted: Sun Oct 18, 2020 11:44    Post subject:
Hi

Thanks for your careful consideration with this.

So I am running ngrok now (I'm currently studying for sysops from Linux Training Foundation so I am OK to be doing this) but I am facing the same problem I had with another option: what is the IP address I am forwarding to?

The VPN server runs CSF which is an iptables script and it appears that CSF supports redirects (see /etc/csf/csf.redirect), but I don't know what the destination IP should be.

Ideally I would want:
*|3000|VPN-IP|3000|tcp/udp
*|2222|VPN-IP|2222|tcp/udp

So I'm stuck. Thanks in advance.
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 82

PostPosted: Tue Oct 20, 2020 17:23    Post subject:
So I got my server management company to get to the following:

Code:
[root@vpn ~]# ssh root@10.8.0.2
The authenticity of host '10.8.0.2 (10.8.0.2)' can't be established.
RSA key fingerprint is SHA256:*****.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.8.0.2' (RSA) to the list of known hosts.
DD-WRT v3.0-r44538 std (c) 2020 NewMedia-NET GmbH
Release: 10/13/20
Board: Linksys WRT1900ACS
==========================================================
 
     ___  ___     _      _____  ______       ____  ___
    / _ \/ _ \___| | /| / / _ \/_  __/ _  __|_  / / _ \
   / // / // /___/ |/ |/ / , _/ / /   | |/ //_ <_/ // /
  /____/____/    |__/|__/_/|_| /_/    |___/____(_)___/
                                                     
                       DD-WRT v3.0
                   http://www.dd-wrt.com
 
==========================================================


BusyBox v1.32.0 (2020-10-13 00:42:27 +03) built-in shell (ash)


Now I need to have the router forward it to 192.168.1.10.

Note that the following also works:
Code:
curl -s -v -L 10.8.0.2


This results in the DD-WRT router page being returned, i.e.:
Code:
[root@vpn ~]# curl -s -L 10.8.0.2 | grep DD-WRT
      <title>DD-WRT (build 44538) - Info</title>
....


Basically, I finally have an IP I can use for my local network - but I have no idea how to achieve what is desired.

The setup is as follows:
VPN Server -> ssh root@10.8.0.2 -> Results in Local Network

Hoping someone can help!
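Taking eibgrad's two iptables rules from his Oct 16 post together with the tunnel address (10.8.0.2) and LAN host (192.168.1.10) that appear in the later posts, here is an added example (not code from the thread or from DD-WRT) that prints the rules for both hops of the forward and validates addresses and ports before emitting them. The 203.0.113.10 public IP, the 2222 public port and the tun0/tun1 interface names are assumptions; the MASQUERADE rule on the VPS tunnel is an addition explained in the comments.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: prints the iptables rules for both
# hops of the forward the thread describes.
#   VPS public IP:PUB_PORT --DNAT--> 10.8.0.2:PUB_PORT    (router tunnel IP, from the thread)
#   router tun:PUB_PORT    --DNAT--> 192.168.1.10:LAN_PORT (LAN host, from the thread)
# 203.0.113.10, port 2222, tun0 (VPS) and tun1 (dd-wrt client) are assumed values.

# is_ipv4 ADDR : succeed only for a dotted quad whose octets are 0-255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

# is_port N : succeed only for 1..65535
is_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# vps_rules PUBLIC_IP PUB_PORT ROUTER_TUN_IP TUN_IF
# The MASQUERADE on the tunnel is an addition to the thread's two rules: without it the LAN
# host answers the client's real address and a split-tunnel router may send that reply out
# its WAN instead of back through the tunnel. The cost is that the LAN host logs 10.8.0.1
# rather than the real client address, so keep the connection logs on the VPS.
vps_rules() {
    is_ipv4 "$1" && is_ipv4 "$3" && is_port "$2" || { echo "vps_rules: bad argument" >&2; return 1; }
    printf 'iptables -t nat -I PREROUTING -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' "$1" "$2" "$3" "$2"
    printf 'iptables -I FORWARD -o %s -p tcp -d %s --dport %s -j ACCEPT\n' "$4" "$3" "$2"
    printf 'iptables -t nat -I POSTROUTING -o %s -p tcp -d %s --dport %s -j MASQUERADE\n' "$4" "$3" "$2"
}

# router_rules TUN_IF PUB_PORT LAN_IP LAN_PORT  (dd-wrt side, "Inbound Firewall on TUN" off)
# FORWARD is evaluated after DNAT, so it matches the LAN address and port, not the public ones.
router_rules() {
    is_ipv4 "$3" && is_port "$2" && is_port "$4" || { echo "router_rules: bad argument" >&2; return 1; }
    printf 'iptables -t nat -I PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' "$1" "$2" "$3" "$4"
    printf 'iptables -I FORWARD -i %s -p tcp -d %s --dport %s -j ACCEPT\n' "$1" "$3" "$4"
}

# Demo with the thread's addresses and the assumed public IP/port when run without arguments.
if [ "$#" -eq 0 ]; then
    echo "# on the VPS";    vps_rules 203.0.113.10 2222 10.8.0.2 tun0
    echo "# on the router"; router_rules tun1 2222 192.168.1.10 22
fi
```

Pipe the output into a shell on the respective host only after checking it; the dd-wrt half belongs in the router's firewall script so it survives a reboot.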
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 82

PostPosted: Sat Oct 24, 2020 11:46    Post subject:
Still hoping someone can help. All the best.
All times are GMT