Posted: Tue May 14, 2013 11:51 Post subject: Port forwarding with openVPN running
I have set up port forwarding on my router to send traffic to my torrent client. Port forwarding works fine until I enable OpenVPN.
I have set up OpenVPN using the client GUI with policy-based routing for a single IP address on my internal network. This IP is the machine my torrent client is running on.
As soon as I disable OpenVPN, the port forward works again.
I have searched the forums but can't find this exact issue. Any ideas would be appreciated.
I'm running DD-WRT v24-sp2 (03/25/13) std on a Netgear wnd 3700v2 router.
Hi,
Difficult to identify without more precise details, but you should be aware that the OpenVPN implementation is not completely stabilized (after all, these are still beta versions of DD-WRT). I have very limited experience, but maybe you should try to set the forwarding rules directly in the command interface and not in the GUI menu (it worked for me). The GUI and OpenVPN don't always fit well together.
How can a port be forwarded from WAN to a machine that uses an OpenVPN tunnel as its main gateway, huh? Or whatever. Not enough information has been posted. Post iptables output and route output.
_________________
RT-N66U @ Build 25697M K3.10.63
TL-WR842ND v1 @ BS-build 23919 WDS AP
TL-WR841ND @ BS-build 23919 WDS Client
TL-WR841ND @ BS-build 23919 Client Bridge ( Routed )
Hi,
just to make sure we are talking about the same thing:
In my case, I use an OpenVPN tunnel provided by Astrill. My DD-WRT router is the client (in the applet provided by Astrill, I can however decide which devices on the LAN will be excluded from the tunnel, mainly for performance's sake). I use port forwarding for devices which are tunneled (IP cameras in my case), which means the forwarded ports are ports opened on the WAN IP address provided by the OpenVPN.
Here are the rules I included using the "command" interface and not the GUI (it did not work, and Astrill support told me it would not):
iptables -t nat -I PREROUTING -p tcp -i tun0 --dport 6100 -j DNAT --to 192.168.x.x:6100
iptables -I FORWARD -p tcp -d 192.168.x.x --dport 6100 -j ACCEPT
I can access my cameras from the internet, using my private IP address.
Now, I don't use torrents, so maybe the technique would be completely different?
As far as the OpenVPN implementation is concerned, what I know so far is that it works when I use the special applet, but I could not even start the tunnel using the GUI.
Posted: Thu Jun 13, 2013 10:15 Post subject: I can confirm a problem
I have DD-WRT on a router with port forwarding to a FreeBSD server with postfix, httpd, ftp, sshd, ...
Immediately after I start the OpenVPN client (tun), the port forwarding dies. The daemons are accessible from the internal network, but the port forwards are not working any more. When I stop the VPN, the port forwards are working again.
I went through hell with this for 3 days, as the router was the last thing I would suspect ("take the tcpdump first, idiot"): defining the routes, enforcing routes using pf; at the end I started sniffing packets, and it is a FACT that the packets don't arrive at the server if OpenVPN is on.
The interesting part is that RDP over port forwarding (on a Windows computer) IS accessible.
Some facts:
- the router has nothing to do with the VPN client; it is started on an internal host
- the port forwarding works with OpenVPN turned off
- the packets don't even arrive at the server (running tcpdump), so they are stopped either before they reach tcpdump or, more likely, they are not even sent out.
This afternoon I will take a hub (THE hub) and attach it on the same cable with a laptop sniffing the traffic, to eliminate any doubt.
I have noticed the same thing with the same router
Firmware 21x for the wlnr3700r3 cannot run OpenVPN and have any port forwards. I wonder if they make Tomato for this thing. I also have some 21x-loaded wnr3500s lying around; I may try one of them also. The 3700 is too new to have old firmware. The 3500 has had a jump from 14x with no OpenVPN support to 21x with, but it may have the same problem.
Swap your port and IP for whatever.
This line WORKS.
---
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 32400 -j DNAT --to-destination 10.5.10.100
---
This works for me for getting Plex Media Server to work with the OpenVPN client enabled. Set Plex to manually use 32400. Save this line in "Save Firewall".
If you have multiple Plex servers, use 2 lines something like:
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 32400 -j DNAT --to-destination 10.5.10.100
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 32450 -j DNAT --to-destination 10.5.10.110:32400
And set the 2nd server to manually use port 32450.
The above solution doesn't help, unfortunately. Anybody know any other ways?
Thanks a lot.
I have the same issue with an R8000. Port forwarding works fine until I enable openvpn client. Did you manage to make it work? How would I do that let's say for my server on port 80 to be reachable?
Unfortunately, I didn't manage to do it. Perhaps, someone else here can enlighten us. Thx.
So, no one provided iptables rules, routing tables or whatever to solve the problem. All just said: does not work.
I guess at least we all agree that what we'd like to get is all our traffic through the VPN interface, except port-forwarded traffic, which should go through the regular WAN interface.
I only have basic knowledge of iptables and I have no clue how to route traffic using it. But I understand that the incoming traffic is routed correctly to the server. The problem is: the outgoing traffic from the server is routed through the VPN interface. So would anyone know how to route the outgoing traffic of a specific IP address through the WAN interface?
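The return-path split asked about in this thread (forward arrives on WAN, the host's reply is policy-routed into the tunnel and the connection dies) can be handled with a connection mark and a second routing table. The script below is an added example, not from any poster here or from DD-WRT itself; the interface names, gateway, host address, mark value and table number are assumed placeholders, and it assumes the VPN policy-routing rule for the host has a higher priority number than 100.

```shell
#!/bin/sh
# Added example (not from any post in this thread): keep a LAN host's normal
# traffic in the VPN tunnel while replies to a port forwarded on the real WAN
# interface leave via WAN. Without this, the DNATed packet reaches the host but
# its reply is policy-routed into tun0, so the client never sees an answer.
# All names below are assumed placeholders; 203.0.113.1 is a constructed
# documentation address.
WAN_IF="${WAN_IF:-eth0}"          # physical WAN interface on the router
WAN_GW="${WAN_GW:-203.0.113.1}"   # ISP gateway reachable on WAN_IF
LAN_IF="${LAN_IF:-br0}"           # LAN bridge the forwarded host sits on
LAN_HOST="${LAN_HOST:-192.168.1.100}"
PORT="${PORT:-80}"
MARK="${MARK:-0x10}"              # fwmark/connmark value, must be unused elsewhere
TABLE="${TABLE:-100}"             # routing table holding only the WAN default route

# run: execute the command, or only print it when DRY_RUN is set so the
# rule set can be reviewed before it is applied to a live router.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_forward() {
    # 1. Tag the conntrack entry of every new connection arriving on WAN for PORT.
    run iptables -t mangle -I PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    # 2. Replies from the host copy that tag back onto the packet (fwmark).
    run iptables -t mangle -I PREROUTING -i "$LAN_IF" -s "$LAN_HOST" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
    # 3. Marked packets use TABLE, whose only default route points at WAN.
    #    Priority 100 must be a lower number than the VPN policy-routing rule
    #    for LAN_HOST, otherwise that rule still wins and sends replies to tun0.
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE" priority 100
    # 4. The forward itself, restricted to WAN so tun0 traffic is unaffected.
    run iptables -t nat -I PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$LAN_HOST:$PORT"
    run iptables -I FORWARD -i "$WAN_IF" -p tcp -d "$LAN_HOST" --dport "$PORT" -j ACCEPT
    run ip route flush cache
}

# preview_rules: the exact commands setup_forward would run, one per line.
preview_rules() { DRY_RUN=1 setup_forward; }

if [ -n "$APPLY" ]; then setup_forward; else preview_rules; fi
```

Run it without APPLY set to review the seven commands it would issue; with APPLY=1 and root on the router it applies them, and the same lines can be pasted into "Save Firewall" so they survive a reboot.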