Posted: Mon Apr 02, 2018 16:03 Post subject: Port forward to local webserver issues (Open VPN)
Hello DD-WRT community.
I have an issue with my DDWRT router in regards to port forwarding and I am convinced it's user error, hence my first post here.
I have a TP-Link TL-WDR3600 with the latest DDWRT firmware installed from this site.
I have an open VPN script that I run via command (run at startup) that allows any connected device to use the VPN.
The service works but I am unable to forward ports on the router via GUI. The only way I can get port forwarding working is to use the command line interface option for port forwarding, see below.
When I do this my port forward works as expected; however, I am no longer able to access the router's administration panel locally (LAN), and any device plugged into the router other than the one that's been port forwarded does not get access to the internet.
I contacted the company who provided my OpenVPN service and they told me to run the below port forward command instead, replacing <INCOMING IF> with my interface (eth0, eth1 etc), in the below command I used eth0.
I assume by OpenVPN and script you mean you have a script which configures and starts an OpenVPN client on startup...
Thanks for the feedback,
Yes you are right the script configures and starts the OpenVPN on startup.
The VPN is set up over a 1:1 static (unique IP) that allows incoming connections, so communication to the local webserver is through the same network interface.
Like I said before, running the below command works perfectly
But once I do this any other device plugged into the router will not gain access to the router's local admin page (192.168.222.1) and will also have no internet.
Why is the above command restricting every other device?
Sorry for my poor explanation, perhaps this will make things more clear.
Thanks I will try this first thing in the morning and let you know my results.
The reason I am not using the GUI is because no matter what method I tried in the GUI to forward a port nothing would work.
There was also nothing in the log file to suggest any issues; this could be due to the script I am running on startup, which you will see below (sensitive data removed).
Code:
# create the config file
echo "
client
nobind
# Here is the IP address of your VPNUK server
# followed by the port and protocol to use
remote 109.169.3.2 1194 udp
dev tun
dev-type tun
comp-lzo yes
verb 3
log /tmp/openvpn.log
script-security 3
auth-user-pass user.txt
<ca>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</ca>
" > "$conf"   # the config path and the openvpn start command were cut from the post; $conf is a placeholder for them
# $iptables, $fw, $forward_spec and $forward_port are set earlier in the provider's script (not shown);
# the defaults below are assumptions so that this fragment runs on its own
iptables=${iptables:-/usr/sbin/iptables}
fw=${fw:-/tmp/vpn_forward.sh}
forward_spec=${forward_spec:-$(nvram get forward_spec)}
forward_port=${forward_port:-$(nvram get forward_port)}
# start from an empty rule file; the posted script used > inside the loop, which truncated
# the file on every pass and left only the last protocol's rules for the last port
: > "$fw"
# single-port entries look like name:on:proto:SPORT>DST:DPORT
for port in $forward_spec;
do
SPORT=`echo $port | cut -d \: -f 4 | cut -d \> -f 1`
DST=`echo $port | cut -d \: -f 4 | cut -d \> -f 2`
DPORT=`echo $port | cut -d \: -f 5`
for proto in tcp udp;
do
echo "$iptables -I FORWARD -i tun0 -p $proto --dport $SPORT -j ACCEPT" >>$fw
echo "$iptables -t nat -I PREROUTING -i tun0 -p $proto --dport $SPORT -j DNAT --to $DST:$DPORT" >>$fw
done
done
# range entries look like name:on:proto:SPORT1:SPORT2>DST
for port in $forward_port;
do
SPORT1=`echo $port | cut -d \: -f 4`
SPORT2=`echo $port | cut -d \: -f 5 | cut -d \> -f 1`
DST=`echo $port | cut -d \: -f 5 | cut -d \> -f 2`
for proto in tcp udp;
do
echo "$iptables -I FORWARD -i tun0 -p $proto --dport $SPORT1-$SPORT2 -j ACCEPT" >>$fw
echo "$iptables -t nat -I PREROUTING -i tun0 -p $proto --dport $SPORT1-$SPORT2 -j DNAT --to $DST" >>$fw
done
done
sh "$fw"
# assure the network traffic is NATted
/usr/sbin/iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
sleep 20
# first octets of the network of the VPN tunnel (field 3 of "0.0.0.0/1 via <gw> dev tun0" is the gateway)
NET=`ip ro ls 0.0.0.0/1 | cut -d ' ' -f 3 | awk 'BEGIN {FS="."} {print $1"."$2"."$3}'`
# enter the new DNS server on top of the old ones
echo "nameserver $NET.1" > /tmp/resolv.dnsmasq.TMP
cat /tmp/resolv.dnsmasq >> /tmp/resolv.dnsmasq.TMP
mv /tmp/resolv.dnsmasq.TMP /tmp/resolv.dnsmasq
# change some DNSMasq options
sed -i 's/stop-dns-rebind//g' /tmp/dnsmasq.conf
killall dnsmasq
dnsmasq --conf-file=/tmp/dnsmasq.conf
But the port forward did not work; if you go to http://109.169.3.4 you will see the DDWRT admin page and not the webserver sitting behind it, see below.
Is this command failing because the WAN IP is local (192.x)? The router does not show the VPN WAN address because it sits behind another router, but when connected to it you do get the VPN IP (also, navigating to 109.169.3.4 from the outside gets you to the router as well).
Could there also be an issue with the initial script that starts the openVPN service conflicting with this port forward request?
And could there be something in that script that would stop the port forward function working through the GUI?
Thanks in advance, I really appreciate the help here.
This service I have from my VPN provider is dedicated; IOW, I am the only user who has access to this IP and in turn there are no blocked ports on the service (you pay extra for this).
Just to be sure I spoke to the support guys and they confirmed that there are no blocked ports on my VPN IP and 100% I am the only person who has access to that IP.
Just to be sure, however, I will try your command with some different ports and let you know my results.
Please see below response. I had just rebooted the router so the last port forward command will not be present; please let me know if you want me to run the last command and rerun this query. Thanks
Seems to me you're doing a lot more messing around w/ iptables than originally indicated. For example, where's the ESTABLISHED/RELATED rule in the INPUT chain? And normally there's a DROP rule at the end of the INPUT and FORWARD chains as well (to catch fall-thru situations).
If you're manipulating the firewall beyond what the script requires and adding the VPN port forwards, then it's going to be difficult to debug the problem.
Thanks for taking your time to help me with this.
I have had a development while working on this over the last few hours.
I have been using the "run command" option in the DDWRT GUI to apply the port forward and it has been working without issue this whole time.
However, I just went to apply the command that I know works (but locks off local access) and the port forward did not apply at all.
Since I had the Telnet session open I ran the command in there and it worked immediately.
This leads me to believe the "run command" function in the GUI does not always parse the commands you enter, possibly due to latency issues as I am running off a 4G connection here.
Anyway I went back over all the commands you listed before and the below command now shows my webserver
Btw, the Run Commands feature is known to have issues. I never use it for anything. It doesn't quite work like a shell (telnet/ssh) as you might expect. It interprets entered commands, esp. multi-line commands, in an odd way I've never understood. If you're just experimenting w/ commands/scripts, always use a proper shell (telnet/ssh). And once these firewall rules are working to your satisfaction, place them in the firewall script.
I can confirm the below code works as my local devices have access to the internet & router.
Thanks for your help with this, I have been pulling my hair out for weeks on this and not even the support for the VPN who created the original script could figure out what the issue was.
Now that this matter is solved I have 1 last question:
If I want to forward more ports to the same device do I just run the same commands again but with the new ports?
And do you think it would be wise to add all the ports I want forwarded to the script that runs at startup?
I assume you mean restrict to a specific public source IP, not WAN ip. The WAN ip is your own public IP. And besides, this is a VPN port forward, not a WAN port forward.
Thank you for the clarification, this works perfectly.
In the end I have done the following to completely get my webserver up & running for those of you who use the UKVPN service (& any other vpn service via startup script I assume)
To port forward allowing only a specific public address..
I have been running this setup abroad and it has worked perfectly.
I have a small issue I need to address to this config however.
I am running a VoIP server through the VPN on this and, although I have forwarded some UDP ports, I actually need to forward a large range of UDP only (5000 - 65565).
How can I forward a range of UDP ports in 1 command? Will the below work?
Code:
iptables -t nat -I PREROUTING -i tun0 -s [Public IP to allow] -p udp --dport 5000:65535 -j DNAT --to 192.168.0.2:5000:65535
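As an added example that is not part of the thread or the VPN provider's script, this POSIX sh helper prints the FORWARD plus nat/PREROUTING rule pair the thread converges on, with the optional `-s` restriction from the earlier post, and checks the port spec before emitting anything; it spells a range the way the DNAT target expects it (`host:low-high`, a second colon is not accepted). The helper names, `tun0` and all addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the VPN provider's script.
# Prints (does not apply) the rule pair used throughout this thread for a
# forward arriving over the OpenVPN tunnel: ACCEPT in FORWARD plus DNAT in
# nat/PREROUTING, optionally limited to one allowed public source address.
# Helper names, tun0 and all addresses are assumptions.
IPT=${IPT:-iptables}
VPN_IF=${VPN_IF:-tun0}

# Accept a single port ("5060") or a low:high range inside 1-65535.
valid_ports() {
    case "$1" in
        ''|:*|*:|*:*:*|*[!0-9:]*) return 1 ;;
    esac
    lo=${1%%:*}; hi=${1##*:}
    [ "$lo" -ge 1 ] && [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ]
}

# usage: vpn_forward <proto> <port|low:high> <lan-host> [allowed-src]
vpn_forward() {
    proto=$1; ports=$2; dst=$3; src=$4
    valid_ports "$ports" || { echo "vpn_forward: bad port spec '$ports'" >&2; return 1; }
    # DNAT spells a range as host:low-high (a second colon is rejected);
    # when the range equals --dport, every port maps to itself on the host.
    case "$ports" in
        *:*) to="$dst:${ports%%:*}-${ports##*:}" ;;
        *)   to="$dst:$ports" ;;
    esac
    # -s is only emitted when an allowed source address was given
    match="-i $VPN_IF${src:+ -s $src} -p $proto"
    # FORWARD sees the packet after DNAT, so match on the LAN host there
    echo "$IPT -I FORWARD $match -d $dst --dport $ports -j ACCEPT"
    echo "$IPT -t nat -I PREROUTING $match --dport $ports -j DNAT --to-destination $to"
}

# The RTP range from the last post, limited to one constructed public address
vpn_forward udp 5000:65535 192.168.0.2 203.0.113.7
```

Paste the printed lines into the DD-WRT firewall script once they look right; a spec whose upper port exceeds 65535 is refused instead of producing a rule iptables would reject.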