Problems with port forwarding and VPN

DD-WRT Forum -> Marvell MVEBU based Hardware (WRT1900AC etc.)
data_online
DD-WRT Novice
Joined: 29 May 2019
Posts: 11

PostPosted: Sun Jun 23, 2019 20:46    Post subject: Problems with port forwarding and VPN
Hello,

I just spent a couple of hours on my "project" of connecting to my router: WRT3200ACM (DD-WRT firmware 39825).

The router uses OpenVPN to connect to a VPN server.

Now I want to install NextcloudPi. I installed it on a Raspberry Pi and connected it to my router via LAN.
I configured it, but I still have problems connecting to the router from outside.

I did port forwarding like this:
Port from: 80 to 80 192.168.1.125
Port from: 443 to 443 192.168.1.125

But NextcloudPi always tells me that the port is closed.
I think it's because of the VPN.
I am a beginner in this topic. Maybe there is a good solution?

Thank you guys!
eibgrad
DD-WRT Guru
Joined: 18 Sep 2010
Posts: 8034

PostPosted: Mon Jun 24, 2019 6:46    Post subject:
https://www.snbforums.com/threads/simultaneous-vpn-server-and-vpn-client.39508/#post-485507
https://www.snbforums.com/threads/simultaneous-vpn-server-and-vpn-client.39508/#post-485800

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
data_online
DD-WRT Novice
Joined: 29 May 2019
Posts: 11

PostPosted: Mon Jun 24, 2019 14:19    Post subject:
It seems the script is for another firmware?
Or can I use it also for ddwrt?
data_online
DD-WRT Novice
Joined: 29 May 2019
Posts: 11

PostPosted: Mon Jun 24, 2019 15:05    Post subject:
I googled for a lot of hours but I didn't find a complete solution or something like a tutorial for noobs.
Sorry for that.
eibgrad
DD-WRT Guru
Joined: 18 Sep 2010
Posts: 8034

PostPosted: Mon Jun 24, 2019 19:53    Post subject:
data_online wrote:
It seems the script is for another firmware?
Or can I use it also for ddwrt?


Are you referring to the following script?

https://pastebin.com/gnxtZuqg

It *was* written for dd-wrt.
data_online
DD-WRT Novice
Joined: 29 May 2019
Posts: 11

PostPosted: Tue Jun 25, 2019 10:00    Post subject:
Thank you :)

So I need to connect to the router via WinSCP and enable SSH, right?

STATIC_ROUTES='
192.168.1.125

(IP of my Raspberry Pi?)

DOMAIN_NAMES='
domain.ddns.net


Last edited by data_online on Tue Jun 25, 2019 14:36; edited 1 time in total
data_online
DD-WRT Novice
Joined: 29 May 2019
Posts: 11

PostPosted: Tue Jun 25, 2019 10:02    Post subject:
In an older topic you wrote about another solution:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1061700

Should I use this or better your script?

The code for the firewall should be as below.

But maybe my config is different.

My router has the IP 192.168.1.1 and not a fixed WAN IP.
My Raspberry Pi has the IP 192.168.1.125.
The router is behind a DSL modem.

And I want to access 192.168.1.125 from outside (port 443).

Code:

# allow modem config
ifconfig "$(nvram get wan_ifname)":0 192.168.10.2 netmask 255.255.255.0

# VPN setup
<VPN magic>

# allow WAN to LAN access
#########################
sleep 10
# relax reverse-path filtering on every interface
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > "$i"
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1".
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun1".
#
ip route show table main | grep -Ev '^default' | grep -Ev tun1 | while read -r ROUTE ; do
    ip route add table 100 $ROUTE
done
ip route add default table 100 via "$(nvram get wan_gateway)"
ip rule add fwmark 1 table 100
ip route flush cache

# Allow WAN to LAN access
iptables -t mangle -F PREROUTING

# allow modem config
iptables -t nat -I POSTROUTING -o "$(nvram get wan_ifname)" -j MASQUERADE

# SSH Traffic: Bypass VPN
#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
iptables -t mangle -A PREROUTING -i br0 -p tcp -s 192.168.1.10 --sport 22 -j MARK --set-mark 1

# VPN killswitch
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o "$WAN_IF" -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o "$WAN_IF" -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p tcp -o "$WAN_IF" -s 192.168.1.10 --sport 22 -j ACCEPT
d0ug
DD-WRT Guru
Joined: 31 Jul 2015
Posts: 760

PostPosted: Wed Jun 26, 2019 5:33    Post subject:
If you have a whole-network VPN set up at the router to encrypt the outgoing internet traffic of all devices on the network, then you need to use PBR (policy-based routing) to exclude whatever devices you want to port forward to from the VPN.

What is happening is you have packets coming into the network through the port forward and going to whatever device you forwarded to, but whatever reply packets the device sends back get caught up in the VPN and tunneled out that way rather than back the way they came in.
data_online
DD-WRT Novice
Joined: 29 May 2019
Posts: 11

PostPosted: Wed Jun 26, 2019 6:50    Post subject:
So I have to add the following code?

ip rule add from 192.168.1.125/28 table 200
ip route add default via 10.0.0.1 dev ppp0 table 200
ip route flush cache

But I am not sure about the 10.0.0.1
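The source-based policy routing that d0ug describes, carried through for the setup in this thread as an added example (not code from the thread, from eibgrad's script or from DD-WRT): all traffic originating from the Pi is looked up in a separate table whose only default route is the plain WAN gateway, while LAN-to-LAN traffic from the Pi still uses the main table. Assumed values: the Pi at 192.168.1.125 on 192.168.1.0/24, spare table 100, rule priority 100, and the WAN gateway/interface taken from `nvram get wan_gateway` / `nvram get wan_ifname` unless WAN_GW / WAN_IF are set.

```shell
#!/bin/sh
# Added example for the DD-WRT firewall script (not the thread's own code).
# Constructed defaults; every value can be overridden via the environment.
LAN_HOST="${LAN_HOST:-192.168.1.125}"   # the Raspberry Pi (port-forward target)
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # local subnet, must keep using the main table
TABLE="${TABLE:-100}"                   # spare routing table for the WAN-only default
PRIO="${PRIO:-100}"                     # rule priority (main-table rule sits at PRIO-1)

# WAN details come from nvram on the router; WAN_GW / WAN_IF override them (also used by tests).
wan_gw() { if [ -n "$WAN_GW" ]; then echo "$WAN_GW"; else nvram get wan_gateway; fi; }
wan_if() { if [ -n "$WAN_IF" ]; then echo "$WAN_IF"; else nvram get wan_ifname; fi; }

# Print the commands instead of running them, so they can be reviewed before applying.
pbr_commands() {
    gw="$(wan_gw)" || gw=""
    ifn="$(wan_if)" || ifn=""
    if [ -z "$gw" ] || [ -z "$ifn" ]; then
        echo "pbr: WAN gateway or interface unknown" >&2
        return 1
    fi
    # Order matters: the LAN rule (PRIO-1) wins for LAN destinations, everything else
    # from the Pi falls through to table TABLE, whose only route is the WAN default.
    # rp_filter is set to loose (2): inbound WAN packets would fail a strict reverse-path
    # check because the main table's default route points at the tunnel, not the WAN.
    cat <<EOF
ip rule del from $LAN_HOST/32 to $LAN_NET table main priority $((PRIO - 1)) 2>/dev/null || true
ip rule del from $LAN_HOST/32 table $TABLE priority $PRIO 2>/dev/null || true
ip route flush table $TABLE
ip route add default via $gw dev $ifn table $TABLE
ip rule add from $LAN_HOST/32 to $LAN_NET table main priority $((PRIO - 1))
ip rule add from $LAN_HOST/32 table $TABLE priority $PRIO
ip route flush cache
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/$ifn/rp_filter
EOF
}

# Apply on the router (as root): pipe the reviewed commands into a shell.
pbr_apply() { pbr_commands | sh -e; }

if [ "${1:-}" = "apply" ]; then pbr_apply; fi
```

Run it with `sh pbr.sh` to print the commands and `sh pbr.sh apply` on the router to install them; the Pi's own outbound traffic then leaves via the WAN as well, which is exactly the "exclude from the VPN" that d0ug describes.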