Posted: Fri Sep 04, 2020 4:36 Post subject: OpenVPN server RDP port 3389 not open
Dear wonderful people,
I have had an OpenVPN server (using egc's guide) set up for some time and I was previously able to RDP to my PC and Raspberry Pi, but I haven't used it for some time and now it doesn't seem to work. I have messed around a lot with the settings over the past few months and I'm not sure what I changed.
I see the following behavior when connected through the Openvpn server:
1. I can ping all the devices on my lan.
2. I can access the dd-wrt web interface as well as pihole web management.
3. I have used nmap to check for open ports and it finds that ports like 139 and 445 are open, but it fails to resolve 3389 on my PC and it says "filtered" for port 3389 on my Raspberry Pi.
I can RDP fine when I am on the LAN, and I'm connecting using the local IP addresses (not the computer names). I know the ports are open locally but closed to the WAN (UPnP off).
I'm guessing that the ports are just closed to different subnets. Could someone help me with a firewall rule that maps RDP ports from 10.8.0.x to 192.168.1.x, or maybe tell me what I'm doing wrong? I obviously don't want to expose 3389 to the internet and want to make sure the rule is correct.
I think the firewall rule should be something like:
iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 3389 -j DNAT --to 10.8.0.0/24:3389
iptables -I FORWARD -p tcp -d 192.168.1.0/255.255.255.0 --dport 3389 -j ACCEPT
not sure about the 10.8.0.0/24:3389 part though, is that the correct syntax for the whole subnet?
P.S. Also, I'm using the following firewall rule suggested by egc:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE
iptables -t nat -I POSTROUTING -o br0 -s 10.8.0.0/24 -j SNAT --to $(nvram get lan_ipaddr)
I thought that it would just block the ports to the internet, I didn't realize it would block to other subnets as well. How can I adjust this rule so that it blocks only to wan? Thanks!
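The following is an added example of the kind of rule set the question above is asking for; it is not code from the original post, from egc's guide, or from DD-WRT itself. It assumes DD-WRT's default names (OpenVPN server interface tun2, LAN bridge br0), the subnets quoted in the post (VPN clients in 10.8.0.0/24, LAN in 192.168.1.0/24), and a WAN_IF value that the script takes from get_wanface on the router or from the environment elsewhere. Two points it is built around: VPN-to-LAN traffic only needs a FORWARD ACCEPT (no DNAT; DNAT --to-destination takes an address or address range, never a /24, and a DNAT on the WAN address is precisely the port-forward from the internet that the post wants to avoid), and the WAN-side DROPs make the "closed to WAN" part explicit rather than relying on the default policy. Setting IPTABLES=echo prints the rules instead of installing them, so the script can be reviewed before it is pasted into the DD-WRT firewall script box.

```shell
#!/bin/sh
# Added example for DD-WRT's firewall script (Administration > Commands > Save Firewall).
# Assumptions (not from the original post): OpenVPN server interface tun2, LAN bridge br0,
# VPN clients in 10.8.0.0/24, LAN in 192.168.1.0/24. Override any of them via the environment.
# Set IPTABLES=echo to dry-run: rules are printed rather than installed.

IPTABLES="${IPTABLES:-iptables}"
VPN_IF="${VPN_IF:-tun2}"
LAN_IF="${LAN_IF:-br0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
RDP_PORT="${RDP_PORT:-3389}"
# On DD-WRT get_wanface returns the WAN interface; off the router it must be supplied.
WAN_IF="${WAN_IF:-$(get_wanface 2>/dev/null || true)}"

# Allow RDP from VPN clients into the LAN and nowhere else.
# -I prepends, so the last rule inserted is evaluated first: WAN drops win over everything.
rdp_rules() {
    # Replies from LAN hosts back to VPN clients for connections already accepted.
    "$IPTABLES" -I FORWARD -i "$LAN_IF" -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New RDP connections, only from the VPN subnet and only toward the LAN subnet.
    "$IPTABLES" -I FORWARD -i "$VPN_IF" -o "$LAN_IF" -p tcp -s "$VPN_NET" -d "$LAN_NET" --dport "$RDP_PORT" -m state --state NEW -j ACCEPT
    # Never forward RDP arriving from the internet and never accept it on the router itself.
    "$IPTABLES" -I FORWARD -i "$WAN_IF" -p tcp --dport "$RDP_PORT" -j DROP
    "$IPTABLES" -I INPUT -i "$WAN_IF" -p tcp --dport "$RDP_PORT" -j DROP
}

# Show the RDP-related FORWARD rules with packet counters; a connection attempt from a
# VPN client should move the counter on the ACCEPT rule, not on a DROP.
rdp_check() {
    "$IPTABLES" -L FORWARD -v -n --line-numbers | grep -- "dpt:$RDP_PORT"
}

case "${1:-}" in
    apply)   [ -n "$WAN_IF" ] || { echo "WAN_IF is not set" >&2; exit 1; }; rdp_rules ;;
    check)   rdp_check ;;
    dry-run) IPTABLES=echo; WAN_IF="${WAN_IF:-WAN}"; rdp_rules ;;
esac
```

The rule that matters for the question is the one with `-i tun2 -o br0`: without it, traffic from 10.8.0.x toward 192.168.1.x is forwarded only if the FORWARD chain's default policy or some other rule lets it through, and the SNAT rule quoted in the P.S. changes only the source address, not whether the packet is allowed to be forwarded. If the ACCEPT counter moves and a host still shows 3389 as filtered, the remaining suspect is that host's own firewall (Windows Defender Firewall's Remote Desktop rule is commonly scoped to the local subnet; a Pi may have ufw or nftables), which is outside the router's control.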
Block inbound to WAN on those ports, or outbound to WAN?
Inbound. I just don't want someone on the internet to be able to remote into my PC. I know the port isn't open by default; I just added it to be sure. Does that not make sense? Are you saying that rule just blocks outgoing 3389?