How to forward a port after VPN'ing the router

Hola openwrters! I'm very familiar with how to forward a port thru the router; however, I'm no network engineer either. :smiley:

So now that I'm all VPN'ed (I followed this guide: https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWRT-setup-with-NordVPN.htm), forwarding a port from the wan interface to the lan interface just doesn't cut it anymore. I confirmed that if I drop the vpn tunnel on the router, I can forward the port thru, so it's definitely the tunnel wreaking havoc on my forwarding.

Is there a graceful way of going about this, or at worst, can someone point me to where I can just throw up a DMZ and hang this service totally outside of the VPN?

Thanks!

As per the guide you followed, the VPN interface is assigned to a new firewall zone, vpnfirewall.
So if you have already created your port forwards using wan as the source zone, they won't work if the source zone is vpnfirewall.
The question however is whether you have a public IP in the VPN tunnel or if NordVPN forwards you the ports you requested to your private IP.

True. Not sure how it's all working to be honest. But, in my port forward, I did try changing the source to my 'vpnfirewall' zone and back again, to no avail. I've fiddled and fiddled and tried it every which way I know how. Surely there's a way, but I'm not sure what the path is. Thanks!

There is no point in configuring port forward in vpnfirewall zone unless you make sure that you can indeed forward traffic.

Not sure what you're saying there. I did mention I can forward the port successfully if I drop the vpn tunnel.

Let me explain to you then. When you connect to the VPN, you install two static routes for the two halves of the internet to be routed via your VPN gateway. This way the gateway of your ISP is ignored.
When someone tries to connect to one of the servers you have forwarded the port to on the public IP of your ISP, the reply will be forwarded via the VPN tunnel instead of the ISP, and the packet will be discarded as invalid, because it has a different source IP.

What I don't know is if you are aware of that and you are trying to port forward on the vpn interface, or you are trying to make it work on the wan interface.


Ideally, I want it to forward thru the VPN tunnel. I plan on using the VPN public IP for my externally facing IP. I understand that this may not work, as an external user wouldn't have any idea how to talk to my encrypted traffic. SO, if this isn't possible, I will just put this service into a DMZ and lock it down - but I'm not sure how to do either one. :smiley:

Ok, then back to the original question. Do you have a public IP on the vpn interface? If it starts with 10., 172.16-31., or 192.168., then it is not public.

Yes, I understand the difference between public or private IP ranges. Mine will start with 103.x.x.x

Easy then, just copy the forwarding rules of the wan to the vpnfirewall zone.
You can also assign the vpn interface to the wan zone, if you don't mind using the normal ISP when the vpn is down.


You lost me there. I only see forwarding rules from my LAN to the vpnfirewall zone, none for my wan. At least that's what I see from the guide I followed. Are there other rules I can dig up that are wan to vpnfirewall that I can copy?

Sorry, I meant a redirect in the firewall config file, which is basically a port forward.

Can you possibly give me an example and/or elaborate? Thanks!

For example:

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option dest_ip '10.0.2.50'
	option reflection '0'
	option proto 'tcp'
	option src_dport '50022'
	option dest_port '22'
	option name 'garida ssh'

Copy this and change src from wan to vpnfirewall.
Then you have redirects (or port forwards) on port 50022 from both ISP and VPN to the internal device.
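The following is an added example, not code from this thread or from OpenWrt: a small parser for the UCI syntax used in /etc/config/firewall that lists the DNAT "config redirect" sections, finds the wan-zone port forwards that have no equivalent whose src is the VPN zone, and renders the copy described above (same rule, src changed to 'vpnfirewall'). The firewall excerpt, addresses and rule names are constructed; the zone names 'wan' and 'vpnfirewall' are the ones the guide uses.

```python
# Added example (not from the thread or the OpenWrt project): find wan-zone
# port forwards in a UCI firewall file that lack a vpnfirewall twin and render
# the copies that need appending to /etc/config/firewall.

# Keys that identify "the same forward" regardless of which zone it faces.
FORWARD_KEYS = ("proto", "src_dport", "dest", "dest_ip", "dest_port")

# Constructed excerpt of a firewall file; addresses and names are made up.
# The ssh forward already has its vpnfirewall twin, the HTTP one does not.
SAMPLE_FIREWALL = """\
config zone
    option name 'wan'
    option input 'REJECT'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option dest_ip '192.168.1.100'
    option proto 'tcp'
    option src_dport '8080'
    option dest_port '80'
    option name 'HTTP-Owncloud'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option dest_ip '192.168.1.50'
    option proto 'tcp'
    option src_dport '50022'
    option dest_port '22'
    option name 'ssh'

config redirect
    option target 'DNAT'
    option src 'vpnfirewall'
    option dest 'lan'
    option dest_ip '192.168.1.50'
    option proto 'tcp'
    option src_dport '50022'
    option dest_port '22'
    option name 'ssh (vpnfirewall)'
"""


def parse_uci(text):
    """Parse 'config <type> [name]' / 'option <key> <value>' lines into dicts.
    'list' entries are not needed for redirects and are ignored."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config" and len(parts) >= 2:
            current = {"_type": parts[1],
                       "_name": parts[2].strip("'\"") if len(parts) == 3 else None}
            sections.append(current)
        elif parts[0] == "option" and len(parts) == 3 and current is not None:
            current[parts[1]] = parts[2].strip().strip("'\"")
    return sections


def dnat_redirects(sections):
    """Only DNAT redirects are port forwards (target defaults to DNAT in UCI)."""
    return [s for s in sections
            if s["_type"] == "redirect" and s.get("target", "DNAT") == "DNAT"]


def forward_key(r):
    return tuple(r.get(k) for k in FORWARD_KEYS)


def missing_vpn_redirects(sections, wan_zone="wan", vpn_zone="vpnfirewall"):
    """wan-zone forwards that have no twin whose src is the VPN zone."""
    rds = dnat_redirects(sections)
    covered = {forward_key(r) for r in rds if r.get("src") == vpn_zone}
    return [r for r in rds
            if r.get("src") == wan_zone and forward_key(r) not in covered]


def vpn_twin(redirect, vpn_zone="vpnfirewall"):
    """Copy of a redirect with only src (and, for readability, the name) changed."""
    twin = {k: v for k, v in redirect.items() if not k.startswith("_")}
    twin["src"] = vpn_zone
    twin["name"] = f"{redirect.get('name', 'forward')} ({vpn_zone})"
    return twin


def render_redirect(r):
    """Render a redirect dict back into UCI syntax."""
    return "\n".join(["config redirect"] + [f"\toption {k} '{v}'" for k, v in r.items()])


def vpn_twins_text(text, wan_zone="wan", vpn_zone="vpnfirewall"):
    """Text to append to the firewall file: one copy per uncovered wan forward."""
    secs = parse_uci(text)
    return "\n\n".join(render_redirect(vpn_twin(r, vpn_zone))
                       for r in missing_vpn_redirects(secs, wan_zone, vpn_zone))


if __name__ == "__main__":
    print(vpn_twins_text(SAMPLE_FIREWALL))
```

Run against a copy of the real file, the printed sections can be appended to /etc/config/firewall and activated with a firewall restart; the script deliberately copies every option of the wan rule unchanged except src, so anything odd in the original (a proto list, a disabled flag) carries over and should be reviewed in the output.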

ahhh, I see said the blind man! Will try this and report results. :smiley:


What does the "option reflection '0'" do? Or even better, is there a guide, aka man page, for all the options?

I found that I basically had already created what you suggested, as I found it in the /etc/config/firewall file already existing from the LuCI attempt I was attempting. So, all I had to do was add your 'reflection' option whatever that does. I tried it w/ and w/o that option, and on different ports, with the vpn up and down, on both my vpn public IP and non-vpn (ISP) public IP. nada. I'm about out of ideas.

Here's where it's at now - I'm trying to get 8080 to forward to my service on 80 (I learned my ISP is blocking 80) -

config redirect
	option target 'DNAT'
	option dest_ip '192.168.1.100'
	option name 'HTTP-Owncloud'
	option src_dport '8080'
	option dest 'lan'
	option proto 'tcp udp'
	option src 'vpnfirewall'
	option dest_port '80'
	option reflection '0'
	option enabled '1'

The reflection allows traffic from the LAN to point to the WAN IP and be redirected to the LAN IP of the server. It doesn't make any difference for your testing.
Your setting is correct; if it still doesn't work you can troubleshoot further with tcpdump.
tcpdump -i any -vvn tcp port 8080
This way you can see if traffic comes to your router.

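Reading the tcpdump output by hand is fine for one connection, but the asymmetric-reply problem described earlier in the thread (SYN arrives on the ISP interface, SYN-ACK leaves via the tunnel) is easy to miss. The block below is an added example, not code from the thread or from tcpdump: it parses a constructed capture and reports, per client connection, whether the reply left on the same interface the request came in on. The assumed line layout is the "<time> <ifname> In|Out IP ..." form recent tcpdump versions print for `-i any` without `-v` (with `-vv` the header fields spill onto a second line, which this parser does not handle); interface names, timestamps and the RFC 5737 addresses are constructed.

```python
import re

# Added example (not from the thread): classify forwarded connections in a
# tcpdump capture by comparing the SYN's ingress interface with the SYN-ACK's
# egress interface. ASSUMED line layout: "<time> <ifname> In|Out IP a.b.c.d.port > e.f.g.h.port: Flags [..] ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ifname>\S+)\s+(?P<direction>In|Out)\s+IP\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

# Constructed capture of `tcpdump -i any -n tcp port 8080` on the router
# (documentation addresses only, no real hosts):
#   192.0.2.10   = the router's ISP-side public IP (arrives on eth0.2)
#   198.51.100.5 = the public IP inside the VPN tunnel (arrives on tun0)
# Flow 1: request via ISP, reply pushed into the tunnel (the broken case).
# Flow 2: request and reply both via tun0 (working forward through the VPN).
# Flow 3: request via tun0, no reply at all (LAN host or DNAT rule problem).
SAMPLE_CAPTURE = """\
14:02:11.100000 eth0.2 In  IP 203.0.113.7.51234 > 192.0.2.10.8080: Flags [S], seq 1, win 64240, length 0
14:02:11.100600 tun0   Out IP 192.0.2.10.8080 > 203.0.113.7.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
14:02:12.200000 tun0   In  IP 203.0.113.9.40000 > 198.51.100.5.8080: Flags [S], seq 1, win 64240, length 0
14:02:12.200500 tun0   Out IP 198.51.100.5.8080 > 203.0.113.9.40000: Flags [S.], seq 2, ack 2, win 65160, length 0
14:02:13.300000 tun0   In  IP 203.0.113.11.40001 > 198.51.100.5.8080: Flags [S], seq 1, win 64240, length 0
"""


def parse_capture(text):
    """Return one dict per line that matches the assumed tcpdump layout."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            packets.append(p)
    return packets


def diagnose_forward(text, port):
    """Map (client_ip, client_port) -> {'in_if', 'out_if', 'verdict'} for the forwarded port."""
    flows = {}
    for p in parse_capture(text):
        # Inbound SYN to the forwarded port: remember the interface it arrived on.
        if p["direction"] == "In" and p["dport"] == port and p["flags"] == "S":
            flows.setdefault((p["src"], p["sport"]), {})["in_if"] = p["ifname"]
        # Outbound SYN-ACK from the forwarded port: remember the interface it left on.
        elif p["direction"] == "Out" and p["sport"] == port and p["flags"] == "S.":
            flows.setdefault((p["dst"], p["dport"]), {})["out_if"] = p["ifname"]
    for flow in flows.values():
        if "in_if" not in flow:
            flow["verdict"] = "reply_without_request"
        elif "out_if" not in flow:
            flow["verdict"] = "no_reply"     # router saw the request; nothing came back from the LAN host
        elif flow["in_if"] == flow["out_if"]:
            flow["verdict"] = "symmetric"
        else:
            flow["verdict"] = "asymmetric"   # reply left via another interface; the far side will drop it
    return flows


if __name__ == "__main__":
    for (ip, cport), f in diagnose_forward(SAMPLE_CAPTURE, 8080).items():
        print(f"{ip}:{cport} in={f.get('in_if')} out={f.get('out_if')} -> {f['verdict']}")
```

A run that shows no flows at all means the request never reached the router, which is the VPN-provider-side problem the next reply raises; "no_reply" points at the LAN host or the redirect rule; "asymmetric" is the routing situation explained earlier in the thread, where the reply to an ISP-side request is sent into the tunnel.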

I have the same issue with my purevpn, but checking the discussion above, I could spot one important matter that was not mentioned.
You need to be sure that your VPN provider allows port forwarding. Some VPN providers sell port forwarding as an extra option.
If the VPN provider does not allow port forwarding, all requests for your port 8080 from the public network are stopped and terminated by the VPN provider, and therefore it will not matter whether you have port forwarding or not; you will not receive the packets.
I have purevpn with the port forwarding option, and I did set up the port forwarding in my OpenWRT router, but I still do not get any packets through, so I have a case open with them.

I guess one way to debug is to have tcpdump in OpenWRT and capture the traffic on tun0 to see whether you are receiving the packets on the VPN side or not.

I have not used port forwarding, but what is the issue? Have you got a real IP on the tun interface?