How to forward a port after VPN'ing the router

Yes I did get an IP on the tun interface.
The issue is that it seems like the ports are not open when I try to access them from outside through the VPN connection.
The ports are configured as open ports in the VPN server through the PureVPN members portal, and port forwarding rules are configured in OpenWRT (which is terminating the VPN tunnel).

OK, try to open some port in OpenWRT for the SSH server, and try to connect to it.

I forwarded port 80 on the wan interface and accessed the web page from a phone on the parent network's wifi; it worked.
Did the same on the vpn tunnel and tried from the phone over 4G to access the web site using the vpn IP address; it did not work.

config redirect
        option target 'DNAT'
        option name '80_wan'
        option src 'wan'
        option src_dport '80'
        option dest 'lan'
        option dest_ip '192.168.0.210'
        option dest_port '80'
config redirect
        option target 'DNAT'
        option src_dport '80'
        option dest 'lan'
        option dest_port '80'
        option src 'vpnfirewall'
        option dest_ip '192.168.0.210'
        option name '80_vpn'

iptables-save -c -t nat | grep 80_vpn

root@OpenWrt:~# iptables-save -c -t nat | grep 80_vpn
[0:0] -A zone_vpnfirewall_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: 80_vpn" -j REDIRECT --to-ports 80
[0:0] -A zone_vpnfirewall_prerouting -p udp -m udp --dport 80 -m comment --comment "!fw3: 80_vpn" -j REDIRECT --to-ports 80
root@OpenWrt:~#

The packets do arrive at your computer, but they are answered through your default interface, which should be the wan.

That's why it does not work: you have to set the vpn as the default interface.

Do you mean that I need to have port forward on the VPN and on the wan at the same time?

I expected that port forward on the VPN is enough to get the traffic reach my local web server

No. The packets arrive at your web server, and your web server sees the real IP of the client, so it responds to that IP through its default route, which is the wan if you didn't change that in OpenWrt.

So in the case where it did not work, the flow was like this:

Mobile Phone (public IP) ---> purevpn ----> Home router -----> (172.111.a.b) OpenWRT (192.168.0.1) ----> (192.168.0.210) PC with web server

In the case where it worked, it was like this:
Mobile Phone (192.168.1.20) ---> (192.168.1.66) OpenWRT (192.168.0.1) ----> (192.168.0.210) PC with web server

When I do findmyip from the web server PC, I get the 172.111.a.b IP, which is the VPN-assigned IP.

Zero hits, nothing reached OpenWrt. Check that you indeed have a public IP on the VPN interface, and whether forwarding is enabled at your VPN provider.
And one more thing: you have created a REDIRECT for incoming packets on port 80, which sends the packets to the router itself. What you need is a DNAT, which sends the packets to another host in the lan.


I can only make the DNAT to a specific known IP address, right?

root@OpenWrt:~# iptables-save -c -t nat | grep 80_vpn
[0:0] -A zone_vpnfirewall_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: 80_vpn" -j DNAT --to-destination 192.168.0.210:80
[0:0] -A zone_vpnfirewall_prerouting -p udp -m udp --dport 80 -m comment --comment "!fw3: 80_vpn" -j DNAT --to-destination 192.168.0.210:80

OK, please make sure the router has a default route via the tun interface. See also the counters in the output of iptables -nvL -t nat.
Try also to just open a port, e.g. the router web interface, for five minutes, and check only the web page, without typing a password:

config rule
	option	name		'open_http_test'
	option	src		'wan'
	# dest_port is the port on the router to open; src_port would match the client's source port
	option	dest_port	'80'
	option	proto		'tcp'
	option	target		'ACCEPT'

root@OpenWrt:~# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 3317 packets, 858K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3317  858K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
  551  118K zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 2752  735K zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   14  4964 zone_vpnfirewall_prerouting  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 46 packets, 8442 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 250 packets, 18604 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 5 packets, 894 bytes)
 pkts bytes target     prot opt in     out     source               destination
  653 63823 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
    2   684 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  199 15357 zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  449 47572 zone_vpnfirewall_postrouting  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_vpnfirewall_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_vpnfirewall_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   684 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan postrouting rule chain */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  551  118K prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */

Chain zone_vpnfirewall_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  449 47572 postrouting_vpnfirewall_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom vpnfirewall postrouting rule chain */
  449 47572 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_vpnfirewall_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   14  4964 prerouting_vpnfirewall_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom vpnfirewall prerouting rule chain */
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:44158 /* !fw3: HNT */ redir ports 44158
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: 80_vpn */ to:192.168.0.210:80
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80 /* !fw3: 80_vpn */ to:192.168.0.210:80
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:44159 /* !fw3: HNT */ redir ports 44159

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  199 15357 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan postrouting rule chain */
  199 15357 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2752  735K prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
root@OpenWrt:~#

OK, zero counters, as you can see. I hope you have tried to connect from your phone. Also make sure (see the output of ip a s) that your tun interface has a real IP.
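The replies above boil down to three checks on the router: a real address on the tun interface, a default route via that interface, and a tunnel-zone NAT rule that is a DNAT (not a REDIRECT) and has actually matched packets. The following POSIX sh/awk script is an added example, not part of the thread and not OpenWrt's own tooling; it parses the output of `ip -4 addr`, `ip -4 route` and `iptables-save -c -t nat` and prints a verdict for each check. The interface name `tun0` and rule name `80_vpn` are taken from the thread; the sample command outputs embedded below are constructed. Note that a public address on tun0 still does not prove the provider forwards inbound traffic, which is why the counter check matters.

```shell
#!/bin/sh
# Added example (not from the thread): audit the three things the replies ask for on an
# OpenWrt router that terminates a VPN.
#   1. tun interface carries a globally routable IPv4 address
#   2. default route leaves via the tun interface (else replies to tunnel clients go out wan)
#   3. fw3 NAT rule on the tunnel zone is a DNAT to the LAN host and has matched packets
# On a live router pipe the real commands in instead of the constructed samples:
#   ip -4 addr show dev tun0  | check_tun_addr
#   ip -4 route show default  | check_default_route tun0
#   iptables-save -c -t nat   | check_dnat 80_vpn

# check_tun_addr: reads `ip -4 addr show dev IFACE`; prints "public", "private"
# (RFC1918, 100.64.0.0/10 carrier NAT, 169.254.0.0/16 link-local) or "none".
check_tun_addr() {
    awk '
      $1 == "inet" {
        found = 1
        split($2, a, "/"); split(a[1], o, ".")
        if (o[1] == 10 || (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
            (o[1] == 192 && o[2] == 168) || (o[1] == 100 && o[2] >= 64 && o[2] <= 127) ||
            (o[1] == 169 && o[2] == 254)) print "private"; else print "public"
        exit
      }
      END { if (!found) print "none" }'
}

# check_default_route IFACE: reads `ip -4 route show default`; prints "ok" when the first
# default route leaves via IFACE, "via <dev>" when it leaves elsewhere, or "no default route".
check_default_route() {
    awk -v want="$1" '
      $1 == "default" {
        seen = 1; dev = "?"
        for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
        if (dev == want) print "ok"; else print "via " dev
        exit
      }
      END { if (!seen) print "no default route" }'
}

# check_dnat NAME: reads `iptables-save -c -t nat`; for every rule fw3 tagged with NAME
# prints "<proto> <target> <verdict>".
check_dnat() {
    awk -v name="$1" '
      index($0, "\"!fw3: " name "\"") {
        split(substr($1, 2, length($1) - 2), c, ":")      # leading [pkts:bytes]
        proto = "?"; target = "?"
        for (i = 1; i <= NF; i++) { if ($i == "-p") proto = $(i + 1); if ($i == "-j") target = $(i + 1) }
        if (target == "REDIRECT")   v = "REDIRECT hands the port to the router itself; use DNAT to the LAN host"
        else if (target != "DNAT")  v = "unexpected target"
        else if (c[1] == 0)         v = "DNAT is right but 0 packets matched: nothing reached this zone"
        else                        v = "ok"
        print proto, target, v
      }'
}

# Constructed samples shaped like the real command output (not captured from a router).
SAMPLE_TUN_PUBLIC='    inet 172.111.10.20/24 brd 172.111.10.255 scope global tun0'
SAMPLE_TUN_PRIVATE='    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0'
SAMPLE_ROUTE_WAN='default via 192.168.1.1 dev eth0.2 proto static src 192.168.1.66'
SAMPLE_ROUTE_VPN='default via 172.111.10.1 dev tun0'
SAMPLE_NAT='[0:0] -A zone_vpnfirewall_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: 80_vpn" -j REDIRECT --to-ports 80
[0:0] -A zone_vpnfirewall_prerouting -p udp -m udp --dport 80 -m comment --comment "!fw3: 80_vpn" -j DNAT --to-destination 192.168.0.210:80
[37:2220] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: 80_wan" -j DNAT --to-destination 192.168.0.210:80'

echo "tun0 address:  $(printf '%s\n' "$SAMPLE_TUN_PUBLIC" | check_tun_addr)"
echo "default route: $(printf '%s\n' "$SAMPLE_ROUTE_WAN" | check_default_route tun0)"
printf '%s\n' "$SAMPLE_NAT" | check_dnat 80_vpn
```

Run as-is it reports the situation in the thread: a public tunnel address, a default route still via eth0.2, a REDIRECT where a DNAT belongs, and a DNAT that nothing has hit. The address classes are fixed in the awk condition rather than looked up, so the script runs on a stock busybox OpenWrt without extra packages.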