Newbie + OpenVPN + Forward port + Lucy = Not easy!

Hello everybody....
I have been reading pages and pages on Google and on this forum trying to solve my issue, so any help is really welcome.
I have my ISP modem, then my Xiaomi AX3600 router flashed with OpenWrt. I set up OpenWrt with the config file from AirVPN. My whole LAN is behind the router and uses the VPN. I would like to have an open port; AirVPN has assigned me port 6721.
Looks like very simple situation...

My VPN seems to be working (checked with https://www.yougetsignal.com/tools/open-ports/),
but the port shows as closed.

It looks like the port is correctly opened on AirVPN's side, as `tcpdump -n -i any tcp port 6721` shows incoming traffic. (That only proves the packets arrive on tun0; to see whether the DNAT is actually applied, also watch the LAN side with `tcpdump -n -i br-lan tcp port 6721`. If nothing shows up there, the packet is being dropped before it is forwarded, and since logging is enabled on the VPN zone, `logread` should show the reject.)

Here are my settings, any help is really appreciated :slight_smile:

root@OpenWrt:~# uci show network; uci show firewall; uci show openvpn
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdcf:928b:466d::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.31.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.gateway='192.168.31.2'
network.lan.dns='1.1.1.1' '8.8.8.8' '8.8.8.4'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.vpntunnel=interface
network.vpntunnel.proto='none'
network.vpntunnel.device='tun0'
network.vpntunnel.dns='10.4.0.1'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.pbr=include
firewall.pbr.fw4_compatible='1'
firewall.pbr.type='script'
firewall.pbr.path='/usr/share/pbr/pbr.firewall.include'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnfirewall'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].network='vpntunnel'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].log='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='vpnfirewall'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='test'
firewall.@redirect[0].src='vpnfirewall'
firewall.@redirect[0].src_dport='6721'
firewall.@redirect[0].dest_port='6721'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='192.168.31.192'
openvpn.custom_config=openvpn
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh2048.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.verb='3'
openvpn.airvpn=openvpn
openvpn.airvpn.config='/etc/openvpn/airvpn.ovpn'
openvpn.airvpn.enabled='1'
/

I hope that is not your real WAN IP address you are showing; if it is, please blur it.

An OpenVPN client does not need any port manually opened.

I used the instructions from the OpenWrt wiki to set up my OpenVPN client:

Hello Egc, thank you for your answer!
No, my WAN IP is not in there! The 192.168.x.x addresses are my LAN addresses.
OpenVPN is working without any port forward — it is definitely working — but I need a port forward for P2P.
I already read this page, and also the alternative guide listed at the end, but since yesterday I have tried many changes without success.

again any help is really welcomed

The link you posted shows: 84.26.xxx.xxx.
If that is the WAN address of your ISP router, you are a fellow countryman (Dutch) — and if so, please remove that link.

Are you trying to Port Forward through Air-VPN into your router?

I may be so old that I cannot find any line with 84.26.xxx —
could you please give me the line number?
Yes, exactly, I am trying to port forward through Airvpn into my router

You provided this link:

It showed an IP address if that is the IP address of your ISP router then better delete that.

The normal Port Forward is through the WAN interface but in your case we need to Port Forward through the OpenVPN tun interface.

Unfortunately I cannot give you the exact instructions: I am used to just adding the two necessary iptables rules (one accepting the traffic in FORWARD and one PREROUTING DNAT rule) with plain iptables commands, but I am not familiar yet with nftables. (On OpenWrt a `config redirect` stanza in /etc/config/firewall with `src`, `dest` and `dest_ip` should generate both of those for you.)

But one of the more knowledgeable and helpful forum member will undoubtedly chime in and give the right instructions.

lol... This is your ip :slight_smile:

Yeah, already figured that out :facepalm: — but then why post that link? It was not very helpful :frowning:

To be clear you're saying that:

  • You successfully setup your VPN with the AirVPN company
  • You have a P2P client/server running at IP 192.168.31.192 listening on tcp and udp ports 6721
  • You wish to open this port so it can be accessed using the IP provided via AirVPN thru the established tunnel for P2P

correct?

OK, if I understand correctly:

# Port forward (DNAT) from the VPN tunnel zone to the P2P host on the LAN.
config redirect
        option target 'DNAT'
        # inbound side: packets arriving from the 'vpnfirewall' zone (the tun0 interface)
        option src 'vpnfirewall'
        # NOTE(review): 'tcp' only — the P2P listener described above uses TCP *and* UDP
        # on 6721, so use option proto 'tcp udp' if UDP must be forwarded as well
        option proto 'tcp'
        option src_dport '6721'
        option dest_port '6721'
        option name 'P2P'
        # forward into the 'lan' zone, to this single host only (keep it that narrow:
        # whatever is at this address becomes reachable from the internet via the AirVPN IP)
        option dest 'lan'
        option dest_ip '192.168.31.192'

Hope this helps.

:spiral_notepad: (This all assumes the P2P device at 192.168.31.192 uses 192.168.31.1 as its gateway.)

wow wow WOW ... All looks correct...
I have to feed my teenager at home... She eat like a lion.. I'll try after lunch.
You definitely understood the issue, and one item remains: what did I do wrong in LuCI? I tried to follow a lot of tutorials... do you know of any tutorial that covers port forwarding through a VPN using LuCI?

I'm not sure about question, as you didn't show any screenshots.

Port Forwarding thru a VPN isn't that common with commercial companies; but the instructions are the same as any Port Forward tutorial.

Lastly, once you add the firewall rule, it will appear in the web GUI for easier viewing and understanding. To be honest, the rule I provided looks identical to yours; I'm not familiar with the CLI way of displaying configs. I was providing the stanza to add the rule to
/etc/config/firewall using the file-edit method.

:spiral_notepad: Very important: Are you sure that the P2P machine is using 192.168.31.1 (i.e. the OpenWrt) as its gateway?

You've configured the LAN - and it appears to have a gateway at 192.168.31.2 - so I want to verify that's correct.

Hope this helps.

Dear lleachii,
Unfortunately, I already have this rule, and it does not work — please see my firewall config file below.
Yes: on the Internet router's side, my OpenWrt router's WAN address is 192.168.1.11; on the LAN side the OpenWrt router is 192.168.31.1 and acts as the gateway for my other PCs and devices (192.168.31.2 and up).
So I have: Internet Router -> OpenWrt Router (LAN) -> PC

# /etc/config/firewall as posted. What is visible in this file:
#  - default policy: INPUT and FORWARD rejected, OUTPUT allowed
#  - zones: lan (fully open), wan (closed, masqueraded), vpnfirewall (tun0; closed,
#    masqueraded, rejects logged)
#  - the only forwarding stanza is lan -> vpnfirewall; there is NO lan -> wan forwarding,
#    so LAN clients cannot leave except through the tunnel (kill-switch behaviour,
#    assuming the pbr include below does not add forwarding of its own)
#  - one DNAT redirect exposing 192.168.31.192:6721 through the tunnel
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

# LAN zone: everything from the LAN to the router, and between LAN hosts, is accepted.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

# WAN zone (the ISP-router side, 192.168.1.x per the thread): nothing unsolicited in,
# outbound NATed, MSS clamped.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

# The following Allow-* rules match the stock OpenWrt rule set. All of them are
# wan -> router (no 'dest'), except Allow-ICMPv6-Forward (dest '*').
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

# wan -> lan pass-through for IPsec (ESP, and IKE on UDP/500) to *any* LAN host.
# Also part of the stock rule set; they only matter if a LAN host terminates IPsec.
# NOTE(review): if nothing on the LAN does, these can be removed or pinned with dest_ip.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

# Policy-based routing (pbr package) hooks its own nft rules in via this script;
# whatever it adds is not visible in this file.
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'

# Zone for the tunnel interface (network 'vpntunnel', which is tun0 in the network
# config). Unsolicited traffic arriving over the VPN is rejected, outbound traffic
# is masqueraded to the tunnel address, MSS is clamped, and rejects are logged —
# so `logread` shows whether a DNAT'd packet is being refused in FORWARD.
config zone
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list network 'vpntunnel'
option mtu_fix '1'
option log '1'

# The only way out of the LAN: into the tunnel.
config forwarding
option src 'lan'
option dest 'vpnfirewall'

# DNAT for the AirVPN-assigned port: tunnel:6721 -> 192.168.31.192:6721.
# No 'proto' is given, so it falls back to the firewall's default protocol set
# (fw4: tcp udp — confirm with `nft list ruleset | grep 6721`).
# This makes one LAN host's port 6721 reachable from the whole internet via the
# AirVPN address; keep the rule this narrow (single port, single dest_ip).
# NOTE(review): for the reply path to work, 192.168.31.192 must route back through
# 192.168.31.1 and the reply must leave via tun0. A 'gateway' option on the router's
# own lan interface (192.168.31.2 in the network config, where nothing answers) and
# any pbr policy steering this host elsewhere can both break that — check `ip route`.
config redirect
option target 'DNAT'
option name 'test'
option src 'vpnfirewall'
option src_dport '6721'
option dest_port '6721'
option dest 'lan'
option dest_ip '192.168.31.192'

well... I don't know how to manage this situation... Any help?

Maybe it'll help if I directly ask these questions.

  • What is 192.168.31.2?
  • Can you provide the contents of /etc/config/dhcp

Hi !
here is the content :

# /etc/config/dhcp as posted (dnsmasq + odhcpd).
# NOTE(review): keep rebind_protection and localservice on — they are the DNS
# hardening options in this stanza. Separately, the network config lists
# '8.8.8.4' as a resolver on the lan interface (likely a typo for 8.8.4.4), and
# static public resolvers there may answer instead of the tunnel's 10.4.0.1 —
# worth checking if DNS is expected to stay inside the VPN.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option strictorder '1'

# DHCPv4/v6 server on the LAN. Pool offset 2, 250 addresses: roughly .2–.251
# (.255 is the broadcast address and is never assignable). The router itself is .1.
# 'force' presumably keeps serving even if another DHCP server is seen on the segment.
config dhcp 'lan'
option interface 'lan'
option start '2'
option limit '250'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option force '1'

# No DHCP served towards the ISP router.
config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

# No DHCP served on the tunnel interface either.
config dhcp 'vpntunnel'
option interface 'vpntunnel'
option ignore '1'

I don't know if I got it right,
but what I want is: on my LAN the OpenWrt router is 192.168.31.1 and the addresses from .2 upward are for the other machines (.255 is the broadcast address, so .254 is the last usable one). But maybe I didn't choose the right options in LuCI.

This inquiry is very important too. What device is .2 - if your OpenWrt is .1?

FYI - you specified in your configuration that another router exists at 192.168.31.2 (the `gateway` option on the lan interface).

Currently there is nothing at xxx.2; my OpenWrt is at xxx.1.

I just tried removing the IPv4 gateway, but it changes nothing... I am lost!