OpenVPN client port forwarding from VPN server provider

I've looked at other threads with similar issues but I did not find or understand what I should do in my case.

I have an OpenWrt router set up with an OpenVPN client to the AirVPN VPN provider. I also added the "VPN killswitch" as a static configuration (i.e. without the script), to make sure all traffic moves through the VPN tunnel and won't pass through WAN. https://openwrt.org/docs/guide-user/services/vpn/openvpn/extra#kill_switch

It's working fine to access the Internet, but I wanted to use their "port forwarding" feature to forward the ports of their VPN server (that has a static and public IP for obvious reasons) to my OpenWrt router. https://airvpn.org/faq/port_forwarding/

So I set up their system to forward port 32881 to port 32881 of the OpenVPN client device (which is the OpenWrt router).

Then I tried all ways I could to forward the port 32881 from the OpenWrt router to port 22 of a test system at 192.168.1.1. But nothing works. I can't connect to the SSH of this test device.

This is the current firewall config.

root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6 tetheringwan LTE_MODEM pptp'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].masq='1'
firewall.vpn=zone
firewall.vpn.name='vpn'
firewall.vpn.output='ACCEPT'
firewall.vpn.mtu_fix='1'
firewall.vpn.device='tun0'
firewall.vpn.network=' '
firewall.vpn.forward='ACCEPT'
firewall.vpn.input='REJECT'
firewall.@rule[0]=rule
firewall.@rule[0].src_port='32881'
firewall.@rule[0].src='vpn'
firewall.@rule[0].name='test'
firewall.@rule[0].dest='lan'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].proto='tcp udp'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-DHCP-Renew'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest_port='68'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].family='ipv4'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-Ping'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='icmp'
firewall.@rule[2].icmp_type='echo-request'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-IGMP'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='igmp'
firewall.@rule[3].family='ipv4'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-DHCPv6'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='udp'
firewall.@rule[4].src_ip='fc00::/6'
firewall.@rule[4].dest_ip='fc00::/6'
firewall.@rule[4].dest_port='546'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-MLD'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].src_ip='fe80::/10'
firewall.@rule[5].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Input'
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-ICMPv6-Forward'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='*'
firewall.@rule[7].proto='icmp'
firewall.@rule[7].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[7].limit='1000/sec'
firewall.@rule[7].family='ipv6'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-IPSec-ESP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].proto='esp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-ISAKMP'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='lan'
firewall.@rule[9].dest_port='500'
firewall.@rule[9].proto='udp'
firewall.@rule[9].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.@redirect[0]=redirect
firewall.@redirect[0].name='test'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].dest_port='22'
firewall.@redirect[0].src='vpn'
firewall.@redirect[0].src_dport='32881'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='lan'
firewall.@forwarding[0].src='vpn'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='vpn'
firewall.@forwarding[1].src='lan'

Verify that you can see the incoming traffic here:

tcpdump -n -i any tcp port 32881

If OpenWrt with the VPN client installed is the same host as 192.168.1.1, make sure the SSH service listens on all interfaces.
Otherwise, OpenWrt must be the default gateway for 192.168.1.1 and the SSH service and firewall should not limit source address on the destination host.


network is empty?

You may want to change these to REJECT/DROP.

It's fine:

Otherwise, the forwarding would not work.


Hm, that's weird. If I connect from a device which is NOT in the same LAN network (using an SSH connection with the ConnectBot app on my smartphone, using its mobile data connection to access the Internet), it's working.

Which is good enough for what I need this for, I guess.

If I try to connect from a device that is inside the same LAN, which is what I tried to do above, it does not work. Any idea on why?

The source zone doesn't match LAN-originated connections:


You could enable nat loopback to have it working from LAN too. Or just use the internal address.

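To make the last two replies concrete, here is an added example (not code from the thread or from OpenWrt) that models how the firewall decides whether the 'test' redirect applies to a new connection: it matches when the SYN arrives on tun0 (the vpn zone), does not match a LAN-originated connection, and only with NAT loopback (reflection) does a LAN client get the same DNAT plus an SNAT to the router's LAN address. The device-to-zone map for br-lan and the router's own addresses (10.4.0.2 on tun0, 192.168.1.254 on br-lan) are constructed assumptions; the redirect is parsed from an excerpt of the `uci show firewall` output above.

```python
# Added example, not code from the thread: a small model of OpenWrt redirect
# matching for the 'test' DNAT rule, with and without NAT loopback.
# Constructed assumptions: br-lan is the lan zone's device and the router
# itself holds 10.4.0.2 on tun0 and 192.168.1.254 on br-lan.
import re
from dataclasses import dataclass

UCI_SHOW = """\
firewall.vpn=zone
firewall.vpn.name='vpn'
firewall.vpn.device='tun0'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_port='22'
firewall.@redirect[0].src='vpn'
firewall.@redirect[0].src_dport='32881'
"""  # excerpt of the thread's `uci show firewall`

ROUTER_ADDR = {"vpn": "10.4.0.2", "lan": "192.168.1.254"}  # assumed addresses
ZONE_OF_DEVICE = {"tun0": "vpn", "br-lan": "lan"}            # assumed mapping

@dataclass
class Conn:
    in_dev: str    # interface the SYN arrives on
    dst_ip: str
    dst_port: int

def parse_uci(text):
    """Turn `uci show` lines into {section: {option: value}}."""
    cfg = {}
    for line in text.splitlines():
        sec, opt, val = re.match(r"firewall\.([^.=]+)(?:\.([^=]+))?=(.*)", line).groups()
        cfg.setdefault(sec, {})[opt or ".type"] = val.strip("'")
    return cfg

def dnat_for(conn, cfg, reflection=False):
    """Return (new_dst_ip, new_dst_port, snat_to) or None if the redirect does not apply."""
    rd = next(s for s in cfg.values() if s[".type"] == "redirect")
    zone = ZONE_OF_DEVICE.get(conn.in_dev)
    if conn.dst_port != int(rd["src_dport"]):
        return None
    if zone == rd["src"]:                      # arrived from the vpn zone: plain DNAT
        return (rd["dest_ip"], int(rd["dest_port"]), None)
    if reflection and zone == rd["dest"] and conn.dst_ip == ROUTER_ADDR[rd["src"]]:
        # NAT loopback: same DNAT for LAN clients hitting the router's vpn-side
        # address, plus SNAT to the router's LAN address (reflection_src='internal')
        # so the server's replies return via the router instead of going direct.
        return (rd["dest_ip"], int(rd["dest_port"]), ROUTER_ADDR[rd["dest"]])
    return None

CFG = parse_uci(UCI_SHOW)
```

As the reply notes, a LAN client can simply use 192.168.1.1:22 directly, which needs no NAT at all.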
