Port forwarding not working after installing WireGuard VPN (NordVPN)

I installed OpenWrt on the router and port forwarding works

WAN interface connected to my ISP modem. I get a routable public IP address
LAN interface as a default gateway
on the firewall lan forwards to WAN
I set up port forwarding for a custom port on the WAN zone to pass to a server in the lan zone and it's forwarding packets. I was able to test this by telnetting from the internet on the specific port
I then installed WireGuard and used a config file for the interface and the peering, and now the VPN is working but port forwarding is not
/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd24:8fbc:abce::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.5.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'WAN'
	option proto 'dhcp'
	option device 'eth1'

config interface 'nordWG'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list addresses 'xxx.xxx.xxx.xxx/16'
	option delegate '0'
	list dns '103.86.96.100'
	list dns '103.86.99.100'

config wireguard_nordWG
	option description 'wg.conf'
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option persistent_keepalive '25'
	option endpoint_host 'xxx.xxx.xxx.xxx'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'
	option masq '1'

config zone
	option name 'WAN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'WAN'

config forwarding
	option src 'lan'
	option dest 'WAN'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'rpc'
	option src 'WAN'
	option src_dport '18080'
	option dest_ip '10.0.5.198'
	option dest_port '18080'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'p2pool'
	option src 'WAN'
	option src_dport '3333'
	option dest_ip '10.0.5.163'
	option dest_port '3333'

config zone
	option name 'NordVPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'nordWG'
	option masq '1'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config rule
	option name '18080'
	option src 'WAN'
	list src_ip '0.0.0.0/0'
	option src_port '18080'
	option dest 'lan'
	list dest_ip '10.0.5.198'
	option dest_port '18080'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'NordVPN'

This is expected behavior because all outbound traffic is sent via the tunnel instead of the regular WAN. The reply packets for connections that come in via the WAN (port forwarding) will then egress out the wrong interface (WG instead of WAN).

The solution is policy based routing.

https://openwrt.org/docs/guide-user/network/routing/pbr

Thanks for getting back to me.
I installed luci-app-pbr but it won't start

Thanks for your help
I set a port forwarder

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '18080'
        list proto 'tcp'
        option src 'wan'
        option src_dport '18080'
        option dest_ip '10.0.5.198'
        option dest_port '18080'

and the policy

config policy
        option name '18080 out'
        option src_addr '10.0.5.198'
        option src_port '18080'
        option dest_addr '0.0.0.0/0'
        option dest_port '18080'
        option proto 'tcp'
        option interface 'WAN'

Network config

config interface 'WAN'
	option proto 'dhcp'
	option device 'eth1'
	option peerdns '0'
	list dns '103.86.99.100'
	list dns '103.86.96.100'

config interface 'nordWG'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list addresses 'xxx.xxx.xxx.xxx/x'
	list dns '103.86.99.100'
	list dns '103.86.96.100'

config wireguard_nordWG
	option description 'nord-chi'
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option route_allowed_ips '1'
	option endpoint_host 'xxx.xxx.xxx.xxx'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

still not working

Wed Oct  9 08:26:40 2024 kern.warn kernel: [ 9624.227587] reject wan in: IN=eth1 OUT= MAC=00:e0:4c:54:69:90:00:01:5c:86:48:a9:08:00 SRC=117.206.185.88 DST=186.72.48.237 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=48870 PROTO=TCP SPT=22638 DPT=23 WINDOW=41385 RES=0x00 SYN URGP=0

What am I doing wrong?

Better remove the dest_port as that could be different.
But even then it will probably not work.
Using fwmark with sport does not seem to work.
Better use a rule.
You can use a pbr include file, e.g. see

Just use your 18080 as sport

I still get

Sat Oct 12 20:31:24 2024 kern.warn kernel: [  125.255798] reject wan in: IN=eth1 OUT= MAC=00:e0:4c:54:69:90:00:01:5c:86:48:a9:08:00 SRC=185.93.1.113 DST=186.72.48.237 LEN=140 TOS=0x00 PREC=0x00 TTL=47 ID=55555 PROTO=UDP SPT=3389 DPT=60294 LEN=120

My pbr config file

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option procd_wan_interface 'WAN'
	list resolver_instance '*'
	option ipv6_enabled '0'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_boot_delay '0'
	option procd_reload_delay '1'
	option webui_show_ignore_target '1'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config include
	option enabled '1'
	option path '/usr/share/pbr/pbr.user.sport'

/usr/share/pbr/pbr.user.sport

#!/bin/sh
# shellcheck disable=SC1091,SC3043
# This code is based on idea of https://github.com/egc112

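# set all listenports as a space delimited string
myports="18080"

# name: pbr.user.sport
# version: 0.1.0, by egc
# purpose: route sourceports e.g. of VPN servers in your lan via the WAN
# installation:
#  copy this file to /usr/share/pbr
#  in this script adapt 'myports' to include all the sourceports you want to route via the WAN
#  in the PBR GUI add as include file or add in /etc/config/pbr:
#     config include
#	       option enabled '1'
#	       option path '/usr/share/pbr/pbr.user.sport'
#
# check from command line with: 'ip rule show'
#
# How it works: for every port in 'myports' an "ip rule" is installed that
# sends packets whose *source* port is that port to the routing table pbr
# keeps for the WAN interface ("pbr_<interface>"). The match is on the
# source port only, so it applies to any host behind the router that sends
# from that port, not just the one the firewall redirect points at.


# OpenWrt name of the WAN interface, used to build the pbr table name.
# It may be overridden from the environment; the default keeps the original
# value. NOTE(review): /etc/config/network on this router names the
# interface 'WAN' (upper case) - if pbr keeps that case for its table name,
# this default will not match; confirm with 'ip rule show' after a reload.
WAN_INTERFACE="${WAN_INTERFACE:-wan}"
wan_table="pbr_${WAN_INTERFACE}"

# $myports is intentionally unquoted: it is a space-delimited list.
# shellcheck disable=SC2086
for listen_port in $myports; do
	# Drop any existing copy first so a reload does not stack duplicate
	# rules. Failure here only means no rule existed yet, so it is silenced.
	ip rule del sport "$listen_port" table "$wan_table" >/dev/null 2>&1
	# Do not silence the add: a missing or misnamed table fails here, and
	# hiding that leaves the port routed through the tunnel with no trace.
	# No 'exit' on purpose - if pbr sources this include file, a hard exit
	# could abort its reload; report and continue with the next port.
	if ! ip rule add sport "$listen_port" table "$wan_table" >/dev/null; then
		printf 'pbr.user.sport: could not add ip rule for sport %s (table %s)\n' \
			"$listen_port" "$wan_table" >&2
	fi
done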

and the firewall config

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'
	option log '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WAN'
	option log '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'pvtwgchi'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'pvtwgchi'
	option masq '1'
	option log '1'

config forwarding
	option src 'lan'
	option dest 'pvtwgchi'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option family 'ipv4'
	option src 'pvtwgchi'
	option src_dport '18080'
	option dest_ip '10.0.5.198'

config rule
	option name '18080'
	list src_ip '10.0.5.198'
	option src_port '18080'
	option dest 'wan'
	option dest_port '18080'
	option target 'ACCEPT'

also pbr GUI fails to start
