Hello everyone,
//Problem
I need to open a specific range of incoming ports on my public address and forward them to one machine on the LAN, bypassing the OpenVPN tunnel that is meant to carry everything else.
Internet <=> WAN <=> LAN <=> PC (just for 60950-60961, FTP Server + Dedicated Gaming Server)
Internet <= ProtonVPN <= WAN <= ClientVPN <= LAN (everything else)
//Intro
I am having trouble getting port forwarding (reached via DDNS) to work once I activate OpenVPN.
Whenever I enable OpenVPN, the FTP client cannot connect to me and the DDNS service shows an "XHR request timed out" warning; strangely, the domain still resolves correctly to my public IP address (possibly because my ISP rarely changes it).
With OpenVPN disabled, everything works as intended (the camera connects to the FTP server and stores clips, and my friends can play on my server).
While I consider myself able to navigate technical topics, I am totally lost here. I am currently learning to use SSH and the inner workings of managing a network, which is fun, but I really need those camera recordings flowing. I have read many help/tutorial articles, but it seems I am either misunderstanding them or they are not meant for my use case.
//Config
ISP router in bridge mode, Asus RT-AX53U (WAN port connected to the ISP router), test server on LAN1, and a bunch of private devices on the Wi-Fi networks.
Firmware version 23.05.5 r24106-10cc5fcd00 / LuCI openwrt-23.05 branch git-24.264.56413-c7a3562
Kernel version 5.15.167
The server is Windows 10 with IIS, with the FTP service set up on port 60960 (PASV range 60950-60959), plus port 60961 for hosting game servers for my friends.
The camera is set to connect to the FTP server; it works without the VPN.
On the remote side I have a camera that is set to save recordings to the FTP server.
Additionally, I may host game servers for me and my friends, and I need them to be able to connect to me too.
In the future I may create a VPN tunnel to connect remotely to my home network.
On the configuration side, I have an OpenVPN client using ProtonVPN, set up as described in their guide:
but modified so that the VPN is on a separate unmanaged interface using the tun0 device, with its own firewall zone.
The DynDNS service is configured following a tutorial I can no longer find. It uses no-ip.com (my ISP rarely changes my public address, but it can happen, so I need a free DDNS just for one hostname-to-IP mapping).
//Logs
All of my config (I know it will be helpful) is posted here:
#######################
##\etc\config\network##
# /etc/config/network as posted (indentation was lost in the paste).
# Interfaces: lan (br-lan, 172.16.32.0/24), wan (DHCP from the bridged ISP
# router), VPN (the tun0 device created by OpenVPN) and Public (guest bridge).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdfd:c877:b182::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '172.16.32.1'
option netmask '255.255.255.0'
option ip6assign '60'
# 10.2.0.1 is the only resolver given to the LAN; it is presumably the
# tunnel-side resolver, so LAN name resolution stops when tun0 is down
# (fail-closed) — TODO confirm this is intended.
list dns '10.2.0.1'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
# peerdns 0: ISP-supplied resolvers are ignored in favour of the list below.
option peerdns '0'
list dns '10.2.0.1'
# proto none: the interface is not configured by netifd; it only binds the
# OpenVPN-managed tun0 device so it can be placed in the 'VPN' firewall zone.
config interface 'VPN'
option proto 'none'
option device 'tun0'
list dns '10.2.0.1'
config device
option name 'tun0'
# Guest Wi-Fi network. Uses public resolvers rather than the tunnel resolver,
# and delegate 0 keeps it from receiving an IPv6 prefix delegation.
config interface 'Public'
option proto 'static'
option device 'br-pubwifi'
option ipaddr '192.168.69.1'
option netmask '255.255.255.0'
list dns '8.8.8.8'
list dns '8.8.4.4'
option delegate '0'
# bridge_empty 1: the guest bridge is brought up even with no member ports yet.
config device
option type 'bridge'
option name 'br-pubwifi'
option bridge_empty '1'
# IPv6 disabled on the guest AP radio interface.
config device
option name 'phy0-ap1'
option ipv6 '0'
########################
##\etc\config\firewall##
# /etc/config/firewall as posted (indentation was lost in the paste).
# Default policy for traffic that matches no zone; the zones below set their
# own input/output/forward policies, so these only act as a fallback.
config defaults
option input 'ACCEPT'
option output 'REJECT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option log '1'
option log_limit '50'
list network 'lan'
# Firewall hook for the pbr (policy-based routing) package.
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'
# Zone for the tun0 tunnel. NOTE(review): input ACCEPT lets hosts on the
# provider side of the tunnel reach services on the router itself; the WAN
# zone below uses REJECT — consider the same here unless something needs it.
config zone
option name 'VPN'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
option log '1'
option log_limit '50'
list network 'VPN'
# masq 1: LAN traffic leaving through tun0 is NATed to the tunnel address.
option masq '1'
# LAN clients are allowed out through the tunnel.
config forwarding
option src 'lan'
option dest 'VPN'
config zone
option name 'WAN'
option input 'REJECT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
option log '1'
option log_limit '50'
list network 'wan'
# Guest zone: no access to the router, and forwarding only to WAN (below),
# so guest traffic bypasses the tunnel.
config zone
option name 'Public'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option log '1'
option log_limit '50'
list network 'Public'
option masq '1'
config forwarding
option src 'Public'
option dest 'WAN'
# T1: DNAT 60950-60961 arriving on WAN to the server. No 'proto' is given,
# so fw4's default for redirects applies; reflection 0 disables NAT loopback
# from the LAN side. NOTE(review): when tun0 is up, the server's replies
# presumably follow the tunnel default route instead of going back out via
# wan unless pbr steers them — this is a likely reason the forward only fails
# with OpenVPN enabled; TODO confirm with the pbr policy.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'T1'
option src 'WAN'
option src_dport '60950-60961'
option dest_ip '172.16.32.10'
option dest_port '60950-60961'
option reflection '0'
# T22: NOTE(review): src_port matches the remote client's *source* port,
# not the forwarded port, so this rule does not match the port-forward
# traffic as written; an accept for the DNAT target is normally expressed
# with dest_port, and fw4 already accepts traffic for a redirect that names
# a 'dest' zone — confirm whether this rule is needed at all.
config rule
option name 'T22'
option family 'ipv4'
option src 'WAN'
option src_port '60950-60961'
option dest 'lan'
list dest_ip '172.16.32.10'
option target 'ACCEPT'
# T54: same DNAT for traffic arriving through the tunnel; only effective if
# the provider actually delivers those ports into tun0 (not shown here).
config redirect
option dest 'lan'
option target 'DNAT'
option name 'T54'
option src 'VPN'
option src_dport '60950-60961'
option dest_ip '172.16.32.10'
option dest_port '60950-60961'
# NOTE(review): zone-wide forwarding from the tunnel into the LAN is broader
# than the single DNAT above; it only matters if the tunnel side can route
# to LAN addresses, but the redirect alone is enough for the port forward.
config forwarding
option src 'VPN'
option dest 'lan'
# NOTE(review): this allows *any* inbound traffic from the internet to be
# forwarded into the LAN, not just ports 60950-60961. Behind IPv4 NAT it is
# mostly moot, but it would expose LAN hosts if routable (e.g. IPv6)
# addresses are ever assigned on the LAN. The T1 redirect does not need it.
config forwarding
option src 'WAN'
option dest 'lan'
####################
##\etc\config\ddns##
# /etc/config/ddns as posted (indentation was lost in the paste).
config ddns 'global'
option ddns_dateformat '%F %R'
option ddns_loglines '250'
option ddns_rundir '/var/run/ddns'
option ddns_logdir '/var/log/ddns'
# IPv4-only no-ip.com update for one hostname. username/password were
# redacted by the poster ('#').
config service 'myddns_ipv4'
option service_name 'no-ip.com'
# lookup_host is resolved to decide whether an update is needed; here it is
# the same name as the updated domain.
option lookup_host 'all.ddnskey.com'
option enabled '1'
option use_ipv6 '0'
option domain 'all.ddnskey.com'
option username '#'
option password '#'
# ip_source 'network' reads the address of the 'wan' interface locally, so
# the tunnel does not change which IP gets reported. The "XHR request timed
# out" seen in the UI presumably comes from the LuCI status page rather than
# from the update itself — TODO check /var/log/ddns to confirm.
option ip_source 'network'
option interface 'wan'
option use_syslog '2'
option check_unit 'minutes'
option force_unit 'minutes'
option retry_unit 'seconds'
option ip_network 'wan'
###################
##\etc\config\pbr##
# /etc/config/pbr as posted (indentation was lost in the paste).
config pbr 'config'
option enabled '1'
option verbosity '2'
# strict_enforcement 1: traffic for a policy whose interface is down is
# dropped rather than falling through to the default route.
option strict_enforcement '1'
option src_ipset '0'
option dest_ipset '0'
option resolver_set 'none'
option ipv6_enabled '0'
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option rule_create_option 'add'
option procd_reload_delay '1'
option webui_enable_column '0'
option webui_protocol_column '0'
option webui_chain_column '0'
option webui_show_ignore_target '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
config include
option path '/etc/pbr.netflix.user'
option enabled '0'
config include
option path '/etc/pbr.aws.user'
option enabled '0'
# Test1: meant to send the forwarded ports' traffic out via wan instead of
# the tunnel. NOTE(review): it is disabled (enabled 0), so nothing currently
# steers those replies back to wan. Also, giving both src_port and dest_port
# presumably requires both to match; the server's replies carry 60950-60961
# only as their source port — TODO confirm against the pbr docs whether
# matching src_addr '172.16.32.10' plus src_port alone is the intended form.
config policy
option name 'Test1'
option src_port '60950-60961'
option dest_port '60950-60961'
option interface 'wan'
option enabled '0'
###########################
##\OpenVPN\ProtonVPN.ovpn##
# OpenVPN client profile as posted. The remote addresses are placeholders
# (1.0.0.127 is not a real server address) and '#(...)' marks omitted lines;
# no ca/<ca> directive appears in the excerpt — presumably omitted there too.
client
dev tun
proto udp
remote 1.0.0.127 51820
#(...)
remote 1.0.0.127 80
server-poll-timeout 20
remote-random
resolv-retry infinite
# nobind: no fixed local source port.
nobind
# AEAD data-channel cipher.
cipher AES-256-GCM
setenv CLIENT_CERT 0
# mssfix 0 disables OpenVPN's own MSS clamping; the 'VPN' firewall zone's
# mtu_fix handles clamping instead.
tun-mtu 1500
mssfix 0
persist-key
persist-tun
# reneg-sec 0 disables periodic data-channel key renegotiation for the life
# of the session (taken from the provider guide per the post).
reneg-sec 0
# Requires the server certificate to carry the server EKU, so a peer holding
# only a client certificate cannot impersonate the server.
remote-cert-tls server
# Credentials file on the router; keep it readable by root only
# (e.g. mode 600) — TODO confirm its permissions.
auth-user-pass /etc/openvpn/ProtonVPN.auth
##END OF LOGS##
//Question
Is it possible to do what I want, or should I pursue an alternative solution — and if so, which one?