Port Forwarding with Wireguard (or VPN in general?)

Hey guys and gals!

This is a problem I have been fighting with for a long time now... :roll_eyes:

Since I got my fibre channel internet connection, I no longer have a public IPv4 address. My ISP offers a dual stack lite (DS-lite) and CG-NAT (100.64.0.0/10) for IPv4.

Because I still want to have a public IPv4 address and open ports for services (like ssh), I got myself a VPN connection (with OVPN). I can only forward a handful of ports, but that is enough for me at the moment.

On the hardware side, I have a Raspberry Pi 4B with 4GB of RAM (which should do fine IMHO). This is not my main router - I have a FritzBox 4060 for that. The idea is that the machines which should be routed over the VPN get the Pi as the default route and the magic happens in there. :nerd_face:

First of all: The VPN works. I can surf the web using the Pi and the machine I have designated as the ssh-server also connects to the net using the VPN. mtr is a wonderful tool. :nerd_face:

But somehow I just can't get the port forwarding to work. Services like canyouseeme.org and portchecker.co tell me there are no ports open. I have played around with tcpdump and noticed that something seems to arrive when I use one of the said websites to check if the port is opened, but nothing seems to come through. This leads me to believe that my firewall is blocking the traffic. Of course I have also tried to connect via ssh from the outside. I got no joy there either.

I tried a very simple approach at first: I instructed the router to route traffic arriving on the VPN interface at $port to an internal IP address, port 22 there. That is actually pretty trivial - in theory. :squinting_face_with_tongue:

Because I couldn't get it to work, I started searching the web and tinkered with the settings. I went down quite the rabbit hole there. :man_shrugging:t3: Among other things, I read somewhere that port forwards through a VPN require different rules. I can't find the article anymore, however. The content didn't help my case but I remembered the statement about the rules.

Is there something special I have to consider? Do I need an additional NAT level or something else? I am happy to start from scratch with my firewall config.

Can someone give me a push in the right direction?

Best regards,
Chris
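The forward described in the post above (traffic arriving on the VPN interface at one port, DNATed to an internal host on port 22, with the Pi as that host's default route) written out as an nftables ruleset for the Pi. This is an added example, not the poster's configuration or anything from the thread: the interface names wg0 and eth0, the 192.168.178.x addresses and the port numbers are assumptions, and the `counter` keyword on each rule is there so that `nft list ruleset` shows whether packets reach the DNAT rule at all and whether the forward chain then lets them through, which separates "nothing arrives from the provider" from "the Pi's firewall drops it".

```shell
#!/bin/sh
# Added example (not from the thread): nftables rules for a Raspberry Pi that is
# not the main router but is the default gateway for selected LAN hosts, and
# forwards one TCP port arriving through the VPN tunnel to an internal SSH server.
# Every name, address and port below is an assumption; adjust to your network.

VPN_IF="${VPN_IF:-wg0}"                  # tunnel interface (wg0 WireGuard, tun0 OpenVPN)
LAN_IF="${LAN_IF:-eth0}"                 # the Pi's LAN interface
SSH_HOST="${SSH_HOST:-192.168.178.10}"   # internal SSH server (constructed address)
PUBLIC_PORT="${PUBLIC_PORT:-51234}"      # port the VPN provider maps to this tunnel
LOCAL_PORT="${LOCAL_PORT:-22}"           # service port on SSH_HOST

# Print the ruleset. The DNAT alone is not enough: with a default-drop forward
# chain the translated packet still needs an explicit accept, and replies from
# SSH_HOST must come back through the Pi (hence the Pi as its default route),
# or they leave via the main router and the connection never completes.
gen_ruleset() {
    cat <<EOF
table inet pi_vpn_fwd {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # counter shows whether the provider delivers anything on this port
        iifname "$VPN_IF" tcp dport $PUBLIC_PORT counter dnat ip to $SSH_HOST:$LOCAL_PORT
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # LAN hosts that use the Pi as default route leave through the tunnel
        oifname "$VPN_IF" counter masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related counter accept
        iifname "$LAN_IF" oifname "$VPN_IF" counter accept
        # only the DNATed connection is allowed in from the tunnel
        iifname "$VPN_IF" oifname "$LAN_IF" ct status dnat ip daddr $SSH_HOST tcp dport $LOCAL_PORT counter accept
    }
}
EOF
}

# Forwarding must be enabled or DNATed packets are dropped before the forward
# chain is ever consulted. Returns 0 when enabled, 1 otherwise.
check_forwarding() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

case "${1:-show}" in
    show)
        gen_ruleset
        ;;
    apply)
        check_forwarding || echo "warning: net.ipv4.ip_forward is not 1" >&2
        gen_ruleset | nft -f -
        ;;
    *)
        echo "usage: $0 [show|apply]" >&2
        exit 2
        ;;
esac
```

Run it without arguments to print the ruleset, pipe that into `nft -c -f -` to syntax-check it, then `apply` as root. After a test from the outside, `nft list ruleset` shows the counters: a zero on the prerouting DNAT rule means the packet never reached the tunnel (a provider-side question), a non-zero DNAT counter with a zero on the forward accept means the Pi itself is dropping it.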

Let's start with this... does your VPN service explicitly offer port forwarding services? In other words, are they providing you with either your own dedicated IPv4 (that is not shared by other users) and/or a range of ports that are open for your account specifically for inbound connections to your network? This is not a common use case for most VPN providers, so if they don't say it explicitly in their documentation, you probably don't have that functionality.