Use port forwarding with active VPN connection

Hello,
I'm trying to connect from outside the LAN to my normal ISP IP. I already managed
to update my DDNS provider with the right ISP IP while the VPN (NordVPN WireGuard) is active.

In my understanding the connection comes in through the normal WAN interface and the answer is being routed through the VPN because of the default route that is set when activating the VPN.

So I tried luci-app-pbr but I can't get it to work. Can anyone give me a configuration example of, let's say, reaching a Jellyfin server on port 8096 with the LAN IP 192.168.1.5 on the normal ISP IP while the default route goes through a WireGuard server from NordVPN?

Of course, first I tried to simply connect to the VPN's public IP with a port forward from the VPN interface, but the VPN provider seems to block that.

Any help would be nice!

Something like this would do the task. You can add the internal device IP as well.

Hello, thank you for your answer!
I tried this config but without the Emby server domains because I'm
connecting directly with a tablet and mobile phone to that port and don't use this type of server log-in.
I think Jellyfin (a fork of Emby) doesn't have those server domains anyway.
So I tried to type in "0.0.0.0/0" as the remote IP (not a secure way); that was not successful. Then I additionally created a DDNS domain with an updating app on my phone and typed in that domain to be allowed to connect, but that didn't work either.
Should I leave the field blank?
That pbr LuCI app looks so easy and self-explanatory to set up, but I can't get it to work properly...

Any ideas?

Thanks...

I even tried asking ChatGPT which iptables-nft command I could try, but the feedback was nonsense.

Could you post the output of uci export pbr here so the rule can be verified?

Hello,
here is the output:

package pbr
config pbr 'config'
        option strict_enforcement '1'
        option resolver_set 'none'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '3'
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        option enabled '1'
        option verbosity '1'
        option ipv6_enabled '1'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        list ignored_interface 'vpn'
        list ignored_interface 'tailscale'
        list ignored_interface 'zerotier'
        list ignored_interface 'NordVPNClient'
        list ignored_interface 'Tailscale'
config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '1'
config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '1'
config policy
        option name 'Jellyfin Remote Clients'
        option interface 'wan'
        option src_port '8096'
        option src_addr '192.168.1.240'
        option dest_addr '0.0.0.0/0'
        option dest_port '0-65535'
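
A small model of the reply-path problem described in the first post and of the policy in the uci export above, added here as an example; it is not from the thread and not the pbr package's own code. It parses uci export text of the posted shape into sections, then picks the egress interface for a reply packet the way a first-match pbr policy would, falling back to the VPN default route when nothing matches. The NordVPNClient default interface, the client and WAN addresses, and the enabled option are assumptions; real pbr implements this with nftables marks and ip rules, not in user space.

```python
import ipaddress
import re

# Constructed sample input: same shape as the `uci export pbr` output posted in
# this thread (policy values mirror the posted one; `enabled` handling is assumed).
SAMPLE_UCI_EXPORT = """package pbr
config pbr 'config'
        option strict_enforcement '1'
        option enabled '1'
        list ignored_interface 'NordVPNClient'
config policy
        option name 'Jellyfin Remote Clients'
        option interface 'wan'
        option src_port '8096'
        option src_addr '192.168.1.240'
        option dest_addr '0.0.0.0/0'
        option dest_port '0-65535'
"""


def parse_uci_export(text):
    """Parse `uci export` text into a list of sections: type, name, options, lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("package "):
            continue
        m = re.match(r"config (\S+)(?: '([^']*)')?$", line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2),
                             "options": {}, "lists": {}})
            continue
        m = re.match(r"(option|list) (\S+) '([^']*)'$", line)
        if m and sections:
            kind, key, value = m.groups()
            if kind == "option":
                sections[-1]["options"][key] = value
            else:
                sections[-1]["lists"].setdefault(key, []).append(value)
    return sections


def port_matches(spec, port):
    """pbr port spec: absent/empty = any, 'lo-hi' = range, 'n' = single port."""
    if not spec:
        return True
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    return lo <= port <= hi


def addr_matches(spec, addr):
    """pbr address spec: absent/empty = any, otherwise an IP or CIDR prefix."""
    if not spec:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def policy_matches(policy, pkt):
    o = policy["options"]
    return (addr_matches(o.get("src_addr"), pkt["src_addr"])
            and port_matches(o.get("src_port"), pkt["src_port"])
            and addr_matches(o.get("dest_addr"), pkt["dst_addr"])
            and port_matches(o.get("dest_port"), pkt["dst_port"]))


def select_egress(sections, pkt, default_iface="NordVPNClient"):
    """First matching enabled policy wins; otherwise the VPN default route carries it."""
    for s in sections:
        if s["type"] != "policy" or s["options"].get("enabled", "1") != "1":
            continue
        if policy_matches(s, pkt):
            return s["options"]["interface"], s["options"].get("name")
    return default_iface, None


def reply_for(inbound, dnat_addr, dnat_port):
    """After the WAN port forward (DNAT) the server answers from its LAN address,
    so the reply's source address/port is what the policy has to match on."""
    return {"src_addr": dnat_addr, "src_port": dnat_port,
            "dst_addr": inbound["src_addr"], "dst_port": inbound["src_port"]}


if __name__ == "__main__":
    # Assumed addresses: remote client 203.0.113.7, ISP WAN IP 198.51.100.10.
    sections = parse_uci_export(SAMPLE_UCI_EXPORT)
    inbound = {"src_addr": "203.0.113.7", "src_port": 51000,
               "dst_addr": "198.51.100.10", "dst_port": 8096}
    reply = reply_for(inbound, "192.168.1.240", 8096)
    print("Jellyfin reply leaves via:", select_egress(sections, reply))
    other = {"src_addr": "192.168.1.240", "src_port": 443,
             "dst_addr": "203.0.113.7", "dst_port": 51000}
    print("Other traffic from the same host:", select_egress(sections, other))
```

The model makes the scope of the policy visible: only packets sourced from 192.168.1.240 with source port 8096 leave through the WAN, so the rest of that host's traffic still goes through the VPN. Dropping src_port from the policy would pull every outbound connection of that host out of the VPN, which is a wider exposure than the port forward needs.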

Looks fine. What is the output of:

uci set pbr.config.verbosity='2'; \
uci commit pbr; \
ubus call system board; \
uci export dhcp; uci export firewall; uci export network;\
/etc/init.d/pbr status
/etc/init.d/pbr reload
/etc/init.d/pbr status

Here is the output on pastebin:

Output

Does it work fine if you disable the NordVPN?
Are you connecting from the internet, and not from the LAN using the WAN IP address?
I don't see any hits on the rules, so it's either that, or your ISP is blocking something.