VPN port forward returning through WAN

Hello,
I'm trying to port forward from my VPN provider into the router's port itself. From the tcpdump I see the incoming connection, but the response is routed through WAN.

config redirect
	option target 'DNAT'
	option name 'vpn-pf'
	option src 'wg'
	option src_dport '12345'
	option dest_port '51822'
	list proto 'udp'
	option dest_ip '192.168.2.1'

I read a few old topics in the forum, but they mostly have iptables commands, and I guess that's not the case in the latest builds (nft, I guess).

11:44:35.637256 IP [mobile device].5929 > 100.70.70.39.12345: UDP, length 148
11:44:35.648444 IP 192.168.0.125.51822 > [mobile device].5929: UDP, length 92
11:44:35.648494 IP 192.168.0.125.51822 > [mobile device].5929: UDP, length 92

I've enabled "NAT loopback" and tried with internal and external IP under port forwarding. No change.

Board:

{
	"kernel": "5.10.161",
	"hostname": "OpenWRT",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Netgear R6800",
	"board_name": "netgear,r6800",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.3",
		"revision": "r20028-43d71ad93e",
		"target": "ramips/mt7621",
		"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
	}
}

Thank you.

You need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

Usually the pbr option works fine for most. mwan3 is overkill for your case. The set of rules/routes is the simplest; however, uci rules cannot match ports, hence it needs to be done with fwmark.

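As an added example of the third option above (not from the thread or the pbr package), rules and routes keyed on an fwmark: connections entering on the commercial VPN interface get a conntrack mark, replies restore it as a packet mark, and a policy rule sends marked packets to a table whose only route is that interface. Assumed: the WireGuard netdev is named wscribe, mark 0x10 and table 100 are unused, and the nft ruleset is loaded with nft -f on its own rather than through fw4's /etc/nftables.d include.

```shell
#!/bin/sh
# Added example: return-path policy routing for a port forward that arrives
# over the commercial WireGuard interface. Names below are assumptions.

VPN_IF="${VPN_IF:-wscribe}"   # assumed netdev of the commercial VPN
MARK="${MARK:-0x10}"          # assumed unused fwmark
TABLE="${TABLE:-100}"         # assumed unused routing table

# nft ruleset: new flows arriving on the VPN netdev get a conntrack mark.
# Replies restore it as a packet mark in the output path (services on the
# router itself, like the wg server on 51822) and in the forward path (a DNAT
# target on the LAN). Packets still arriving on the VPN are excluded from the
# restore so inbound traffic is never bounced back out the same interface.
pbr_nft_ruleset() {
	cat <<EOF
table inet pbr_return {
	chain prerouting {
		type filter hook prerouting priority mangle; policy accept;
		iifname "$VPN_IF" ct state new ct mark set $MARK
		iifname != "$VPN_IF" ct mark $MARK meta mark set ct mark
	}
	chain output {
		type route hook output priority mangle; policy accept;
		ct mark $MARK meta mark set ct mark
	}
}
EOF
}

# Policy route: marked packets consult $TABLE, whose default route is the VPN
# netdev (WireGuard is point-to-point, so no gateway address is needed).
pbr_ip_rules() {
	cat <<EOF
ip rule add fwmark $MARK lookup $TABLE priority 1000
ip route add default dev $VPN_IF table $TABLE
EOF
}

# Sanity check before applying: hex mark, numeric table, netdev present.
pbr_validate() {
	case "$MARK" in 0x[0-9a-fA-F]*) ;; *) return 1 ;; esac
	case "$TABLE" in *[!0-9]*|"") return 1 ;; esac
	[ -d "/sys/class/net/$VPN_IF" ]
}

if [ "${1:-}" = apply ]; then
	pbr_validate && pbr_nft_ruleset | nft -f - && pbr_ip_rules | sh
fi
```

Run with `apply` as the argument to load the rules; without it the script only defines the functions, so `pbr_nft_ruleset` can be used to review the ruleset first.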

Thank you. It's not very clear for me yet.

I do already have pbr running, but I don't know the IP of the incoming connection. How do I set it up so that it can route the traffic back correctly, without disturbing the other pbr rules?

I thought it would be as simple as normal port forwarding. Shouldn't this already take care of the return traffic?

No, you'd have to set that the reply interface should match the inbound interface (one example). It could probably be done by port, IP, etc. too. I personally don't use PBR (I manually make the rules), so others can give PBR examples to you.

Otherwise, the default metric/order of the gateways takes priority.

You need a rule to route packets from 192.168.2.1 with source port 51822 via the VPN.

That will route all traffic from the wg server through the commercial VPN.

What I'm trying to achieve is to connect to the WireGuard server through VPN port forwarding. In other words, trying to reach the wg server through the commercial wg.

Sorry, English isn't my first language, and hence I couldn't be clear.

I think we are saying the same thing.
You are trying to connect to the wg server from the vpn. Responses are going out of wan interface. You need to have a rule to send the responses of the wg server via the vpn.


I tried it and it didn't work. The handshake failed as I didn't receive any packets back.

config policy
        option name 'WsPf'
        option src_addr '192.168.2.1'
        option src_port '51822'
        option interface 'wscribe'
        option chain 'output'

I tried PREROUTING chain as well. I must be missing something very simple here I guess.

Are you falling under the Local Wireguard Server + Wireguard Client (Scenario 1)?

No. Scenario 2.
WAN is the default route. I have 1 wg client-only (commercial VPN - wscribe) and 1 wg (server+client - homev6).

Here's the list I get on the pbr page:

Service Gateways
     wan/192.168.0.1 ✓
     wscribe/100.70.70.39
     homev6/10.200.200.4

Then you can fix the above rule by removing the source IP address. Leave only the source port for the matching criteria. In case it doesn't work, post the output mentioned at the bottom of the page for getting help.