IKEv2 Port Forwarding 80 and 443 blocks external traffic

[R44VC0RP]

Checklist

• [x] I read the README
• [x] I read the Important notes
• [x] I followed instructions to configure VPN clients
• [x] I checked IKEv1 troubleshooting, IKEv2 troubleshooting and VPN status
• [x] I searched existing Issues
• [ ] This bug is about the VPN setup scripts, and not IPsec VPN itself

Describe the issue A clear and concise description of what the bug is.

I have the IKEv2 VPN setup. When I port forward ports 80, 443 to a internal VPN static IP. All Internal VPN traffic cannot access or send outbound requests on those ports. I know it is only those ports because I am able to ping and telnet other outbound ports and it works.

To Reproduce Steps to reproduce the behavior:

1. Set static IKEv2 IPs for internal IPS
2. Port forward serverIPs port 80 and port 443 to 192.168.43.100.
3. I can host a web server on those ports and everything works.
4. But when I go on the 192.168.43.100 and other internal VPN IPs the outbound traffic is blocked or the page does not load.
5. When I disconnect the VPN it works fine.

Expected behavior A clear and concise description of what you expected to happen.

When I port forward those ports (80, 443) I should still be able to have internal clients access the internet on those ports.

Logs Check logs and VPN status, and add error logs to help explain the problem, if applicable.

Server (please complete the following information)

• OS: [e.g. Debian 11]

• Hosting provider (if applicable): [e.g. GCP, AWS]

• OS: Ubuntu 20.04.6

• Hosting Provider: Digital Ocean

Client (please complete the following information)

• Device: [e.g. iPhone 12]

• OS: [e.g. iOS 15]

• VPN mode: [IPsec/L2TP, IPsec/XAuth ("Cisco IPsec") or IKEv2]

• Device: Windows Desktop

• OS: Windows Server 2022

• VPN mode: IKEv2

Additional context Add any other context about the problem here.

[hwdsl2]

@R44VC0RP Hello! Based on the instructions for port forwarding to VPN clients (see advanced usage in project documentation), try replacing (removing) this IPTables rule:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.42.100

with the following:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.42.100

Change eth0 to the network interface name of your server. Similarly, perform these steps for TCP port 80.

Does this solve the issue for you?

[R44VC0RP]

@hwdsl2 Thank you for your response, but unfortunately that did not work either. This iss my port forwarding setup according to the status. The same issue occurs, the website is working and reachable from the outside but internally it is not working.

Current Port Forwarding Status:
Chain PREROUTING (policy ACCEPT 839 packets, 81559 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   26  1340 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.43.200
  413 21748 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.43.200

Chain INPUT (policy ACCEPT 82 packets, 18464 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 19 packets, 1368 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 454 packets, 24248 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      eth0    192.168.42.0/24      0.0.0.0/0           
  685 56080 MASQUERADE  all  --  *      eth0    192.168.43.0/24      0.0.0.0/0            policy match dir out pol none

and this is my rc.local:

netif=$(ip -4 route list 0/0 | grep -m 1 -Po '(?<=dev )(\S+)')
iptables -I FORWARD 2 -i "$netif" -d 192.168.43.0/24 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i "$netif" -p tcp --dport 80 -j DNAT --to 192.168.43.200
iptables -I FORWARD 2 -i "$netif" -d 192.168.43.0/24 -p tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -i "$netif" -p tcp --dport 443 -j DNAT --to 192.168.43.200

I am still experiancing the issue.

[hwdsl2]

@R44VC0RP Please try adding ! -s 192.168.43.0/24, so that your rc.local contains this part instead:

netif=$(ip -4 route list 0/0 | grep -m 1 -Po '(?<=dev )(\S+)')
iptables -I FORWARD 2 -i "$netif" -d 192.168.43.0/24 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i "$netif" ! -s 192.168.43.0/24 -p tcp --dport 80 -j DNAT --to 192.168.43.200
iptables -I FORWARD 2 -i "$netif" -d 192.168.43.0/24 -p tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -i "$netif" ! -s 192.168.43.0/24 -p tcp --dport 443 -j DNAT --to 192.168.43.200

Reboot your server and test to see if this resolves the issue.

[R44VC0RP]

@hwdsl2 That does appear to have worked! Thank you!