lixuewei / rt-n56u

Automatically exported from code.google.com/p/rt-n56u

Port forwarding fails with OpenVPN client #1296

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hi again,

I'm running 3.0.3.8-081 based on RT-N56U and I've made a port forwarding rule to 
an OpenSSH server on the LAN (port 8080 WAN --> port 8080 LAN). It works fine 
to connect to that SSH server from outside/another computer.

When I connect to my VPN service through the OpenVPN client and then try to 
connect to the SSH server (but this time to my assigned VPN "WAN" IP instead of 
course) it doesn't work ("Server unexpectedly closed network 
connection"/"Connection refused").

Do I have to make any changes to get the VPN "WAN" IP to work with my port 
forwarding rules to the LAN or should it work as soon as I'm connected?

Could it have something to do with my previous IPv6 problem/workaround which 
you helped me with in this thread:

https://code.google.com/p/rt-n56u/issues/detail?id=1294

I also tried to connect to my "not-showing/private" WAN IP when connected with 
OpenVPN but that (of course?) gave me "Connection timed out".

PS. I hope it's OK to ask these kinds of questions even though it perhaps isn't 
a firmware issue/bug.

Original issue reported on code.google.com by viR...@gmail.com on 24 Jul 2014 at 9:14

GoogleCodeExporter commented 9 years ago
I'm a total newbie to Linux/iptables but I understood that the manual port 
forwarding rules don't apply to the VPN connection/tun interface. After some 
Googling I found out this way of forwarding ports (through the tun interface) 
when the VPN connection is established. I pasted this into the WebUI setting "Run 
after Firewall Rules restarted":

iptables -I FORWARD -i tun0 -p udp -d *.*.*.* --dport 8080 -j ACCEPT
iptables -I FORWARD -i tun0 -p tcp -d *.*.*.* --dport 8080 -j ACCEPT
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 8080 -j DNAT --to-destination *.*.*.*
iptables -t nat -I PREROUTING -i tun0 -p udp --dport 8080 -j DNAT --to-destination *.*.*.*

Are there any downsides to this solution?

Original comment by viR...@gmail.com on 25 Jul 2014 at 7:08

GoogleCodeExporter commented 9 years ago
It seems that the rule
-A FORWARD -i tun0 -j ACCEPT
already exists. This allows forwarding all incoming traffic to tun0.
You do not need UDP traffic, as SSH sessions use TCP.
So you only need to add the 3rd line:
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 8080 -j DNAT --to-destination *.*.*.*:8080

Original comment by d...@soulblader.com on 28 Jul 2014 at 1:10
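As an added example (not from this thread or the rt-n56u firmware), a small POSIX shell check that applies the point made in the last two comments: read the live `iptables-save` output and only emit the rules that are actually missing for a given VPN interface, LAN host and port, so the blanket tun0 FORWARD accept is not duplicated by a per-port one. The sample ruleset and the LAN address 192.168.1.10 (standing in for the masked *.*.*.*) are constructed.

```shell
# Constructed sample of `iptables-save` output (not captured from a router), modelled on
# the two rules this thread discusses: the firmware's existing FORWARD accept for tun0
# and the DNAT rule from the 3rd comment. 192.168.1.10 stands in for the masked LAN host.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i tun0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:8080
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -j ACCEPT
COMMIT'

# has_rule RULESET TABLE RULE: succeed if RULE appears verbatim in TABLE of RULESET.
# RULE must be written the way iptables-save prints it (note the `-m tcp` it inserts).
has_rule() {
    printf '%s\n' "$1" \
        | awk -v t="*$2" '$0 == t { f = 1; next } f && $0 == "COMMIT" { exit } f' \
        | grep -qxF -- "$3"
}

# missing_rules RULESET VPN_IF LAN_IP PORT: print the iptables commands still needed to
# forward tcp/PORT arriving on VPN_IF to LAN_IP, skipping rules that are already present.
missing_rules() {
    ruleset=$1
    vpnif=$2
    lanip=$3
    port=$4
    # Filter table: the firmware already accepts everything forwarded from tun0, so the
    # narrower per-port ACCEPT from the 2nd comment is only needed if that rule is gone.
    has_rule "$ruleset" filter "-A FORWARD -i $vpnif -j ACCEPT" \
        || echo "iptables -I FORWARD -i $vpnif -p tcp -d $lanip --dport $port -j ACCEPT"
    # NAT table: the DNAT rule is the one that actually redirects the port to the LAN host.
    has_rule "$ruleset" nat \
        "-A PREROUTING -i $vpnif -p tcp -m tcp --dport $port -j DNAT --to-destination $lanip:$port" \
        || echo "iptables -t nat -I PREROUTING -i $vpnif -p tcp --dport $port -j DNAT --to-destination $lanip:$port"
}

# On the router this would be run against the live ruleset, for example:
#   missing_rules "$(iptables-save)" tun0 192.168.1.10 8080
# Against the constructed sample, port 8080 needs nothing and port 2222 needs only DNAT:
missing_rules "$SAMPLE_RULES" tun0 192.168.1.10 8080
missing_rules "$SAMPLE_RULES" tun0 192.168.1.10 2222
```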

GoogleCodeExporter commented 9 years ago

Original comment by d...@soulblader.com on 30 Jul 2014 at 12:38