mr-canoehead / vpn_client_gateway

Pi-Powered VPN Client Gateway: installation documentation and related files.

Port Forwarding #32

Closed lehmanjo closed 6 years ago

lehmanjo commented 6 years ago

Hi,

it would be great if you could add a simple example of how to add port-forwarding through the firewall.

Thanks

J.

lehmanjo commented 6 years ago

Should the following be enough?

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.2:8080
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 8080 -j ACCEPT

from https://www.systutorials.com/816/port-forwarding-using-iptables/

Modified to use your script's variable for the VPN interface ($VPN_INTERFACE) and $SRC_PORT, $DST_IP and $DST_PORT to describe forwarding.

iptables -A PREROUTING -t nat -i $VPN_INTERFACE -p tcp --dport $SRC_PORT -j DNAT --to $DST_IP:$DST_PORT
iptables -A FORWARD -p tcp -d $DST_IP --dport $DST_PORT -j ACCEPT

I was thinking of adding it after the section...

# add rule chain for forwarding via LAN

Is that all it would take?

J.

lehmanjo commented 6 years ago

Implemented a function to generate the above but it doesn't seem sufficient.

https://pastebin.com/rpeCgH5s

mr-canoehead commented 6 years ago

Can you please describe from a high level what you are trying to accomplish, e.g. a use case for the setup you envision?

lehmanjo commented 6 years ago

I'd now like to be able to access the http server hosted on my internal server (B) from the internet. Given my Raspberry Pi (A) acts as VPN client, firewall and default gateway to the internet, I would like to configure port forwarding to forward traffic to port 80 on the external interface on the Raspberry Pi (A) to port 8080 on my http server running on my internal server (B).

Internets - PureVPN Server - Internet Router - Raspberry Pi and PureVPN Client - Internal HTTP Server

mr-canoehead commented 6 years ago

Thanks for the extra info, this helps me understand your goal. My VPN provider (Private Internet Access) supports port forwarding, so I should be able to test a similar setup on my network. I hope to do this within the next week.

lehmanjo commented 6 years ago

Thanks.

My provider PureVPN seems to not offer any protection for the established VPN tunnel. They have a separate add-on which can be purchased which adds a "NAT Firewall" on their end. That's good for me since your VPN client gateway provides me with NAT and a Firewall on my end of the VPN tunnel. Double NAT would be unnecessarily complicated.

mr-canoehead commented 6 years ago

I've got a test setup working with port forwarding via my provider (Private Internet Access). Also using a dynamic DNS provider so that I can access via hostname rather than IP address. The Pi is forwarding incoming TCP connections from the VPN (on the port assigned by PIA, e.g. 43691) to a web server running on another box (10.1.2.10) and listening on port 8080.

I can access a simple page on my internal web server by accessing a URL, e.g.: http://myddnshost.myddnsprovider.net:43691

I added the following rules to my fw-script (the script generated by fw-config), right below the VPN forwarding rules. You can check out the full firewall script via this pastebin link: https://pastebin.com/tRChJsH3

I created a separate rule chain for the port forwarding rule so that it can easily be flushed and updated whenever the external port changes (that would have to be managed by a custom script developed by the user) without clobbering other rules in the FORWARD chain. This new rule chain is linked to the VPN forwarding rule chain. Since there is only one prerouting rule I put that in the PREROUTING chain, that too would need to be flushed and updated whenever the external port changes.

############### port forwarding rules

# prerouting rule:
iptables -A PREROUTING -t nat -i tun+ -p tcp --dport 43691 -j DNAT --to 10.1.2.10:8080

# create port forwarding rule chain:
iptables -N port_forwarding_vpn
iptables -t filter -A port_forwarding_vpn -i tun+ -p tcp -d 10.1.2.10 --dport 8080 -j ACCEPT

# add port forwarding rule chain to the vpn forwarding rule chain
iptables -A forward_rules_vpn -j port_forwarding_vpn

###############

Since there are too many variables involved in setting up port forwarding I'm not comfortable with adding logic to fw-config to interact with the user and configure port forwarding that way. I'd much rather just include a static example that gets added to the resulting fw-script (but is commented out) and add an 'Additional Information' page to the Wiki explaining the example.

lehmanjo commented 6 years ago

Hi,

thanks. Will try that out later. I need to do a bit more reading about OpenVPN servers and ports.

The Pi is forwarding incoming TCP connections from the VPN (on the port assigned by PIA, e.g. 43691) to a web server running on another box

How did you determine the port that PIA used for your tunnel?

mr-canoehead commented 6 years ago

Private Internet Access has a simple API for requesting port forwarding, a call to the API turns on port forwarding and returns a JSON file containing your port number. They provide a script to do this, you can check out their script here: https://privateinternetaccess.com/installer/port_forwarding.sh

Some scripting work would be required to automate the process of updating the firewall rules whenever the port changes, and for some applications it gets a little more complicated - e.g. transmission-daemon is configured with a peer-port that would need to be changed, and the transmission-daemon service needs to be restarted to pick up that change.
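As an added example (not the project's fw-script and not code from either participant), the following POSIX sh helper renders the rules from the comment above as one re-runnable unit, so that the same call can be repeated whenever the provider hands out a new external port. The chain names port_forwarding_vpn and forward_rules_vpn are taken from the comment; the nat-table chain name port_forwarding_vpn_nat, the tun+ default for VPN_INTERFACE and the {"port":N} shape of the provider's JSON reply are assumptions made here. Putting the DNAT rule in its own nat chain means the old rule can be flushed without knowing the old port, and the -C checks keep the two jump rules from being appended twice:

```shell
#!/bin/sh
# Hypothetical helper (not part of vpn_client_gateway): render or apply the
# port-forwarding rules discussed in the issue so they can be re-run every
# time the VPN provider assigns a new external port.
set -eu

VPN_INTERFACE="${VPN_INTERFACE:-tun+}"   # same wildcard as the fw-script
NAT_CHAIN="port_forwarding_vpn_nat"       # assumed: own chain for the DNAT rule
FILTER_CHAIN="port_forwarding_vpn"        # chain name from the issue
PARENT_CHAIN="forward_rules_vpn"          # chain name from the issue

# Accept only 1-65535; rejects empty, non-numeric and out-of-range values.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Dotted-quad check: exactly four numeric octets, each 0-255.
valid_ipv4() {
    ip=$1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Extract the port from a provider reply of the assumed form {"port":43691}.
# Prints nothing and returns 1 if no usable port field is present.
port_from_json() {
    p=$(printf '%s\n' "$1" |
        sed -n 's/.*"port"[[:space:]]*:[[:space:]]*\([0-9]\{1,5\}\).*/\1/p')
    valid_port "$p" && printf '%s\n' "$p"
}

# Print the iptables commands (one per line) rather than running them, so the
# result can be reviewed or diffed before being fed to "sh".
# Usage: render_port_forward <external_port> <dst_ip> <dst_port>
render_port_forward() {
    ext_port=$1; dst_ip=$2; dst_port=$3
    valid_port "$ext_port" || { echo "bad external port: $ext_port" >&2; return 1; }
    valid_port "$dst_port" || { echo "bad destination port: $dst_port" >&2; return 1; }
    valid_ipv4 "$dst_ip"   || { echo "bad destination ip: $dst_ip" >&2; return 1; }
    cat <<EOF
iptables -t nat -N $NAT_CHAIN 2>/dev/null || true
iptables -t nat -F $NAT_CHAIN
iptables -t nat -C PREROUTING -i $VPN_INTERFACE -j $NAT_CHAIN 2>/dev/null || iptables -t nat -A PREROUTING -i $VPN_INTERFACE -j $NAT_CHAIN
iptables -t nat -A $NAT_CHAIN -i $VPN_INTERFACE -p tcp --dport $ext_port -j DNAT --to-destination $dst_ip:$dst_port
iptables -N $FILTER_CHAIN 2>/dev/null || true
iptables -F $FILTER_CHAIN
iptables -C $PARENT_CHAIN -j $FILTER_CHAIN 2>/dev/null || iptables -A $PARENT_CHAIN -j $FILTER_CHAIN
iptables -A $FILTER_CHAIN -i $VPN_INTERFACE -p tcp -d $dst_ip --dport $dst_port -j ACCEPT
EOF
}

# Stand-alone use: ./portfwd.sh <external_port> <dst_ip> <dst_port> prints the
# commands; APPLY=1 ./portfwd.sh ... executes them (needs root and iptables).
if [ $# -eq 3 ]; then
    if [ "${APPLY:-0}" = 1 ]; then
        render_port_forward "$@" | sh -e
    else
        render_port_forward "$@"
    fi
fi
```

A port-change script in the spirit of the comment would call the provider's API, pass the reply through port_from_json, and run render_port_forward with the new port; because both chains are flushed before the new rules are added, the previous port's rules disappear in the same step.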

lehmanjo commented 6 years ago

Thanks. Have been browsing PureVPN's support documentation. Haven't found much actionable content yet :)

lehmanjo commented 6 years ago

If anyone is interested in port-forwarding, I would suggest you go with a VPN provider like PIA that seems to have official support for it. My current provider, PureVPN, seems to not officially support it or even understand it.

"...we do not have client for port forwarding or any information regarding it..."

mr-canoehead commented 6 years ago

I have added examples for port forwarding using Private Internet Access, there are now two scripts included with the project for configuring port forwarding using a local static port (e.g. for an internal web server) and a dynamic port (transmission-daemon for seeding torrents). You can check out the new wiki page here: Port forwarding

Let me know if we can close this issue on the basis of having added these example scripts and documentation to the project.

Thanks, Chris

mr-canoehead commented 6 years ago

Closing this issue based on having provided port forwarding examples + scripts for use with Private Internet Access.