peacey / split-vpn

A split tunnel VPN script for Unifi OS routers (UDM, UXG, UDR) with policy based routing.
GNU General Public License v3.0

Port forwarding does not work #203

Open hydazz opened 1 year ago

hydazz commented 1 year ago

I have set up split-vpn on my UDM Pro, on VLAN 69, and all traffic on that VLAN does indeed go through that VLAN; qBittorrent is set up listening on TCP/UDP port 54913, but the port is not showing as open:


VPN side port forwarding: [screenshot]

split-vpn config:

root@Enterprise:/data/split-vpn/nexthop/torguard# cat vpn.conf
### SPLIT VPN OPTIONS ###
# Enter multiple entries separated by spaces.
# Do not enter square brackets around the entries.

# Force these sources through the VPN.
# Format: [brX] for interface. [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
FORCED_SOURCE_INTERFACE="br69"

# Exempt these destinations from the VPN.
# Format: [IP/nn]
EXEMPT_DESTINATIONS_IPV4="192.168.0.0/16"
EXEMPT_DESTINATIONS_IPV6=""

# VPN port forwards.
# Format: [tcp/udp/both]-[VPN Port]-[Forward IP]-[Forward Port]
PORT_FORWARDS_IPV4="both-54913-192.168.69.2-54913"
PORT_FORWARDS_IPV6=""

# Enabling kill switch drops VPN-destined traffic that doesn't go through the VPN.
KILLSWITCH=1

# Enable this only if you are testing or you don't care about your real IP leaking
# when the vpn client restarts or exits.
REMOVE_KILLSWITCH_ON_EXIT=0

# Enable this if you added blackhole routes in the Unifi Settings to prevent Internet
# access at system startup before the VPN script runs. This option removes the blackhole
# routes to restore Internet access after the killswitch has been enabled.
# If you do not set this to 1, openvpn will not be able to connect at startup, and your
# Internet access will never be enabled until you manually remove the blackhole routes.
# Set this to 0 only if you did not add any blackhole routes.
REMOVE_STARTUP_BLACKHOLES=1

# Set the VPN provider.
# "openvpn" for OpenVPN (default), "openconnect" for OpenConnect, "external" for wireguard,
# or "nexthop" for an external VPN client.
VPN_PROVIDER="nexthop"

# If using "external" for VPN_PROVIDER, set this to the VPN endpoint IP so that the
# gateway route can be automatically added for the VPN endpoint.
# OpenVPN passes the VPN endpoint IP to the script and will override these values.
# These must be defined if using VPN_PROVIDER="nexthop".
VPN_ENDPOINT_IPV4="192.168.3.69"
VPN_ENDPOINT_IPV6=""

# Set this to the route table that contains the gateway route, "auto", or "disabled".
# The Ubiquiti route table is "201" if you're using Ethernet, "202" for SFP+, and
# "203" for U-LTE.
# Default is "auto" which works with WAN failover and automatically changes the endpoint
# via gateway route when the WAN or gateway routes changes.
# Set to "disabled" if you are using the nexthop option to connect to a VPN on your LAN.
GATEWAY_TABLE="disabled"

# Set this to the timer to use for the rule watcher (in seconds).
# The script will wake up every N seconds to re-add rules if they're deleted by
# the system, or change gateway routes if they changed. Default is 1 second.
WATCHER_TIMER=1

# Options for custom table and chains.
# These options need to be unique for each instance of openvpn if running multiple.
ROUTE_TABLE=101
MARK=0x169
PREFIX="VPN_"
PREF=99
DEV=br3

traceroute on the container in question (qbittorrent):

root@12ad3c96eb22:/# traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 46 byte packets
 1  192.168.69.1 (192.168.69.1)  0.286 ms  0.222 ms  0.168 ms
 2  192.168.3.69 (192.168.3.69)  0.273 ms  0.253 ms  0.247 ms
 3  10.13.0.1 (10.13.0.1)  12.270 ms  11.907 ms  12.357 ms
 4  93.115.35.97 (93.115.35.97)  12.735 ms  12.731 ms  12.994 ms
 5  217.138.223.132 (217.138.223.132)  49.086 ms  26.600 ms  29.825 ms
 6  gr-4-0-0-0.core1.fra2.de.m247.com (193.27.15.90)  13.219 ms  217.138.223.72 (217.138.223.72)  12.948 ms  12.860 ms
 7  13335.syd.equinix.com (45.127.172.154)  13.607 ms  193.27.15.88 (193.27.15.88)  13.010 ms  13335.syd.equinix.com (45.127.172.154)  24.167 ms
 8  13335.syd.equinix.com (45.127.172.154)  22.980 ms  13.540 ms  172.69.60.3 (172.69.60.3)  13.599 ms
 9  one.one.one.one (1.1.1.1)  12.394 ms  12.683 ms  12.666 ms

Everything appears to be set up correctly, and the port was open when I was using another solution with the same WireGuard config. Any ideas?
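As an added example that is not part of the issue or of split-vpn's own code: a small Python checker for the PORT_FORWARDS_IPV4/IPV6 entry format documented in the vpn.conf comments above. It assumes only that documented format; conf_value, parse_port_forwards and vpn_port_collisions are hypothetical helper names, and the embedded conf text is a constructed sample built from the issue's values.

```python
import ipaddress
import re
from dataclasses import dataclass

PROTOCOLS = {"tcp": ("tcp",), "udp": ("udp",), "both": ("tcp", "udp")}

@dataclass(frozen=True)
class PortForward:
    proto: str         # "tcp" or "udp"; a "both" entry expands to one of each
    vpn_port: int      # port opened on the VPN side
    forward_ip: str    # LAN host that should receive the traffic
    forward_port: int  # port on that host

def conf_value(conf_text, key):
    """Return the value of a KEY="..." line from vpn.conf text ("" if absent)."""
    match = re.search(rf'^{key}="([^"]*)"', conf_text, re.MULTILINE)
    return match.group(1) if match else ""

def parse_port_forwards(value, family=4):
    """Parse a space-separated PORT_FORWARDS_IPV4 (family=4) or _IPV6 (family=6) value."""
    forwards = []
    for entry in value.split():
        fields = entry.split("-")
        if len(fields) != 4:
            raise ValueError(f"{entry!r}: expected [tcp/udp/both]-[VPN Port]-[Forward IP]-[Forward Port]")
        proto, vpn_port, ip_text, fwd_port = fields
        if proto not in PROTOCOLS:
            raise ValueError(f"{entry!r}: protocol must be tcp, udp or both")
        for text in (vpn_port, fwd_port):
            if not text.isdigit() or not 1 <= int(text) <= 65535:
                raise ValueError(f"{entry!r}: port {text!r} is not in 1-65535")
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            raise ValueError(f"{entry!r}: {ip_text!r} is not an IP address") from None
        if ip.version != family:
            raise ValueError(f"{entry!r}: IPv{ip.version} address in an IPv{family} setting")
        for proto_name in PROTOCOLS[proto]:
            forwards.append(PortForward(proto_name, int(vpn_port), str(ip), int(fwd_port)))
    return forwards

def vpn_port_collisions(forwards):
    """(proto, vpn_port) pairs mapped to more than one target; a VPN port can reach one host only."""
    targets = {}
    for fw in forwards:
        targets.setdefault((fw.proto, fw.vpn_port), set()).add((fw.forward_ip, fw.forward_port))
    return sorted(key for key, hosts in targets.items() if len(hosts) > 1)

# Constructed sample: the two port-forward lines as they appear in the issue's vpn.conf.
SAMPLE_CONF = 'PORT_FORWARDS_IPV4="both-54913-192.168.69.2-54913"\nPORT_FORWARDS_IPV6=""\n'
```

Running it over a vpn.conf before testing the port from outside rules out a malformed or colliding entry as the cause, so the remaining suspects are the VPN provider's forward and the routing path.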