6

I set up an OpenVPN server but am having trouble getting ports forwarded to the client.

Below is what I am trying to do:

WAN: 123.45.67.89:4444 -> [OpenVPN Server] -> CLIENT: 192.168.1.10:4444

I've seen many different answers on how to do this, but no matter what I try it doesn't seem to work, and port tests always show the port as closed.

Red Spider

3 Answers

4

I assume you're using OpenVPN in routed mode and are NATting its clients onto the WAN. If so, you'll want to do the following:

```
iptables -t nat -A PREROUTING -i eth0 -d 123.45.67.89 -p tcp --dport 4444 -j DNAT --to-destination 192.168.1.10
```

(Change eth0 to whatever interface your WAN is actually on.)

If you're not using NAT, then it's just a matter of making sure the host you're trying to connect from knows to route packets destined for 192.168.1.10 through 123.45.67.89 (which obviously won't work to an RFC1918 IP over the Internet). In any case, the only other requirements are that you have IPv4 routing enabled (I'd assume that the VPN wouldn't be working at all if you didn't) and that you don't have any other firewall rules that would block this traffic.

  • Thanks for the reply. Tried the above, but [port tests](http://www.yougetsignal.com/tools/open-ports/) still show the port is closed. Made sure to `iptables -A INPUT -p tcp --dport 4444 -j ACCEPT`, so the port should be open on the OpenVPN server. – Red Spider Feb 24 '17 at 23:12
  • You need to use the FORWARD chain, not the INPUT chain. – Joseph Sible-Reinstate Monica Feb 25 '17 at 00:28
  • I needed to add the `-A POSTROUTING -p tcp -d 192.168.1.10 --dport 4444 -j MASQUERADE` rule as well. – ptica Sep 26 '17 at 10:41
  • @ptica that rule would only be needed for NAT reflection (and its scope could be made a bit narrower). – Joseph Sible-Reinstate Monica Sep 27 '17 at 19:43
  • Hi @JosephSible, thanks for the remark. I couldn't telnet into `123.45.67.89:4444` without that POSTROUTING rule; however, I still do not understand the need for it, as I already route 192.168.1.0/24 to OpenVPN's gateway 10.8.0.2. – ptica Sep 28 '17 at 05:34
0
  • An OpenVPN server can work behind a router at a private IP address if only the 1194/UDP port is forwarded from the router to your OpenVPN server. Example: public IP of the ROUTER 1.1.1.1 (WAN interface); LAN interface of the ROUTER 192.168.10.1; OpenVPN server IP 192.168.10.10.

  • Create a port forward rule at the ROUTER: internal port 1194, external port 1194, internal server IP 192.168.10.10.

  • When installing and configuring the OpenVPN server, set its IP as 192.168.10.10.

  • In client.ovpn set the remote IP & port as 1.1.1.1 1194 (the ROUTER's public IP).
Yolem
0

So this was our solution in iptables. You still need to set ip_forward in Linux.

```
*nat
:PREROUTING ACCEPT [56:16971]
:INPUT ACCEPT [1:52]
:OUTPUT ACCEPT [31:2256]
:POSTROUTING ACCEPT [31:2256]
-A POSTROUTING -s 10.2.0.0/24 -o enp1s0 -j MASQUERADE
-A PREROUTING -i enp1s0 -p tcp --dport 9000 -j DNAT --to-destination 10.2.0.22
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5618:4419840]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.2.0.0/24 -j ACCEPT
-A FORWARD -i enp1s0 -o tun1 -p tcp --dport 9000 --syn -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i enp1s0 -o tun1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun1 -o enp1s0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Dec 20 18:30:08 2017
```
Kevin Parker
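The two things this thread keeps coming back to are that DNAT happens in nat/PREROUTING before routing, and that the rewritten packet is then *forwarded* to the client over the tunnel, so it only ever traverses the FORWARD chain and an INPUT rule for the port does nothing for it. The following is an added example, not code from the question or from any of the answers: a small audit that parses an `iptables-save` dump such as the one in the last answer, walks the first packet of the forwarded connection and its reply through the relevant chains, and reports what would block it. The interface names, the WAN address 123.45.67.89 from the question, the constructed "Internet host" 203.0.113.5 and the constructed dump `BROKEN_DUMP` are all assumptions; point `audit_forward` at your own dump and parameters.

```python
"""Audit an iptables-save dump for a TCP port forward to an OpenVPN client.
Added example (not from the question or any answer): walks the forwarded SYN through
nat/PREROUTING and filter/FORWARD and the reply back through FORWARD, reporting what blocks
it. Assumed absent from the dump: "!" negation, user-defined chains, multiport matches.
"""
import ipaddress
import shlex

INTERNET_SRC = "203.0.113.5"  # constructed address of the host running the port test
TERMINATING = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "MASQUERADE"}

def parse_dump(text):
    """iptables-save text -> {table: {"policy": {chain: policy}, "rules": [(chain, toks)]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):              # table header, e.g. *nat
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):            # :CHAIN POLICY [packets:bytes]
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):          # -A CHAIN <matches...> -j TARGET
            toks = shlex.split(line)
            tables[table]["rules"].append((toks[1], toks[2:]))
    return tables                             # blank, "# ..." and COMMIT lines carry nothing

def opt(toks, *names):
    """Value following the first of the given option names, or None if absent."""
    for i, tok in enumerate(toks[:-1]):
        if tok in names:
            return toks[i + 1]

def rule_matches(toks, pkt):
    """Does the match part of one rule apply to the modelled packet?"""
    for flag, key in (("-i", "in"), ("-o", "out"), ("-p", "proto"), ("--dport", "dport")):
        want = opt(toks, flag)
        if want is not None and want != pkt[key]:
            return False
    for flag, key in (("-s", "src"), ("-d", "dst")):  # plain address or CIDR
        want = opt(toks, flag)
        if want and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want, False):
            return False
    states = opt(toks, "--ctstate", "--state")
    return states is None or pkt["state"] in states.split(",")

def verdict(table, chain, pkt):
    """Walk a chain in order: the first terminating match wins, else the chain policy."""
    for c, toks in table["rules"]:
        if c == chain and rule_matches(toks, pkt) and opt(toks, "-j") in TERMINATING:
            return opt(toks, "-j"), toks
    return table["policy"].get(chain, "ACCEPT"), None

def audit_forward(dump, wan_if, wan_ip, tun_if, port, client_ip):
    """Return the problems found; an empty list means the forward should work."""
    tables = parse_dump(dump)
    nat, filt = (tables.get(t, {"policy": {}, "rules": []}) for t in ("nat", "filter"))
    problems = []
    # 1. Before routing, nat/PREROUTING must rewrite WAN_IP:PORT to the client's address.
    syn = {"in": wan_if, "out": None, "proto": "tcp", "dport": str(port),
           "src": INTERNET_SRC, "dst": wan_ip, "state": "NEW"}
    target, rule = verdict(nat, "PREROUTING", syn)
    if target != "DNAT":
        problems.append(f"nat/PREROUTING has no DNAT for tcp/{port} arriving on {wan_if}")
    elif (opt(rule, "--to-destination") or "").split(":")[0] != client_ip:
        problems.append(f"DNAT for tcp/{port} does not point at {client_ip}")
    # 2. The rewritten packet is routed out the tunnel: it traverses FORWARD, never INPUT.
    fwd = dict(syn, out=tun_if, dst=client_ip)
    target, _ = verdict(filt, "FORWARD", fwd)
    if target != "ACCEPT":
        msg = f"filter/FORWARD verdict for the forwarded SYN is {target}"
        if verdict(filt, "INPUT", dict(fwd, out=None))[0] == "ACCEPT":
            msg += f" (INPUT accepts tcp/{port}, but forwarded traffic never traverses INPUT)"
        problems.append(msg)
    # 3. The client's replies must be forwarded back out of the WAN interface.
    reply = {"in": tun_if, "out": wan_if, "proto": "tcp", "dport": None,
             "src": client_ip, "dst": INTERNET_SRC, "state": "ESTABLISHED"}
    target, _ = verdict(filt, "FORWARD", reply)
    if target != "ACCEPT":
        problems.append(f"filter/FORWARD verdict for replies from {client_ip} is {target}")
    return problems

# Constructed dump reproducing the mistake discussed under the first answer: the port is opened
# in INPUT, but DNATed traffic only ever traverses FORWARD. FORWARD_FIX is the missing rule.
BROKEN_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 123.45.67.89 -p tcp --dport 4444 -j DNAT --to-destination 192.168.1.10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -p tcp --dport 4444 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
COMMIT
"""
FORWARD_FIX = ("-A FORWARD -i eth0 -o tun0 -d 192.168.1.10 -p tcp --dport 4444 "
               "-m conntrack --ctstate NEW -j ACCEPT\n-A FORWARD -i tun0 -j ACCEPT")
```

On `BROKEN_DUMP` the audit reports that FORWARD drops the forwarded SYN and points out that the INPUT ACCEPT is irrelevant; with `FORWARD_FIX` spliced in it reports nothing, and the last answer's dump passes cleanly for `enp1s0`/`tun1`/9000/10.2.0.22. The audit models only rule traversal on the server: it does not know whether the client itself routes its replies back through the tunnel, which is the situation in which a POSTROUTING MASQUERADE towards the client, as mentioned in the comments, makes a difference.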