OpenWrt Forum Archive

Topic: Port forwarding not working when openvpn client is started

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I've installed LEDE/OpenWRT on my TP-Link TL-WR1043N/ND v4 router. Behind that router is a Synology NAS (LAN: 192.168.101.119) with an OpenVPN Server which I use to connect to my home from the outside world (WAN). The reason is that I can access my home NAS and have safe internet browsing when I'm abroad.
I've added the following port forwarding to /etc/config/firewall:
config redirect
    option name 'OpenVPN (Port change!)'
    option src 'wan'
    option proto 'tcpudp'
    option src_dport '443'
    option dest_ip '192.168.101.119'
    option dest_port '8194'
    option target 'DNAT'
    option dest 'lan'
(note: I've configured 8194 as OpenVPN Server port on my Synology NAS)
Everything works fine with this configuration.

On this router I've just installed an OpenVPN client. This client connects to my VPN provider (NordVPN).
The goal is to have all traffic routed through this VPN connection for anonymous internet access.
I've used the following instructions to set up the VPN client connection:
nordvpn.com/tutorials/openwrt/openvpn/
Using this manual, I can connect to NordVPN and all internet traffic is routed through that tunnel.

The problem is that when the OpenVPN client is started, the port forwarding does not work anymore.
What I want to achieve is that I can connect to my home via an OpenVPN client (on e.g. my phone) to access my home NAS, and that all my internet browsing is also routed through the NordVPN tunnel.

Openvpn Client --WAN--> TP-Link Router    --LAN--> Synology NAS   --LAN--> TP-Link Router --VPN--> NordVPN Server

I've googled a lot on how to fix the problem that port forwarding is not working when an OpenVPN client is started, but I've found no clear answer.
Please help!

Umberto

Umberto, do you understand the reason why port forwarding stops working? It does work, but the response goes not via WAN but via the OpenVPN connection. I recommend that you set up routes for the NAS IP via WAN. See https://forum.openwrt.org/viewtopic.php?id=72112, https://forum.openwrt.org/viewtopic.php?id=72132
You can also try to disable Reverse Path Filtering; the issue is that the router itself by default blocks responses that do not go via the same interface, which is what takes place in your case. You can also try to configure source routing.

(Last edited by ulmwind on 22 Oct 2017, 13:54)

Thanks for your quick response. I'll take a look at what you're suggesting.

Many thanks ulmwind for pointing me in the right direction! I was able to fix my problem using policy routing (see tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html). Let me share my knowledge...

I checked that packets from my OpenVPN Server were indeed routed via the OpenVPN connection using tcpdump:

root@LEDE:~# tcpdump -i br-lan -n  src port 8194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
06:30:58.277007 IP 192.168.101.119.8194 > 84.241.195.224.45399: Flags [S.], seq 3551492110, ack 3677136094, win 14480, options [mss 1460,sackOK,TS val 50956704 ecr 851434136,nop,wscale 7], length 0
06:30:58.421250 IP 192.168.101.119.8194 > 84.241.195.224.45399: Flags [P.], seq 1:17, ack 1, win 114, options [nop,nop,TS val 50956719 ecr 851434738], length 16
06:30:58.832792 IP 192.168.101.119.8194 > 84.241.195.224.45399: Flags [.], ack 17, win 114, options [nop,nop,TS val 50956760 ecr 851434738], length 0
06:30:59.046733 IP 192.168.101.119.8194 > 84.241.195.224.45399: Flags [P.], seq 17:45, ack 17, win 114, options [nop,nop,TS val 50956781 ecr 851434881], length 28
06:30:59.300599 IP 192.168.101.119.8194 > 84.241.195.224.45399: Flags [.], ack 45, win 114, options [nop,nop,TS val 50956807 ecr 851434883], length 0
...

Doing a traceroute showed me that the packets are routed through the VPN connection:

root@LEDE:~# traceroute 84.241.195.224
traceroute to 84.241.195.224 (84.241.195.224), 30 hops max, 38 byte packets
 1  10.8.8.1 (10.8.8.1)  5.837 ms  5.985 ms  5.897 ms
 2  185.212.171.65 (185.212.171.65)  6.235 ms  6.489 ms  6.245 ms
...

To have these specific packets (coming from port 8194) routed back through my WAN (and not the VPN connection) using policy routing:

1. Mark all the packets with source port 8194 coming from my OpenVPN Server

iptables -A PREROUTING -i br-lan -t mangle -p tcp --sport 8194 -j MARK --set-mark 1

2. Create a routing table specific for these marked packets

echo 30 vpn_server >> /etc/iproute2/rt_tables
ip rule add fwmark 1 table vpn_server

3. You can check if the rule is correctly set:

ip rule ls

4. Add a default route to the WAN interface (and not the VPN interface tun0)

/sbin/ip route add default via 109.72.40.165 dev eth0.2 table vpn_server

(109.72.40.165 dev eth0.2 is my WAN interface)
5. Et voilà!
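The five steps above, gathered into one script as an added example (this is not code from the thread or from OpenWrt; it is written here for readers who want to apply the fix repeatably). Every value is an assumption taken from the post (NAS 192.168.101.119, port 8194, br-lan, eth0.2, gateway 109.72.40.165, mark 1, table 30/vpn_server) and must be substituted for your own network. Two things differ from the one-off commands in the post: the mangle rule also matches `-s` (the NAS address), so only replies from the VPN server are steered and not any LAN host that happens to use source port 8194; and every step is idempotent (`iptables -C` before `-A`, `ip route replace`, and a check before appending to rt_tables), so the script can run from /etc/rc.local or a hotplug script without piling up duplicate rules and routes. The post's mark rule matches only TCP while the redirect above forwards tcpudp; if the NAS server used UDP, `add_mark_rule udp` would be needed as well. `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Constructed example: idempotent policy routing so replies from the LAN
# OpenVPN server leave via WAN instead of the NordVPN tunnel.
# All values below are assumptions (from the forum post); override via env.
NAS_IP="${NAS_IP:-192.168.101.119}"
NAS_PORT="${NAS_PORT:-8194}"
LAN_IF="${LAN_IF:-br-lan}"
WAN_IF="${WAN_IF:-eth0.2}"
WAN_GW="${WAN_GW:-109.72.40.165}"
MARK="${MARK:-1}"
TABLE_ID="${TABLE_ID:-30}"
TABLE_NAME="${TABLE_NAME:-vpn_server}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or only print it when DRY_RUN=1 so the changes
# can be reviewed before touching the live router.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_rt_table ID NAME FILE: append "ID NAME" to rt_tables only when no
# line for that ID exists yet (the post's plain >> appends on every run).
ensure_rt_table() {
    id="$1"; name="$2"; file="$3"
    if ! grep -Eq "^[[:space:]]*${id}[[:space:]]+" "$file" 2>/dev/null; then
        printf '%s %s\n' "$id" "$name" >> "$file"
    fi
}

# mark_rule_args PROTO: match specification for the mangle rule. Compared
# with the post, -s narrows the mark to packets actually sent by the NAS.
mark_rule_args() {
    printf '%s' "-t mangle -i $LAN_IF -p $1 -s $NAS_IP --sport $NAS_PORT -j MARK --set-mark $MARK"
}

# add_mark_rule PROTO: add the PREROUTING mark rule unless an identical one
# is already present (iptables -C returns 0 when the rule exists).
add_mark_rule() {
    proto="$1"
    # shellcheck disable=SC2046  # intentional word splitting of the args
    if [ "$DRY_RUN" = "1" ] || ! iptables -C PREROUTING $(mark_rule_args "$proto") 2>/dev/null; then
        run iptables -A PREROUTING $(mark_rule_args "$proto")
    fi
}

# add_policy_route: fwmark -> table rule, plus a default route via the WAN
# gateway in that table. "ip route replace" is safe to repeat.
add_policy_route() {
    ensure_rt_table "$TABLE_ID" "$TABLE_NAME" "$RT_TABLES"
    if [ "$DRY_RUN" = "1" ] || ! ip rule show | grep -q "lookup $TABLE_NAME"; then
        run ip rule add fwmark "$MARK" table "$TABLE_NAME"
    fi
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE_NAME"
}

# apply: the whole fix. Add "add_mark_rule udp" if the NAS server uses UDP.
apply() {
    add_mark_rule tcp
    add_policy_route
}

# Only act when explicitly asked, so the file can also be sourced for testing.
case "${1:-}" in
    apply) apply ;;
esac
```

Run as `DRY_RUN=1 sh policy_route_nas.sh apply` first to see the exact iptables and ip commands, then without DRY_RUN to apply them. The WAN gateway is still hardcoded, as in the post; on OpenWrt it can be read at runtime from `ubus call network.interface.wan status` if the ISP assigns it dynamically, which is the usual reason such a route silently stops working after a reconnect.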

I think tcpdump doesn't reveal routing in your case.

Congratulations, you've felt the power of our teaching!
