Portforward and how to access via vpn cli adress
Moderator: Moderators
Portforward and how to access via vpn cli adress
Hi, i have set up a network running openvpn server and openvpn clients. all my clients are running same subnet on lan side, so only option i have is to use port forwarding. on the clients i have several devices on the lan side i want to access. so far i have not been able to access the forwarded ports coming from the default vpn 10.8.0.0/24 network. is there a neat trick for adding this via iptables?
Re: Portforward and how to access via vpn cli adress
something does not sound right
can you draw a network diagram?
can you draw a network diagram?
Re: Portforward and how to access via vpn cli adress
unable to upload picture, quota issue. will try to paint a picture with words 
1. gargoyle router running openvpn server wan, static public ip, unike subnet on lan
2. multiple gargoyle routers running openvpn client, all with same subnet on lan side for homogenius architecture.
all have port forward active to the internal lan address on its correct port, works like a charm when testet directly on wan interface, but on when atemted accessed via the vpn client ip.
im almost 100% sure there is limitation in the iptables, not forwarding packets comming from the tun0 as it does from wan, but i cant figure out what code to add
1. gargoyle router running openvpn server wan, static public ip, unike subnet on lan
2. multiple gargoyle routers running openvpn client, all with same subnet on lan side for homogenius architecture.
all have port forward active to the internal lan address on its correct port, works like a charm when testet directly on wan interface, but on when atemted accessed via the vpn client ip.
im almost 100% sure there is limitation in the iptables, not forwarding packets comming from the tun0 as it does from wan, but i cant figure out what code to add
Last edited by karljboe on Sat May 27, 2017 3:45 am, edited 2 times in total.
Re: Portforward and how to access via vpn cli adress
on the client here is what i get by typing iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 1798 packets, 125K bytes)
pkts bytes target prot opt in out source destination
1804 126K delegate_prerouting all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 99 packets, 5936 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 204 packets, 14494 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
332 22716 delegate_postrouting all -- * * 0.0.0.0/0 0.0.0.0/0
Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination
Chain delegate_postrouting (1 references)
pkts bytes target prot opt in out source destination
332 22716 postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
0 0 zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0
0 0 zone_wan_postrouting all -- * eth0 0.0.0.0/0 0.0.0.0/0
332 22716 zone_vpn_postrouting all -- * tun0 0.0.0.0/0 0.0.0.0/0
Chain delegate_prerouting (1 references)
pkts bytes target prot opt in out source destination
1804 126K prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */
174 11571 zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0
1588 112K zone_wan_prerouting all -- eth0 * 0.0.0.0/0 0.0.0.0/0
42 2354 zone_vpn_prerouting all -- tun0 * 0.0.0.0/0 0.0.0.0/0
Chain pf_loopback_A (0 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9600 to:192.168.250.2:9600
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9600 to:192.168.250.2:9600
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21845 to:192.168.250.1:21845
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:800 to:192.168.250.1:80
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:800 to:192.168.250.1:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3322 to:192.168.250.127:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3322 to:192.168.250.127:22
Chain pf_loopback_C (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE tcp -- * * 192.168.250.0/24 192.168.250.2 tcp dpt:9600
0 0 MASQUERADE udp -- * * 192.168.250.0/24 192.168.250.2 udp dpt:9600
0 0 MASQUERADE udp -- * * 192.168.250.0/24 192.168.250.1 udp dpt:21845
0 0 MASQUERADE tcp -- * * 192.168.250.0/24 192.168.250.1 tcp dpt:80
0 0 MASQUERADE udp -- * * 192.168.250.0/24 192.168.250.1 udp dpt:80
0 0 MASQUERADE tcp -- * * 192.168.250.0/24 192.168.250.127 tcp dpt:22
0 0 MASQUERADE udp -- * * 192.168.250.0/24 192.168.250.127 udp dpt:22
Chain postrouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_rule (1 references)
pkts bytes target prot opt in out source destination
0 0 pf_loopback_C all -- * br-lan 0.0.0.0/0 0.0.0.0/0
Chain postrouting_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain zone_lan_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
0 0 SNAT tcp -- * * 192.168.250.0/24 192.168.250.2 tcp dpt:9600 /* PLC (reflection) */ to:192.168.250.250
0 0 SNAT udp -- * * 192.168.250.0/24 192.168.250.2 udp dpt:9600 /* PLC (reflection) */ to:192.168.250.250
0 0 SNAT udp -- * * 192.168.250.0/24 192.168.250.1 udp dpt:21845 /* HMI_Display (reflection) */ to:192.168.250.250
0 0 SNAT tcp -- * * 192.168.250.0/24 192.168.250.1 tcp dpt:80 /* HMI_Http (reflection) */ to:192.168.250.250
0 0 SNAT udp -- * * 192.168.250.0/24 192.168.250.1 udp dpt:80 /* HMI_Http (reflection) */ to:192.168.250.250
0 0 SNAT tcp -- * * 192.168.250.0/24 192.168.250.127 tcp dpt:22 /* raspberry (reflection) */ to:192.168.250.250
0 0 SNAT udp -- * * 192.168.250.0/24 192.168.250.127 udp dpt:22 /* raspberry (reflection) */ to:192.168.250.250
Chain zone_lan_prerouting (1 references)
pkts bytes target prot opt in out source destination
174 11571 prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */
0 0 DNAT tcp -- * * 192.168.250.0/24 192.168.8.105 tcp dpt:9600 /* PLC (reflection) */ to:192.168.250.2:9600
0 0 DNAT udp -- * * 192.168.250.0/24 192.168.8.105 udp dpt:9600 /* PLC (reflection) */ to:192.168.250.2:9600
0 0 DNAT udp -- * * 192.168.250.0/24 192.168.8.105 udp dpt:21845 /* HMI_Display (reflection) */ to:192.168.250.1:21845
0 0 DNAT tcp -- * * 192.168.250.0/24 192.168.8.105 tcp dpt:800 /* HMI_Http (reflection) */ to:192.168.250.1:80
0 0 DNAT udp -- * * 192.168.250.0/24 192.168.8.105 udp dpt:800 /* HMI_Http (reflection) */ to:192.168.250.1:80
0 0 DNAT tcp -- * * 192.168.250.0/24 192.168.8.105 tcp dpt:3322 /* raspberry (reflection) */ to:192.168.250.127:22
0 0 DNAT udp -- * * 192.168.250.0/24 192.168.8.105 udp dpt:3322 /* raspberry (reflection) */ to:192.168.250.127:22
Chain zone_vpn_postrouting (1 references)
pkts bytes target prot opt in out source destination
332 22716 postrouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
332 22716 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_vpn_prerouting (1 references)
pkts bytes target prot opt in out source destination
42 2354 prerouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */
Chain zone_wan_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_prerouting (1 references)
pkts bytes target prot opt in out source destination
1585 112K MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 redir ports 22
0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 80
1588 112K prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9600 /* PLC */ to:192.168.250.2:9600
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9600 /* PLC */ to:192.168.250.2:9600
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21845 /* HMI_Display */ to:192.168.250.1:21845
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:800 /* HMI_Http */ to:192.168.250.1:80
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:800 /* HMI_Http */ to:192.168.250.1:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3322 /* raspberry */ to:192.168.250.127:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3322 /* raspberry */ to:192.168.250.127:22
Any help is appreciated, thank you very much
Chain PREROUTING (policy ACCEPT 1798 packets, 125K bytes)
pkts bytes target prot opt in out source destination
1804 126K delegate_prerouting all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 99 packets, 5936 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 204 packets, 14494 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
332 22716 delegate_postrouting all -- * * 0.0.0.0/0 0.0.0.0/0
Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination
Chain delegate_postrouting (1 references)
pkts bytes target prot opt in out source destination
332 22716 postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
0 0 zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0
0 0 zone_wan_postrouting all -- * eth0 0.0.0.0/0 0.0.0.0/0
332 22716 zone_vpn_postrouting all -- * tun0 0.0.0.0/0 0.0.0.0/0
Chain delegate_prerouting (1 references)
pkts bytes target prot opt in out source destination
1804 126K prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */
174 11571 zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0
1588 112K zone_wan_prerouting all -- eth0 * 0.0.0.0/0 0.0.0.0/0
42 2354 zone_vpn_prerouting all -- tun0 * 0.0.0.0/0 0.0.0.0/0
Chain pf_loopback_A (0 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9600 to:192.168.250.2:9600
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9600 to:192.168.250.2:9600
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21845 to:192.168.250.1:21845
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:800 to:192.168.250.1:80
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:800 to:192.168.250.1:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3322 to:192.168.250.127:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3322 to:192.168.250.127:22
Chain pf_loopback_C (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE tcp -- * * 192.168.250.0/24 192.168.250.2 tcp dpt:9600
0 0 MASQUERADE udp -- * * 192.168.250.0/24 192.168.250.2 udp dpt:9600
0 0 MASQUERADE udp -- * * 192.168.250.0/24 192.168.250.1 udp dpt:21845
0 0 MASQUERADE tcp -- * * 192.168.250.0/24 192.168.250.1 tcp dpt:80
0 0 MASQUERADE udp -- * * 192.168.250.0/24 192.168.250.1 udp dpt:80
0 0 MASQUERADE tcp -- * * 192.168.250.0/24 192.168.250.127 tcp dpt:22
0 0 MASQUERADE udp -- * * 192.168.250.0/24 192.168.250.127 udp dpt:22
Chain postrouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_rule (1 references)
pkts bytes target prot opt in out source destination
0 0 pf_loopback_C all -- * br-lan 0.0.0.0/0 0.0.0.0/0
Chain postrouting_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain zone_lan_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
0 0 SNAT tcp -- * * 192.168.250.0/24 192.168.250.2 tcp dpt:9600 /* PLC (reflection) */ to:192.168.250.250
0 0 SNAT udp -- * * 192.168.250.0/24 192.168.250.2 udp dpt:9600 /* PLC (reflection) */ to:192.168.250.250
0 0 SNAT udp -- * * 192.168.250.0/24 192.168.250.1 udp dpt:21845 /* HMI_Display (reflection) */ to:192.168.250.250
0 0 SNAT tcp -- * * 192.168.250.0/24 192.168.250.1 tcp dpt:80 /* HMI_Http (reflection) */ to:192.168.250.250
0 0 SNAT udp -- * * 192.168.250.0/24 192.168.250.1 udp dpt:80 /* HMI_Http (reflection) */ to:192.168.250.250
0 0 SNAT tcp -- * * 192.168.250.0/24 192.168.250.127 tcp dpt:22 /* raspberry (reflection) */ to:192.168.250.250
0 0 SNAT udp -- * * 192.168.250.0/24 192.168.250.127 udp dpt:22 /* raspberry (reflection) */ to:192.168.250.250
Chain zone_lan_prerouting (1 references)
pkts bytes target prot opt in out source destination
174 11571 prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */
0 0 DNAT tcp -- * * 192.168.250.0/24 192.168.8.105 tcp dpt:9600 /* PLC (reflection) */ to:192.168.250.2:9600
0 0 DNAT udp -- * * 192.168.250.0/24 192.168.8.105 udp dpt:9600 /* PLC (reflection) */ to:192.168.250.2:9600
0 0 DNAT udp -- * * 192.168.250.0/24 192.168.8.105 udp dpt:21845 /* HMI_Display (reflection) */ to:192.168.250.1:21845
0 0 DNAT tcp -- * * 192.168.250.0/24 192.168.8.105 tcp dpt:800 /* HMI_Http (reflection) */ to:192.168.250.1:80
0 0 DNAT udp -- * * 192.168.250.0/24 192.168.8.105 udp dpt:800 /* HMI_Http (reflection) */ to:192.168.250.1:80
0 0 DNAT tcp -- * * 192.168.250.0/24 192.168.8.105 tcp dpt:3322 /* raspberry (reflection) */ to:192.168.250.127:22
0 0 DNAT udp -- * * 192.168.250.0/24 192.168.8.105 udp dpt:3322 /* raspberry (reflection) */ to:192.168.250.127:22
Chain zone_vpn_postrouting (1 references)
pkts bytes target prot opt in out source destination
332 22716 postrouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
332 22716 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_vpn_prerouting (1 references)
pkts bytes target prot opt in out source destination
42 2354 prerouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */
Chain zone_wan_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_prerouting (1 references)
pkts bytes target prot opt in out source destination
1585 112K MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 redir ports 22
0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 80
1588 112K prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9600 /* PLC */ to:192.168.250.2:9600
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9600 /* PLC */ to:192.168.250.2:9600
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21845 /* HMI_Display */ to:192.168.250.1:21845
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:800 /* HMI_Http */ to:192.168.250.1:80
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:800 /* HMI_Http */ to:192.168.250.1:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3322 /* raspberry */ to:192.168.250.127:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3322 /* raspberry */ to:192.168.250.127:22
Any help is appreciated, thank you very much
Re: Portforward and how to access via vpn cli adress
why?on lan side for homogenius architecture.
Re: Portforward and how to access via vpn cli adress
Is this your network map?
If so why?
If so why?
Re: Portforward and how to access via vpn cli adress
This is a better set up
Re: Portforward and how to access via vpn cli adress
as reference to your picture (that i cant figure out how to upload) the text says "This is a better set up"
That is exactly how it is set up.
All my clients connect to my server through the internet as you have depicted. problem i have is that im unable to access the services via nat on client side. and all my clients use same subnet on lan side, this is for ease of maintenance and production.
That is exactly how it is set up.
All my clients connect to my server through the internet as you have depicted. problem i have is that im unable to access the services via nat on client side. and all my clients use same subnet on lan side, this is for ease of maintenance and production.
Re: Portforward and how to access via vpn cli adress
figured out a way to add pictures. here is some of my config
Re: Portforward and how to access via vpn cli adress
Port forwarding and manual editing of IPtables is not necessary. (In fact discouraged )
If you have manually edited IPTables I would re-flash and start again. (maybe you should do it anyway).
Can you draw a network map with all IP Address and subnets
You need to be careful with subnet IP address
If you have manually edited IPTables I would re-flash and start again. (maybe you should do it anyway).
Can you draw a network map with all IP Address and subnets
You need to be careful with subnet IP address