Portforward and how to access via vpn cli adress

[karljboe]

for now im just running rpi on lan side with the openvpn client

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.250.1:80
iptables -t nat -A PREROUTING -p tcp --dport 21845 -j DNAT --to-destination 192.168.250.1:21845
iptables -t nat -A PREROUTING -p tcp --dport 9600 -j DNAT --to-destination 192.168.250.2:9600

iptables -t nat -A POSTROUTING -p tcp -d 192.168.250.1 --dport 80 -j SNAT --to-source 10.8.0.3
iptables -t nat -A POSTROUTING -p tcp -d 192.168.250.1 --dport 21845 -j SNAT --to-source 10.8.0.3
iptables -t nat -A POSTROUTING -p tcp -d 192.168.250.2 --dport 9600 -j SNAT --to-source 10.8.0.3

# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 192.168.250.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -i eth0 -o tun0 -s 192.168.250.0/24 -d 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
iptables -t nat -I POSTROUTING -o eth0 -s 192.168.250.0/24 -j MASQUERADE

i will get some more routers and test in a smaller scale and see if i can add the missing rules connecting tun0 to eth0\br-lan

[ispyisail]

Keep us updated

I finally figured out what you are trying to do.

If you can do testing and leg work somebody might do some thing with the GUI.

[karljboe]

Just got my new batch of routers, this time the first one i try has the infamous 18005 error when trying to upload new firmware, tried all the alternatives i could find listed in this forum, short of the tftp solution. is that the only way to go, or did someone make a better solution?

[ispyisail]

I have the same problem. I broke my new router so bad that a serial recovery did not work. I got a new replacement under warranty.

I waiting for a better firmware or better instructions.

Be careful.

[karljboe]

For now, i have addded my needed rules to forward from tun0 to br-lan in a script activated at boot via crontab.
would be awsom to have that option on the gui, being able to chose while making tha nat in firewall.

[ispyisail]

Can you post what you have done. I might help others?

[karljboe]

In the end what i did, was to try add in crontab /etc/crontabs/root
@reboot /location/filename.sh
that did not work, seems the firewall rules are applied later in the boot process, so it overwrites whatever i added @ boot
so i actually just added my rules in /etc/rc.local

sleep 20
iptables -t nat -a preroute something
iptables -t nat -a postrouting something
iptable - forward something

found that if i added the sleep on top, it will add my additional rules after the gargoyle initialization is done

all this can be avoided if we get it as an option on the firewall page next to where we chose tcp or udp, there we can have the option to whose interface as well

[ispyisail]

Thanks