OPNsense Forum » English Forums » 24.1 Legacy Series » [SOLVED] VPN port forward - no return traffic
Topic: [SOLVED] VPN port forward - no return traffic (Read 1158 times)
JoopB (Newbie, Posts: 4, Karma: 0)
[SOLVED] VPN port forward - no return traffic
on: March 01, 2024, 11:54:48 am
I have an AirVPN OpenVPN (UDP IPv4) interface and a local HIDEME VLAN with a torrent client in it. When I initiate traffic from the client on HIDEME, traffic goes out through the VPN and I get a reply back, no issues there. For torrent uploading (BSD and Linux ISOs) I have a port forward set up on the AirVPN side. The port is 23407 all the way from AirVPN through the NAT port forward and the torrent client. Firewall rules have the default reply-to active and I do not specify a gateway on the incoming firewall rules. I can reach my client on the HIDEME VLAN through the AirVPN exit ip:port, but traffic does not seem to be returned. 0 upload. When I do the same on my WAN, everything works fine, full upload speed.
I ran tcpdump and noticed the incoming packet length is 0 (TCP) on AirVPN, where WAN has >0. The traffic does reach the torrent client, which wants to send something back, but it doesn't show up in the interface for AirVPN_Torrent. Is the 0 packet size causing this or is return traffic ending up somewhere else?
# is to prevent markup here from the letter before it
AirVPN_Torrent
11:26:13.119590 IP 39.40.78.209.51929 > 10.17.130.46.23407: Flags [S#], seq 1279553544, win 64240, options [mss 1375,nop,wscale 8,nop,nop,sackOK], length 0
HIDEME TCPDUMP
11:26:13.119608 IP 39.40.78.209.51929 > torrent.home.23407: Flags [S#], seq 1279553544, win 64240, options [mss 1375,nop,wscale 8,nop,nop,sackOK], length 0
11:26:13.119711 IP torrent.home.23407 > 39.40.78.209.51929: Flags [S#], seq 4011136359, ack 1279553545, win 64240, options [mss 1460], length 0
YOUFONE (WAN)
11:35:12.939709 IP 185.107.44.124.59288 > 77-172-30-35.fixed.kpn.net.23407: Flags [P.], seq 2212:2221, ack 3196540, win 12284, options [nop,nop,TS val 3854412952 ecr 1074413978], length 9
11:35:13.181938 IP 185.107.44.124.59288 > 77-172-30-35.fixed.kpn.net.23407: Flags [P.], seq 2221:3241, ack 3196540, win 12284, options [nop,nop,TS val 3854413194 ecr 1074413984], length 1020
11:35:13.209111 IP 77-172-30-35.fixed.kpn.net.23407 > 185.107.44.124.59288: Flags [.], seq 3307924:3309352, ack 3259, win 501, options [nop,nop,TS val 1074414252 ecr 3854413205], length 1428
HIDEME
11:35:13.181951 IP 185.107.44.124.59288 > torrent.home.23407: Flags [P.], seq 35:1055, ack 1, win 12284, options [nop,nop,TS val 3854413194 ecr 1074413984], length 1020
11:35:13.207906 IP torrent.home.23407 > 185.107.44.124.59288: Flags [.], seq 1:1429, ack 1073, win 501, options [nop,nop,TS val 1074414252 ecr 3854413205], length 1428
Last Edit: March 01, 2024, 04:24:57 pm by JoopB
zan (Full Member, Posts: 175, Karma: 31)
Re: VPN port forward - no return traffic
Reply #1 on: March 01, 2024, 02:44:03 pm
On your AirVPN interface pass rule, set the reply-to to the AirVPN gateway.
JoopB (Newbie, Posts: 4, Karma: 0)
Re: VPN port forward - no return traffic
Reply #2 on: March 01, 2024, 03:34:17 pm
Awesome, I thought I had tried that, but I had just set the regular Gateway to AirVPN_Torrent.
Now there is traffic returning and the port shows open.
Is this a bug, or is it expected in this kind of configuration that the default "reply-to" does not work?
The setup worked before with the default reply-to.
Last Edit: March 01, 2024, 04:21:46 pm by JoopB
zan (Full Member, Posts: 175, Karma: 31)
Re: VPN port forward - no return traffic
Reply #3 on: March 01, 2024, 04:12:10 pm
Do you have any rule in the OpenVPN group firewall rules list? Remember that group rules are evaluated first.
> Awesome, I thought I had tried that, but I had just set the regular Gateway to AirVPN_Torrent.
This is forcing all traffic to AirVPN though, not just return traffic.
JoopB (Newbie, Posts: 4, Karma: 0)
Re: VPN port forward - no return traffic
Reply #4 on: March 01, 2024, 04:23:53 pm
Yes, I noticed that broke things rather than improving them. I was just shooting blind and hoping to hit.
No group rules; the issue was the "reply-to" set to default. Changing that to the interface through which the traffic came in fixed it. The weird thing is, it used to work with reply-to set to default, and that still works on my WAN. So maybe something changed where a VPN is on another interface than the WAN, in my case.
Last Edit: March 01, 2024, 04:26:29 pm by JoopB
zan (Full Member, Posts: 175, Karma: 31)
Re: [SOLVED] VPN port forward - no return traffic
Reply #5 on: March 01, 2024, 04:38:27 pm
reply-to set to default only works on a single WAN. If you have multiple WANs, you always need to set reply-to to the intended gateway for return traffic to work properly.
JoopB (Newbie, Posts: 4, Karma: 0)
Re: [SOLVED] VPN port forward - no return traffic
Reply #6 on: March 01, 2024, 06:00:10 pm
Clear, thanks!