Port forwarding through VPN

Started by jafinn, June 25, 2019, 11:01:32 PM

Port forward behind VPN

I made a similar post a while back when I used PIA and couldn't get it to work. I switched to Mullvad (they let you keep a fixed port) and got it working straight off the bat. I had some computer issues (non OPNsense related) and had to set everything up from scratch. Now I can't get it working anymore.


I've set up the VPN client, assigned it an interface and that works as it should. I've set up a rule on the LAN interface:

Pass
LAN Interface
IPv4
Any protocol
VPN alias source
Any destination
Any port
VPN Gateway


I've got a rule below that on the LAN interface to block traffic when the VPN client is down:

Block
LAN interface
IPv4
Any protocol
VPN alias source
Any destination
Any port
Default gateway


So far so good, when I down the VPN client the traffic is blocked.


I then have manual outbound NAT:

VPN interface
IPv4
Any protocol
VPN alias source
Any destination
Translation/target interface address



For the port forwarding I've tried multiple ways, but this is the current one:


Firewall: NAT: Port forward

VPN interface
IPv4
TCP/UDP
Any destination
Destination port alias (Port opened at Mullvad)
Redirect to single host IP
Redirect to target port HTTP
NAT reflection on
Add associated filter rule



I've set up an Nginx server listening at the end just to make it as simple as possible. Locally it works (with the NAT reflection) but no response from external network or remote port checkers. I can see the packets being allowed through the firewall directed to the correct LAN IP but it's like they don't get routed back out the correct way.


I've tried making a manual rule for NAT under the VPN interface and as a floating rule. Any suggestions would be highly appreciated.

Does any of this help?

Packet capture showing that the packets hit the firewall, so the port forwarding on the VPN provider's side is working.
Capture output
10:32:21.481369 AF IPv4 (2), length 52: (tos 0x0, ttl 118, id 50601, offset 0, flags [none], proto UDP (17), length 48)
    41.220.30.38.17052 > 10.11.0.7.31353: [udp sum ok] UDP, length 20
10:32:21.481451 AF IPv4 (2), length 52: (tos 0x0, ttl 117, id 50601, offset 0, flags [none], proto UDP (17), length 48)
    41.220.30.38.17052 > 192.168.1.211.31353: [udp sum ok] UDP, length 20
10:32:22.128435 AF IPv4 (2), length 64: (tos 0x0, ttl 58, id 20939, offset 0, flags [DF], proto TCP (6), length 60)
    34.73.85.159.57694 > 10.11.0.7.31353: Flags [S], cksum 0x7efc (correct), seq 145608005, win 28400, options [mss 1357,sackOK,TS val 170368142 ecr 0,nop,wscale 7], length 0
10:32:22.128506 AF IPv4 (2), length 64: (tos 0x0, ttl 57, id 20939, offset 0, flags [DF], proto TCP (6), length 60)
    34.73.85.159.57694 > 192.168.1.211.31353: Flags [S], cksum 0xc692 (correct), seq 145608005, win 28400, options [mss 1357,sackOK,TS val 170368142 ecr 0,nop,wscale 7], length 0
10:32:22.240453 AF IPv4 (2), length 64: (tos 0x0, ttl 56, id 55812, offset 0, flags [DF], proto TCP (6), length 60)
    69.136.134.174.31886 > 10.11.0.7.31353: Flags [S], cksum 0xb8bb (correct), seq 2722786196, win 65535, options [mss 1357,sackOK,TS val 49000848 ecr 0,nop,wscale 8], length 0
10:32:22.240523 AF IPv4 (2), length 64: (tos 0x0, ttl 55, id 55812, offset 0, flags [DF], proto TCP (6), length 60)
    69.136.134.174.31886 > 192.168.1.211.31353: Flags [S], cksum 0x0052 (correct), seq 2722786196, win 65535, options [mss 1357,sackOK,TS val 49000848 ecr 0,nop,wscale 8], length 0


Nmap showing that the port is filtered:

$ nmap -p 31353 185.65.134.166

Starting Nmap 7.40 ( https://nmap.org ) at 2019-06-28 08:32 UTC
Nmap scan report for 185.65.134.166
Host is up (0.093s latency).
PORT      STATE    SERVICE
31353/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.06 seconds


If I remove the firewall rule I can see that the packets are blocked, but with a rule under floating or the VPN interface they show as pass.



Any ideas? Or suggestions as to what would be useful to look at? I suspect the problem is the reply-to address, but I'm not sure how to troubleshoot it.

My VPN client settings, in case that has something to do with it.


Since this seems to be a difficult issue, would it be a viable solution to set up a second OPNsense instance that routes all traffic over the VPN? Would the double NAT be an issue after the tunnel is established?

July 03, 2019, 01:27:34 PM #4 Last Edit: July 03, 2019, 02:17:39 PM by JhonnyMnemonic
Hi,

I have the same issue forwarding a specific port through the VPN.

I'm using OPNsense 19.1.9-amd64 FreeBSD 11.2-RELEASE-p10-HBSD OpenSSL 1.0.2s 28 May 2019

My VPN provider is AirVPN. I opened the port on the AirVPN web site then tried to configure OPNsense in this way:

Firewall-NAT-Port Forward


Firewall-NAT-Outbound


Firewall-Rules-AirVPN1

(this rule is autogenerated, but I tried also the same rule manually with "disable reply-to" checked)

Firewall-Rules-LAN


If I try to use the AirVPN tool to check open ports (on the AirVPN website) it says the port is closed.
If I use this site https://www.yougetsignal.com/tools/open-ports/ it says the port is closed.

I can't find a guide to port forwarding over VPN with OPNsense anywhere.
I hope someone can help me understand where the problem is and whether there is an OPNsense bug somewhere.
Thanks

Updated to OPNsense 19.1.10. Port forwarding through VPN is still not working for me.

I just configured pfSense 2.4.4-RELEASE-p3 (amd64) with these same rules and port forwarding through VPN is working: green light from the AirVPN site and yougetsignal.com.
I really don't understand where is the problem with OPNsense.

Thanks for letting us know, I've also looked into migrating to pfsense but haven't found the time yet. I had port forwarding working on 18.something so it did work in the past. Not sure when it broke.

Having the same issue, with same setup (and same vpn!)

@jafinn One thing you could test is to check "Disable force gateway" in the advanced settings, which would disable automatic "reply-to" rules (https://github.com/opnsense/core/blob/e224771ce0e53618b88feecf3383638066fb9739/src/etc/inc/filter.lib.inc#L571-L603)

At the end I solved using OPNsense 18.1.

In fact, while in OPNsense 19.1 port forwarding through VPN didn't work, in pfSense 2.4.4 I had issues with port forwarding through WAN.

If you compare the contents of /tmp/rules.debug in both versions with the same ruleset, it should be pretty easy to find the configuration change. Although I would start with the option I mentioned earlier.
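To make the two suggestions above concrete (the "Disable force gateway" / reply-to option and the /tmp/rules.debug comparison), here is an added illustration of roughly what the generated pf rules for jafinn's setup should contain. It is not output from any poster's firewall and not OPNsense's own generated file. The tunnel address 10.11.0.7, the LAN host 192.168.1.211, the forwarded port 31353 and the HTTP target port are taken from the thread; the interface name ovpnc1 and the tunnel gateway 10.11.0.1 are assumptions.

```pf
# Hypothetical pf fragment, added as an example. Interface name ovpnc1 and the
# tunnel gateway 10.11.0.1 are assumptions; the other values come from the thread.

# Outbound NAT: LAN hosts leaving through the tunnel get the tunnel address as source.
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1)

# Port forward: TCP and UDP arriving on the tunnel for port 31353 are redirected
# to the LAN web server on port 80 (the "Any destination" + port alias setup).
rdr on ovpnc1 inet proto { tcp udp } from any to any port 31353 -> 192.168.1.211 port 80

# Associated filter rule. "reply-to ( ovpnc1 10.11.0.1 )" stores the tunnel
# gateway in the state entry, so the server's SYN-ACK is sent back out ovpnc1
# instead of following the routing table to the default (WAN) gateway.
pass in quick on ovpnc1 reply-to ( ovpnc1 10.11.0.1 ) inet proto { tcp udp } \
    from any to 192.168.1.211 port 80 keep state

# With "Disable force gateway" set, OPNsense omits the reply-to part. The reply
# then follows the system routing table: the probe's SYN arrives via the tunnel
# (as in the capture above) but the SYN-ACK leaves via WAN with a different source
# address, the remote checker never sees it, and nmap reports the port "filtered".
```

When comparing /tmp/rules.debug between the working and non-working versions, the things to look for are whether the pass rule for the forwarded port is bound to the VPN interface (not to LAN or to a floating rule with no interface), whether it carries a reply-to clause naming that interface and the tunnel gateway, and whether the nat rule on the VPN interface covers the server's source address.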

Changing to pfsense pretty much solved all my issues.

It took me under an hour to set up pfsense with
- IPv6RD (broken again in opnsense)
- Port forwarding (for some reason one of my rules stopped working when upgrading to 19.7 and I've been unable to get it working again)
- Port forwarding through a VPN provider (unable to get that working through several iterations of opnsense, worked first attempt on pfsense)

I'm sorry to leave as I very much prefer opnsense, unfortunately one of my requirements is that my firewall should work. I think the last time I had everything working without issues was on 17.X. Even tried a fresh install without joy.