Forward all ports down a VPN
My ISP has CGNAT, so no public IP and thus no port forwarding available. I have applications that need port forwarding. I have therefore bought a router that allows a VPN as its Internet connection, and hired a VPS with a static public IP. I have installed Debian 10 Server on it.
My intent is to set the VPS up with L2TP/IPSec. (My router accepts PPTP, L2TP/IPSEC or OpenVPN, but PPTP is filtered out by my ISP and my router only has partial support for OpenVPN.) There will only be 1 client: my router. The VPS will do NAT for outgoing connections and replies. For unsolicited incoming traffic on any TCP or UDP port except those used for SSH or VPN, it forwards it all down the VPN to the equivalent port and protocol on my router.
I am moderately experienced at Debian, enough to configure a server with the help of the many handholding tutorials helpful people have put online (I.e. I'm by no means a trained or experienced sysadmin.) So I can do all the above with the exception of the last bit. I have used UFW and am aware of IPTables, but I have no idea how to set such up to forward all the traffic down the VPN to my router.
Much Googling hasn't helped. So I'm wondering please if any of you very helpful people have any useful tutorials you could link to, or any useful pointers or resources similarly.
Thank you ever so much.
Re: Forward all ports down a VPN
Assuming the VPS external network interface is eth0 and the internal VPN address of the router is 192.0.2.3
iptables -t nat -A PREROUTING -i eth0 -p ah -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p esp -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 500 -j ACCEPT # IKE
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4500 -j ACCEPT # NAT-T
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j ACCEPT # SSH
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 192.0.2.3
Re: Forward all ports down a VPN
Thank you very much for this.
I've tried what you have kindly written but I can't get it to work. I suspect that this may be because the script that sets up the VPN does some things with IPTables also.
The VPS's Ethernet device is called "ens192", I have set SSH to use port 22222, and the address that Strongswan gives my router is 192.168.42.2, so I tried running at the command prompt:
sudo iptables -t nat -A PREROUTING -i ens192 -p ah -j ACCEPT
sudo iptables -t nat -A PREROUTING -i ens192 -p esp -j ACCEPT
sudo iptables -t nat -A PREROUTING -i ens192 -p udp --dport 500 -j ACCEPT # IKE
sudo iptables -t nat -A PREROUTING -i ens192 -p udp --dport 4500 -j ACCEPT # NAT-T
sudo iptables -t nat -A PREROUTING -i ens192 -p tcp --dport 22222 -j ACCEPT # SSH
sudo iptables -t nat -A PREROUTING -i ens192 -j DNAT --to 192.168.42.2
That didn't result in any noticeable change: the VPN connects and I have Internet access, but I don't have any port forwarding (according to ShieldsUp / testing via another device on another Internet connection.)
The FAQ for the script I used to set up the L2TP/IPSec VPN says:
If you want to modify the IPTables rules after install, edit /etc/iptables.rules and/or /etc/iptables/rules.v4 (Ubuntu/Debian), or /etc/sysconfig/iptables (CentOS/RHEL). Then reboot your server.
/etc/iptables/ doesn't exist, so I had a guess at what to add to /etc/iptables.rules. Here's the file with my attempted addition (the six PREROUTING lines):
# Modified by hwdsl2 VPN script
# Generated by xtables-save v1.8.2 on Sun Jun 6 17:23:22 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i ens192 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o ens192 -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -d 192.168.43.0/24 -i ens192 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o ens192 -j ACCEPT
-A FORWARD -j DROP
COMMIT
# Completed on Sun Jun 6 17:23:22 2021
# Generated by xtables-save v1.8.2 on Sun Jun 6 17:23:22 2021
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ens192 -p ah -j ACCEPT
-A PREROUTING -i ens192 -p esp -j ACCEPT
-A PREROUTING -i ens192 -p udp --dport 500 -j ACCEPT # IKE
-A PREROUTING -i ens192 -p udp --dport 4500 -j ACCEPT # NAT-T
-A PREROUTING -i ens192 -p tcp --dport 22222 -j ACCEPT # SSH
-A PREROUTING -i ens192 -j DNAT --to 192.168.42.2
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o ens192 -j MASQUERADE
-A POSTROUTING -s 192.168.43.0/24 -o ens192 -m policy --dir out --pol none -j MASQUERADE
COMMIT
On rebooting, I discovered my guess was wrong; however - when connecting my router to the VPN, I have no Internet access at all.
I am very wary of abusing your generosity of time and expertise, and that of other members; but I wonder if you would mind please giving any final pointers to make this work for me, or for another member? I really would be very grateful indeed.
Thank you
Doug
Re: Forward all ports down a VPN
The rules in the FORWARD chain do not allow the forwarded connections from the ethernet interface to the ppp interface. You need either to delete the last rule (DROP) or insert this rule before it:
iptables -A FORWARD -i ens192 -o ppp+ -j ACCEPT
Re: Forward all ports down a VPN
Thank you!
I commented out the DROP instruction and rebooted, however I am still unable to access anything on the Internet via the VPN. Traceroutes work:
tracert 208.67.220.220
Tracing route to resolver2.opendns.com [208.67.220.220]
over a maximum of 30 hops:
1 3 ms 3 ms 4 ms KQ-SYNOLOGY [192.168.1.1]
2 36 ms 44 ms 35 ms 136.22.68.129
3 41 ms 36 ms 34 ms 72.14.216.106
4 36 ms 35 ms 37 ms 74.125.242.113
5 39 ms 43 ms 35 ms lonap.rtr1.lon.opendns.com [5.57.80.198]
6 40 ms 32 ms 35 ms resolver2.opendns.com [208.67.220.220]
Trace complete.
But nothing actually works. All connection attempts time out; Web, Mail, FTP, everything I attempt to do.
If I comment out the PREROUTING instructions I added (in bold in an earlier message in this thread) the VPN goes back to working, but the port forwarding obviously doesn't work.
All the best and thank you
Re: Forward all ports down a VPN
IPSec packet handling is tricky, try to add this rule before DNAT:
iptables -t nat -A PREROUTING -i ens192 -p udp --dport 1701 -j ACCEPT # L2TP
Note: I am not sure # comments are allowed at the end of lines in iptables.rules.
Re: Forward all ports down a VPN
p.H, you utter genius, you've done it.
I can connect via VPN, get the static IP and then port forwarding Just Works.
I quote my iptables.rules below in case it may benefit anybody else who is in a similar position.
I am incredibly grateful; I recognise your time and expertise that has made this work for me.
I would love to donate some money, to you or to a charity of your choice - could you let me know which?
Thank you!
# L2TP/IPSEC with Port Forwarding
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i ens192 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o ens192 -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -d 192.168.43.0/24 -i ens192 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o ens192 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ens192 -p ah -j ACCEPT
-A PREROUTING -i ens192 -p esp -j ACCEPT
-A PREROUTING -i ens192 -p udp --dport 500 -j ACCEPT
-A PREROUTING -i ens192 -p udp --dport 4500 -j ACCEPT
-A PREROUTING -i ens192 -p tcp --dport 22222 -j ACCEPT
-A PREROUTING -i ens192 -p udp --dport 1701 -j ACCEPT
-A PREROUTING -i ens192 -j DNAT --to 192.168.42.2
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o ens192 -j MASQUERADE
-A POSTROUTING -s 192.168.43.0/24 -o ens192 -m policy --dir out --pol none -j MASQUERADE
COMMIT
Last edited by kingqueen on 2021-06-09 12:13, edited 1 time in total.
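As an added example (not code from the thread or from the hwdsl2 script), the following POSIX shell script builds the same VPS ruleset from variables and checks the one ordering property the thread hinged on: in the nat PREROUTING chain, every exception (AH, ESP, IKE on udp/500, NAT-T on udp/4500, SSH, and L2TP on udp/1701) must come before the unconditional DNAT, because a rule placed after an unconditional DNAT never matches. The L2TP exception matters because ESP-decapsulated packets re-enter PREROUTING as plain udp/1701 and would otherwise be caught by the catch-all. It also takes up p.H's last remark by giving the FORWARD chain a DROP policy with explicit ACCEPT rules, so those rules are no longer redundant. The interface name, SSH port and client address are the thread's values used as defaults; the 192.168.43.0/24 subnet and ppp+ pattern are carried over from the posted hwdsl2 ruleset.

```shell
#!/bin/sh
# Added example: generate and sanity-check an iptables-restore ruleset for a
# VPS that forwards all unsolicited traffic down an L2TP/IPsec tunnel.
# Defaults are the thread's values; override them via the environment.
WAN_IF="${WAN_IF:-ens192}"            # VPS external interface
SSH_PORT="${SSH_PORT:-22222}"         # SSH port kept on the VPS itself
VPN_CLIENT="${VPN_CLIENT:-192.168.42.2}"  # address the router gets from the VPN
L2TP_NET="${L2TP_NET:-192.168.42.0/24}"   # L2TP client pool (hwdsl2 default)
XAUTH_NET="${XAUTH_NET:-192.168.43.0/24}" # IKEv2/XAuth pool (hwdsl2 default)

# Emit the ruleset on stdout. FORWARD has a DROP policy, so the ACCEPT rules
# are what lets DNATed traffic reach the ppp interface. In nat PREROUTING every
# exception precedes the catch-all DNAT; the udp/1701 rule keeps decapsulated
# L2TP packets on the VPS instead of bouncing them down the tunnel.
generate_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $WAN_IF -o ppp+ -j ACCEPT
-A FORWARD -i ppp+ -o $WAN_IF -j ACCEPT
-A FORWARD -s $L2TP_NET -d $L2TP_NET -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -d $XAUTH_NET -i $WAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $XAUTH_NET -o $WAN_IF -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p ah -j ACCEPT
-A PREROUTING -i $WAN_IF -p esp -j ACCEPT
-A PREROUTING -i $WAN_IF -p udp --dport 500 -j ACCEPT
-A PREROUTING -i $WAN_IF -p udp --dport 4500 -j ACCEPT
-A PREROUTING -i $WAN_IF -p udp --dport 1701 -j ACCEPT
-A PREROUTING -i $WAN_IF -p tcp --dport $SSH_PORT -j ACCEPT
-A PREROUTING -i $WAN_IF -j DNAT --to-destination $VPN_CLIENT
-A POSTROUTING -s $L2TP_NET -o $WAN_IF -j MASQUERADE
-A POSTROUTING -s $XAUTH_NET -o $WAN_IF -m policy --dir out --pol none -j MASQUERADE
COMMIT
EOF
}

# Return 0 only if the DNAT is the last PREROUTING rule and the L2TP, ESP and
# SSH exceptions all precede it; a misordered file fails here instead of in
# production. Rules are numbered in the order iptables-restore will load them.
check_order() {
  generate_rules | awk -v port="$SSH_PORT" '
    /^-A PREROUTING/ { n++ }
    /^-A PREROUTING/ && /-j DNAT/        { dnat = n }
    /^-A PREROUTING/ && /--dport 1701 /  { l2tp = n }
    /^-A PREROUTING/ && /-p esp /        { esp = n }
    /^-A PREROUTING/ && $0 ~ "--dport " port " " { ssh = n }
    END {
      if (!dnat || dnat != n) exit 1
      if (!(l2tp && esp && ssh)) exit 1
      if (!(l2tp < dnat && esp < dnat && ssh < dnat)) exit 1
      exit 0
    }'
}

# Usage: ./vps-rules.sh            print the ruleset
#        ./vps-rules.sh check      verify rule ordering
#        ./vps-rules.sh dry-run    parse with iptables-restore without committing
case "${1:-print}" in
  print)   generate_rules ;;
  check)   check_order && echo "PREROUTING ordering OK" ;;
  dry-run) check_order && generate_rules | iptables-restore --test ;;
esac
```

Redirect the `print` output to /etc/iptables.rules (the file the hwdsl2 FAQ names) once `check` and `dry-run` pass; `iptables-restore --test` parses the whole file, so an end-of-line comment that the parser rejects would show up here rather than after a reboot.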
- sunrat
Re: Forward all ports down a VPN
You should use code tags rather than quotes for code type posting. It won't change certain characters to emojis!
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ” Remember to BACKUP!
Re: Forward all ports down a VPN
Thank you; good point. I went for the Quote tag earlier because it allowed me to Bold certain lines, which the Code tag didn't.
I've replaced that Quote with Code.
Re: Forward all ports down a VPN
kingqueen wrote: I quote my iptables.rules below in case it may benefit anybody else who is in a similar position.
One comment about the ruleset: since you removed the final DROP rule in the FORWARD chain whose default policy is ACCEPT, the ACCEPT rules in the FORWARD chain are useless.
kingqueen wrote: I would love to donate some money, to you or to a charity of your choice - could you let me know which?
Thank you for your kind offer, but I participate in this forum and others in my spare time as a hobby; learning things in the process is enough of a reward. If you like you can donate to the charity of your choice on my behalf, or to this forum (if they accept donations), Debian, a free software project or service you appreciate...
Re: Forward all ports down a VPN
p.H wrote: One comment about the ruleset: since you removed the final DROP rule in the FORWARD chain whose default policy is ACCEPT, the ACCEPT rules in the FORWARD chain are useless.
Oh well, it seems to work, so I'll let sleeping dogs lie; imperfect code can be subsumed to practicality.
p.H wrote: Thank you for your kind offer, but I participate in this forum and others in my spare time as a hobby; learning things in the process is enough of a reward. If you like you can donate to the charity of your choice on my behalf, or to this forum (if they accept donations), Debian, a free software project or service you appreciate...
I'll pay your kindness forward in some way. Thanks again.