Do i need to manually forward non standard ports on the OpenVPN server?


Moderators: TinCanTech

postcd
OpenVPN User
Posts: 26
Joined: Sun Jan 24, 2016 9:22 pm

Do i need to manually forward non standard ports on the OpenVPN server?

Post by postcd » Mon Jun 12, 2017 4:32 pm

Hello,

I have CentOS Linux on which the OpenVPN server is installed.

The OpenVPN client is on a Windows 10 PC. And the developer of the computer software (PC game) that I am running on the client PC recommends forwarding UDP ports 27000-30000 on my home firewall/router to my PC in order for the software to work well.

The question is whether I need to set up port forwarding on my home router or also on my remote Linux OpenVPN server? Which Linux command should I run on the VPN server?

I am using the OpenVPN client on my home PC (Windows based); the PC itself is the client, the router is not used to set up the VPN.

Thank you

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Do i need to manually forward non standard ports on the OpenVPN server?

Post by TinCanTech » Mon Jun 12, 2017 4:45 pm

What has this got to do with OpenVPN?

postcd
OpenVPN User
Posts: 26
Joined: Sun Jan 24, 2016 9:22 pm

Re: Do i need to manually forward non standard ports on the OpenVPN server?

Post by postcd » Mon Jun 12, 2017 5:03 pm

As a noob I do not know the background of how OpenVPN forwards traffic or handles it.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Do i need to manually forward non standard ports on the OpenVPN server?

Post by TinCanTech » Mon Jun 12, 2017 5:13 pm


postcd
OpenVPN User
Posts: 26
Joined: Sun Jan 24, 2016 9:22 pm

Re: Do i need to manually forward non standard ports on the OpenVPN server?

Post by postcd » Mon Jun 12, 2017 8:27 pm

Thx, here is the server.conf:

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem

openvpn --version
OpenVPN 2.3.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug 23 2016
library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_pthread=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

tail /var/log/messages
Jun 12 16:21:18 vps openvpn[819]: event_wait : Interrupted system call (code=4)
Jun 12 16:21:18 vps openvpn[819]: OpenVPN CLIENT LIST
Jun 12 16:21:18 vps openvpn[819]: Updated,Mon Jun 12 16:21:18 2017
Jun 12 16:21:18 vps openvpn[819]: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
Jun 12 16:21:18 vps openvpn[819]: ROUTING TABLE
Jun 12 16:21:18 vps openvpn[819]: Virtual Address,Common Name,Real Address,Last Ref
Jun 12 16:21:18 vps openvpn[819]: GLOBAL STATS
Jun 12 16:21:18 vps openvpn[819]: Max bcast/mcast queue length,0
Jun 12 16:21:18 vps openvpn[819]: END

The server is a CentOS 6.7 Linux x64 OpenVZ (virtual) server, the network interface is venet0, with an iptables firewall. I hope it helps to understand whether any (or which) additional configuration is needed to make the VPN server properly "forward/redirect" traffic on the port range I mentioned.

postcd
OpenVPN User
Posts: 26
Joined: Sun Jan 24, 2016 9:22 pm

Re: Do i need to manually forward non standard ports on the OpenVPN server?

Post by postcd » Thu Jul 06, 2017 11:30 am

No solution yet.
By the way, how can I tell the OpenVPN server not to proxy/forward traffic from a certain host (or, in other words, block it)?
I tried to add "ALL: hostname.com" inside /etc/hosts but no luck; 1.2.3.4.hostname.com can still connect through the OpenVPN.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Do i need to manually forward non standard ports on the OpenVPN server?

Post by TinCanTech » Thu Jul 06, 2017 12:07 pm

You need to use iptables to filter packets and forward ports.

postcd
OpenVPN User
Posts: 26
Joined: Sun Jan 24, 2016 9:22 pm

Re: Do i need to manually forward non standard ports on the OpenVPN server?

Post by postcd » Sat Feb 24, 2018 10:48 am

In iptables (on the VPN server) I already have a policy to allow everything except what is denied, and I do not deny any ports/ranges. What else should I do to achieve what I asked in my initial post, please?

postcd
OpenVPN User
Posts: 26
Joined: Sun Jan 24, 2016 9:22 pm

Re: Do i need to manually forward non standard ports on the OpenVPN server?

Post by postcd » Tue Apr 07, 2020 7:58 pm

No one helped me in this topic, but a few years later I finally found the solution.

On the server,
Enable IP forwarding in /etc/sysctl.conf on the server: net.ipv4.ip_forward=1
Execute the following for the changes to take effect: sysctl -p

iptables rules to be executed on the server to open its port and forward incoming traffic to the tunnel:
iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 1234 -j DNAT --to 10.8.0.2:1234

Before executing, read the following and adjust the above commands.
1234 - port to open, properly forwarding its connections into the tunnel. A range can be defined like this: --dport 1234:1240, and then "--to" would omit the port and possibly contain only the IP.
10.8.0.2 - local IP address of the OpenVPN client network interface/adapter (shown by the OpenVPN client software and also in the "ipconfig" Windows command output)
venet0 - Linux server network interface name (usually the one with the most traffic reported by the "ifconfig" command, often "eth0")
tcp - connection type. There is also, for example, "udp"; it may be necessary to add one more rule separately for udp if needed.

If you added a wrong rule, you may delete it, for example: iptables -t nat -D POSTROUTING RuleNumber (the number is discovered by the command "service iptables status")

On the OpenVPN client, add a new firewall rule that says something like:
Allow INcoming connections to port 1234, and place the rule somewhere at the top of the list, as top rules usually have higher priority.
You may check the open port: https://www.ecosia.org/search?q=open+port+check

If it is closed, then try disabling the firewall (not ideal) to see if the firewall is causing the block.

If the port was opened successfully, then save the server iptables rules so they are not lost on reboot: service iptables save
Some servers do not use iptables but firewalld, for example, so the command would be different.
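An added example, not from this thread or from the OpenVPN project: a POSIX shell script that generates (and optionally applies) the rules from the post above for a whole port range and for both udp and tcp, which is what the original question (UDP 27000-30000) actually needs. The interface, client address and range are constructed defaults taken from the thread and can be overridden through environment variables; the FORWARD-chain rules are an assumption for servers whose FORWARD policy is DROP rather than the poster's allow-all policy.

```shell
#!/bin/sh
# Added example (not from the thread): build the iptables rules that forward a
# UDP/TCP port range arriving on the VPS public interface to the OpenVPN
# client inside the tunnel. Defaults are constructed to match the thread
# (venet0, client at 10.8.0.2, UDP 27000-30000) and can be overridden.
WAN_IF="${WAN_IF:-venet0}"            # public interface of the VPS
VPN_CLIENT="${VPN_CLIENT:-10.8.0.2}"  # tunnel address of the Windows PC
PORT_LO="${PORT_LO:-27000}"
PORT_HI="${PORT_HI:-30000}"

# Reject ranges iptables would mangle or refuse: both ends numeric,
# within 1..65535 and in order.
check_range() {
    for p in "$1" "$2"; do
        case "$p" in ""|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -ge 1 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]
}

# Print (do not run) the rules for one protocol, $1 = tcp or udp. Leaving the
# port out of --to-destination keeps each packet's original port, which is
# what forwarding a range requires.
gen_rules() {
    proto="$1"
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s:%s -j DNAT --to-destination %s\n' \
        "$WAN_IF" "$proto" "$PORT_LO" "$PORT_HI" "$VPN_CLIENT"
    # Only matters when the FORWARD policy is DROP (assumption): admit the
    # rewritten packets towards the tunnel client; replies are handled by the
    # conntrack rule emitted in gen_all.
    printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$proto" "$VPN_CLIENT" "$PORT_LO" "$PORT_HI"
}

# Full rule set: the MASQUERADE rule from the thread (also what the client's
# redirect-gateway needs for ordinary internet access), the reply rule, then
# one DNAT per protocol, because --dport cannot match tcp and udp at once.
gen_all() {
    check_range "$PORT_LO" "$PORT_HI" || { echo "bad range $PORT_LO:$PORT_HI" >&2; return 1; }
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    gen_rules udp
    gen_rules tcp
}

# Dry-run by default so the rules can be reviewed; "apply" runs them as root.
case "${1:-}" in
    apply) gen_all | sh -e ;;
    *)     gen_all ;;
esac
```

Run it without arguments to review the generated rules; `sh script.sh apply` executes them, and `service iptables save` (or the firewalld equivalent) still has to follow so they survive a reboot.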
