Accessing forwarded ports on client

Post by karljboe » Fri May 26, 2017 6:32 pm

Hi, I have set up a network running an OpenVPN server on a TP-Link Archer and several OpenVPN clients on TP-Link Archers.
My design is that whenever a client TP-Link gets internet access, behind however many routers, it will connect to my server.
All my clients are running the same subnet on the LAN side, so the only option I have is to use port forwarding.
On the clients I have several devices on the LAN side that I want to access on specific ports.
So far I have not been able to access the forwarded ports coming from the default VPN 10.8.0.0/24 network.
Is there a neat trick for adding this via iptables?
I would love to add some screenshots, but it's not allowed.
Here is what I get by typing iptables -t nat -L -n -v:

Chain PREROUTING (policy ACCEPT 1798 packets, 125K bytes)
pkts bytes target prot opt in out source destination
1804 126K delegate_prerouting all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 99 packets, 5936 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 204 packets, 14494 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
332 22716 delegate_postrouting all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination

Chain delegate_postrouting (1 references)
pkts bytes target prot opt in out source destination
332 22716 postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
0 0 zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0
0 0 zone_wan_postrouting all -- * eth0 0.0.0.0/0 0.0.0.0/0
332 22716 zone_vpn_postrouting all -- * tun0 0.0.0.0/0 0.0.0.0/0

Chain delegate_prerouting (1 references)
pkts bytes target prot opt in out source destination
1804 126K prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */
174 11571 zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0
1588 112K zone_wan_prerouting all -- eth0 * 0.0.0.0/0 0.0.0.0/0
42 2354 zone_vpn_prerouting all -- tun0 * 0.0.0.0/0 0.0.0.0/0

Chain pf_loopback_A (0 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9600 to:192.168.250.2:9600
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9600 to:192.168.250.2:9600
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21845 to:192.168.250.1:21845
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:800 to:192.168.250.1:80
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:800 to:192.168.250.1:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3322 to:192.168.250.127:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3322 to:192.168.250.127:22

Chain pf_loopback_C (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE tcp -- * * 192.168.250.0/24 192.168.250.2 tcp dpt:9600
0 0 MASQUERADE udp -- * * 192.168.250.0/24 192.168.250.2 udp dpt:9600
0 0 MASQUERADE udp -- * * 192.168.250.0/24 192.168.250.1 udp dpt:21845
0 0 MASQUERADE tcp -- * * 192.168.250.0/24 192.168.250.1 tcp dpt:80
0 0 MASQUERADE udp -- * * 192.168.250.0/24 192.168.250.1 udp dpt:80
0 0 MASQUERADE tcp -- * * 192.168.250.0/24 192.168.250.127 tcp dpt:22
0 0 MASQUERADE udp -- * * 192.168.250.0/24 192.168.250.127 udp dpt:22

Chain postrouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination

Chain postrouting_rule (1 references)
pkts bytes target prot opt in out source destination
0 0 pf_loopback_C all -- * br-lan 0.0.0.0/0 0.0.0.0/0

Chain postrouting_vpn_rule (1 references)
pkts bytes target prot opt in out source destination

Chain postrouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination

Chain prerouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination

Chain prerouting_rule (1 references)
pkts bytes target prot opt in out source destination

Chain prerouting_vpn_rule (1 references)
pkts bytes target prot opt in out source destination

Chain prerouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination

Chain zone_lan_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
0 0 SNAT tcp -- * * 192.168.250.0/24 192.168.250.2 tcp dpt:9600 /* PLC (reflection) */ to:192.168.250.250
0 0 SNAT udp -- * * 192.168.250.0/24 192.168.250.2 udp dpt:9600 /* PLC (reflection) */ to:192.168.250.250
0 0 SNAT udp -- * * 192.168.250.0/24 192.168.250.1 udp dpt:21845 /* HMI_Display (reflection) */ to:192.168.250.250
0 0 SNAT tcp -- * * 192.168.250.0/24 192.168.250.1 tcp dpt:80 /* HMI_Http (reflection) */ to:192.168.250.250
0 0 SNAT udp -- * * 192.168.250.0/24 192.168.250.1 udp dpt:80 /* HMI_Http (reflection) */ to:192.168.250.250
0 0 SNAT tcp -- * * 192.168.250.0/24 192.168.250.127 tcp dpt:22 /* raspberry (reflection) */ to:192.168.250.250
0 0 SNAT udp -- * * 192.168.250.0/24 192.168.250.127 udp dpt:22 /* raspberry (reflection) */ to:192.168.250.250

Chain zone_lan_prerouting (1 references)
pkts bytes target prot opt in out source destination
174 11571 prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */
0 0 DNAT tcp -- * * 192.168.250.0/24 192.168.8.105 tcp dpt:9600 /* PLC (reflection) */ to:192.168.250.2:9600
0 0 DNAT udp -- * * 192.168.250.0/24 192.168.8.105 udp dpt:9600 /* PLC (reflection) */ to:192.168.250.2:9600
0 0 DNAT udp -- * * 192.168.250.0/24 192.168.8.105 udp dpt:21845 /* HMI_Display (reflection) */ to:192.168.250.1:21845
0 0 DNAT tcp -- * * 192.168.250.0/24 192.168.8.105 tcp dpt:800 /* HMI_Http (reflection) */ to:192.168.250.1:80
0 0 DNAT udp -- * * 192.168.250.0/24 192.168.8.105 udp dpt:800 /* HMI_Http (reflection) */ to:192.168.250.1:80
0 0 DNAT tcp -- * * 192.168.250.0/24 192.168.8.105 tcp dpt:3322 /* raspberry (reflection) */ to:192.168.250.127:22
0 0 DNAT udp -- * * 192.168.250.0/24 192.168.8.105 udp dpt:3322 /* raspberry (reflection) */ to:192.168.250.127:22

Chain zone_vpn_postrouting (1 references)
pkts bytes target prot opt in out source destination
332 22716 postrouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
332 22716 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0

Chain zone_vpn_prerouting (1 references)
pkts bytes target prot opt in out source destination
42 2354 prerouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */

Chain zone_wan_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0

Chain zone_wan_prerouting (1 references)
pkts bytes target prot opt in out source destination
1585 112K MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 redir ports 22
0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 80
1588 112K prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9600 /* PLC */ to:192.168.250.2:9600
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9600 /* PLC */ to:192.168.250.2:9600
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21845 /* HMI_Display */ to:192.168.250.1:21845
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:800 /* HMI_Http */ to:192.168.250.1:80
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:800 /* HMI_Http */ to:192.168.250.1:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3322 /* raspberry */ to:192.168.250.127:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3322 /* raspberry */ to:192.168.250.127:22

Any help is appreciated, thank you very much

Karl
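
Added example, not part of the original post: in the listing above, the DNAT rules sit only in the WAN and LAN prerouting chains, while zone_vpn_prerouting jumps to an empty user chain. This Python code walks the PREROUTING jumps per ingress interface to show which DNAT rules a packet arriving on tun0 can reach; the function names are hypothetical, and the walk ignores source/destination matches.

```python
import re

# Trimmed excerpt of the listing in the post (headers, unrelated chains omitted).
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 1798 packets, 125K bytes)
1804 126K delegate_prerouting all -- * * 0.0.0.0/0 0.0.0.0/0
Chain delegate_prerouting (1 references)
1588 112K zone_wan_prerouting all -- eth0 * 0.0.0.0/0 0.0.0.0/0
42 2354 zone_vpn_prerouting all -- tun0 * 0.0.0.0/0 0.0.0.0/0
Chain prerouting_vpn_rule (1 references)
Chain zone_vpn_prerouting (1 references)
42 2354 prerouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */
Chain zone_wan_prerouting (1 references)
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9600 /* PLC */ to:192.168.250.2:9600
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3322 /* raspberry */ to:192.168.250.127:22
"""

def iface_matches(pattern, iface):
    """iptables interface match: '*'/'any' = all, '!x' = negation, 'tun+' = prefix."""
    if pattern.startswith("!"):
        return not iface_matches(pattern[1:], iface)
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern in ("*", "any", iface)

def parse_nat(listing):
    """Map chain name -> list of (target, in_iface, match/action text)."""
    chains, current = {}, None
    for line in listing.splitlines():
        f = line.split()
        if len(f) >= 2 and f[0] == "Chain":
            current = chains.setdefault(f[1], [])
        elif current is not None and len(f) >= 9 and f[0] != "pkts":
            current.append((f[2], f[5], " ".join(f[9:])))
    return chains

def dnat_for_iface(chains, iface, chain="PREROUTING", seen=None):
    """Follow jumps from `chain` for packets arriving on `iface`; list DNAT rules."""
    seen = (seen or set()) | {chain}
    hits = []
    for target, in_if, text in chains.get(chain, []):
        if not iface_matches(in_if, iface):
            continue  # rule is bound to a different ingress interface
        if target == "DNAT":
            hits.append(re.sub(r"/\*.*?\*/ ", "", text))  # drop rule comment
        elif target in chains and target not in seen:
            hits += dnat_for_iface(chains, iface, target, seen)
    return hits

print({i: dnat_for_iface(parse_nat(SAMPLE), i) for i in ("eth0", "tun0")})
```

For eth0 the walk returns the two forwards kept in the excerpt; for tun0 it returns an empty list, matching the 42 packets counted in zone_vpn_prerouting that never meet a DNAT rule.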
