how to forward ports from client network side

yatkha
OpenVpn Newbie
Posts: 3
Joined: Sun May 29, 2011 5:23 pm

how to forward ports from client network side

Post by yatkha » Mon May 30, 2011 2:02 pm

Hi all,

I have a problem: how do I expose a device (or devices) on the client network side on the public IP (on the router, which is the OpenVPN server, running DD-WRT)?
My current network configuration looks like this:
[image: network diagram]

All devices dev1-dev3 are accessible from the Internet, but dev4 is unreachable.
What needs to be added? Please help, I am a newbie.

Configuration on the server side:
----------------------------------------------------------------------------------------------------------------------
root@gate01:~# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1172 138K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
6799 760K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
169 13070 invalid 0 -- vlan2 * 0.0.0.0/0 0.0.0.0/0 state INVALID
3 207 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
4221 359K ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
3 232 ACCEPT 0 -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
6 276 logdrop icmp -- vlan2 * 0.0.0.0/0 0.0.0.0/0
0 0 logdrop 2 -- * * 0.0.0.0/0 0.0.0.0/0
2 878 ACCEPT udp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060
0 0 DROP udp -- vlan2 * 0.0.0.0/0 239.255.255.0/24 udp dpt:1900
35583 2396K logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8258 501K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
215K 97M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 invalid 0 -- vlan2 * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
5775 381K ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- tun0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 tun0 0.0.0.0/0 0.0.0.0/0
19 6340 ACCEPT 0 -- * * 192.168.66.0/24 0.0.0.0/0
0 0 ACCEPT 47 -- * vlan2 192.168.7.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * vlan2 192.168.7.0/24 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT 0 -- tun0 * 0.0.0.0/0 0.0.0.0/0
34 2024 ACCEPT 0 -- * tun0 0.0.0.0/0 0.0.0.0/0
0 0 logaccept tcp -- * * 0.0.0.0/0 192.168.7.42 tcp dpt:8081
0 0 logaccept udp -- * * 0.0.0.0/0 192.168.7.42 udp dpt:8081
18 1152 logaccept tcp -- * * 0.0.0.0/0 192.168.7.44 tcp dpt:8082
0 0 logaccept udp -- * * 0.0.0.0/0 192.168.7.44 udp dpt:8082
4 256 logaccept tcp -- * * 0.0.0.0/0 192.168.7.46 tcp dpt:8083
0 0 logaccept udp -- * * 0.0.0.0/0 192.168.7.46 udp dpt:8083
0 0 logaccept tcp -- * * 0.0.0.0/0 192.168.11.100 tcp dpt:80
0 0 logaccept udp -- * * 0.0.0.0/0 192.168.11.100 udp dpt:80
0 0 logaccept 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 11517 packets, 3304K bytes)
pkts bytes target prot opt in out source destination
----------------------------------------------------------------------------------------------------------------------
root@gate01:~# ifconfig
br0 Link encap:Ethernet HWaddr 20:CF:30:CE:11:9C
inet addr:192.168.7.1 Bcast:192.168.7.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:275952 errors:0 dropped:0 overruns:0 frame:0
TX packets:133159 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:106069112 (101.1 MiB) TX bytes:84309061 (80.4 MiB)

br0:0 Link encap:Ethernet HWaddr 20:CF:30:CE:11:9C
inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

eth0 Link encap:Ethernet HWaddr 20:CF:30:CE:11:9C
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:332160 errors:2 dropped:0 overruns:0 frame:1
TX packets:198026 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:111399660 (106.2 MiB) TX bytes:73152077 (69.7 MiB)
Interrupt:4 Base address:0x2000

eth1 Link encap:Ethernet HWaddr 20:CF:30:CE:11:9E
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:122467 errors:0 dropped:0 overruns:0 frame:1896103
TX packets:137636 errors:234 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:80275864 (76.5 MiB) TX bytes:112322857 (107.1 MiB)
Interrupt:3 Base address:0x1000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:173 errors:0 dropped:0 overruns:0 frame:0
TX packets:173 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:25189 (24.5 KiB) TX bytes:25189 (24.5 KiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.66.1 P-t-P:192.168.66.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:824 errors:0 dropped:0 overruns:0 frame:0
TX packets:780 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:60625 (59.2 KiB) TX bytes:204999 (200.1 KiB)

vlan1 Link encap:Ethernet HWaddr 20:CF:30:CE:11:9C
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:82446 errors:0 dropped:0 overruns:0 frame:0
TX packets:93370 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:17785845 (16.9 MiB) TX bytes:52947038 (50.4 MiB)

vlan2 Link encap:Ethernet HWaddr 20:CF:30:CE:11:9D
inet addr:yyy.yyy.yyy.yyy Bcast:yyy.yyy.yyy.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:249714 errors:0 dropped:0 overruns:0 frame:0
TX packets:104656 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:87634935 (83.5 MiB) TX bytes:20205039 (19.2 MiB)
----------------------------------------------------------------------------------------------------------------------
root@gate01:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.12.1 * 255.255.255.255 UH 0 0 0 vlan2
192.168.66.2 * 255.255.255.255 UH 0 0 0 tun0
192.168.7.0 * 255.255.255.0 U 0 0 0 br0
192.168.66.0 192.168.66.2 255.255.255.0 UG 0 0 0 tun0
10.0.12.0 * 255.255.255.0 U 0 0 0 vlan2
192.168.11.0 192.168.66.2 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 * 255.255.0.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 10.0.12.1 0.0.0.0 UG 0 0 0 vlan2
----------------------------------------------------------------------------------------------------------------------
push "route 192.168.7.0 255.255.255.0"
server 192.168.66.0 255.255.255.0
port 443
dev tun0
proto tcp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001
client-to-client
client-config-dir /opt/etc/openvpn
route 192.168.11.0 255.255.255.0
push "route 192.168.11.0 255.255.255.0"

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: how to forward ports from client network side

Post by maikcat » Tue May 31, 2011 7:47 am

hi there,

if you want LAN-to-LAN connectivity you must create a ccd
file for the client and add the following statement:
iroute 192.168.x.0 255.255.255.0 <-- where x is the remote network.


Michael.
Amiga 500, Zx +2 owner
Long live Dino Dini (Kick Off 2 creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

yatkha
OpenVpn Newbie
Posts: 3
Joined: Sun May 29, 2011 5:23 pm

Re: how to forward ports from client network side

Post by yatkha » Tue May 31, 2011 8:55 am

Hi,
many thanks for support.

But I already have the ccd in the server config file:

client-to-client
client-config-dir /opt/etc/openvpn
route 192.168.11.0 255.255.255.0

In the ccd for client2 (192.168.11.0/24, side2):

iroute 192.168.11.0 255.255.255.0

Connectivity side1 (192.168.7.0/24) to side2 (192.168.11.0/24) works OK.
My only problem is how to expose a device's ports from side2 on the router's (OpenVPN server in side1) public IP.
I have done this for devices from side1, but I cannot for side2.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: how to forward ports from client network side

Post by janjust » Tue May 31, 2011 9:00 am

How did you expose the ports of PCs on side1? Did you use iptables NATting? That's what I would use, or I'd use some port forwarding application. If all you're interested in is some TCP port forwarding I would not even use a VPN at all - I'd set up a redundant SSH link to the remote end with the appropriate port forwarding.

yatkha
OpenVpn Newbie
Posts: 3
Joined: Sun May 29, 2011 5:23 pm

Re: how to forward ports from client network side

Post by yatkha » Tue May 31, 2011 10:54 am

I have done this in the GUI on my router (DD-WRT), Port Forwarding tab.
It works OK for side1 devices, but for side2 it does not.

In the console, I guess, it could look like:

iptables -t nat -I PREROUTING -p tcp --dport <EXTERNAL_PORT> -j DNAT --to <INTERNAL_IP>:<INTERNAL_PORT>
iptables -I FORWARD -p tcp -d <INTERNAL_IP> --dport <INTERNAL_PORT> -j ACCEPT [-s <EXTERNAL_IP>]
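
As an added example (my code, not from anyone in this thread): a small audit that reads the FORWARD chain and the `route` table posted in the first message, lists which host:port pairs the router accepts forwarded traffic for and through which interface each host is reached, and flags the ones that sit on the far side of the VPN (192.168.11.100 here). It assumes the net-tools `route` and `iptables -nvL` column layouts shown in the first post; the sample lines are copied from there.

```python
import ipaddress
import re

# Constructed samples, copied from the poster's `route` and `iptables -nvL` output.
ROUTES_SAMPLE = """\
192.168.7.0 * 255.255.255.0 U 0 0 0 br0
192.168.11.0 192.168.66.2 255.255.255.0 UG 0 0 0 tun0
default 10.0.12.1 0.0.0.0 UG 0 0 0 vlan2
"""
FORWARD_SAMPLE = """\
pkts bytes target prot opt in out source destination
0 0 logaccept tcp -- * * 0.0.0.0/0 192.168.7.42 tcp dpt:8081
0 0 logaccept tcp -- * * 0.0.0.0/0 192.168.11.100 tcp dpt:80
0 0 logaccept udp -- * * 0.0.0.0/0 192.168.11.100 udp dpt:80
0 0 logaccept 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
"""

def parse_routes(text):
    """Return [(network, gateway_or_None, iface)] from net-tools `route` output."""
    routes = []
    for cols in (line.split() for line in text.splitlines()):
        if len(cols) == 8 and cols[0] != "Destination":   # skip the column header
            dest = "0.0.0.0" if cols[0] == "default" else cols[0]
            net = ipaddress.ip_network(f"{dest}/{cols[2]}", strict=False)
            routes.append((net, None if cols[1] == "*" else cols[1], cols[7]))
    return routes

def lookup_route(routes, ip):
    """Longest-prefix match: the route the kernel picks for a DNATed packet."""
    hits = [r for r in routes if ipaddress.ip_address(ip) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

# Columns of `iptables -nvL`: pkts bytes target prot opt in out src dst [proto dpt:N]
RULE = re.compile(r"^\s*\S+\s+\S+\s+(\S+)\s+(\S+)\s+--\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
                  r"(?:\s+\S+\s+dpt:(\d+))?")

def exposed_forwards(forward_text, routes):
    """Every accepting FORWARD rule aimed at one host:port, with how the host is reached."""
    found = []
    for m in filter(None, map(RULE.match, forward_text.splitlines())):
        target, proto, in_if, _out_if, src, dst, port = m.groups()
        if not target.lower().endswith("accept") or port is None or "/" in dst:
            continue  # drops, rules without a port, and whole-network rules
        route = lookup_route(routes, dst)
        found.append({"dst": dst, "proto": proto, "port": int(port), "src": src,
                      "any_ingress": in_if == "*",   # not pinned to the WAN interface
                      "via": route[2] if route else None,
                      # a gateway on a tun interface means the far side of the VPN
                      "behind_vpn": bool(route and route[1] and route[2].startswith("tun"))})
    return found
```

`iptables -nvL` shows only the filter table, so the DNAT half of each forward has to be checked separately with `iptables -t nat -nvL PREROUTING`. A target flagged behind_vpn receives the DNATed packet through tun0, but its reply only travels back through the tunnel if that host routes Internet-bound traffic via the OpenVPN client; otherwise the connection breaks even though both rules exist.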
