[Solved] Inbound port forwarding problem - Linux policy based routing



HerrOtto
OpenVpn Newbie
Posts: 2
Joined: Wed Mar 11, 2015 6:53 pm

[Solved] Inbound port forwarding problem - Linux policy based routing

Post by HerrOtto » Wed Mar 11, 2015 6:55 pm

Hi, I have a problem; it would be great if anyone could help me. I have been trying for two days to get this running but have had no luck ;-(

My problem: inbound port forwardings from my Internet router when running OpenVPN.

When I am away from home I usually use SSH to log into my machine. So I "dial" in by SSH to my public static IP on port 2222. This port forwards to my Linux desktop, port 22.

If I start OpenVPN this stops working. I guess that inbound traffic comes from eth0 (192.168.220.1) and outbound traffic goes through the VPN's tun0. Is there a way to keep the local net running?

Network Configuration:

{ Internet } -> [Router] -> [LinuxDesktop]
11.11.11.11 -> 192.168.220.1 -> 192.168.220.174
-> Port 2222 -> Port 22

VPN client Configuration:

client
dev tun
daemon
auth-retry nointeract
proto udp
remote de1.vpn.goldenfrog.com 1194
resolv-retry infinite
nobind
comp-lzo
reneg-sec 0
keepalive 10 60
persist-key
persist-tun
<ca>
...
</ca>

ifconfig:

eth0      Link encap:Ethernet  Hardware Adresse 00:0d:b9:33:76:82
          inet Adresse:192.168.220.174  Bcast:192.168.220.255  Maske:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1492  Metrik:1
          RX packets:517 errors:0 dropped:0 overruns:0 frame:0
          TX packets:492 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:54426 (53.1 KiB)  TX bytes:44948 (43.8 KiB)
          Interrupt:30

tun0      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet Adresse:10.24.2.56  P-z-P:10.24.2.56  Maske:255.255.0.0
          UP PUNKTZUPUNKT RUNNING NOARP MULTICAST  MTU:1500  Metrik:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:100
          RX bytes:469 (469.0 B)  TX bytes:293 (293.0 B)

route with openvpn on:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
138.199.67.146  192.168.220.1   255.255.255.255 UGH   0      0        0 eth0
192.168.220.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.24.0.0       0.0.0.0         255.255.0.0     U     0      0        0 tun0
0.0.0.0         10.24.0.1       128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.24.0.1       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.220.1   0.0.0.0         UG    0      0        0 eth0

Any idea?

Tim

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Inbound port forwarding problem

Post by maikcat » Thu Mar 12, 2015 7:22 am

If you search the forum, this is a common situation when you redirect all traffic via your server
and then try to access it using its public IP.

Answer: you have to use policy based routing on your server (if it's Linux, it's relatively easy).

Michael.

HerrOtto
OpenVpn Newbie
Posts: 2
Joined: Wed Mar 11, 2015 6:53 pm

Re: Inbound port forwarding problem

Post by HerrOtto » Thu Mar 12, 2015 10:59 am

Hi Michael,

Yes, it's a common situation, but I've searched and tested a lot and found nothing. I cannot change the settings of my VPN provider. Any of the public VPN providers I've tested handle it like this. Most of them use NAT too, so an external IP is no solution.

Is there a way to change the route metric, or to override this using iptables SNAT or DNAT?

Tim

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Inbound port forwarding problem

Post by maikcat » Thu Mar 12, 2015 12:53 pm

Typo on my behalf:
"answer you have to use policy based routing on your server (if its linux its relatively easy)"
On your client, I meant..

Search for policy based routing on Linux.

Basically, you use the kernel's multiple routing table feature, and using the iptables mangle table
you mark the packets you want to go outside the VPN; in your case,
the responses to incoming SSH sessions.

Michael.

thumbdriven
OpenVpn Newbie
Posts: 1
Joined: Mon Oct 05, 2015 12:53 am

Re: Inbound port forwarding problem

Post by thumbdriven » Mon Oct 05, 2015 1:22 am

Yes, there is a way.

Michael is right. It's an issue of routing. The following commands should fix it right up.


sudo ip rule add from 192.168.220.174 table 128
sudo ip route add table 128 to 192.168.220.0/24 dev eth0
sudo ip route add table 128 default via 192.168.220.1
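
The three commands above, wrapped as a small script that can be run from an OpenVPN up/down hook, as an added example that is not from the thread or from any poster: it parameterises the addresses, checks whether the rule is already installed so re-running does not stack duplicates, and asks the kernel which interface a reply to the public peer would take. Table 128, the function names and the check are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): source-based policy routing so that
# replies to connections arriving on eth0 leave via the LAN gateway instead
# of the VPN's tun0 default route. Addresses are the thread's; table 128 and
# the function names are this script's own choices.
LAN_IP="${LAN_IP:-192.168.220.174}"     # address the router forwards 2222 -> 22 to
LAN_NET="${LAN_NET:-192.168.220.0/24}"
LAN_GW="${LAN_GW:-192.168.220.1}"       # the Internet router
LAN_IF="${LAN_IF:-eth0}"
TABLE="${TABLE:-128}"                   # any unused table id (1-252)

# The thread's three commands, parameterised. Anything sourced from LAN_IP
# bypasses the VPN, so only services that bind to LAN_IP are reachable this
# way; VPN-bound traffic uses tun0's address and is unaffected.
pbr_commands() {
  printf 'ip rule add from %s table %s\n' "$LAN_IP" "$TABLE"
  printf 'ip route add table %s %s dev %s\n' "$TABLE" "$LAN_NET" "$LAN_IF"
  printf 'ip route add table %s default via %s\n' "$TABLE" "$LAN_GW"
}

# Reads "ip rule show" output on stdin; true if the rule is already installed.
# Lets the script be re-run (e.g. from an OpenVPN --up script) without
# stacking duplicate rules.
pbr_rule_present() {
  grep -qE "from ${LAN_IP} lookup ${TABLE}"'( |$)'
}

pbr_apply() {
  if ip rule show | pbr_rule_present; then
    echo "rule already present, nothing to do"
    return 0
  fi
  pbr_commands | while read -r cmd; do $cmd; done
}

pbr_remove() {
  ip rule del from "$LAN_IP" table "$TABLE"
  ip route flush table "$TABLE"
}

# Ask the kernel which interface a reply to a given public peer would use
# when sourced from LAN_IP; prints the device name (expect eth0 after apply).
pbr_reply_dev() {
  ip route get "$1" from "$LAN_IP" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n1
}

case "${1:-}" in
  apply)  pbr_apply ;;
  remove) pbr_remove ;;
  check)  pbr_reply_dev "${2:-11.11.11.11}" ;;
esac
```

Run it as root with `apply`, `remove` or `check <public-ip>`; the functions that shell out to `ip` need the real interfaces, the rest runs anywhere.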

CyberInferno
OpenVpn Newbie
Posts: 1
Joined: Tue May 17, 2016 11:40 am

Re: Inbound port forwarding problem

Post by CyberInferno » Tue May 17, 2016 11:41 am

thumbdriven wrote:Yes, there is a way.

Michael is right. It's an issue of routing. The following commands should fix it right up.

sudo ip rule add from 192.168.220.174 table 128
sudo ip route add table 128 to 192.168.220.0/24 dev eth0
sudo ip route add table 128 default via 192.168.220.1

Thank you very much for this response. This is much simpler than the other methods, which require marking traffic and specifying individual ports, and it got the job done.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Inbound port forwarding problem

Post by Traffic » Tue May 17, 2016 11:55 am

The Linux Documentation Project has a policy based routing example:
http://www.tldp.org/HOWTO/Adv-Routing-H ... imple.html
