Graphic / Script way for port forwarding

Posted: Tue Feb 01, 2022 1:02 pm
by mahdig
Is there a graphic way (or easy way) or script for enabling port forwarding?

If you don't know what port forwarding is:
Internet => VPN server:port => client:port

Re: Graphic / Script way for port forwarding

Posted: Tue Feb 01, 2022 1:51 pm
by openvpn_inc
Hello mahdig,

In OpenVPN Access Server you can use the DMZ function for this. Go to the Admin UI, go to User Permissions, look up a user and click on the more settings button. In the DMZ section input the IP address, protocol, and port on the Access Server that you want to open up a port on. That port will then be redirected to this VPN client when it is connected.

For example if your Access Server is on 96.54.32.11 and you want port TCP 80 to go to the VPN client, then input something like:
96.54.32.11:tcp/80

Any incoming requests on port TCP 80 on 96.54.32.11 will then be forwarded to this particular VPN client, when it is connected.

Kind regards,
Johan

Re: Graphic / Script way for port forwarding

Posted: Tue Feb 01, 2022 2:40 pm
by mahdig
openvpn_inc wrote:
Tue Feb 01, 2022 1:51 pm

In OpenVPN Access Server you can use the DMZ function for this. Go to the Admin UI, go to User Permissions, look up a user and click on the more settings button. In the DMZ section input the IP address, protocol, and port on the Access Server that you want to open up a port on. That port will then be redirected to this VPN client when it is connected.
Now I did that and pressed the update server button. But it didn't happen. Here is the server's iptables during client connection. The port to be forwarded is 37969:

$ sudo iptables -t nat -L   # The SSH access of my VPS is not root by default
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
AS0_NAT_PRE_REL_EST  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_DNAT_PRE  all  --  anywhere             anywhere             mark match 0x1000000/0x1000000

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
AS0_NAT_POST_REL_EST  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_NAT_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
AS0_DNAT_POST  all  --  anywhere             anywhere             mark match 0x1000000/0x1000000

Chain AS0_DNAT_POST (1 references)
target     prot opt source               destination         
SNAT       all  --  anywhere             anywhere             to:172.27.224.1

Chain AS0_DNAT_PRE (1 references)
target     prot opt source               destination         
DNAT       all  --  anywhere             anywhere             mark match 0x1000100/0x1ffff00 to:172.27.232.3
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_NAT (3 references)
target     prot opt source               destination         
SNAT       all  --  anywhere             anywhere             to:172.27.135.28
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_NAT_POST_REL_EST (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_NAT_PRE (1 references)
target     prot opt source               destination         
AS0_NAT    all  --  anywhere             anywhere             mark match 0x8000000/0x8000000
AS0_NAT_TEST  all  --  anywhere             169.254.0.0/16      
AS0_NAT_TEST  all  --  anywhere             192.168.0.0/16      
AS0_NAT_TEST  all  --  anywhere             172.16.0.0/12       
AS0_NAT_TEST  all  --  anywhere             10.0.0.0/8          
AS0_NAT    all  --  anywhere             anywhere            

Chain AS0_NAT_PRE_REL_EST (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_NAT_TEST (4 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             mark match 0x4000000/0x4000000
ACCEPT     all  --  anywhere             172.27.224.0/20     
AS0_NAT    all  --  anywhere             anywhere

Re: Graphic / Script way for port forwarding

Posted: Tue Feb 01, 2022 3:04 pm
by openvpn_inc
mahdig wrote:
Tue Feb 01, 2022 2:40 pm
openvpn_inc wrote:
Tue Feb 01, 2022 1:51 pm

In OpenVPN Access Server you can use the DMZ function for this. Go to the Admin UI, go to User Permissions, look up a user and click on the more settings button. In the DMZ section input the IP address, protocol, and port on the Access Server that you want to open up a port on. That port will then be redirected to this VPN client when it is connected.
Now I did that and pressed update server too. But it didn't happen.
What didn't happen? How did you test?
mahdig wrote:
Tue Feb 01, 2022 2:40 pm
Here is the server's iptables during client connection (I'm a noob):
Yes, iptables -L is mostly useless. Use

iptables-save -c

to see your rules. But anyway, there it is, in the AS0_DNAT_PRE chain:
mahdig wrote:
Tue Feb 01, 2022 2:40 pm
Chain AS0_DNAT_PRE (1 references)
target     prot opt source               destination         
DNAT       all  --  anywhere             anywhere             mark match 0x1000100/0x1ffff00 to:172.27.232.3
ACCEPT     all  --  anywhere             anywhere            
Access Server did what you told it to do. But to test a DNAT rule for DMZ, you have to test from outside your VPN and (usually) your local network.

regards, rob0

Re: Graphic / Script way for port forwarding

Posted: Tue Feb 01, 2022 5:08 pm
by mahdig
I used https://canyouseeme.org/ for testing, when running an app on the client that is listening on port 37969.

Re: Graphic / Script way for port forwarding

Posted: Wed Feb 09, 2022 11:25 am
by openvpn_inc
Hello mahdig,

The procedure that I described forwards the port specified for the protocol specified just fine. But you may have an external firewall blocking things before it reaches the Access Server. Also the VPN client could have its own firewall that blocks access. Or it (whatever server you're running on the VPN client) may not even be listening on the VPN interface on the specified port. These are things to check.

From my end I can assure you that this functionality does work, and your iptables result shows that there is at least a rule implemented. You'll have to use test tools like tcpdump and telnet and such to do some tests to find out where your traffic is being blocked. I am pretty sure it is not being blocked by the Access Server itself, from what I can see and test here.

Kind regards,
Johan
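As an added example (not from this thread and not OpenVPN's own code), a small POSIX shell script that turns the checks in Johan's last reply into two measurements: the packet counter on the AS0_DNAT_PRE rule from iptables-save -c (Rob's suggestion), and where the client service is bound according to ss -lnt on the VPN client. The iptables-save and ss lines embedded in it are constructed samples; the chain name, the client VPN IP 172.27.232.3 and port 37969 come from the thread, and the exact iptables-save wording of the DMZ rule is an assumption based on the iptables -L listing above.

```shell
# Added example (not OpenVPN's code): two measurements that tell the DMZ checks apart.
# Sample iptables-save / ss output below is constructed; the client IP 172.27.232.3
# and port 37969 are the values from the thread.

# Packet counter of the AS0_DNAT_PRE rule that DNATs to the client IP $1, read from
# `iptables-save -c` on stdin. Prints -1 when no such rule exists.
dnat_hits() {
  awk -v ip="$1" '
    /^\[[0-9]+:[0-9]+\] -A AS0_DNAT_PRE / && / -j DNAT --to-destination / {
      for (i = 1; i <= NF; i++)
        if ($i == "--to-destination" && ($(i+1) == ip || index($(i+1), ip ":") == 1)) {
          split(substr($1, 2, length($1) - 2), c, ":")   # $1 is [pkts:bytes]
          print c[1]; found = 1; exit
        }
    }
    END { if (!found) print "-1" }'
}

# How the client service is bound on port $1, from `ss -lnt` on stdin:
# "any" (0.0.0.0 / * / [::]), "loopback" (127.x only), a specific address, or "none".
listener_scope() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":"); addr = $4; sub(":" a[n] "$", "", addr)
      if (a[n] == port) {
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") { scope = "any"; exit }
        if (addr ~ /^127\./) scope = "loopback"; else scope = addr
      }
    }
    END { print (scope == "" ? "none" : scope) }'
}

# Map the two measurements onto the checks Johan lists. Usage: diagnose <hits> <scope>
diagnose() {
  if [ "$1" = "-1" ]; then echo "no DNAT rule: re-check the DMZ setting and update the running server"
  elif [ "$1" = "0" ]; then echo "rule present but never matched: traffic is not reaching Access Server, check the upstream firewall with tcpdump on the public interface"
  elif [ "$2" = "none" ] || [ "$2" = "loopback" ]; then echo "Access Server forwards, but nothing on the client listens on the VPN interface for that port"
  else echo "server rule and listener look right: check the VPN client's host firewall"
  fi
}

# Constructed samples: a DMZ rule that has matched nothing, and a service bound to loopback only.
SAMPLE_NAT='[0:0] -A AS0_DNAT_PRE -m mark --mark 0x1000100/0x1ffff00 -j DNAT --to-destination 172.27.232.3
[0:0] -A AS0_DNAT_PRE -j ACCEPT'
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:37969 0.0.0.0:*'
hits=$(printf '%s\n' "$SAMPLE_NAT" | dnat_hits 172.27.232.3)
scope=$(printf '%s\n' "$SAMPLE_SS" | listener_scope 37969)
echo "dnat hits=$hits listener=$scope -> $(diagnose "$hits" "$scope")"
```

On a real system feed the functions live output (sudo iptables-save -c on the Access Server, ss -lnt on the VPN client) instead of the samples; a counter that stays at zero while an external tester connects points at something upstream of the server, exactly where tcpdump on the public interface goes next.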