Port Forwarding

Posted: Tue Mar 22, 2011 4:58 pm
by clinton
Hello,

I have an OpenVPN on a Debian server. And one of my friends has some traffic on port 12000:12200 (uPnP)

How do I have to forward a part of his traffic through port 12000:12200?

Thanks a lot!

Re: Port Forwarding

Posted: Tue Mar 22, 2011 7:50 pm
by Bebop
Here's the hardcoded method. For this method you need to know the IPs. This is not the recommended method. In the following example, it's assumed that '124.66.90.100' is the WAN IP of the VPN server, and '10.0.0.2' is the IP assigned to the client from the VPN.

# accept the forwarded flow towards the client's VPN address
iptables -A FORWARD -p tcp -i eth0 -d 10.0.0.2 --dport 12000 -j ACCEPT

# rewrite traffic arriving on the server's WAN IP to the VPN client
iptables -t nat -A PREROUTING -p tcp -d 124.66.90.100 --dport 12000 -j DNAT --to-destination 10.0.0.2:12000

Below is the softcoded method, using an up-script. This is the recommended method.

Add to server.conf:

client-connect /etc/openvpn/clientconnect.sh
client-disconnect /etc/openvpn/clientdisconnect.sh

script-security 2

You need to create these two files manually (clientconnect.sh and clientdisconnect.sh [remember to make them executable - 755]), and in the clientconnect.sh you put the following code:

#!/bin/sh
# client-connect hook: OpenVPN exports ifconfig_local (the server's VPN endpoint
# address) and ifconfig_pool_remote_ip (the address handed to this client).
PORT=12000   # no spaces around '=' in a shell assignment

iptables -A FORWARD -p tcp -i eth0 -d $ifconfig_pool_remote_ip --dport $PORT -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -d $ifconfig_local --dport $PORT -j DNAT --to-destination $ifconfig_pool_remote_ip:$PORT

Since this topic is raised occasionally, there is now a proper how-to.

See: Board index » Scripting and Customizations » Routing and Firewall Scripts » IPTABLES - Portforwarding

Re: Port Forwarding

Posted: Thu Mar 24, 2011 4:37 pm
by clinton
Thanks a lot for your reply!

I don't understand your second method? All the clients will get their traffic on port 12000?

With each connection (for each client) the file clientconnect.sh will generate:

iptables -A FORWARD -p tcp -i eth0 -d some_ip_1 --dport 12000 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -d some_ip_2 --dport 12000 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -d some_ip_3 --dport 12000 -j ACCEPT

?

Thanks

Re: Port Forwarding

Posted: Fri Mar 25, 2011 5:20 am
by Bebop
clinton wrote:
Thanks a lot for your reply!

I don't understand your second method? All the clients will get their traffic on port 12000?

With each connection (for each client) the file clientconnect.sh will generate:

iptables -A FORWARD -p tcp -i eth0 -d some_ip_1 --dport 12000 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -d some_ip_2 --dport 12000 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -d some_ip_3 --dport 12000 -j ACCEPT

?

Thanks
I left some notes on the linked page about it:
You can only forward a port such as "12000 tcp" to a single client at any one time. You will need to get creative with your port management when you have multiple clients. A simple line such as "PORT 12000" won't be sufficient for a setup with many clients who need ports forwarded. A suggestion would be to look at using a database or flat-file with client/port allocations.
So basically, if you have multiple clients you need to dynamically alter the 'PORT' for each client connect, so 1st client receives 12000, 2nd client 12001, 3rd client 12003, etc. No two clients can share a forwarded port.
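One way to do the per-client allocation Bebop describes, as an added example and not code from the thread: a single hook script that serves as both client-connect and client-disconnect, hands each client the lowest free port in the 12000:12200 range from a flat file, and adds or removes the two iptables rules for it. ALLOC_FILE, PORT_MIN/PORT_MAX and WAN_IP are assumed names; IPTABLES can be set to "echo" for a dry run.

```shell
#!/bin/sh
# Added example, not from the thread: one hook for client-connect and client-disconnect.
# Each client gets its own port from a flat file, so no two clients share a forwarded port.
# ALLOC_FILE, PORT_MIN/PORT_MAX and WAN_IP are assumed placeholders.
ALLOC_FILE="${ALLOC_FILE:-/var/lib/openvpn/port-alloc}"  # lines: "<common_name> <port>"
PORT_MIN="${PORT_MIN:-12000}"
PORT_MAX="${PORT_MAX:-12200}"
WAN_IP="${WAN_IP:-124.66.90.100}"    # server WAN address used in the thread
IPTABLES="${IPTABLES:-iptables}"     # set to "echo" for a dry run
# lookup_port <common_name>: print the port currently held by the client, if any.
lookup_port() {
    [ -f "$ALLOC_FILE" ] && awk -v cn="$1" '$1 == cn { print $2; exit }' "$ALLOC_FILE"
}
# allocate_port <common_name>: reuse the client's port or take the lowest free one
# in range and record it. Returns 1 when the whole range is taken.
allocate_port() {
    touch "$ALLOC_FILE"
    have=$(lookup_port "$1")
    if [ -n "$have" ]; then echo "$have"; return 0; fi
    p=$PORT_MIN
    while [ "$p" -le "$PORT_MAX" ]; do
        if ! awk -v p="$p" '$2 == p { found = 1 } END { exit !found }' "$ALLOC_FILE"; then
            echo "$1 $p" >> "$ALLOC_FILE"; echo "$p"; return 0
        fi
        p=$((p + 1))
    done
    return 1
}
# release_port <common_name>: drop the client's allocation.
release_port() {
    awk -v cn="$1" '$1 != cn' "$ALLOC_FILE" > "$ALLOC_FILE.tmp" && mv "$ALLOC_FILE.tmp" "$ALLOC_FILE"
}
# apply_rules <-A|-D> <client_vpn_ip> <port>: add or remove the two rules from the
# thread: accept the forwarded flow, and DNAT the WAN port to the client's VPN IP.
apply_rules() {
    "$IPTABLES" "$1" FORWARD -p tcp -i eth0 -d "$2" --dport "$3" -j ACCEPT
    "$IPTABLES" -t nat "$1" PREROUTING -p tcp -d "$WAN_IP" --dport "$3" \
        -j DNAT --to-destination "$2:$3"
}
# OpenVPN exports script_type, common_name and ifconfig_pool_remote_ip to hooks.
case "${script_type:-}" in
    client-connect)
        port=$(allocate_port "$common_name") || exit 1   # no free port: refuse the client
        apply_rules -A "$ifconfig_pool_remote_ip" "$port" ;;
    client-disconnect)
        port=$(lookup_port "$common_name")
        [ -n "$port" ] && apply_rules -D "$ifconfig_pool_remote_ip" "$port"
        release_port "$common_name" ;;
esac
```

Point both client-connect and client-disconnect in server.conf at this one file; if many clients connect at the same moment, wrap allocate_port in a lock (for example flock on ALLOC_FILE) so two of them cannot pick the same free port.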