VPN Split Tunnel port forwarding
Posts: 244 | Threads: 1 | Joined: Jul 2016 | Reputation: 12
[Not Solved]
Sep 05, 2016, 06:25 PM
(This post was last modified: Sep 05, 2016, 06:37 PM by drake.)
(Sep 05, 2016, 06:00 PM)gjosang Wrote: No worries.
Well, I tried adding the port to iptables. The problem is that now, every time I restart OpenVPN, the port from PIA changes.
Yes, I faced the same problem. PIA says they don't change the port number on each reconnect, but my experience was that they do. And if I remember correctly, they even change the port number while you are connected.
Anyway, we should try to add the new rule to iptables manually. Always make sure that something works manually first; then we can go to the next step, automation.
The "-A" adds the rule at the end of the chain, in our case after the REJECT/DROP rule. We should add it before.
I assume you have iptables set up according to the guide. First list the rule numbers:
Code:
sudo iptables -nL --line-numbers
Look at the INPUT section, it probably looks like this:
Code:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
2 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
As you see, line 2 is the REJECT line, therefore we need to add the open ports before line 2. The existing rule will shift down.
Code:
sudo iptables -I INPUT 2 -i tun0 -p tcp --dport your_forwarded_port -j ACCEPT
Code:
sudo iptables -I INPUT 2 -i tun0 -p udp --dport your_forwarded_port -j ACCEPT
Check again with:
Code:
sudo iptables -nL --line-numbers
The two INPUT rules you just added should be before the REJECT rule.
Let me know if this works!
EDIT: Sorry, I updated the iptables lines: when you add the rules manually, you should use the interface name, in our case tun0.
Posts: 9 | Threads: 1 | Joined: Sep 2016 | Reputation: 0
Sep 05, 2016, 07:23 PM
(Sep 05, 2016, 06:25 PM)drake Wrote: [quote of the post above]
Yeah, seems like they change ports quite often.
Well, I tried to add the rules manually, but it seems like it's not working.
Code:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:29747
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:29747
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 owner UID match 1001
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 owner UID match 1001
3 REJECT all -- !10.0.20.105 0.0.0.0/0 reject-with icmp-port-unreachable
Not sure why Transmission won't see the port.
Can't seem to telnet to the PIA VPN IP on the fetched port either.
Have you gotten it to work?
Posts: 244 | Threads: 1 | Joined: Jul 2016 | Reputation: 12
Sep 05, 2016, 07:58 PM
I did manage to make it work, but since I don't use VPN with open ports, it was a long time ago.
I do remember it was not easy; I had many difficulties. Unfortunately I didn't make notes (stupid me), and I can't recall now what was needed.
Not sure if you need to allow the kernel to forward between interfaces.
Check if it is enabled (1) or disabled (0). Replace the interface names to match yours:
Code:
cat /proc/sys/net/ipv4/conf/tun0/forwarding
cat /proc/sys/net/ipv4/conf/eth0/forwarding
If it returns 0, then try to enable it:
Code:
sysctl net.ipv4.conf.eth0.forwarding=1
sysctl net.ipv4.conf.tun0.forwarding=1
Not sure if the OUTPUT part of the iptables script needs any modification (I think not). Perhaps try to disable the line
Code:
# reject connections from predator IP going over $NETIF
But be careful not to break VPN security.
And to make it even more complicated, I'm not sure if I had to use PRE- and POSTROUTING rules.
Sorry for not being of much help. Since the port goes over the VPN tunnel, I think the port doesn't need to be forwarded in the router.
Let us know if you manage to make it work!
Posts: 9 | Threads: 1 | Joined: Sep 2016 | Reputation: 0
Sep 05, 2016, 08:50 PM
(Sep 05, 2016, 07:58 PM)drake Wrote: [quote of the post above]
So I got it working, thanks a bunch, drake!
Had to allow the kernel to forward between interfaces and disable "iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT".
So now I have to figure out a way to automate this...
Posts: 244 | Threads: 1 | Joined: Jul 2016 | Reputation: 12
Sep 05, 2016, 09:17 PM
You are welcome, glad it works now.
I'm not sure if it is safe to leave out the OUTPUT REJECT rule; we will need to test this. Perhaps adding an OUTPUT rule for the forwarded port before the REJECT line will do the trick. Could you please try that?
Posts: 244 | Threads: 1 | Joined: Jul 2016 | Reputation: 12
Sep 06, 2016, 04:39 AM
(This post was last modified: Sep 06, 2016, 03:11 PM by drake.)
@gjosang Could you please test the IP with curl for both the regular user and the VPN user, and make sure you check the TorGuard IP check in Transmission and see if it returns your IP or the VPN IP?
Of course, all this with port forwarding enabled.
Edit: could you post exactly how you get the port now, and your iptables script?
Do you need to change the INPUT lines too if the port number changes?
Posts: 9 | Threads: 1 | Joined: Sep 2016 | Reputation: 0
Sep 10, 2016, 07:43 AM
I am not home until next week.
Will continue testing then, and post an update on how things are going.
Posts: 244 | Threads: 1 | Joined: Jul 2016 | Reputation: 12
Sep 10, 2016, 07:56 AM
Great, let us know once you are back home. I just want to make sure that we have a setup that has port forwarding working and doesn't leak your real IP.
Posts: 244 | Threads: 1 | Joined: Jul 2016 | Reputation: 12
Sep 12, 2016, 07:10 PM
Some good news: I think I managed to get it working properly. I have an active port in both Transmission and Deluge, while keeping the OUTPUT REJECT rule. I need to do some more testing, and then see how to automate all this. However, it now looks to me like PIA doesn't change the port for a given server. Need to figure out how often they change the port.
Posts: 1,646 | Threads: 2 | Joined: Aug 2015 | Reputation: 42
Sep 12, 2016, 07:41 PM
(This post was last modified: Sep 12, 2016, 07:42 PM by Mike.)
Great work @drake! I think we can automate this pretty easily by adding the port-grabbing script to the OpenVPN up script.
The flow as I see it would be something like this:
- OpenVPN connects to PIA
- up script is called, which gets the port to forward from PIA
- Stop the Transmission service
- Use sed to replace the port inline for the peer listening port value
- Add the forwarded port to the iptables rules
- Start the Transmission service
Optionally, we can use another script that runs as a cronjob to check for errors in torrents and restart OpenVPN to get a new port:
https://help.ubuntu.com/community/Transm...l_torrents
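The up-script flow Mike outlines, as an added example that is not the thread's own script or any project's code. Each step is a function so it can be checked offline; it also covers drake's earlier point by computing the insert position from the `iptables -nL --line-numbers` listing instead of appending with `-A`. Assumptions (not from the thread): the PIA port arrives as the first argument, Transmission's settings file is `$SETTINGS`, and `DRY_RUN=1` (the default) prints the privileged commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the thread's own code: the OpenVPN up-script flow from
# Mike's post, with each step as a function so it can be checked offline.
# Assumptions (not from the thread): the PIA port arrives as $1, Transmission's
# settings file is $SETTINGS, and DRY_RUN=1 (default) prints the privileged
# commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"
SETTINGS="${SETTINGS:-/etc/transmission-daemon/settings.json}"
VPN_IF="${VPN_IF:-tun0}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Read `iptables -nL --line-numbers` output on stdin and print the number of
# the first REJECT/DROP rule in the chain (or one past the last rule if the
# chain has none), so -I lands above the reject rule instead of being
# appended behind it the way -A would.
reject_rule_num() {
    awk -v chain="$1" '
        $1 == "Chain" { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ {
            last = $1
            if ($2 == "REJECT" || $2 == "DROP") { print $1; found = 1; exit }
        }
        END { if (!found) print last + 1 }'
}

# Insert tcp and udp ACCEPT rules for the forwarded port on the VPN interface
# at the same position: the second insert pushes the first one down by one,
# and both end up above the REJECT rule.  $2 is the current listing.
open_port() {
    pos="$(printf '%s\n' "$2" | reject_rule_num INPUT)"
    for proto in tcp udp; do
        run iptables -I INPUT "$pos" -i "$VPN_IF" -p "$proto" --dport "$1" -j ACCEPT
    done
}

# Rewrite "peer-port" in settings.json ($1) to the new port ($2). Transmission
# must be stopped first, or it overwrites the file with its in-memory copy.
set_peer_port() {
    sed -E "s/(\"peer-port\": *)[0-9]+/\1$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

vpn_up() {   # $1 = port from PIA, $2 = output of `iptables -nL --line-numbers`
    run systemctl stop transmission-daemon
    set_peer_port "$SETTINGS" "$1"
    open_port "$1" "$2"
    run systemctl start transmission-daemon
}
# From the up script: DRY_RUN=0 sh vpn-up.sh "$PIA_PORT" "$(iptables -nL --line-numbers)"
if [ $# -eq 2 ]; then vpn_up "$1" "$2"; fi
```

Run it once with the default `DRY_RUN=1` and compare the printed `iptables -I INPUT N ...` lines against your own listing before letting the up script execute them.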