Port forwarding issue with OpenVPN on secondary router?

Discussion in 'Tomato Firmware' started by ChuckHL, Aug 30, 2013.

  1. ChuckHL

    ChuckHL Serious Server Member

    I currently have an E1200v2 running Tomato 1.28 Shibby v112. I want to know if it's possible to host an OpenVPN server and at the same time have the router connect to another OpenVPN server somewhere else?

    I was able to host an OpenVPN server, but the moment I enabled the OpenVPN client and had my router connect to another server, the OpenVPN server on my router stopped working and the listening port was closed. Once I stopped the OpenVPN client, the OpenVPN server started listening again and the service was restored.

    Is there a way to have both client and server running at the same time?
  2. Malitiacurt

    Malitiacurt Networkin' Nut Member

    It works. I had a client and server running on one. Are you using the same ports? I didn't try running on the same, had them on different ports.
  3. ChuckHL

    ChuckHL Serious Server Member

    My apologies. Just found out the real problem (still no clue how to solve it).

    I have two routers. One E1500 and another E1200 both with Tomato 1.28 Shibby V112. The main router is my E1500 and hosts the whole network. I have two OpenVPN servers on this router both TUN, one on TCP and one on UDP.

    Then I have the other router, the E1200, that is connected to one of the LAN ports on my E1500. The E1200 connects to an OpenVPN server from PIA so that I can watch Hulu and other TV services. I want to also host another OpenVPN server on this E1200 in TAP (regardless of TCP or UDP).

    The problem is in the forwarding of the port on the E1500 to the E1200. I forwarded the port I am using for this OpenVPN server on my E1500 to the IP of the E1200. When I have the E1200 host an OpenVPN server and not be connected as a client to PIA, my E1500 forwards the port properly to my E1200 and I can connect from the outside. But when my E1200 connects to PIA as a client, my E1500 won't forward properly to my E1200 and claims that the port is blocked. But I can see the port open from my inner network.

    Another thing to mention is that my E1500 is in Gateway mode since it's the main router and the line of defense from the outside, and my E1200 is in Router mode so that each of my networks can see each other.

    Any ideas?
    Last edited: Aug 30, 2013
  4. ChuckHL

    ChuckHL Serious Server Member

    I have even tried to forward the port with iptables scripts but it does not work.

    I tried the following script:
    # WANPREROUTING is the nat chain Tomato uses for packets arriving on the WAN; wanin is its filter chain for WAN-to-LAN forwarding
    # (TCP only as written; a UDP server would need the same two rules with -p udp)
    iptables -t nat -A WANPREROUTING -p tcp --dport <openvpnport> -j DNAT --to-destination <ipofsecondaryrouter>:<listeningport>
    iptables -A wanin -p tcp -m tcp -d <ipofsecondaryrouter> --dport <listeningport> -j ACCEPT

    And it works only when the E1200 router is hosting an OpenVPN server but not connected as an OpenVPN client. Once I have the E1200 host and act as a client, it will no longer work and claims the port is blocked. However, when I try to connect from a computer in the E1500 network to the E1200 OpenVPN server, it shows the port is open and responding properly.

    Edit 1:

    After further testing, it seems the problem is not on the E1500 but rather on the E1200. I removed the E1500 from the picture by using a standard Linksys router temporarily, and it seems the issue is that once the E1200 connects as an OpenVPN client, it enables some stricter firewall rules that block my OpenVPN server port if the source IP is not originating from the same subnetwork.

    Edit 2:
    Will update soon. So far the problem seems to be on my ISP modem and not the Tomato routers. Once I get more info, I will update.

    Edit 3:
    So far I have not found any solution, but I have a better diagnostic to provide all the info I can at the moment. My network consists of three routers.

    The first router is one provided by my ISP, which at the moment I have not found a replacement for. It's crappy and I hate it. It is an Alcatel-Lucent ONT fiber optic modem-router. I tried to disable the router part and make it work as a modem only, but it did not work. There is no option to enable this router to receive my PPPoE credentials from another router like Tomato. The only thing I was able to do was to enable DMZ to my E1500 Tomato router, and I did some port forwarding just in case DMZ did not fully work. I mainly use this router for my guests. This router hosts network

    The second router is my E1500, which I treat as my main router since I enable DMZ on the other router and everything should be forwarded to this router. This router connects directly to my ISP's crappy router by cable. All my computers and NAS drives are hooked to this network. This router hosts network

    (Before anyone says I should not use that IP range, I use it because it's not a public IP range. IP range is also a reserved IP range for internal use by internet companies. I use this range because many hotspot zones I visit use all three other well-known ranges.)

    My E1500 hosts two OpenVPN servers both in TUN mode, one in TCP and the other in UDP, both in port 30000 and all is working fine from the outside. I can connect to them without issues. This router operates in Gateway mode.

    The third router is an E1200 and sits behind my E1500 router. This router hosts network. Since this router is part of my main network and I want networks and to see each other fine, this router works in Router mode rather than Gateway mode. The reason this router is in a network of its own rather than extending my main network is that this router connects as an OpenVPN client to PIA so that I can watch Hulu and other TV show sites.

    The problem, I am trying to solve is to have my E1200 host also an OpenVPN server in TAP mode so that I can bridge other networks. I have enabled port forwarding of port 30300 on both my ISP router and my E1500 router so that all incoming connections will reach my E1200 OpenVPN server.

    The issue here is that when I enable the OpenVPN server on my E1200 and disable the OpenVPN client on this same router, I can connect to the OpenVPN server hosted by this router just fine without any issues. I can ping port 30300 from the internet side, from network and reaching my E1200 OpenVPN server. When I enable the OpenVPN client on my E1200 and also leave the OpenVPN server running, the problems start. I can no longer connect at port 30300 from the internet side, but I can still reach it from networks and However, I can still reach port 30000 from the internet side, which is the port used to reach my OpenVPN server on my E1500.

    If I disable the OpenVPN client on my E1200 and make my E1500 act as an OpenVPN client and server (which is not what I want to do, but I did it just for testing purposes), I can no longer reach either of the ports 30000 or 30300 from the internet side, but I can reach both ports from network

    I am not sure if this is some sort of firewall issue but I have no clue how to solve it.

    Any ideas?
    Last edited: Aug 30, 2013
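    The symptom described in this thread (server port reachable from the directly connected LANs but not from the Internet once the OpenVPN client is up, and the same thing happening on the E1500 when it runs a client) matches a routing problem rather than a firewall one: the PIA client typically installs a default route into the tunnel, so replies to connections that came in on the WAN side leave through PIA instead of back through the upstream router, while LAN hosts keep working because they are reached over directly connected routes. The script below is an added example, not code from the original posts or from the Tomato/Shibby project; it shows the usual cure, policy routing on the router that runs the client: connections that enter on the WAN interface are marked in conntrack, and packets carrying that mark are routed through a table whose default gateway is the upstream router. Interface and address names are assumptions (WAN interface vlan2, Tomato OpenVPN client 1 on tun11, upstream gateway 192.0.2.1 from the documentation range, server port 30300, mark 0x64, table 100, chain VPNRET); they are overridable through environment variables.

```shell
#!/bin/sh
# Added example, not from the thread or the Tomato project. Routes replies to
# connections that arrived on the WAN side of a router back out the WAN
# gateway even though an OpenVPN client has made the tunnel the default route.
# Assumed names (not given in the post): WAN interface vlan2, Tomato OpenVPN
# client 1 interface tun11, upstream gateway 192.0.2.1, server port 30300.

WAN_IF=${WAN_IF:-vlan2}        # assumption: the E1200's WAN port
WAN_GW=${WAN_GW:-192.0.2.1}    # assumption: the E1500's LAN address
VPN_IF=${VPN_IF:-tun11}        # assumption: Tomato OpenVPN client 1
SRV_PORT=${SRV_PORT:-30300}    # port the OpenVPN server on this router listens on
MARK=0x64                      # fwmark for "arrived via WAN" connections
TABLE=100                      # routing table whose default route is the WAN gateway
CHAIN=VPNRET                   # private mangle chain, so reruns stay idempotent

# Print the commands one per line so they can be reviewed (or asserted on)
# before anything touches the router.
emit_rules() {
    # Strict reverse-path filtering would drop packets arriving on the WAN
    # from Internet sources once the main table's route back to them is tun11.
    echo "echo 0 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter"

    # Table 100: always use the real WAN gateway, whatever the VPN client
    # pushed into the main table. Packets carrying the mark are looked up here.
    echo "ip route replace default via $WAN_GW dev $WAN_IF table $TABLE"
    echo "ip rule del fwmark $MARK table $TABLE 2>/dev/null || true"
    echo "ip rule add fwmark $MARK table $TABLE"
    echo "ip route flush cache"

    # Tomato re-runs the firewall script on every WAN event, so remove any
    # earlier copy of our rules before adding them again.
    echo "iptables -t mangle -D PREROUTING -i $WAN_IF -j $CHAIN 2>/dev/null || true"
    echo "iptables -t mangle -D OUTPUT -m connmark --mark $MARK -j CONNMARK --restore-mark 2>/dev/null || true"
    echo "iptables -t mangle -F $CHAIN 2>/dev/null || true"
    echo "iptables -t mangle -N $CHAIN 2>/dev/null || true"

    # New connections to the server port that entered on the WAN interface get
    # the mark stored in conntrack (TCP and UDP, since the post tried both).
    for proto in tcp udp; do
        echo "iptables -t mangle -A $CHAIN -p $proto --dport $SRV_PORT -m state --state NEW -j CONNMARK --set-mark $MARK"
    done
    echo "iptables -t mangle -I PREROUTING -i $WAN_IF -j $CHAIN"

    # Replies are generated by the router itself, so the conntrack mark is
    # copied back onto the packet in mangle OUTPUT, which runs before the
    # routing decision; the fwmark rule above then sends them to table 100
    # instead of out $VPN_IF.
    echo "iptables -t mangle -I OUTPUT -m connmark --mark $MARK -j CONNMARK --restore-mark"
}

# Execute the generated commands, stopping at the first real failure.
apply_rules() {
    emit_rules | while IFS= read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Only touch the system when explicitly asked, e.g.
#   APPLY=1 WAN_GW=192.0.2.1 sh vpn_return_route.sh
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
fi
```

    Pasting the generated lines into Administration > Scripts > Firewall makes them survive WAN reconnects. To confirm the assumption before applying anything, compare `ip route get <internet-address>` with and without the client running: if the first shows the tunnel interface, replies to outside clients are indeed being sent into PIA. The same approach applies to the E1500 test in the post, where running a client there broke both 30000 and 30300, and to a server on a LAN host behind the DNAT rather than on the router itself, except that the mark would then be restored in mangle PREROUTING instead of OUTPUT.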
  5. MassiveCollision

    MassiveCollision Reformed Router Member