Issues with OpenVPN & Port Forwarding.

Discussion in 'Tomato Firmware' started by Kanth, Sep 14, 2012.

  1. Kanth

    Kanth Serious Server Member

    I apologize in advance. I am not an iptables expert, and only have a rudimentary grasp of what is going on here in my configuration. I have worked with routers before, but never much with iptables and how they work.

    I have an Asus RT-N16. I flashed it with Shibby's recent build of Tomato v1.28.0000 MIPSR2-101 K26 USB Big-VPN.

    After flashing it, clearing the NVRAM, and such, I went into the GUI and added some port forwarding rules. Examples are

    "Forward port 22 to"
    "Forward port 25 to"
    "Forward port 80 to"
    "Forward port 4242 to"

    I went externally and tested these rules, hitting the WAN address on the router. They worked.

    I signed up for a client vpn service. Specifically from ""
    I used the instructions given here: https://www.privateinternetaccess.c...-setup-for-newer-branches-including-tomatousb

    When I turn on the VPN and hit a "What's my IP" webpage or the like, I see that it no longer shows my WAN address. So that all works great.

    My issue is that when I turn the VPN ON, the port forwarding that I had going on stops working. I can no longer reach port 22 or 80 on my internal machine of I am still hitting my WAN address and not what the VPN gives me, so I thought these rules would still work.

    I am kinda bewildered at what is going on here, and how to fix it. I spoke with a network engineer today and he believes what is going on is that I hit my WAN, and it probably is forwarding the traffic to However, after it hits sends back a response to make a socket (does that sound right?), but since I'm behind a VPN that packet is going out the VPN address and that's not allowed? This engineer is more Cisco and doesn't have as great a grasp of iptables. He told me to do a tcpdump on the box and send the packets through and watch if it gets in. I'll probably see one come in and one leave and then nothing.

    I guess I'm a bit confused because I would think this would be a common thing. Someone is hosting a web page or email or SSH, decides they want to be a little more protected on the internet, and decides to hide behind a VPN. But they still need to be able to reach the services they were originally hosting, obviously.

    Can anyone shed some light on what is going on and the steps I would have to do to fix this?

  2. PBandJ

    PBandJ Addicted to LI Member

    It's easy to see if your Cisco engineer is correct or not: check Advanced -> Routing for the default gateway. If it's your WAN IP, he's wrong. If it's your VPN tunnel interface, he's right.
    Even though the tutorial says to uncheck "redirect Internet traffic" (you did that, right?), a server may push configuration commands to the client that change its settings.
    More about redirect:
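    The symptom described above (a forwarded connection arrives on the WAN address, but the LAN host's reply follows the tunnel's default route and never gets back to the client) is the classic asymmetric-routing case, and the usual fix is to mark connections that arrive on the WAN interface and route their replies back out the WAN with a policy-routing rule. The script below is an added example for Tomato's "Firewall" script box; it is not code from either poster or from the linked tutorial, and it assumes the `wan_iface`/`wan_gateway` nvram values, fwmark `0x1` and routing table `100` are free to use on your build.

```shell
#!/bin/sh
# Added example: keep WAN-side port forwards reachable while the OpenVPN
# client owns the default route. New connections that ARRIVE on the WAN
# interface get a conntrack mark; every later packet of that connection
# (including the LAN host's replies) inherits the mark in mangle/PREROUTING,
# and an "ip rule" sends marked packets via a table whose default route is
# the real WAN gateway instead of the tunnel.
# Assumed: mark 0x1 and table 100 are unused; interface and gateway names
# below are placeholders when run off the router.

WAN_TABLE=100
WAN_MARK=0x1

# Print the rule set for a WAN interface and gateway (no side effects),
# so it can be inspected or tested before being applied on the router.
wan_reply_rules() {
    wan_if=$1; wan_gw=$2
    cat <<EOF
ip route replace default via $wan_gw dev $wan_if table $WAN_TABLE
ip rule del fwmark $WAN_MARK/$WAN_MARK table $WAN_TABLE 2>/dev/null
ip rule add fwmark $WAN_MARK/$WAN_MARK table $WAN_TABLE
iptables -t mangle -N WANMARK 2>/dev/null
iptables -t mangle -F WANMARK
iptables -t mangle -D PREROUTING -j WANMARK 2>/dev/null
iptables -t mangle -A PREROUTING -j WANMARK
iptables -t mangle -A WANMARK -i $wan_if -m state --state NEW -j CONNMARK --set-mark $WAN_MARK/$WAN_MARK
iptables -t mangle -A WANMARK -j CONNMARK --restore-mark
ip route flush cache
EOF
}

# On the router (nvram present) apply the rules with the real WAN values;
# elsewhere just print them using constructed placeholder values.
if command -v nvram >/dev/null 2>&1; then
    wan_reply_rules "$(nvram get wan_iface)" "$(nvram get wan_gateway)" | sh -e
else
    wan_reply_rules "${WAN_IF:-eth0}" "${WAN_GW:-203.0.113.1}"
fi
```

Verify with `ip rule show` and `ip route show table 100` after the VPN is up; if forwarded packets still die on the WAN side, check `rp_filter` on the WAN interface, since a strict reverse-path check may reject inbound packets whose unmarked return route would be the tunnel.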