mcampbell

question on port forwarding and dd-wrt

I'm not a subscriber yet, but airvpn seems to have the right mix of features I want, so I want to make sure what I'm wanting to do will work.

I have a router with dd-wrt on it. Assuming I get airvpn going through the router, and I use a port forward on the airvpn site, how does this all work? Will AirVPN forward requests to my *router*, then I'll set up the port-forwarding on my router to the port on the individual server behind the NAT that I want it to go to?

For example (I'm going to use all different port numbers here, only to make it clearer what I want to do)... if I run my ssh server on port 4444 on my home server, which has a NAT'ed address of 192.168.2.10. If I port forward AirVPN Port 13000 to local port 6666, I would then have to port forward 6666 on my router's port forward screen to 192.168.2.10, port 4444? And then to ssh to my home server, I'd ssh to <MyAirVPN IP>:13000, right?

"=>" means port forwarded

AirVPN <----> Router <----> 192.168.2.10

13000 => 6666 => 4444

Something like that?

Hello!

Yes, you're right. In a few words, in the DD-WRT router you will see two network interfaces. The tun interface will be used by OpenVPN in client mode. Once the incoming packets are unencrypted you're totally free to forward them as you prefer.

Just a side note: when you contact a service listening behind a VPN server, keep in mind that you have to reach it on the exit-IP address:port of the server you're connected to (each server has separate entry and exit-IP addresses to prevent some correlation attacks).

Kind regards


Thanks.

On that "side note"...

I'm running a server behind my NAT router, which is using the tunnel. How can I find which IP to hit from the internet to get to it? I can go to any of a number of websites to see what it thinks my IP is while on the VPN, but if I'm understanding you correctly, that's not the IP I need to use to "call back" to my router (which will be forwarded to my server).

Also, if I am *NOT* Using DD-WRT, but rather using airvpn on a client machine, and that machine is running a server I need to get to, how do I find my "call me" IP?


> Thanks.
>
> On that "side note"...
>
> I'm running a server behind my NAT router, which is using the tunnel. How can I find which IP to hit from the internet to get to it? I can go to any of a number of websites to see what it thinks my IP is while on the VPN, but if I'm understanding you correctly, that's not the IP I need to use to "call back" to my router (which will be forwarded to my server).

Hello!

Yes, yes, that's the exit-IP, it's the IP you need to point to when you want to reach your router from the Internet. We wanted to point out that it is not the "entry-IP" (that is, the IP you reach on our servers to establish an OpenVPN connection and that you can see on the configuration file).

> Also, if I am *NOT* Using DD-WRT, but rather using airvpn on a client machine, and that machine is running a server I need to get to, how do I find my "call me" IP?

Just as above. Our web pages also report the IP address with which you're visible on the Internet (central bottom box).

Kind regards


Ah hah, I see.

Last question, I think =)

I've read that on other VPN services, as soon as the tunnel is established the client was subject to port scans at login/hack attempts. These would normally be blocked by the NAT router, but when using a VPN tunnel that attack vector is no longer blocked by the router.

Would this happen with Air? I would think not since you are not forwarding any ports to the client, any unsolicited attempt to hit the tunnel IP that the client is on would not be forwarded and would stop there. Or am I misunderstanding? I don't mind having to harden my client if going through the tunnel exposes my client to the internet where it would normally be protected behind the router, but I want to get that done before I start, of course.

Hello!

You're right. The router firewall/NAT can't block or analyze anything because it sees only encrypted traffic on one port and from one single IP address. By default, all accounts are provided with NO open ports. When you remotely forward a port, you must be sure to secure the service listening to that port and also make sure that you do NOT forward that port on your router. Furthermore, just forward the ports you really need. A software firewall on the destination device is a good idea.

Kind regards

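The chain discussed in this thread (AirVPN 13000 => router 6666 => 192.168.2.10:4444), together with the advice to forward only the ports you need, as an added example that is not part of the original posts. It prints the iptables rules for a DD-WRT router acting as the OpenVPN client; the interface name tun1 and the helper names are assumptions, so check the tunnel interface on your own build before using the output.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) the rules for
# one remotely forwarded port so they can be reviewed before being pasted
# into the router's firewall script.
# Assumptions: tunnel interface tun1 (check with ifconfig), stock chains.

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# vpn_forward_rules TUN_IF LOCAL_PORT LAN_IP LAN_PORT [PROTO]
vpn_forward_rules() {
    tun_if=$1 local_port=$2 lan_ip=$3 lan_port=$4 proto=${5:-tcp}
    valid_port "$local_port" && valid_port "$lan_port" || {
        echo "invalid port" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "invalid proto" >&2; return 1 ;; esac
    case "$lan_ip" in
        ''|*[!0-9.]*) echo "invalid LAN IP" >&2; return 1 ;;
    esac
    # Rewrite only packets that arrive decrypted on the tunnel interface.
    # Matching on -i keeps the same port closed on the WAN side.
    echo "iptables -t nat -I PREROUTING -i $tun_if -p $proto --dport $local_port -j DNAT --to-destination $lan_ip:$lan_port"
    # Nothing arriving through the tunnel may open a connection to the router itself.
    echo "iptables -I INPUT -i $tun_if -m state --state NEW -j DROP"
    # Default-deny for LAN hosts: drop every new connection from the tunnel...
    echo "iptables -I FORWARD -i $tun_if -m state --state NEW -j DROP"
    # ...then insert the single allowed flow above that drop (-I puts it first).
    echo "iptables -I FORWARD -i $tun_if -p $proto -d $lan_ip --dport $lan_port -m state --state NEW -j ACCEPT"
}

# The thread's example: remote port 13000 mapped to local port 6666 on the
# AirVPN side, then 6666 on the tunnel to the ssh server at 192.168.2.10:4444.
vpn_forward_rules tun1 6666 192.168.2.10 4444 tcp
```

The service is then reached from the Internet at the exit-IP of the connected server on port 13000, and a software firewall on 192.168.2.10 remains worthwhile as a second layer.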

Thank you very much.

Your attentiveness to my silly questions is much appreciated, and I will be ordering your service by the end of the day.
