Air-Ghost, posted ...

Hello all,

If I read and understand the forum correctly, I'm not the only one who is unable to set up port forwarding with VPN. Because I have tried all sorts of things and cannot find a solution, I'm curious if there is someone who can help me out on this.

What I want to do: I want to access my NAS server and my webcam from outside my network. This requires three ports. I chose AirVPN because they support port forwarding, and I bought an Asus router (RT-AC66U) that has a VPN server and also a VPN client.

My network configuration is set up as follows:
- modem / router from ISP (IP range 192.168.xxx.xxx)
- behind it the Asus router (IP range 192.169.xxx.xxx)
- WAN port of the Asus router is connected to a LAN port of the ISP router
- behind the Asus router an additional router (Sitecom) that serves as an "amplifier". These routers are connected by a cable between LAN ports. The Sitecom router has a fixed IP address within the range of the Asus router.
- DHCP on the Sitecom is switched off. The Asus router controls the allocation of IP addresses and the handling of internet traffic.

This setup has always worked great (without VPN). After setting up a VPN client, all computers, phones etc. can access the internet without any problems. The NAS server is able to make a backup via a built-in SSH to a server at a different location (outside the LAN). It is no longer possible to access the NAS server from outside the LAN via http / ftp / sftp.

I tried the following to get it working:
- VPN server enabled / VPN client disabled
- VPN server enabled & VPN client enabled
- NAS server provided with an IP address within the range of the VPN server
- routes
- port forwarding set from VPN server to LAN and vice versa

I can't get it working.

Thanks in advance for your tips and help.

Kind regards,
Ivo

OpenSourcerer, posted ...

Okay, little nested network you got there. Double NAT is your pitfall here, I think. Some remarks about your network first, because I see problems.

5 hours ago, Air-Ghost said:
> behind it the Asus router (iprange 192.169.xxx.xxx)

Why do you use a publicly routable IP address range here? If you truly need more than 65.000 addresses, consider the other private IP ranges 172.16.0.0/12 or 10.0.0.0/8, otherwise subnet in 192.168.0.0/16, like 192.168.0.0/24 for one and 192.168.1.0/24 for the other or so.

5 hours ago, Air-Ghost said:
> The sitecom router has a fixed IP address within the range of the Asus router.

Does the DHCP server on ASUS know it's static within its range? If not, a new device can easily get the same IP address assigned which is, well, very subpar for reachability. Also, define the Sitecom router's role as "amplifier", please. Doesn't make sense so far.

5 hours ago, Air-Ghost said:
> - vpn server enabled / vpn client disabled
> - vpn server enabled & vpn client enabled

What exactly do you mean with the server part? It appears senseless here, since vpn-client seems to be configured to connect to AirVPN.

What I see is that, while you correctly can connect to a host outside your network due to the functionality of NAT, you can't reach hosts in ASUS' network, and the most probable explanation is that there is no port forwarded from ISP router to ASUS router.

The easiest solution would be to simply make ASUS an Exposed Host in the ISP router (a host to which you forward all the ports from all the protocols). Then let the ASUS router do the forwards to the actual devices. Then your NAS will be reachable. This will of course require a proper firewall on ASUS.

The other solution is to forward ports you need from ISP to ASUS and then forward these ports to the actual devices on ASUS, which is effectively a redundancy.

A third solution could be to simply get rid of the ISP router. I know this is sometimes not an option, for example when you are on a DOCSIS or FTTH connection.

--
NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.
LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!
Want to contact me directly? All relevant methods are on my About me page.
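
The three address-plan remarks in the reply above (a LAN outside the private ranges, a static address inside the DHCP range, two stacked routers), as an added example that is not part of the original thread. The helper name `audit_plan` is hypothetical, and the concrete subnets, DHCP pools and host addresses are constructed, since the thread masks the real ones.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the reply above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_plan(segments):
    """Return findings for a nested-router address plan (hypothetical helper)."""
    findings, nets = [], []
    for seg in segments:
        net = ipaddress.ip_network(seg["network"])
        nets.append((seg["name"], net))
        # A LAN outside RFC 1918 shadows real internet hosts in that range.
        if not any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"{seg['name']}: {net} is not RFC 1918 private space")
        pool = seg.get("dhcp_pool")
        for host, ip in seg.get("static", {}).items():
            addr = ipaddress.ip_address(ip)
            if addr not in net:
                findings.append(f"{seg['name']}: {host} ({addr}) is outside {net}")
            elif pool and (ipaddress.ip_address(pool[0]) <= addr
                           <= ipaddress.ip_address(pool[1])):
                # DHCP may lease this address to another device.
                findings.append(f"{seg['name']}: {host} ({addr}) is inside the DHCP pool")
    # Stacked routers need distinct subnets or the inner one cannot route out.
    for i, (name_a, a) in enumerate(nets):
        for name_b, b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{name_a} and {name_b} overlap: {a} / {b}")
    return findings

# Constructed sample values; the thread masks the real addresses.
AS_POSTED = [
    {"name": "isp", "network": "192.168.1.0/24"},
    {"name": "asus", "network": "192.169.1.0/24",
     "dhcp_pool": ("192.169.1.2", "192.169.1.254"),
     "static": {"sitecom": "192.169.1.2", "nas": "192.169.1.10"}},
]
RENUMBERED = [
    {"name": "isp", "network": "192.168.0.0/24"},
    {"name": "asus", "network": "192.168.1.0/24",
     "dhcp_pool": ("192.168.1.100", "192.168.1.200"),
     "static": {"sitecom": "192.168.1.2", "nas": "192.168.1.10"}},
]

if __name__ == "__main__":
    for plan in (AS_POSTED, RENUMBERED):
        print(audit_plan(plan) or "no findings")
```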

Air-Ghost, posted ...

On 9/13/2019 at 7:29 PM, giganerd said:
> Okay, little nested network you got there. Double NAT is your pitfall here, I think. Some remarks about your network first, because I see problems.
>
> Why do you use a publicly routable IP address range here? If you truly need more than 65.000 addresses, consider the other private IP ranges 172.16.0.0/12 or 10.0.0.0/8, otherwise subnet in 192.168.0.0/16, like 192.168.0.0/24 for one and 192.168.1.0/24 for the other or so.
>
> Does the DHCP server on ASUS know it's static within its range? If not, a new device can easily get the same IP address assigned which is, well, very subpar for reachability. Also, define the Sitecom router's role as "amplifier", please. Doesn't make sense so far.
>
> What exactly do you mean with the server part? It appears senseless here, since vpn-client seems to be configured to connect to AirVPN.
>
> What I see is that, while you correctly can connect to a host outside your network due to the functionality of NAT, you can't reach hosts in ASUS' network, and the most probable explanation is that there is no port forwarded from ISP router to ASUS router.
>
> The easiest solution would be to simply make ASUS an Exposed Host in the ISP router (a host to which you forward all the ports from all the protocols). Then let the ASUS router do the forwards to the actual devices. Then your NAS will be reachable. This will of course require a proper firewall on ASUS.
>
> The other solution is to forward ports you need from ISP to ASUS and then forward these ports to the actual devices on ASUS, which is effectively a redundancy.
>
> A third solution could be to simply get rid of the ISP router. I know this is sometimes not an option, for example when you are on a DOCSIS or FTTH connection.

First of all, thanks for your response.

All devices in my network are provided with a static IP address. That is why the DHCP can be switched off and this works fine, with or without a VPN client. At this time only the VPN client is activated.

I started to try the VPN server for the following reason: AirVPN offers the option of remote port forwarding in the client area. The external port is mapped to a public IP (VPN client) and is forwarded to internal server 10.x.x.x. This explanation triggered me to look for a possible solution in the VPN server settings of the Asus router. Unfortunately without result. I expected this method of port forwarding would be easy to set up. In addition, AirVPN says that this is the safest method because all traffic remains "in the tunnel" and that no further port forwarding is necessary in the router.

Finally, you propose three options:

Option 1: I understand this effect.

Option 2: this was my configuration and worked perfectly while the VPN client was being activated. If I turn off the VPN client, this option will work as usual. With this option, the request comes in via the ISP (outside the tunnel), but the NAS server response probably goes to the VPN client (in the tunnel). That is why this option does not work, but I am not sure how to set it up. If you have tips, I'd love to hear them.

Option 3: unfortunately this is not possible in my country.

Kind regards,
Ivo

OpenSourcerer, posted ...

15 hours ago, Air-Ghost said:
> The external port is mapped to a public ip (vpn client) and is forwarded to internal server 10.x.x.x.

The external port is mapped to the public IP of an AirVPN server (but internally) and forwarded to the internal IP of a client on 10.x.0.0/16. The VPN client never gets to know the AirVPN server's public IP and will get connections from your IP address on 10.x.0.0/16. So you need to forward them from 10.x to ASUS in case of option 2.

15 hours ago, Air-Ghost said:
> With this option, the request comes in via the ISP (outside the tunnel), but the Nasserver response probably to the vpn client (in the tunnel). That is why this option does not work but I am not sure how to set it up. If you have tips, I'd love to hear them.

Why exactly would a request come in from the ISP line? After connection you need to use AirVPN server's public IP to connect to your NAS, of course. To make it easier, DDNS exists, where you type in a name when forwarding a port and after this you'd reach your NAS with name.airdns.org:port.

Air-Ghost, posted ...

On 9/16/2019 at 11:34 AM, giganerd said:
> The external port is mapped to the public IP of an AirVPN server (but internally) and forwarded to the internal IP of a client on 10.x.0.0/16. The VPN client never gets to know the AirVPN server's public IP and will get connections from your IP address on 10.x.0.0/16. So you need to forward them from 10.x to ASUS in case of option 2.
>
> Why exactly would a request come in from the ISP line? After connection you need to use AirVPN server's public IP to connect to your NAS, of course. To make it easier, DDNS exists, where you type in a name when forwarding a port and after this you'd reach your NAS with name.airdns.org:port.

I understand the first part. But from this part on I don't understand it anymore: "So you need to forward them from 10.x to ASUS in case of option 2."

When setting up port forwarding in the Asus router I have the following fields:
- External port: "portnumber"
- Internal port: "portnumber"
- Client ip: NAS ip
- Source ip (external ip = optional, not required)

What is meant by the internal IP of a client on 10.x.x.x? Is this the internal IP of the NAS or source IP, or is it perhaps the "source ip"?

I just tried it but I can't get it working. It's more difficult than I thought.

OpenSourcerer, posted ...

- External port: You know.
- Internal port: The same.
- Client IP: NAS in this case.
- Source IP: The 10.x.x.x IP your VPN network interface got from the VPN server. I'm not even sure if you can view it somehow. It can be a VPN address, tun address, etc. You need to do some research here.

Also, with this approach, you'd need to set that IP address every time you reconnect, which is a pain. Is there really not an option to select an interface? And I don't see why that should not be required. If not set, it assumes any or what's the logic? -> Documentation.

Air-Ghost, posted ...

On 9/18/2019 at 11:04 PM, giganerd said:
> External port: You know. Internal port: The same. Client IP: NAS in this case. Source IP: The 10.x.x.x IP your VPN network interface got from the VPN server. I'm not even sure if you can view it somehow. It can be a VPN address, tun address, etc. You need to do some research here. Also, with this approach, you'd need to set that IP address every time you reconnect, which is a pain. Is there really not an option to select an interface? And I don't see why that should not be required. If not set, it assumes any or what's the logic? -> Documentation.

Thanks for your comment. I currently care for a sick relative so I don't have time to test things now. I will try and test your options next weekend.