

Hello all,

 

If I read and understand the forum correctly, I’m not the only one who is unable to set up a port forwarding with vpn.

 

Because I have tried all sorts of things and cannot find a solution, I’m curious if there is someone who can help me out on this.

 

What I want to do:

I want to access my NAS server and my webcam from outside my network. This requires three ports. I chose AirVPN because they support port forwarding and I bought an Asus router (RT-AC66U) that has a vpn-server and that also has a vpn-client.

 

My network configuration is set as follows:

- modem / router from ISP (iprange 192.168.xxx.xxx)

- behind it the Asus router (iprange 192.169.xxx.xxx)

- WAN port Asus router is connected to LAN port of ISP

- behind Asus router an additional router (sitecom) that serves as an "amplifier". These routers are connected by a cable between LAN. The sitecom router has a fixed IP address within the range of the Asus router.

- DHCP from sitecom is switched off. Asus router controls the allocation of IP addresses and handling of internet traffic.

 

This setup has always worked great (without VPN). After setting up a vpn-client, all computers, phones etc. can access the internet without any problems. The NAS server is able to make a backup via a built-in SSH to a server at a different location (outside LAN).

It is no longer possible to access the NAS server from outside the LAN via http / ftp / sftp.

 

I tried the following to get it working:

- vpn server enabled / vpn client disabled
- vpn server enabled & vpn client enabled
- NAS server provided with IP address within range of vpn-server

- routes

- Port forwarding set from VPN server to LAN and vice versa

I don't get it working.

 

Thanks in advance for your tips and help

Kind regards, 

Ivo


Okay, little nested network you got there. Double NAT is your pitfall here, I think. Some remarks about your network first, because I see problems.
 

5 hours ago, Air-Ghost said:
behind it the Asus router (iprange 192.169.xxx.xxx)

Why do you use a publicly routable IP address range here? If you truly need more than 65.000 addresses, consider the other private IP ranges 172.16.0.0/12 or 10.0.0.0/8, otherwise subnet in 192.168.0.0/16, like 192.168.0.0/24 for one and 192.168.1.0/24 for the other or so.
 
5 hours ago, Air-Ghost said:

The sitecom router has a fixed IP address within the range of the Asus router.


Does the DHCP server on ASUS know it's static within its range? If not, a new device can easily get the same IP address assigned which is, well, very subpar for reachability.
Also, define the Sitecom router's role as "amplifier", please. Doesn't make sense so far.
 
5 hours ago, Air-Ghost said:
- vpn server enabled / vpn client disabled
- vpn server enabled & vpn client enabled

What exactly do you mean with the server part? It appears senseless here, since vpn-client seems to be configured to connect to AirVPN.

What I see is that, while you correctly can connect to a host outside your network due to the functionality of NAT, you can't reach hosts in ASUS' network, and the most probable explanation is that there is no port forwarded from ISP router to ASUS router.
  • The easiest solution would be to simply make ASUS an Exposed Host in the ISP router (a host to which you forward all the ports from all the protocols). Then let the ASUS router do the forwards to the actual devices. Then your NAS will be reachable. This will of course require a proper firewall on ASUS.
  • The other solution is to forward ports you need from ISP to ASUS and then forward these ports to the actual devices on ASUS, which is effectively a redundancy.
  • A third solution could be to simply get rid of the ISP router. I know this is sometimes not an option, for example when you are on a DOCSIS or FTTH connection.

Four simple things:
There's a guide to AirVPN. Before you ask questions, take 30 minutes of your time to go through it.

Amazon IPs are not dangerous here. It's the fallback DNS.
Running TOR exits is discouraged. They're subject to restrictions on the internet and harm all AirVPN users.

Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, you'll be unique among the mass again.

 

XMPP: gigan3rd@xmpp.airvpn.org or join our lounge@conference.xmpp.airvpn.org
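
An added example, not part of the original posts: a check of a nested-router address plan against the three points raised in the reply above (private range, non-overlapping subnets, static addresses outside the DHCP pool). The concrete subnets, DHCP pools and host addresses are constructed, since the thread masks the real octets as xxx.

```python
import ipaddress

# RFC 1918 private ranges named in the reply above.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_lan_plan(subnets, dhcp_pools, static_hosts):
    """Return findings for a nested-router address plan (all inputs are dicts)."""
    findings = []
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}

    # 1. Every LAN must sit inside a private range, or it shadows real Internet hosts.
    for name, net in nets.items():
        if not any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"{name}: {net} is not RFC 1918 private space")

    # 2. LANs on either side of a NAT must not overlap.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b}: {nets[a]} overlaps {nets[b]}")

    # 3. Static addresses must be in the router's subnet but outside its DHCP pool.
    for host, (router, ip) in static_hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in nets[router]:
            findings.append(f"{host}: {addr} is outside {router} LAN {nets[router]}")
        pool = dhcp_pools.get(router)
        if pool and ipaddress.ip_address(pool[0]) <= addr <= ipaddress.ip_address(pool[1]):
            findings.append(f"{host}: {addr} is inside the {router} DHCP pool")
    return findings

# Constructed sample plans: the layout as posted, then a corrected variant.
AS_POSTED = audit_lan_plan(
    {"isp": "192.168.0.0/24", "asus": "192.169.1.0/24"},
    {"asus": ("192.169.1.2", "192.169.1.254")},
    {"sitecom": ("asus", "192.169.1.2"), "nas": ("asus", "192.169.1.10")},
)
CORRECTED = audit_lan_plan(
    {"isp": "192.168.0.0/24", "asus": "192.168.1.0/24"},
    {"asus": ("192.168.1.100", "192.168.1.200")},
    {"sitecom": ("asus", "192.168.1.2"), "nas": ("asus", "192.168.1.10")},
)

if __name__ == "__main__":
    for line in AS_POSTED:
        print(line)
```
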

On 9/13/2019 at 7:29 PM, giganerd said:

Okay, little nested network you got there. Double NAT is your pitfall here, I think. Some remarks about your network first, because I see problems.
 


Why do you use a publicly routable IP address range here? If you truly need more than 65.000 addresses, consider the other private IP ranges 172.16.0.0/12 or 10.0.0.0/8, otherwise subnet in 192.168.0.0/16, like 192.168.0.0/24 for one and 192.168.1.0/24 for the other or so.
 
Does the DHCP server on ASUS know it's static within its range? If not, a new device can easily get the same IP address assigned which is, well, very subpar for reachability.
Also, define the Sitecom router's role as "amplifier", please. Doesn't make sense so far.
 
What exactly do you mean with the server part? It appears senseless here, since vpn-client seems to be configured to connect to AirVPN.

What I see is that, while you correctly can connect to a host outside your network due to the functionality of NAT, you can't reach hosts in ASUS' network, and the most probable explanation is that there is no port forwarded from ISP router to ASUS router.
  • The easiest solution would be to simply make ASUS an Exposed Host in the ISP router (a host to which you forward all the ports from all the protocols). Then let the ASUS router do the forwards to the actual devices. Then your NAS will be reachable. This will of course require a proper firewall on ASUS.
  • The other solution is to forward ports you need from ISP to ASUS and then forward these ports to the actual devices on ASUS, which is effectively a redundancy.
  • A third solution could be to simply get rid of the ISP router. I know this is sometimes not an option, for example when you are on a DOCSIS or FTTH connection.
 

First of all, thanks for your response.

 

All devices in my network are provided with a static IP address. That is why the DHCP can be switched off and this works fine, with or without a VPN client.

 

At this time only the vpn client is activated. I started to try the VPN server for the following reason:

 

AirVPN offers the option of remote port forwarding in the client area. The external port is mapped to a public ip (vpn client) and is forwarded to internal server 10.x.x.x.

This explanation triggered me to look for a possible solution in the vpn-server settings of the Asus router. Unfortunately without result.

I expected this method of port forwarding would be easy to set up. In addition, AirVPN says that this is the safest method because all traffic remains "in the tunnel" and that no further port forwarding is necessary in the router.

 

Finally, you propose three options:

Option 1: I understand this effect.

 

Option 2: this was my configuration and worked perfectly while the VPN client was being activated. If I turn off the vpn client, this option will work as usual.

With this option, the request comes in via the ISP (outside the tunnel), but the NAS server probably responds to the vpn client (in the tunnel). That is why this option does not work but I am not sure how to set it up. If you have tips, I'd love to hear them.

 

Option 3: unfortunately this is not possible in my country.

Kind regards,

Ivo

 

15 hours ago, Air-Ghost said:

The external port is mapped to a public ip (vpn client) and is forwarded to internal server 10.x.x.x.


The external port is mapped to the public IP of an AirVPN server (but internally) and forwarded to the internal IP of a client on 10.x.0.0/16. The VPN client never gets to know the AirVPN server's public IP and will get connections from your IP address on 10.x.0.0/16. So you need to forward them from 10.x to ASUS in case of option 2.
 
15 hours ago, Air-Ghost said:

With this option, the request comes in via the ISP (outside the tunnel), but the NAS server probably responds to the vpn client (in the tunnel). That is why this option does not work but I am not sure how to set it up. If you have tips, I'd love to hear them.


Why exactly would a request come in from the ISP line? After connection you need to use AirVPN server's public IP to connect to your NAS, of course. To make it easier, DDNS exists, where you type in a name when forwarding a port and after this you'd reach your NAS with name.airdns.org:port.

On 9/16/2019 at 11:34 AM, giganerd said:

The external port is mapped to the public IP of an AirVPN server (but internally) and forwarded to the internal IP of a client on 10.x.0.0/16. The VPN client never gets to know the AirVPN server's public IP and will get connections from your IP address on 10.x.0.0/16. So you need to forward them from 10.x to ASUS in case of option 2.
 
Why exactly would a request come in from the ISP line? After connection you need to use AirVPN server's public IP to connect to your NAS, of course. To make it easier, DDNS exists, where you type in a name when forwarding a port and after this you'd reach your NAS with name.airdns.org:port.

I understand the first part. But from this part I don't understand it anymore: “So you need to forward them from 10.x to ASUS in case of option 2.”

 

When setting up port forwarding in the Asus router I have the following fields:

External port: “portnumber”

Internal port: “portnumber”

Client ip: NAS ip

Source ip (external ip = optional, not required)

 

What is meant by the internal IP of a client on 10.x.x.x? Is this the internal ip of the NAS or source ip or is it perhaps the “source ip”?

 

I just tried it but I don't get it working. It's more difficult than I thought.

 

 


External port: You know.
Internal port: The same.
Client IP: NAS in this case.
Source IP: The 10.x.x.x IP your VPN network interface got from the VPN server. I'm not even sure if you can view it somehow. It can be a VPN address, tun address, etc. You need to do some research here. Also, with this approach, you'd need to set that IP address every time you reconnect which is a pain. Is there really not an option to select an interface?
And I don't see why that should not be required. If not set, it assumes any or what's the logic? -> Documentation.


On 9/18/2019 at 11:04 PM, giganerd said:

External port: You know.
Internal port: The same.
Client IP: NAS in this case.
Source IP: The 10.x.x.x IP your VPN network interface got from the VPN server. I'm not even sure if you can view it somehow. It can be a VPN address, tun address, etc. You need to do some research here. Also, with this approach, you'd need to set that IP address every time you reconnect which is a pain. Is there really not an option to select an interface?
And I don't see why that should not be required. If not set, it assumes any or what's the logic? -> Documentation.

Thanks for your comment. I currently care for a sick relative so I don't have time to test things now. I will try and test your options next weekend.
