Jump to content
Not connected, Your IP: 3.145.65.133
Timmehh

AirVPN Port Forwards with DD-WRT Profile

Recommended Posts

Posted ... (edited)
I think I'm really close to getting this figured out but I couldn't quite get it to work. I run a Plex and an Ark server that others on the internet connect to. Plex requires 32400 and Ark requires 7779 and 27016. So I ssh'd into my router that I put the vpn profile on and ran the following commands:
 
iptables -I FORWARD -i tun1 -p udp -d 192.168.50.67 --match multiport --dports 7779,36731 -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d 192.168.50.67 --match multiport --dports 7779,36731 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p udp --match multiport --dports 7779,36731 -j DNAT --to-destination 192.168.50.67
iptables -t nat -I PREROUTING -i tun1 -p tcp --match multiport --dports 7779,36731 -j DNAT --to-destination 192.168.50.67
iptables -I FORWARD -i tun1 -p udp -d 192.168.50.67 --match multiport --dports 27016,36732 -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d 192.168.50.67 --match multiport --dports 27016,36732 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --match multiport --dports 27016,36732 -j DNAT --to-destination 192.168.50.67
iptables -t nat -I PREROUTING -i tun1 -p udp --match multiport --dports 27016,36732 -j DNAT --to-destination 192.168.50.67
 
The ports in those commands that aren't the ones I listed as needed earlier are the public ports that I set up in the AirVPN webportal that are supposed to forward to the ones I need.
 
When I print the IPtable I get this:
 
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.50.67multiport dports 27016,36732
ACCEPT udp -- anywhere 192.168.50.67multiport dports 27016,36732
ACCEPT tcp -- anywhere 192.168.50.67multiport dports 7779,36731
ACCEPT udp -- anywhere 192.168.50.67multiport dports 7779,36731
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere 192.168.50.70multiport dports 36730,32400
ACCEPT udp -- anywhere 192.168.50.70multiport dports 36730,32400
 
So I see the ACCEPTS I made, but I can't find any reference to the DNATs I made.
 
Did I do something wrong? Should I see the DNATs somewhere in the table?
 
Also, is that random "ACCEPT all - anywhere anywhere" that ended up in the middle of the table dangerous? It looks like it is. Any idea what I would have done to make that show up?

I'm only going down this rabbit hole because something is wrong with AT&T Fiber's routing in Atlanta, GA right now and pings to almost everything is 1000ms. Now I've bought 3 years of AirVPN, am excited to finally be encrypted traffic, but I'm stuck on providing my servers to the internet.

EDIT: I should add that the reason I say that it still didn't work after all this is because the Plex server wasn't reachable outside of my network, and the port checker tool on AirVPN couldn't see the port being open. One of my concerns is that the AT&T box has to sit between the fiber jack and my router. But I do have the AT&T box set to IP passthrough mode, which is supposed to send all WAN traffic straight to the Asus router un-touched.
Edited ... by Timmehh

Share this post


Link to post
9 hours ago, Timmehh said:

So I see the ACCEPTS I made, but I can't find any reference to the DNATs I made.

Did I do something wrong? Should I see the DNATs somewhere in the table?


DNAT jobs are in the PREROUTING chain, as correctly seen in the commands you posted. You posted the FORWARD chain here. If you want to list the PRE- and POSTROUTING chains, don't forget the -t nat option.

iptables-legacy -t nat -L

 
9 hours ago, Timmehh said:

Also, is that random "ACCEPT all - anywhere anywhere" that ended up in the middle of the table dangerous? It looks like it is. Any idea what I would have done to make that show up?


There are no commands indicating you set the policy of any chain to DROP. I'm not entirely sure which one needs to be set to it, so I won't recommend you anything to not break it for you. But the command would be:

iptables-legacy -P CHAIN DROP


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post
31 minutes ago, giganerd said:

DNAT jobs are in the PREROUTING chain, as correctly seen in the commands you posted. You posted the FORWARD chain here. If you want to list the PRE- and POSTROUTING chains, don't forget the -t nat option.

iptables-legacy -t nat -L

 
There are no commands indicating you set the policy of any chain to DROP. I'm not entirely sure which one needs to be set to it, so I won't recommend you anything to not break it for you. But the command would be:

iptables-legacy -P CHAIN DROP


Ok. So I just didn't see the DNAT because I didn't add that flag. I'd run it now and post the result, but I had to revert the router back to pre-VPN for at least last night so ARK and Plex could be used again.

With what you see that I've done though, did I do something wrong or miss a step? Any reason why the port check wouldn't show green with everything I did?

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...