Asus Merlin Router AirVPN Portforwarding Instructions

[Similiar 0]

In regards of https://airvpn.org/ports/ , https://airvpn.org/faq/port_forwarding/ and

In case your are looking to forward a port within your Router while using AirVPN within your Router you can follow these Steps.

1. First of all make sure you have the Asus Merlin Firmware installed on your Asus Router (https://www.asuswrt-merlin.net/) and AirVPN setup on it

 

also make sure the VPN is working and Connected

2. Open https://airvpn.org/ports/ and add a Port.

3. Next step is to download PuTTy and PuTTyGen (https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) because we need to access the router over SSH
Direct Links for Windows
PuTTy: https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe
PuTTyGen: https://the.earth.li/~sgtatham/putty/latest/w64/puttygen.exe

4. Startup PuTTyGen.exe and click the button "Generate" (it will ask you to move a little over the window with your mouse).
Once generated click the "Save private key" button (dont set a password). Save the key somewhere and open up the .ppk file with a text editor, we need the content further down.

5. Open your Asus Router Interface and go to "VPN" -> "VPN Client" and set the Option "Inbound Firewall" to "Allow". Finish by pressing "Apply"

6. Go to "Administration" -> "System" and enable "Enable SSH".
A couple more options will show up. Keep them as default (you can change them later if you like).
Now switch back to your text editor where you have your .ppk file opened up. Select everything and Copy it to the field next to "Authorized Keys"
Once done click the "Apply" Button.

7. Now open up PuTTy.exe
Within the field "Host name or IP adress" type the IP adress of your router (usually 192.168.1.1) and hit the "Open" Button at the Bottom.
If PuTTy could connect to your Router over SSH it will ask you for a Username and afterwards your password, these are the same as these when you open the router interface through your browser.
Once logged in you see something like this: "admin@RT-AC2900-49E8:/tmp/home/root#"

8. Switch back to your Router Interface in the Web browser. Go To "System Log" -> "Routing Table". On the very right you see "iface" which stands for interface. Look up if you can see tun1 or tun11 in the list. Take a note which of both your router shows you.

9. Now take a look atdown below you see a couple of lines

Quote

iptables -I FORWARD -i tun1 -p udp -d destIP --dport port -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d destIP --dport port -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport port -j DNAT --to-destination destIP
iptables -t nat -I PREROUTING -i tun1 -p udp --dport port -j DNAT --to-destination destIP

Copy them to a text editor. We gonna modify these now.
In each and every line you see "tun1" change that to what you found in step 8. In my case its tun11.
Next step is to define the IP of the computer you have the server running on which you wanna open up to the internet.
If you dont know your IP open up the console, (Win + R, type cmd and hit enter), type "ipconfig" and hit enter. You gonna see it there. Should be something like 192.168.1.XX.

In the lines above now replace every "destIP" to your computers ip.
Lastly replace every "port" to the port your server is listeing too. Not the port from Step 2, atleast not if its not the same as your server port.

So in the end you changed the interace "tun1" the "destIP" and the "port".

10. Switch back to PuTTy.exe
Select the first line from above you just changed, copy it and paste it into the PuTTy console (rightclick pastes). Then press Enter. Do that for every Line.

11. Once done open up a port check tool like https://www.yougetsignal.com/tools/open-ports/ and check the port from Step 2
If you did everything right you now see a Open port, if you dont then make sure your Server is running and listening to the port specified in step 9.

Keep one thing in mind: You cannot connect from your VPN network to your VPN network. So if you set the VPN IP and forwarded port in your client which is in the same network as your Server then you wont get any Connection. This is also said in https://airvpn.org/faq/port_forwarding/

Troubleshoot.
- If you encounter any Issue check that your Server would also be visible to the internet without the VPN enabled (of course you have to forward the port the usual way then).
- Check your computers firewall
- Try to restart the Router
- DONT DISABLE SSH IN YOUR ROUTER AGAIN. idk why, but once disabled seemingly all made changes are reset. So you need to keep it running.

[DARR1 0]

8. Switch back to your Router Interface in the Web browser. Go To "System Log" -> "Routing Table". On the very right you see "iface" which stands for interface. 

[Giddy169 0]

I did this but everytime my router reboots I have to SSH back to the router and input all the commands. How do I get them to stay after a reboot?

[reversevpn 4]

Either put them in /etc/rc.local, or install the iptables-persistent package.

[Giddy169 0]

Thanks, I ended up putting putting a Jffs script here and that seems to have worked. /jffs/scripts/nat-start

Are your options better?

[reversevpn 4]

If the distro that your router runs supports iptables-persistent, then iptables-persistent is the canonical way of making iptables rules survive past reboot. As for /etc/rc.local, that is the generic way of running commands at startup if your distro doesn't have systemd. However, if jffs is idiomatic for Asus Merlin, then you've probably done the right thing. Depends on the idioms of your distro.