hinuiiik 0 Posted ...

Hello, I recently switched to AirVPN from Mullvad and my experience has been great so far. The only part of my previous setup that I have not been able to recreate is allowing incoming traffic on ports through the VPN, so I can use moonlight/sunshine to connect to my computer and turn my VPN on or off if necessary while staying connected. My previous nftables rule was this:

    table inet excludeTraffic {
        chain allowIncoming {
            type filter hook input priority -100; policy accept;
            tcp dport { 47984, 47989, 48010 } ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
            udp dport { 47998-48000, 48002, 48010 } ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
            tcp dport 15132 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
        }
        chain allowOutgoing {
            type route hook output priority -100; policy accept;
            tcp sport { 47984, 47989, 48010 } ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
            udp sport { 47998-48000, 48002, 48010 } ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
            tcp sport 15132 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
        }
    }

I'm using Eddie 2.24.6, and I have tried fiddling away with Eddie's settings to see if anything would work, but I've had no luck so far.
Staff 10080 Posted ...

On 2/15/2025 at 5:53 AM, hinuiiik said:
    I'm using Eddie 2.24.6, and I have tried fiddling away with Eddie's settings to see if anything would work, but I've had no luck so far.

Hello!

Thank you for your great feedback.

If you enable Eddie's "Network Lock" with default settings, Eddie will set firewall rules that allow any incoming and unsolicited packet from (and only from) the VPN tunnel. No need to modify your nft rules in this case. Do you have a different purpose which requires a modification to this behavior?

Kind regards
hinuiiik 0 Posted ...

On 2/20/2025 at 6:22 AM, Staff said:
    Hello! Thank you for your great feedback. If you enable Eddie's "Network Lock" with default settings, Eddie will set firewall rules that allow any incoming and unsolicited packet from (and only from) the VPN tunnel. No need to modify your nft rules in this case. Do you have a different purpose which requires a modification to this behavior? Kind regards

Thank you for the reply! The intended behavior I want is for Eddie to allow some incoming packets from outside the VPN tunnel, which is what the nft rules were for.
Staff 10080 Posted ...

13 hours ago, hinuiiik said:
    The intended behavior I want is for Eddie to allow some incoming packets from outside the VPN tunnel, which is what the nft rules were for.

Hello!

OK. However, you need to set the rules after (and every time) Eddie has enforced the Network Lock, because previous rules will be overwritten each time Eddie enables Network Lock. You also need to bind the listening software to the physical network interface.

Maybe a more practical solution is running the AirVPN Suite 2.0.0 beta version and running the listening software outside the VPN tunnel. For this purpose just enable Bluetit's traffic splitting, connect via Bluetit, and finally run the listening software through cuckoo (a utility included in the Suite). You can keep using Network Lock even with this setup: Network Lock will prevent leaks from anything except the program(s) whose traffic must go outside the VPN tunnel.

https://airvpn.org/forums/topic/66706-linux-airvpn-suite-200-preview-available/

In this way the listening software remains reachable from outside the VPN tunnel as long as Bluetit is not shut down and port forwarding on the router is properly set.

Kind regards
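Since the staff reply says the poster's excludeTraffic table is wiped every time Network Lock is re-applied, a defender would want a check that the table is actually loaded before trusting the setup. The script below is an added example, not code from the thread, Eddie or AirVPN: it parses `nft list ruleset` output for the table from the first post, verifies both hooks and the marking rules are present, and reloads the table from a file (the path is an assumption) when it is missing. The sample dumps at the bottom are constructed for offline testing and are not real Eddie output.

```sh
#!/bin/sh
# Added example (not from the thread, Eddie or AirVPN): check whether the
# poster's "excludeTraffic" nftables table survived a Network Lock re-apply,
# and reload it from a rules file when it has been flushed.

# Print only the block "table inet excludeTraffic { ... }" from a ruleset dump.
# Nested chain braces are indented, so a "}" at column 0 ends the table.
exclude_table_block() {
    printf '%s\n' "$1" | awk '/^table inet excludeTraffic/{inside=1} inside{print} inside&&/^}/{inside=0}'
}

# Succeeds only when the table exists with both its input and output hooks,
# i.e. marking of the listening ports is active in both directions.
exclude_table_present() {
    block=$(exclude_table_block "$1")
    [ -n "$block" ] || return 1
    printf '%s\n' "$block" | grep -q 'hook input' || return 1
    printf '%s\n' "$block" | grep -q 'hook output'
}

# Number of rules inside the table that set the routing mark used in the thread.
count_marked_rules() {
    exclude_table_block "$1" | grep -c 'meta mark set 0x6d6f6c65'
}

# Reload the table from RULES_FILE (argument, assumed path) when it is gone.
# Needs root and nft; returns 1 when nft cannot list the ruleset.
ensure_exclude_table() {
    current=$(nft list ruleset 2>/dev/null) || return 1
    if exclude_table_present "$current"; then
        echo "excludeTraffic table present"
    else
        echo "excludeTraffic table missing, reloading from $1"
        nft -f "$1"
    fi
}

# Constructed sample dumps for offline checks (not real Eddie Network Lock output).
SAMPLE_LOCK_ONLY='table inet filter {
    chain input { type filter hook input priority 0; policy drop; }
}'
SAMPLE_WITH_EXCLUDE="$SAMPLE_LOCK_ONLY
table inet excludeTraffic {
    chain allowIncoming {
        type filter hook input priority -100; policy accept;
        tcp dport { 47984, 47989, 48010 } ct mark set 0x00000f41 meta mark set 0x6d6f6c65
    }
    chain allowOutgoing {
        type route hook output priority -100; policy accept;
        tcp sport { 47984, 47989, 48010 } ct mark set 0x00000f41 meta mark set 0x6d6f6c65
    }
}"
```

Run `ensure_exclude_table /path/to/excludeTraffic.nft` from a hook or timer that fires after Eddie connects; the listening program must still be bound to the physical interface as the staff reply notes.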