hinuiiik

Allow incoming connections to (non-VPN) ports with nftables on Linux


Hello, I recently switched to AirVPN from Mullvad and my experience has been great so far. The only part of my previous setup that I have not been able to recreate is allowing incoming traffic on ports through the VPN, so I can use moonlight/sunshine to connect to my computer and turn my VPN on or off if necessary while staying connected.
My previous nftables rule was this:

# The ct mark persists on the connection for its lifetime; the packet (meta) mark
# is what a policy-routing rule (ip rule ... fwmark) can match to steer these
# flows over the physical interface instead of the tunnel.
table inet excludeTraffic {
  # Inbound: mark connections arriving on the Moonlight/Sunshine ports.
  chain allowIncoming {
    type filter hook input priority -100; policy accept;
    tcp dport { 47984, 47989, 48010 } ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
    udp dport { 47998-48000, 48002, 48010 } ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
    tcp dport 15132 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }

  # Outbound: a "route" chain re-evaluates routing after the mark is set, so
  # replies leaving from those ports can be routed outside the tunnel.
  chain allowOutgoing {
    type route hook output priority -100; policy accept;
    tcp sport { 47984, 47989, 48010 } ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
    udp sport { 47998-48000, 48002, 48010 } ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
    tcp sport 15132 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }
}
I'm using Eddie 2.24.6, and I have tried fiddling away with Eddie's settings to see if anything would work, but I've had no luck so far.
On 2/15/2025 at 5:53 AM, hinuiiik said:

I'm using Eddie 2.24.6, and I have tried fiddling away with Eddie's settings to see if anything would work, but I've had no luck so far.


Hello!

Thank you for your great feedback. If you enable Eddie's "Network Lock" with default settings, Eddie will set firewall rules that allow any incoming and unsolicited packet from (and only from) the VPN tunnel. No need to modify your nft rules in this case. Do you have a different purpose which requires a modification to this behavior?

Kind regards

On 2/20/2025 at 6:22 AM, Staff said:

Hello!

Thank you for your great feedback. If you enable Eddie's "Network Lock" with default settings, Eddie will set firewall rules that allow any incoming and unsolicited packet from (and only from) the VPN tunnel. No need to modify your nft rules in this case. Do you have a different purpose which requires a modification to this behavior?

Kind regards

 
Thank you for the reply! The intended behavior I want is for Eddie to allow some incoming packets from outside the VPN tunnel, which is what the nft rules were for.

13 hours ago, hinuiiik said:

The intended behavior I want is for Eddie to allow some incoming packets from outside the VPN tunnel, which is what the nft rules were for.


Hello!

OK. However, you need to set the rules after (and every time) Eddie has enforced the Network Lock, because previous rules will be overwritten each time Eddie enables Network Lock. You also need to bind the listening software to the physical network interface.

Maybe a more practical solution is running the AirVPN Suite 2.0.0 beta version and running the listening software outside the VPN tunnel. For this purpose just enable Bluetit's traffic splitting, connect via Bluetit, and finally run the listening software through cuckoo (a utility included in the Suite). You can keep using Network Lock even with this setup: Network Lock will prevent leaks from anything except the program(s) whose traffic must go outside the VPN tunnel.
https://airvpn.org/forums/topic/66706-linux-airvpn-suite-200-preview-available/

In this way the listening software remains reachable from outside the VPN tunnel as long as Bluetit is not shut down and port forwarding on the router is properly set.

Kind regards
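As an added example (not code from the thread, from AirVPN or from Eddie), here is a small POSIX shell script that regenerates the `excludeTraffic` table from the ports and marks posted above and re-applies it atomically, so it can be re-run every time Network Lock has overwritten the ruleset. The table name, marks and ports come from the original post; the `ip rule ... fwmark ... lookup main` line is an assumption about the reader's policy routing (the thread shows none) and must match how the host's routing tables are actually laid out. It does not touch Eddie's own rules; it only adds a separate table with `policy accept` chains, exactly as the posted rules do.

```shell
#!/bin/sh
# Re-apply the port-marking table after Network Lock has rewritten the firewall.
# Added example, not from the thread or from AirVPN. Assumptions: table name,
# marks and ports as in the posted rules; the ip rule below matches your host.
set -eu

TABLE=excludeTraffic
CT_MARK=0x00000f41
FW_MARK=0x6d6f6c65
TCP_PORTS="47984, 47989, 48010, 15132"
UDP_PORTS="47998-48000, 48002, 48010"

# Print the ruleset. Declaring the table and flushing it before re-adding the
# chains makes the script idempotent: running it twice leaves one copy of rules.
gen_ruleset() {
  cat <<EOF
table inet $TABLE
flush table inet $TABLE
table inet $TABLE {
  chain allowIncoming {
    type filter hook input priority -100; policy accept;
    tcp dport { $TCP_PORTS } ct mark set $CT_MARK meta mark set $FW_MARK
    udp dport { $UDP_PORTS } ct mark set $CT_MARK meta mark set $FW_MARK
  }
  chain allowOutgoing {
    type route hook output priority -100; policy accept;
    tcp sport { $TCP_PORTS } ct mark set $CT_MARK meta mark set $FW_MARK
    udp sport { $UDP_PORTS } ct mark set $CT_MARK meta mark set $FW_MARK
  }
}
EOF
}

# Apply the generated ruleset with 'nft -f -': the whole file is committed or
# rejected as one transaction, so a syntax error never leaves a half-applied table.
apply_ruleset() {
  if ! command -v nft >/dev/null 2>&1; then
    echo "nft not found; ruleset not applied" >&2
    return 1
  fi
  gen_ruleset | nft -f -
}

# The nft marks do nothing by themselves: replies from the marked flows only leave
# via the physical interface if a policy-routing rule sends them to a table whose
# default route is the physical one. 'lookup main' is an assumption (constructed
# for this example) that the physical default route still lives in the main table.
ensure_ip_rule() {
  ip rule show | grep -q "fwmark $FW_MARK" && return 0
  ip rule add fwmark "$FW_MARK" lookup main priority 100
}

# Report whether our table is currently loaded (useful after Network Lock toggles).
ruleset_present() {
  nft list table inet "$TABLE" >/dev/null 2>&1
}

case "${1:-}" in
  apply) apply_ruleset && ensure_ip_rule ;;
  show)  gen_ruleset ;;
  check) ruleset_present && echo "$TABLE loaded" || echo "$TABLE missing" ;;
esac
```

Run `sh reapply-excludes.sh show` to inspect the generated rules, and `sudo sh reapply-excludes.sh apply` after Eddie has activated Network Lock; `check` tells you whether the table survived the last toggle. Because both chains keep `policy accept`, the script never widens what the Network Lock ruleset allows on its own; whether the marked replies are actually routed outside the tunnel depends entirely on the `ip rule` matching your routing setup, and the listening program still has to be bound to the physical interface as the reply above notes.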