HOW TO FORWARD PORTS TO YOUR DEVICES WITH IPTABLES
You need to create a basic DNAT rule on your router. Remember that the router GUI forwards ports from the WAN interface to the LAN. When the router is connected to the VPN, incoming traffic arrives on the TUN interface, so you must forward ports from TUN to LAN instead. Therefore, it is imperative that you do NOT forward these ports in the GUI of the router.
In the rules below:
- destIP is the IP address of the destination device on the LAN
- port is the port you wish to forward to that device
- tun1 is the tun interface of your router (please check! on some routers it can be tun0, on Tomato it can be tun11)
- both TCP and UDP packets are forwarded, so each rule appears once per protocol
With those values filled in, add the following rules. Please note that they do NOT replace your already existing rules: -I inserts them at the top of the chain ahead of the rules already there, you just have to add them.
# filter table: allow the forwarded packets through to the LAN device (TCP and UDP)
iptables -I FORWARD -i tun1 -p udp -d destIP --dport port -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d destIP --dport port -j ACCEPT
# nat table: rewrite the destination of packets arriving on the tun interface for that port to destIP (the port is left unchanged)
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport port -j DNAT --to-destination destIP
iptables -t nat -I PREROUTING -i tun1 -p udp --dport port -j DNAT --to-destination destIP
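The same four rules as a small script, added here as an example and not part of the original post: it builds the rules for one device, refuses to run if the tun interface does not exist, and checks with -C before inserting so re-running it after a VPN reconnect does not stack duplicates. The device address, port and interface name are constructed placeholders, and iptables -C is assumed to be available on the router firmware (older builds may lack it).

```shell
#!/bin/sh
# Added example, not from the original post. DEST, PORT and TUN values below
# are constructed placeholders; replace them with your own.

# Emit "TABLE CHAIN <rule spec>" lines for TCP and UDP without running iptables,
# so the rules can be reviewed (or tested) before they touch the firewall.
pf_rules() {
  dest="$1"; port="$2"; tun="$3"
  for proto in tcp udp; do
    echo "filter FORWARD -i $tun -p $proto -d $dest --dport $port -j ACCEPT"
    echo "nat PREROUTING -i $tun -p $proto --dport $port -j DNAT --to-destination $dest"
  done
}

# Number of rules pf_rules produces for one device (2 chains x 2 protocols = 4).
pf_rule_count() {
  pf_rules "$@" | wc -l | tr -d ' '
}

# The tun name differs by firmware (tun0, tun1, tun11); bail out if it is absent
# rather than inserting rules that will never match anything.
pf_check_tun() {
  ip link show "$1" >/dev/null 2>&1
}

# Insert each rule only when an identical one is not already present (-C),
# keeping the existing rule set intact and avoiding duplicate entries.
pf_apply() {
  dest="$1"; port="$2"; tun="$3"
  pf_check_tun "$tun" || { echo "interface $tun not found; check tun0/tun1/tun11" >&2; return 1; }
  pf_rules "$dest" "$port" "$tun" | while read -r table chain spec; do
    # $spec is intentionally unquoted so it splits into iptables arguments
    iptables -t "$table" -C "$chain" $spec 2>/dev/null || iptables -t "$table" -I "$chain" $spec
  done
}

# Example invocation (constructed values): forward port 51413 on tun1 to 192.168.1.50.
# pf_apply 192.168.1.50 51413 tun1
```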
Note: if the iptables build in your router firmware supports the multiport module, you can use the -m multiport (--match multiport) option with --dports to cover several ports in one rule and make your rule set more compact. Please see here, thanks to Mikeyy: https://airvpn.org/topic/14991-asuswrt-merlin-multiple-ports/#entry31221