When I enable the OpenVPN client on my Tomato-based router, port forwarding seems to not work anymore. I have an Asus RT-N16 router with this firmware installed:
Tomato Firmware 1.28.0000 MIPSR2-115 K26 USB VPN (shibby build)
I recently signed up for a VPN service, and followed the guide they provide to set up the VPN on my router: http://www.ipvanish.com/visualguides/OpenVPN/Tomato/
After following the guide, all my traffic is tunneled, which is great. However, I have a ubuntu server connected this router that hosts apache (on ports 80 and 443) that I cannot access externally anymore. I'm new to the VPN world, so please correct me if I have the theory wrong. I was hoping that when WAN requests come in outside the VPN, they would be responded to this way due to the port forwarding. My uneducated guess is that the requests are coming in, but the responses are disappearing into the tunnel.
I've seen multiple postings elsewhere that suggest the need to add additional rules to the router's iptables like this:
iptables -t nat -A PREROUTING -p tcp --dport <your_port_number> -j DNAT --to-destination <your_destination_IP_address>
iptables -A FORWARD -s <your_VPN_IP> -p tcp --dport <your_port_number> -j ACCEPT
However, I've had no success implementing this. Is it possible to do what I'm attempting? If so, what steps am I missing? Below is the output of ifconfig and iptables on my router after the VPN client is enabled. Thanks.
br0 Link encap:Ethernet HWaddr BC:AE:C5:E8:2B:72
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4906280 errors:0 dropped:0 overruns:0 frame:0
TX packets:6593105 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3320899619 (3.0 GiB) TX bytes:3055186673 (2.8 GiB)
eth0 Link encap:Ethernet HWaddr BC:AE:C5:E8:2B:72
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12317339 errors:0 dropped:0 overruns:0 frame:0
TX packets:11550871 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2602762531 (2.4 GiB) TX bytes:2190393333 (2.0 GiB)
Interrupt:4 Base address:0x2000
eth1 Link encap:Ethernet HWaddr BC:AE:C5:E8:2B:74
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:141603 errors:0 dropped:0 overruns:0 frame:12229612
TX packets:253818 errors:17 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11473501 (10.9 MiB) TX bytes:323350737 (308.3 MiB)
Interrupt:3 Base address:0x1000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:38 errors:0 dropped:0 overruns:0 frame:0
TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3675 (3.5 KiB) TX bytes:3675 (3.5 KiB)
tun11 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.20.25.181 P-t-P:172.20.25.181 Mask:255.255.248.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1649 errors:0 dropped:0 overruns:0 frame:0
TX packets:1186 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1808407 (1.7 MiB) TX bytes:129251 (126.2 KiB)
vlan1 Link encap:Ethernet HWaddr BC:AE:C5:E8:2B:72
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:5125335 errors:0 dropped:0 overruns:0 frame:0
TX packets:6732029 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3654686593 (3.4 GiB) TX bytes:3092936664 (2.8 GiB)
vlan2 Link encap:Ethernet HWaddr BC:AE:C5:E8:2B:73
inet addr:98.228.254.52 Bcast:98.228.255.255 Mask:255.255.248.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7190398 errors:0 dropped:0 overruns:0 frame:0
TX packets:4818842 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3021257256 (2.8 GiB) TX bytes:3392423965 (3.1 GiB)
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
119 10231 ACCEPT all -- tun11 * 0.0.0.0/0 0.0.0.0/0
14 1470 DROP all -- br0 * 0.0.0.0/0 98.228.254.52
393 163K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
19219 6264K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
11 861 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
42101 2556K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
4974 1716K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3269 2974K ACCEPT all -- tun11 * 0.0.0.0/0 0.0.0.0/0
11M 11G all -- * * 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
13009 5871K ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
122 5288 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
37051 2152K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
11M 11G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5081 302K wanin all -- vlan2 * 0.0.0.0/0 0.0.0.0/0
20195 1208K wanout all -- * vlan2 0.0.0.0/0 0.0.0.0/0
20300 1216K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3994 packets, 1258K bytes)
pkts bytes target prot opt in out source destination
Chain wanin (1 references)
pkts bytes target prot opt in out source destination
2186 125K ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.132 tcp dpt:49151
1054 79129 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.132 udp dpt:49151
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.132 tcp dpt:8112
172 10288 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.132 tcp dpt:443
5 358 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.132 tcp dpt:993
1 52 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.132 tcp dpt:5222
2 120 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.132 tcp dpt:5269
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.132 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.132 tcp dpt:110
4 240 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.132 tcp dpt:26
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.115 tcp dpt:49491
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.115 udp dpt:49491
1610 83944 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.132 tcp dpt:32400
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.132 tcp dpt:465
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.132 tcp dpt:587
3 168 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.132 tcp dpt:22
29 1704 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.132 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.136 udp dpt:88
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.136 tcp dpt:3074
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.136 udp dpt:3074
1 44 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.136 tcp dpt:53
14 1143 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.136 udp dpt:53
Chain wanout (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 625 packets, 97194 bytes)
pkts bytes target prot opt in out source destination
5625 364K WANPREROUTING all -- * * 0.0.0.0/0 98.228.254.52
0 0 DROP all -- vlan2 * 0.0.0.0/0 192.168.1.0/24
Chain POSTROUTING (policy ACCEPT 174 packets, 10820 bytes)
pkts bytes target prot opt in out source destination
142 9572 MASQUERADE all -- * tun11 192.168.1.0/24 0.0.0.0/0
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.132 tcp dpt:49151 to:98.228.254.52
0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.132 udp dpt:49151 to:98.228.254.52
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.132 tcp dpt:8112 to:98.228.254.52
333 17356 SNAT tcp -- * * 192.168.1.0/24 192.168.1.132 tcp dpt:443 to:98.228.254.52
63 5305 SNAT tcp -- * * 192.168.1.0/24 192.168.1.132 tcp dpt:993 to:98.228.254.52
2 230 SNAT tcp -- * * 192.168.1.0/24 192.168.1.132 tcp dpt:5222 to:98.228.254.52
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.132 tcp dpt:5269 to:98.228.254.52
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.132 tcp dpt:25 to:98.228.254.52
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.132 tcp dpt:110 to:98.228.254.52
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.132 tcp dpt:26 to:98.228.254.52
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.115 tcp dpt:49491 to:98.228.254.52
0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.115 udp dpt:49491 to:98.228.254.52
10 600 SNAT tcp -- * * 192.168.1.0/24 192.168.1.132 tcp dpt:32400 to:98.228.254.52
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.132 tcp dpt:465 to:98.228.254.52
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.132 tcp dpt:587 to:98.228.254.52
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.132 tcp dpt:22 to:98.228.254.52
111 6084 SNAT tcp -- * * 192.168.1.0/24 192.168.1.132 tcp dpt:80 to:98.228.254.52
0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.136 udp dpt:88 to:98.228.254.52
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.136 tcp dpt:3074 to:98.228.254.52
0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.136 udp dpt:3074 to:98.228.254.52
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.136 tcp dpt:53 to:98.228.254.52
0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.136 udp dpt:53 to:98.228.254.52
29907 1817K MASQUERADE all -- * vlan2 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 180 packets, 11182 bytes)
pkts bytes target prot opt in out source destination
Chain WANPREROUTING (1 references)
pkts bytes target prot opt in out source destination
4 172 DNAT icmp -- * * 0.0.0.0/0 0.0.0.0/0 to:192.168.1.1
2103 120K DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:49151 to:192.168.1.132
834 57491 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:49151 to:192.168.1.132
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8112 to:192.168.1.132
505 27636 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.1.132
68 5663 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 to:192.168.1.132
3 282 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222 to:192.168.1.132
2 120 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5269 to:192.168.1.132
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:192.168.1.132
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 to:192.168.1.132
4 240 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:26 to:192.168.1.132
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:49491 to:192.168.1.115
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:49491 to:192.168.1.115
1633 85204 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:32400 to:192.168.1.132
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 to:192.168.1.132
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 to:192.168.1.132
3 168 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.1.132
140 7788 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.132
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:88 to:192.168.1.136
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3074 to:192.168.1.136
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3074 to:192.168.1.136
1 40 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 to:192.168.1.136
14 1143 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 to:192.168.1.136
Best Answer
It's not true that port forwarding does not work any more. Rather, what is happenng is that the reply from your Ubuntu server is routed through the VPN, so that, when it reaches the pc that was trying to contact the Ubuntu server, it will be coming from a different IP address than the one the initial message was written to. All pcs, for obvious questions of security, are instructed to drop these fake (?) reply packets.
So that the basic idea is to oblige your LAN to allow replies (from the Ubuntu server) outside the VPN. That requires policy routing, i.e., the simultaneous use of two routing tables according to the source (not the destination!) IP address. Policy routing is sometimes referred to as source routing.
You can find clear instructions on how to do that on a Tomato route on the serverfault site, here. It is the contribution starting with: I finally did it. I believe that thread was unjustly closed, the contribution is instead quite useful. Come back if you have specific problems with following the instructions.