  1. #1
    Untangler
    Join Date
    Apr 2009
    Posts
    60

    Port forward through VPN tunnel

    This seems pretty straightforward. But I can't get it to work.

    I have a VPN tunnel set up on the Untangle box with PrivateInternetAccess. I've written a script to the PIA API to open a forwarded port. I've configured my rules like this...

    For the tunnel rule, I have all IPs with source 192.168.1.31 tunneled.

    For the port forward rule, I have tried all different combinations, but have tried the most obvious combinations of settings:
    - Destined Local, Source Interface = VPN Tunnel, Destination Port = 29308, Protocol = TCP

    I've also tried other combinations, like removing "Destined Local", and removing source interface - so I tried using Destination Port = 29308, Protocol = TCP. With this combination, as soon as the tunnel goes offline the online port test works.

    No matter what I do, I cannot pass an online port test with the tunnel connected.

    I've confirmed the system at 192.168.1.31 is listening and I can connect locally to port 29308.
    I've made sure no firewall or anything on the system at 192.168.1.31 is blocking anything.
    I've confirmed PIA is issuing the forward port in the API request successfully.

    What am I doing wrong? I have no eyes into what PIA does, but according to their documentation this is how it is done.

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,228

    You've got your forward backwards. You're trying to match traffic impacting a NAT-enabled IP address and pass it to an internal device; the fact that internal device is across a VPN tunnel is irrelevant.

    Therefore, Source Interface isn't VPN; that would be destination interface VPN. Since you're describing traffic on the way in from an Internet connection, the source interface is External or whatever WAN interface it's landing on originally. Destined local, destination port, and protocol are sufficient alone, assuming the new destination field at the bottom of the rule is set to 192.168.1.31. Just remove the source interface flag and you'll likely find things working.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
