Page 1 of 2
Results 1 to 10 of 15
  1. #1
    Untanglit
    Join Date
    Apr 2019
    Posts
    22

    AirVPN Port Forwarding

    Hi,
    I am trialling AirVPN with Untangle configured using Tunnel VPN
    I have a server which I have tagged and outbound traffic is routing very nicely.
    AirVPN allows an inbound port to be forwarded, and I am trying to configure this - I have put an entry into the Port Forwarding table in untangle which seems to be matched (traffic appears in the port forwarded sessions) yet connections cannot be properly established.
    For this testing I have tried disabling firewalls, intrusion protection.

    [Attachments: Screenshot 2020-08-05 at 11.20.29.png, Screenshot 2020-08-05 at 11.20.07.png]

    I see some other people have had problems with this on the forums, but I'm not sure if anyone has succeeded in getting it working.
    Last edited by Jabes; 08-05-2020 at 07:44 AM.

  2. #2
    Untanglit
    Join Date
    Apr 2019
    Posts
    22

    I should point out that in the screenshot above, 10.15.104.176 is the client IP address assigned by AirVPN on connection, which will vary (along with the external address) on a reconnect; 10.1.1.120 is my internal server.

  3. #3
    Untanglit
    Join Date
    Apr 2019
    Posts
    22

    This is how the AirVPN help suggests it would be configured with a standard Linux-based router, if it helps:

    iptables -I FORWARD -i tun1 -p udp -d destIP --dport port -j ACCEPT
    iptables -I FORWARD -i tun1 -p tcp -d destIP --dport port -j ACCEPT
    iptables -t nat -I PREROUTING -i tun1 -p tcp --dport port -j DNAT --to-destination destIP
    iptables -t nat -I PREROUTING -i tun1 -p udp --dport port -j DNAT --to-destination destIP

  4. #4
    Untanglit
    Join Date
    Apr 2019
    Posts
    22

    I have had a support call open with Untangle support, who have been quite diligent in helping investigate this.
    It appears that the SYN packet is received through the tunnel and is passed to the internal host. However, the SYN/ACK response does not get routed to the source interface (the VPN) but rather the external interface.

    This is extremely odd behaviour, but unfortunately using the tunnel VPN in this way is apparently not what it is designed for.

    Any suggestions on how to get the routing to work properly would be gratefully received.
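    The symptom described in post #4 (SYN arrives via the tunnel, SYN/ACK leaves via the WAN uplink) is asymmetric routing: the reply is routed by the default table, which points at the WAN. On a plain Linux router the usual fix is to mark connections that arrive over the tunnel and policy-route every packet of those connections back out the tunnel. The script below is an added example, not from the thread, from AirVPN or from Untangle; the tunnel interface, forwarded port, fwmark value and routing table number are assumed placeholders, and 10.1.1.120 is the internal server from post #2.

```shell
#!/bin/sh
# Added example: AirVPN's DNAT/FORWARD rules plus a connection mark so
# that replies leave via the tunnel they arrived on. Not Untangle's code.
TUN_IF="${TUN_IF:-tun201}"      # assumed: tunnel the provider forwards to
DEST_IP="${DEST_IP:-10.1.1.120}" # internal server (post #2)
FWD_PORT="${FWD_PORT:-12345}"    # placeholder forwarded port
MARK="${MARK:-0x7}"              # assumed unused fwmark value
TABLE="${TABLE:-107}"            # assumed unused routing table number

# With DRY_RUN set, commands are printed instead of executed so the
# rule set can be reviewed before it touches a live firewall.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

install_rules() {
    # 1. DNAT the forwarded port to the server and allow it through
    #    FORWARD, as in the AirVPN help text (post #3).
    for proto in tcp udp; do
        run iptables -t nat -I PREROUTING -i "$TUN_IF" -p "$proto" \
            --dport "$FWD_PORT" -j DNAT --to-destination "$DEST_IP"
        run iptables -I FORWARD -i "$TUN_IF" -p "$proto" -d "$DEST_IP" \
            --dport "$FWD_PORT" -j ACCEPT
    done
    # 2. Stamp the conntrack entry of every new connection that arrives
    #    over the tunnel, so the whole flow can be recognised later.
    run iptables -t mangle -A PREROUTING -i "$TUN_IF" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    # 3. Reply packets come back in from the LAN side. Restore the mark
    #    onto them (only for flows we stamped) before the routing decision.
    run iptables -t mangle -A PREROUTING ! -i "$TUN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED \
        -m connmark --mark "$MARK" -j CONNMARK --restore-mark
    # 4. Policy routing: marked packets use a table whose default route
    #    is the tunnel, so the SYN/ACK goes back the way the SYN came.
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 1000
    run ip route replace default dev "$TUN_IF" table "$TABLE"
}
```

Run with `DRY_RUN=1 sh script.sh` first to see the eight commands; the rule priority and mark must not collide with whatever the router's own policy routing (on Untangle, the 0xff00-masked fwmarks in the rules listing) already uses.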

  5. #5
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,469

    Show us your Current Routes, please?

  6. #6
    Untanglit
    Join Date
    Apr 2019
    Posts
    22

    10.0/10.2/10.3/10.4/10.5 are local VLANs.
    Two tunnel VPNs are set up (Nord, and trialling AirVPN); looking at this, I would guess they have the local ranges 10.8 and 10.11.
    10.128 is an IPsec VPN I have elsewhere (currently not connected).


    I have no custom routes; this is all auto.
    200/201/202 are the three VPNs I have configured (only two set to active).

    Code:
     = IPv4 Rules = 
    0:	from all lookup local 
    100:	from all fwmark 0xfe00/0xff00 lookup 1000 
    220:	from all lookup ipsec 
    32766:	from all lookup main 
    32767:	from all lookup default 
    50000:	from 46.247.20.55 lookup uplink.1 
    70001:	from all fwmark 0x100/0xff00 lookup uplink.1 
    70200:	from all fwmark 0xc800/0xff00 lookup uplink.200 
    70201:	from all fwmark 0xc900/0xff00 lookup uplink.201 
    70202:	from all fwmark 0xca00/0xff00 lookup uplink.202 
    900000:	from all lookup balance 
    1000000:	from all lookup uplink.1 
    
     = IPv4 Table main = 
    10.0.0.0/16 dev eth1 proto kernel scope link src 10.0.1.1 
    10.1.0.0/16 dev eth1.11 proto kernel scope link src 10.1.0.1 
    10.2.0.0/16 dev eth1.20 proto kernel scope link src 10.2.0.1 
    10.3.0.0/16 dev eth1.10 proto kernel scope link src 10.3.0.1 
    10.4.0.0/16 dev eth1.21 proto kernel scope link src 10.4.0.1 
    10.8.0.0/24 dev tun200 proto kernel scope link src 10.8.0.7 
    10.8.0.1 dev tun200 scope link 
    10.11.200.0/24 dev tun201 proto kernel scope link src 10.11.200.52 
    10.11.200.1 dev tun201 scope link 
    46.247.20.54 dev eth0 scope link 
    46.247.20.54/31 dev eth0 proto kernel scope link src 46.247.20.55 
    192.0.2.0/30 dev br.lxc proto kernel scope link src 192.0.2.1 
    192.0.2.200/30 dev utun proto kernel scope link src 192.0.2.200 
    
     = IPv4 Table balance = 
    
     = IPv4 Table default = 
    
     = IPv4 Table local = 
    broadcast 10.0.0.0 dev eth1 proto kernel scope link src 10.0.1.1 
    local 10.0.1.1 dev eth1 proto kernel scope host src 10.0.1.1 
    broadcast 10.0.255.255 dev eth1 proto kernel scope link src 10.0.1.1 
    broadcast 10.1.0.0 dev eth1.11 proto kernel scope link src 10.1.0.1 
    local 10.1.0.1 dev eth1.11 proto kernel scope host src 10.1.0.1 
    broadcast 10.1.255.255 dev eth1.11 proto kernel scope link src 10.1.0.1 
    broadcast 10.2.0.0 dev eth1.20 proto kernel scope link src 10.2.0.1 
    local 10.2.0.1 dev eth1.20 proto kernel scope host src 10.2.0.1 
    broadcast 10.2.255.255 dev eth1.20 proto kernel scope link src 10.2.0.1 
    broadcast 10.3.0.0 dev eth1.10 proto kernel scope link src 10.3.0.1 
    local 10.3.0.1 dev eth1.10 proto kernel scope host src 10.3.0.1 
    broadcast 10.3.255.255 dev eth1.10 proto kernel scope link src 10.3.0.1 
    broadcast 10.4.0.0 dev eth1.21 proto kernel scope link src 10.4.0.1 
    local 10.4.0.1 dev eth1.21 proto kernel scope host src 10.4.0.1 
    broadcast 10.4.255.255 dev eth1.21 proto kernel scope link src 10.4.0.1 
    broadcast 10.8.0.0 dev tun200 proto kernel scope link src 10.8.0.7 
    local 10.8.0.7 dev tun200 proto kernel scope host src 10.8.0.7 
    broadcast 10.8.0.255 dev tun200 proto kernel scope link src 10.8.0.7 
    broadcast 10.11.200.0 dev tun201 proto kernel scope link src 10.11.200.52 
    local 10.11.200.52 dev tun201 proto kernel scope host src 10.11.200.52 
    broadcast 10.11.200.255 dev tun201 proto kernel scope link src 10.11.200.52 
    local 46.247.20.55 dev eth0 proto kernel scope host src 46.247.20.55 
    broadcast 46.255.255.255 dev eth0 proto kernel scope link src 46.247.20.55 
    broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1 
    local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1 
    local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1 
    broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1 
    broadcast 192.0.2.0 dev br.lxc proto kernel scope link src 192.0.2.1 
    local 192.0.2.1 dev br.lxc proto kernel scope host src 192.0.2.1 
    broadcast 192.0.2.3 dev br.lxc proto kernel scope link src 192.0.2.1 
    local 192.0.2.200 dev utun proto kernel scope host src 192.0.2.200 
    broadcast 192.0.2.200 dev utun proto kernel scope link src 192.0.2.200 
    broadcast 192.0.2.203 dev utun proto kernel scope link src 192.0.2.200 
    
     = IPv4 Dynamic Routing = 
    
     = IPv4 Table uplink.1 = 
    default via 46.247.20.54 dev eth0 
    
     = IPv4 Table uplink.200 = 
    default via 10.8.0.1 dev tun200 
    
     = IPv4 Table uplink.201 = 
    default via 10.11.200.1 dev tun201 
    
     = IPv4 Table uplink.202 = 
    
     = IPv4 Route Rules = 
    
    
    
     = IPv6 Rules = 
    0:	from all lookup local 
    220:	from all lookup ipsec 
    32766:	from all lookup main 
    
     = IPv6 Table main = 
    ::1 dev lo proto kernel metric 256 pref medium
    ::/3 dev tun201 metric 1024 pref medium
    2000::/4 dev tun201 metric 1024 pref medium
    3000::/4 dev tun201 metric 1024 pref medium
    fde6:7a:7d20:7c8::/64 dev tun201 proto kernel metric 256 pref medium
    fc00::/7 dev tun201 metric 1024 pref medium
    fe80::/64 dev utun proto kernel metric 256 pref medium
    fe80::/64 dev br.lxc proto kernel metric 256 pref medium
    fe80::/64 dev tun200 proto kernel metric 256 pref medium
    fe80::/64 dev tun201 proto kernel metric 256 pref medium
    
     = IPv6 Table default = 
    
     = IPv6 Table local = 
    local ::1 dev lo proto kernel metric 0 pref medium
    local fde6:7a:7d20:7c8::1032 dev tun201 proto kernel metric 0 pref medium
    anycast fe80:: dev utun proto kernel metric 0 pref medium
    local fe80::2c41:6dcf:7ec5:cc0 dev tun200 proto kernel metric 0 pref medium
    local fe80::7807:ffff:feb8:2fb8 dev br.lxc proto kernel metric 0 pref medium
    local fe80::a764:d1f3:660e:5f35 dev tun201 proto kernel metric 0 pref medium
    local fe80::e8e5:5dff:feee:78c3 dev utun proto kernel metric 0 pref medium
    ff00::/8 dev utun metric 256 pref medium
    ff00::/8 dev br.lxc metric 256 pref medium
    ff00::/8 dev tun200 metric 256 pref medium
    ff00::/8 dev tun201 metric 256 pref medium
    
     = IPv6 Table uplink.1 = 
    
     = IPv6 Table uplink.200 = 
    
     = IPv6 Table uplink.201 = 
    
     = IPv6 Table uplink.202 = 
    
    
    
    
     = IPsec Rules = 
    10.128.0.0/16 via 46.247.20.54 dev eth0 proto static src 10.0.1.1

  7. #7
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,469

    I can only describe this in fuzzy terms, and it is dependent on being able to configure the client side of things.

    Get a route on the client host that states the next hop for the server's address to be the VPN.
    That may also have more to do with NAT?

    The next is a somewhat related concept, but I can't get screenshots right now.

    Now, I have an IoT setup that I want to be isolated from the Internet. On the OpenVPN client, if I make the default gateway the VPN so all traffic goes out there, the VPN connection falls apart. But if I add a specific route for the VPN server IP address with the next hop to be the client's router WAN address (or interface), the VPN connects successfully (the OpenVPN client also has the server IP address 'hard-coded'), and all other traffic merrily goes through the VPN tunnel.

    I hope this serves as food for thought.
    Last edited by Jim.Alles; 08-28-2020 at 11:54 AM.

  8. #8
    Untanglit
    Join Date
    Apr 2019
    Posts
    22

    The problem is that the external and internal addresses change on every VPN reconnection I think? Is there a way you can pin the internal address?

  9. #9
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,469

    Yes, I didn't mention that I did get a static IP address from the ISP at the OpenVPN server for this reason. That takes care of the external address with a private network.

    A service like AirVPN is likely to consider the random internal IP address a privacy 'feature'. OpenVPN seems to be pretty consistent in itself. Then again, I don't run many clients.

    This link doesn't apply to NGFW:
    https://openvpn.net/vpn-server-resources/assigning-a-static-vpn-client-ip-address-to-a-user/

  10. #10
    Newbie
    Join Date
    May 2017
    Posts
    13

    I was told via support some time ago that it wasn't possible. The iptables commands posted early in the thread should be enough to get it to work.

    Unfortunately it is possible, just not on Untangle.
