[JonArmy]

First thanks to everyone that has helped out while I got my OpenVPN up and running.

Before we lost our connection we had one computer that has about 5 ports forwarded due to a program we run on the computer.

I've looked through Google and other forms and might of missed it in this form. By what I've read you loose the port forwarding rules, however the computer I have running on the server OpenVPN has ports forward and they work.

Currently in the router that is the server under Administration > Commands I have only rules for Firewall and the only script that's in there is for the OpenVPN. On the router that runs as a client I have are:

iptables -t net -A POSTROUTING -j MASQUERADE

Which is under the firewall command.

On the router that is running as client we still have the IP address and ports that we have forward, of course there using the IP address that the client router has for them.

Is there a script to place either on the client or server router that will allow the ports that we want forward to be forwarded.

[JonArmy]

Yes from the client side is were the computer(s) that has ports that need to be forwarded, currently we have on the client side router under NAT/QoS > Port Forwarding we have the following:

Application Protocol Source Net Port from IP Address Port to

Telnet Both 23 192.168.1.100 23

BPQ AXIP 10093 192.168.1.100 10093

BPQ Telnet 8011 192.168.1.100 8011

BPQ HTTP 81 192.168.1.100 81

BPQ VNC 5910 192.168.1.100 5910

BPQ RDP 3389 192.168.1.100 3389

As you can see we have the application name, port from, IP address on client side and port to

The way were using OpenVPN is the network were using at the client end blocks all the ports we use and they don't fell like working with use to open those ports for us, so with the OpenVPN the OpenVPN server is providing the internet access and ability to run our programs that we need the ports.

So the main thing is that we'd need the ability to have the ports opened up so that people can use the ports even with using a OpenVPN server/client

[JonArmy]

Yes that's what were looking for with the port forwarding.

We had tried a PPTP client, however they had they had blocked so that's why we had to go to a OpenVPN.

I can copy what I have set for both the server and client for adjusting to a tunnel which currently we have the server mode as TUN

[JonArmy]

[JonArmy]

Also if this works, will this allow us to forward any ports on the client side and it will still run normal internet and also forward those ports even though using a OpenVPN.

[JonArmy]

Currently our network is as follows:

Router running OpenVPN Server is using Router IP address of 192.168.0.1 under Setup > Basic Settings. Then under Services > VPN it has set up Network of 10.0.8.0 so under additional config should be something like 192.168.1.0 to push the client network of 192.168.1.0.

On the client the router is set up under Setup > Basic Settings of 192.168.1.1

I've copied all the configuration's from client & server and need to confirm I have everything setup correctly.

startup

mkdir -p /tmp/openvpn/ccd
echo "iroute 192.168.1.0 255.255.255.0"> /tmp/openvpn/ccd/Jon KK4ZIZ (common name on certificate)

Firewall

#!/bin/sh
OVPN_SERVER="10.0.8.0/24"
OVPN_DEV="tun2"
OVPN_PROTO="tcp"
OVPN_PORT="443"

WAN_IF="$(ip route | awk '/^default/{print $NF}')"

# open the OpenVPN server port
iptables -I INPUT -i $WAN_IF -p $OVPN_PROTO --dport $OVPN_PORT -j ACCEPT

# allow OpenVPN clients to access the OpenVPN server
iptables -I INPUT -i $OVPN_DEV -m state --state NEW -j ACCEPT

# allow OpenVPN clients to access ALL other devices on the LAN
iptables -I FORWARD -i $OVPN_DEV -m state --state NEW -j ACCEPT

# allow OpenVPN clients to access ALL other devices on the LAN
iptables -I FORWARD -i $OVPN_DEV -m state --state NEW -j ACCEPT

# allow OpenVPN clients to use the OpenVPN server as an internet gateway
iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $WAN_IF -j MASQUERADE

# what follows is only for site-to-site and port forwarding over the the tunnel

LAN_IP="$(nvram get lan_ipaddr)"
LAN_NET="$LAN_IP/$(nvram get lan_netmask)"
REMOTE_NET="192.168.1.0/24"

# allow local devices to become clients of the remote network
iptables -I FORWARD -o $OVPN_DEV -m state --state NEW -j ACCEPT

# NAT anything that's NOT the local network (e.g., WAN) over the OpenVPN tunnel
iptables -t nat -A POSTROUTING -s ! $LAN_NET -o $OVPN_DEV -j MASQUERADE

# NAT the remote network (behind the OpenVPN client) over the WAN
iptables -t nat -A POSTROUTING -s $REMOTE_NET -o $WAN_IF -j MASQUERADE



Additional Config

push "route 192.168.0.1 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"


Client

Firewall

iptables -t net -A POSTROUTING -j MASQUERADE

[JonArmy]

[JonArmy]

Well just updated the server, and after a restart it is talking, I remote into one of the computers on the other network via TeamViewer and I can ping the server router at 192.168.0.1 and get response. If I go to the server connection and ping something on the client side it doesn't I get a time out.

How can I tell it's working correctly, should I be able to ping a computer on the client side, even if the on the client side under Security > Firewall it's enabled and it blocks WAN Requests at Block Anonymous WAN Request (ping), Filter Multicast, Filter IDENT (Port 113), Block WAN SNMP access.

Should I try turning off the Firewall on the client?

[JonArmy]

[JonArmy]

So for the "redirect-gateway def1" if that is taken out will it make any difference? I also might of had just restarted since the previous post about the

mkdir -p /tmp/openvpn/ccd
echo "iroute 192.168.1.0 255.255.255.0"> /tmp/openvpn/ccd/Jon KK4ZIZ

to

mkdir -p /tmp/openvpn/ccd
echo "iroute 192.168.1.0 255.255.255.0"> "/tmp/openvpn/ccd/Jon KK4ZIZ"

which now on the Status > OpenVPN I show the following:

Common Name Real Address Virtual Address Bytes Received Bytes Sent Connected Since Connected Since (time_t)
Jon KK4ZIZ xx.xx.xxx.xxx:xxxxx 10.0.8.2 1682084 1168544 Mon Dec 28 18:51:07 2015 1451328667
Virtual Address Common Name Real Address Last Ref
192.168.1.0/24 Jon KK4ZIZ xx.xx.xxx.xxx:xxxxx Mon Dec 28 18:51:10 2015
10.0.8.2 Jon KK4ZIZ xx.xx.xxx.xxx:xxxxx Mon Dec 28 19:12:21 2015

[JonArmy]

So far I can ping 10.0.8.2 and I get a good ping response. I can even place 10.0.8.2 and I get access to the router page of the client. If I ping one of the IP address on the client I don't get any response, if I even ping 192.168.1.254 which is the routers IP address I don't get a response.

[JonArmy]

[bl@d3runn3r]