henris Posted December 12, 2015

First, thank you for an amazing piece of network equipment! Congestion control, host filtering, standard VPN and other features are working just perfectly. Especially our son is now enjoying the lag-free Xbox One gaming experience!

The last thing I'm trying to accomplish is to get rid of a locally installed VPN client on a Windows machine. One of the services (Vuze) running on that machine requires a port forward on both UDP and TCP. The VPN connection to the VPN provider is already working fine through Netduma and e.g. showip.net is reporting the correct VPN external IP. The port forward has been working fine with the locally installed client.

The problem is that the port forwarding is not working with Netduma VPN. Vuze is registering the port forwards through UPnP to Netduma and they are listed in the UPnP tab. But no traffic is going through and the Vuze NAT/firewall test fails when VPN is enabled. If I disable Netduma VPN the port forwards start to work immediately.

The VPN provider has two options for the connection:

- Default config ("Use the default config to get a routable internet IP address"). This does connect but no traffic at all is going through.
- NAT config ("The NAT config will assign you a RFC1918 IP address and will also shield your client from the internet and other VPN users"). This connects and works apart from the port forward.

Below is the current config and the resulting log. I'm pretty stuck and have no idea what to try. Should I be using the default/routed config or the NAT config? The only difference between these two seems to be the remote endpoints. Any help is well appreciated.

Current config (NAT config)

    # VER: 0.25
    client
    dev tun0
    proto udp
    remote nat.openvpn.####.#a 1194
    remote nat.openvpn.####.#b 1194
    remote nat.openvpn.####.#c 1194
    resolv-retry infinite
    nobind
    auth-user-pass
    ca [inline]
    tls-client
    tls-auth [inline]
    ns-cert-type server
    remote-cert-tls server
    remote-cert-ku 0x00e0
    keepalive 10 30
    cipher AES-256-CBC
    persist-key
    comp-lzo
    tun-mtu 1500
    mssfix 1200
    verb 3
    replay-window 512 60
    mute-replay-warnings
    ifconfig-nowarn
    # Enable this if your system does support it!
    #tls-version-min 1.2
    <ca>
    -----BEGIN CERTIFICATE-----
    snip
    </ca>
    <tls-auth>
    snip
    </tls-auth>

Log

    Sat Dec 12 10:12:32 2015 WARNING: file '/tmp/vpncred' is group or others accessible
    Sat Dec 12 10:12:32 2015 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sat Dec 12 10:12:32 2015 Control Channel Authentication: tls-auth using INLINE static key file
    Sat Dec 12 10:12:32 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Dec 12 10:12:32 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Dec 12 10:12:32 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
    Sat Dec 12 10:12:32 2015 UDPv4 link local: [undef]
    Sat Dec 12 10:12:32 2015 UDPv4 link remote: [AF_INET]##:1194
    Sat Dec 12 10:12:32 2015 TLS: Initial packet from [AF_INET]##:1194, sid=c5e43495 89e5a63f
    Sat Dec 12 10:12:32 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sat Dec 12 10:12:32 2015 VERIFY OK: depth=1, ##
    Sat Dec 12 10:12:32 2015 VERIFY OK: nsCertType=SERVER
    Sat Dec 12 10:12:32 2015 Validating certificate key usage
    Sat Dec 12 10:12:32 2015 ++ Certificate has key usage 00e0, expects 00e0
    Sat Dec 12 10:12:32 2015 VERIFY KU OK
    Sat Dec 12 10:12:32 2015 Validating certificate extended key usage
    Sat Dec 12 10:12:32 2015 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Sat Dec 12 10:12:32 2015 VERIFY EKU OK
    Sat Dec 12 10:12:32 2015 VERIFY OK: depth=0, ##
    Sat Dec 12 10:12:33 2015 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Sat Dec 12 10:12:33 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Dec 12 10:12:33 2015 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Sat Dec 12 10:12:33 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Dec 12 10:12:33 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2161 bit RSA
    Sat Dec 12 10:12:33 2015 [##] Peer Connection Initiated with [AF_INET]##:1194
    Sat Dec 12 10:12:36 2015 SENT CONTROL [##]: 'PUSH_REQUEST' (status=1)
    Sat Dec 12 10:12:36 2015 PUSH: Received control message: 'PUSH_REPLY,route ## 255.255.255.255 net_gateway,route-gateway 10.10.16.1,redirect-gateway def1,topology subnet,dhcp-option DOMAIN ipredator.se,dhcp-option DNS 10.10.254.53,dhcp-option DNS 10.10.254.54,ip-win32 dynamic,ping 10,ping-restart 60,explicit-exit-notify 3,ifconfig 10.10.17.115 255.255.240.0'
    Sat Dec 12 10:12:36 2015 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:8: ip-win32 (2.3.4)
    Sat Dec 12 10:12:36 2015 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:11: explicit-exit-notify (2.3.4)
    Sat Dec 12 10:12:36 2015 OPTIONS IMPORT: timers and/or timeouts modified
    Sat Dec 12 10:12:36 2015 OPTIONS IMPORT: --ifconfig/up options modified
    Sat Dec 12 10:12:36 2015 OPTIONS IMPORT: route options modified
    Sat Dec 12 10:12:36 2015 OPTIONS IMPORT: route-related options modified
    Sat Dec 12 10:12:36 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sat Dec 12 10:12:36 2015 TUN/TAP device tun0 opened
    Sat Dec 12 10:12:36 2015 TUN/TAP TX queue length set to 100
    Sat Dec 12 10:12:36 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Dec 12 10:12:36 2015 /sbin/ifconfig tun0 10.10.17.115 netmask 255.255.240.0 mtu 1500 broadcast 10.10.31.255
    Sat Dec 12 10:12:36 2015 /www/scripts/vpnup.sh 2631 tun0 1500 1558 10.10.17.115 255.255.240.0 init
    Sat Dec 12 10:12:36 2015 Initialization Sequence Completed

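
Added example, not part of henris's post and not Netduma's or the VPN provider's tooling: a short Python check that reads an OpenVPN client log like the one above, extracts the pushed options, and lists what a reviewer would look at first (credentials file permissions, password caching, negotiated TLS version, and whether the tunnel address is RFC 1918). The function names and the shortened sample log are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: four lines taken from the log above, timestamps dropped, PUSH_REPLY shortened.
SAMPLE_LOG = """\
WARNING: file '/tmp/vpncred' is group or others accessible
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2161 bit RSA
PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.10.16.1,redirect-gateway def1,topology subnet,dhcp-option DNS 10.10.254.53,ifconfig 10.10.17.115 255.255.240.0'
"""

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,([^']*)'")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_push_reply(log_text):
    """Return the options the server pushed, as {name: [argument strings]}."""
    match = PUSH_RE.search(log_text)
    options = {}
    if match:
        for item in match.group(1).split(","):
            name, _, args = item.strip().partition(" ")
            options.setdefault(name, []).append(args)
    return options


def audit(log_text):
    """Return short findings about credential handling, TLS and tunnel addressing."""
    findings = []
    if re.search(r"WARNING: file '[^']+' is group or others accessible", log_text):
        findings.append("credentials file readable by other users")
    if "may cache passwords in memory" in log_text:
        findings.append("auth-nocache not set")
    tls = re.search(r"Control Channel: (TLSv[\d.]+),", log_text)
    if tls and tls.group(1) in ("TLSv1", "TLSv1.1"):
        findings.append("control channel negotiated " + tls.group(1))
    for args in parse_push_reply(log_text).get("ifconfig", []):
        addr = ipaddress.ip_address(args.split()[0])
        if any(addr in net for net in RFC1918):
            findings.append(f"tunnel address {addr} is RFC 1918 (provider-side NAT)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("-", finding)
```
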
Netduma Crossy (Netduma Staff) Posted December 12, 2015

Hey Henris, welcome to the forum - great to hear you're liking the Duma. Who is your VPN provider?

henris Posted December 12, 2015

The provider is iPredator. I also didn't mention anything about our connection, which is an ADSL with the modem in full bridge mode (no double NAT).

Netduma Fraser (Administrators) Posted December 12, 2015

Could you post the default config as well and we can have a look.

henris Posted December 14, 2015

All the different configuration files are available here: https://www.ipredator.se/guide/openvpn/settings

I've tried all the Windows/Native and CLI versions. This is the default (routing) config file:

    # VER: 0.25
    client
    dev tun0
    proto udp
    remote pw.openvpn.ipredator.se 1194
    remote pw.openvpn.ipredator.me 1194
    remote pw.openvpn.ipredator.es 1194
    resolv-retry infinite
    nobind
    auth-user-pass
    ca [inline]
    tls-client
    tls-auth [inline]
    ns-cert-type server
    remote-cert-tls server
    remote-cert-ku 0x00e0
    keepalive 10 30
    cipher AES-256-CBC
    persist-key
    comp-lzo
    tun-mtu 1500
    mssfix 1200
    verb 3
    replay-window 512 60
    mute-replay-warnings
    ifconfig-nowarn
    # Enable this if your system does support it!
    #tls-version-min 1.2
    <ca>
    -----BEGIN CERTIFICATE-----
    snip
    -----END CERTIFICATE-----
    </ca>
    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    snip
    -----END OpenVPN Static key V1-----
    </tls-auth>

Netduma Fraser (Administrators) Posted December 14, 2015

You should be using the ones for Linux. I did have a look at them and they don't have the exact same layout. Try them and if not I'll have to have Iain take a look when he can.

jsp0511 Posted April 7, 2016

Did this ever get resolved? I am having the same issue with Vuze and Plex, though I understand Plex may be a bigger issue. My VPN provider is Private Internet Access. Cannot seem to get ports to forward at all.

Netduma Fraser (Administrators) Posted April 8, 2016

Put through exceptions for the ports and see if that helps.

esgafia Posted April 15, 2016

Good morning, I have already received the new one and everything is OK, thank you.

Regards,
João oliveira

Archived
This topic is now archived and is closed to further replies.