So my VPN provider allows port forwarding. I can connect the Firewalla (in router mode) as a WireGuard or OpenVPN client to the VPN provider. I then specify in the VPN provider portal what port I would like forwarded. Now, how do I direct that incoming port forward to the device of my choice on my internal network? I’m ok with using a name or IP. Is that through the routes function in the GUI?
You do not need to, and should not, expose that port from the router. This is done on the VPN server side so there isn’t anything special you need to do as everything goes through the tunnel.
Right, I understand that. However, logically I need some way to direct the inbound from the VPN tunnel to the correct host. That is, with the Firewalla acting as VPN Client to the provider, (excuse my lack of networking knowledge…) I assign that VPN connection to a Firewalla Group. Now within that group, I would like the port coming from the outside world, through the VPN tunnel, to a specific client.
How does one achieve this?
Alternatively for dummies, if I ONLY have the VPN Client enabled to the one device, would this simplify and not need to do any other routing changes? Ideally I’d like a group of devices connected to that VPN, but if it’s too terrible or not possible…
Is this for torrenting?
No this is for hosting services through a tunnel (eg through AirVPN). This would logically segment it from my primary ISP link.
Ok it shouldn’t matter either way. You need to make sure that your server is listening on the same port that is port-forwarded. If you have a collection of services you will need to use a reverse-proxy.
Here's a basic example using PIA (not that it matters). Once the server was up and running I was able to hit the VPN IP and port and it hit the server.
admin@raspberrypi:~$ piactl get portforward
49050
admin@raspberrypi:~$ curl icanhazip.com
181.214.xxx.xxx
admin@raspberrypi:~$ python3 -m http.server 49050
Serving HTTP on 0.0.0.0 port 49050 (http://0.0.0.0:49050/) ...
xx.xxx.xx.xxx - - [06/Oct/2023 10:46:46] "GET / HTTP/1.1" 200 -
xx.xxx.xx.xxx - - [06/Oct/2023 10:46:49] "GET / HTTP/1.1" 200 -
xx.xxx.xx.xxx - - [06/Oct/2023 10:46:49] "GET / HTTP/1.1" 200
Hmmm I’m still not quite sure I follow it, this network neophyte. So say…
- VPN Client on Firewalla connected to VPN Service. Firewalla is assigned 8.8.8.8 (disregard erroneous IP schemes).
- On VPN Service, choose port 8888 to be forwarded. This in essence allows “outside world” to hit 8.8.8.8 on port 8888 and it will be forwarded through the tunnel to the Firewalla (VPN Client).
- On Firewalla, created a group with device A, B, C. On that group, enabled VPN Client… so basically A, B, C traverse the VPN tunnel.
- Ok, so now an outsider hits 8.8.8.8, on port 8888. How can I direct that request to device A since the VPN tunnel is between the Firewalla and the service? Yes, assuming device A is listening on 8888 of course.
- Ideally, I may also add port 9999 and forward to device B. That said, I’m happy to throw an nginx proxy in front of device A, B, C in the future, but I’m really stuck at #4 above… directing the inbound request.
Ok let me play around with Firewalla VPN client. My example was running WireGuard on the server itself.
PIA needs the client to request a forwarded port and it changes on every device that does, so I can’t really test… Sounds like AirVPN may be able to do it if you can peg a port to a device???
Say you have port 1234 in AirVPN. Have you tried running your service on port 1234 and then hitting the VPN IP:1234?
Well here is the thing. The VPN Client is initiated on the Firewalla so it… terminates there? Hope that makes sense. I need some way like… iptables maybe that will tell Firewalla… if you see a request coming through the VPN Tunnel for port 8888, send it over to the local device IP 192.168.1.100. Something like that.
Example: https://airvpn.org/forums/topic/9270-how-to-forward-ports-in-dd-wrt-tomato-with-iptables/
Basically, hey Firewalla, stuff coming in from this TUN on this port needs to be routed over to THERE on that port.
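What that "stuff coming in from this TUN on this port goes THERE" rule looks like on a plain Linux router, as an added example that is not from this thread, from AirVPN or from Firewalla's own configuration; the tunnel interface name tun0, the LAN host 192.168.1.100 and port 8888 are assumed/constructed values, and the rules are printed rather than applied unless you pass `apply`:

```shell
#!/bin/sh
# Added example, not from the thread or from Firewalla: the iptables rules a Linux
# router needs to steer a port that arrives on the VPN tunnel interface to one LAN host.
# Assumed/constructed names: tunnel interface tun0, LAN host 192.168.1.100, port 8888.

# Print the rules for PROTO/PORT arriving on VPN_IF, redirected to DEST_IP:DEST_PORT.
# Matching on "-i $vpn_if" is what keeps the service reachable only through the
# tunnel; nothing is opened on the WAN interface.
vpn_forward_rules() {
  vpn_if=$1; proto=$2; port=$3; dest_ip=$4; dest_port=${5:-$3}
  case $proto in
    tcp|udp) ;;
    *) echo "proto must be tcp or udp, got '$proto'" >&2; return 1 ;;
  esac
  case $port in
    ''|*[!0-9]*) echo "port must be numeric, got '$port'" >&2; return 1 ;;
  esac
  # 1. nat/PREROUTING: rewrite the destination of packets entering from the tunnel.
  echo "iptables -t nat -A PREROUTING -i $vpn_if -p $proto --dport $port" \
       "-j DNAT --to-destination $dest_ip:$dest_port"
  # 2. filter/FORWARD sees the post-DNAT address: admit only this flow, not the whole LAN.
  echo "iptables -A FORWARD -i $vpn_if -p $proto -d $dest_ip --dport $dest_port" \
       "-m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
  # 3. Replies back out through the tunnel.
  echo "iptables -A FORWARD -o $vpn_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Run the generated rules. Replies only work if the LAN host's outbound traffic is
# already routed through the tunnel (the "group" assigned to the VPN client in the
# discussion); otherwise replies leave via the WAN and the connection never completes.
apply_vpn_forward() {
  vpn_forward_rules "$@" | sh -e
}

if [ "${1:-}" = "apply" ]; then
  apply_vpn_forward tun0 tcp 8888 192.168.1.100
else
  vpn_forward_rules tun0 tcp 8888 192.168.1.100
fi
```

The optional fifth argument lets the tunnel-side port differ from the port the LAN host listens on (for example a provider-assigned port mapped onto a fixed service port).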
Oh just think I found it. Go to the device and add a port forwarding rule but make sure the interface is the VPN, not your WAN. That should do it without exposing anything from your WAN.
Side question. How do you like AirVPN? Thinking about switching since PIA doesn’t have a native WireGuard config and I need to run some hacky scripts to generate it. Would also be nice to configure port-forwarding from the web.
Oh my gosh. I hadn’t even dug that far to see I could select the VPN interface in the port forwarding screen…! When did that happen! Will give it a try. I’ve been holding off on AirVPN until this was figured out; I’m going to try very soon. I usually use my ProtonVPN sub.