VPN Cascading Ignores Port Forwarding

Background Information

  • Model: GL Technologies, Inc. AX1800
  • Firmware Version: 4.2.3
  • Firmware Type: release5
  • VPN Server: WireGuard
    • Allow Remote Access LAN
  • VPN Client: WireGuard
    • IP Masquerading
    • Services from GL.iNet Use VPN
  • Notable Firewall Changes: Access LAN services through real IP with active VPN client - #6 by hansome
  • Other information:
    • Custom DDNS set up
    • Port 80 and 443 Forwards to Client A on local network


My phone, on cellular network, connects to the WireGuard Server, it successfully connected.
I am able to connect to Client A via Local IP address (192.168.x.x).
When I attempt to connect to Client A via a domain name, it forwards to

Side Note

After enabling the custom firewall change (See link above, Internet Kill Switch doesn’t work)

What domain name are you accessing?

Please revise the script following

I test it with killswitch. It works. ie when I turn off VPN and the LAN clients can’t access Internet after a while.

I’m using my own domain name, say example.com

Hi @hansome , Kill Switch still doesn’t work (sorta)

  • I enabled Block Non-VPN Traffic
  • curl ipinfo.io returns VPN IP
  • I turned off VPN from dashboard
    • curl ipinfo.io returns curl: (6) Could not resolve host: ipinfo.io (Good)
  • I turned on VPN from dashboard
    • curl ipinfo.io returns MY HOME IP ADDRESS
    • I waited 2 minutes after the VPN status showed connected, curl ipinfo.io still returns my home IP address
  • I switched VPN from dashboard (without turning off VPN)
    • curl ipinfo.io returns VPN IP.

@lizh Do you think you can assist me with this matter? Thanks a lot!!

@hansome @lizh Hi, I’ve upgraded to v4.4.5 and issue persists.

v4.4.5 has not included “port forward” fix yet, please re-run the following commands:

cat >/etc/firewall.swap_wan_in_conn_mark.sh <<EOF

iptables-save -t mangle |sed '/_in_conn_mark/ s/-A PREROUTING/-I PREROUTING/' | iptables-restore -T mangle

As for curl returning the HOME IP ADDRESS, do you use VPN policy based on IP/domain? and where do you run curl command?
It could happen with the DNS cache or /proc/net/nf_conntrack cache.

Hi @hansome, I had re-ran that command but the problem persists.

I don’t have any VPN policy.
I ran curl on the router.

Please upload(better via a file) the debug output of command:


if you change port forward to another port, will it work?
For example, 8080 → 80, 4430 → 443

PM’d you. Thanks~

20 chars