VPN Cascading Ignores Port Forwarding

briar-spoon-celibate · July 27, 2023, 12:13am

Background Information

Model: GL Technologies, Inc. AX1800
Firmware Version: 4.2.3
Firmware Type: release5
VPN Server: WireGuard
- Allow Remote Access LAN
VPN Client: WireGuard
- IP Masquerading
- Services from GL.iNet Use VPN
Notable Firewall Changes: Access LAN services through real IP with active VPN client - #6 by hansome
Other information:
- Custom DDNS set up
- Port 80 and 443 Forwards to Client A on local network

Issue

My phone, on cellular network, connects to the WireGuard Server, it successfully connected.
I am able to connect to Client A via Local IP address (192.168.x.x).
When I attempt to connect to Client A via a domain name, it forwards to 192.168.8.1.

Side Note

After enabling the custom firewall change (See link above, Internet Kill Switch doesn’t work)

lizh · July 27, 2023, 3:17am

What domain name are you accessing?

hansome · July 27, 2023, 10:09am

Please revise the script following

I test it with killswitch. It works. ie when I turn off VPN and the LAN clients can’t access Internet after a while.

briar-spoon-celibate · July 27, 2023, 12:15pm

I’m using my own domain name, say example.com

briar-spoon-celibate · August 16, 2023, 1:18am

Hi @hansome , Kill Switch still doesn’t work (sorta)

I enabled Block Non-VPN Traffic
curl ipinfo.io returns VPN IP
I turned off VPN from dashboard
- curl ipinfo.io returns curl: (6) Could not resolve host: ipinfo.io (Good)
I turned on VPN from dashboard
- curl ipinfo.io returns MY HOME IP ADDRESS
- I waited 2 minutes after the VPN status showed connected, curl ipinfo.io still returns my home IP address
I switched VPN from dashboard (without turning off VPN)
- curl ipinfo.io returns VPN IP.

briar-spoon-celibate · August 16, 2023, 1:20am

lizh:

What domain name are you accessing?

@lizh Do you think you can assist me with this matter? Thanks a lot!!

briar-spoon-celibate · August 26, 2023, 4:57am

@hansome @lizh Hi, I’ve upgraded to v4.4.5 and issue persists.

hansome · August 27, 2023, 5:14am

v4.4.5 has not included “port forward” fix yet, please re-run the following commands:

cat >/etc/firewall.swap_wan_in_conn_mark.sh <<EOF
#!/bin/sh

iptables-save -t mangle |sed '/_in_conn_mark/ s/-A PREROUTING/-I PREROUTING/' | iptables-restore -T mangle
EOF

As for curl returning the HOME IP ADDRESS, do you use VPN policy based on IP/domain? and where do you run curl command?
It could happen with the DNS cache or /proc/net/nf_conntrack cache.

briar-spoon-celibate · August 27, 2023, 1:20pm

Hi @hansome, I had re-ran that command but the problem persists.

I don’t have any VPN policy.
I ran curl on the router.

hansome · August 27, 2023, 1:37pm

Please upload(better via a file) the debug output of command:

iptables-save

if you change port forward to another port, will it work?
For example, 8080 → 80, 4430 → 443

briar-spoon-celibate · August 27, 2023, 2:00pm

PM’d you. Thanks~

20 chars