
port forwarding is not working when OpenVPN client is active


mrjayviper

Registered
Joined
Jul 18, 2012
I'm trying to SSH into a UNIX box in my home network from work, but the connection is timing out. I looked at my port forwarding settings and everything seems to be ok.

Port forwarding works fine if I turn off the OpenVPN client.

Can you please help find a fix to my problem that doesn't involve turning off the OpenVPN client? If it's fixable, of course.

Thanks a lot!

Some info:

1. I can access the DDWRT Web Admin website remotely.

2. OpenVPN client is active. I have used Policy-based Routing setting to be able to access my router Web admin remotely.

3. iptables commands (all commands were run using DDWRT Administration => Commands unless stated otherwise)

Code:
#iptables -t nat -vnL PREROUTING

Chain PREROUTING (policy ACCEPT 3771 packets, 268K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  469 29996 DNAT       tcp  --  *      *       0.0.0.0/0            ISP-provided-static-IP         tcp dpt:443 to:192.168.1.1:443 
    2   112 DNAT       icmp --  *      *       0.0.0.0/0            ISP-provided-static-IP         to:192.168.1.1 
    0     0 DNAT       udp  --  ppp0   *       0.0.0.0/0            ISP-provided-static-IP         udp dpt:56010 to:192.168.1.31:56010 
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            ISP-provided-static-IP         tcp dpt:56010 to:192.168.1.31:56010 
    7   448 DNAT       tcp  --  *      *       0.0.0.0/0            ISP-provided-static-IP         tcp dpt:3283 to:192.168.1.11:3283 
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            ISP-provided-static-IP         udp dpt:3283 to:192.168.1.11:3283 
   10   592 DNAT       tcp  --  *      *       0.0.0.0/0            ISP-provided-static-IP         tcp dpt:5900 to:192.168.1.11:5900 
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            ISP-provided-static-IP         udp dpt:5900 to:192.168.1.11:5900 
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            ISP-provided-static-IP         tcp dpt:322 to:192.168.1.13:322 
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            ISP-provided-static-IP         udp dpt:322 to:192.168.1.13:322 
    3   192 DNAT       tcp  --  *      *       0.0.0.0/0            ISP-provided-static-IP         tcp dpt:522 to:192.168.1.15:522 
    2    56 DNAT       udp  --  *      *       0.0.0.0/0            ISP-provided-static-IP         udp dpt:522 to:192.168.1.15:522 
 2320  145K TRIGGER    0    --  *      *       0.0.0.0/0            ISP-provided-static-IP         TRIGGER type:dnat match:0 relate:0 


#iptables -vnL FORWARD

Chain FORWARD (policy ACCEPT 330 packets, 22973 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  311 15092 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
 6222  430K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.31        udp dpt:56010 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.31        tcp dpt:56010 
    7   448 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.11        tcp dpt:3283 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.11        udp dpt:3283 
   10   600 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.11        tcp dpt:5900 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.11        udp dpt:5900 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.13        tcp dpt:322 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.13        udp dpt:322 
    3   192 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.15        tcp dpt:522 
    2    56 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.15        udp dpt:522 
    0     0 TRIGGER    0    --  ppp0   br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0 
 6200  429K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
 5870  406K ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW

4. result of route -n

Code:
#route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.20.21.18     0.0.0.0         UG    0      0        0 ppp0
10.20.21.18     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
10.208.111.17   0.0.0.0         255.255.255.255 UH    0      0        0 tun1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0

5. result of ping commands

Code:
#ping -c 5 192.168.1.13

PING 192.168.1.13 (192.168.1.13): 56 data bytes
64 bytes from 192.168.1.13: seq=0 ttl=64 time=1.887 ms
64 bytes from 192.168.1.13: seq=1 ttl=64 time=0.615 ms
64 bytes from 192.168.1.13: seq=2 ttl=64 time=0.628 ms
64 bytes from 192.168.1.13: seq=3 ttl=64 time=0.580 ms
64 bytes from 192.168.1.13: seq=4 ttl=64 time=0.555 ms
--- 192.168.1.13 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.555/0.853/1.887 ms

#ping -c 5 192.168.1.15

PING 192.168.1.15 (192.168.1.15): 56 data bytes
64 bytes from 192.168.1.15: seq=0 ttl=64 time=0.758 ms
64 bytes from 192.168.1.15: seq=1 ttl=64 time=0.378 ms
64 bytes from 192.168.1.15: seq=2 ttl=64 time=0.359 ms
64 bytes from 192.168.1.15: seq=3 ttl=64 time=0.402 ms
64 bytes from 192.168.1.15: seq=4 ttl=64 time=0.440 ms
--- 192.168.1.15 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.359/0.467/0.758 ms

6. result of nmap command. This was run remotely (at work).

Code:
08:52:21 Tue Jul 21
root@mymacbook : ~
=> nmap -sT -sU -p 522 ISP-provided-static-IP

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-07-21 08:52 ACST
Nmap scan report for ISP-provided-static-IP (ISP-provided-static-IP)
Host is up (0.00034s latency).
rDNS record for ISP-provided-static-IP: ISP-provided-static-IP
PORT    STATE         SERVICE
522/tcp filtered      ulp
522/udp open|filtered ulp

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

7. result of ssh command. This was run remotely (at work).

Code:
08:52:28 Tue Jul 21
root@mymacbook : ~
=> ssh -p 522 myuser@ISP-provided-static-IP
ssh: connect to host ISP-provided-static-IP port 522: Operation timed out
 
Is the OpenVPN client on the PC or the router? How is the routing configured on the PC?

I have a suspicion that you are asymmetrically routing when the OpenVPN client is on. Traffic goes like so:

Remote PC -> Remote Firewall -> Internet -> Home Firewall/Routing (DD-WRT) -> Home PC -> OpenVPN -> Internet -> OpenVPN End Point (changes source IP) -> Internet -> Remote Firewall (traffic would be blocked here as it does not match any sessions as the IP has changed)

If you are always coming from the same IP, and you have split tunneling enabled with the OpenVPN client, you should be able to put in a persistent route on the PC pointing traffic from that IP to go out your normal connection and not through OpenVPN.

I am not sure, but OpenVPN may also be able to ignore specific ports or send only specific ports out the tunnel. I would look into the options on your OpenVPN client.
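One way to implement the fix the reply points at (keeping sessions that arrived on the WAN off the tunnel), as an added example that is not from the thread or from DD-WRT's own scripts: a router-side script that uses Linux connection marking plus a policy-routing rule so replies to the DNAT'd SSH session leave via ppp0 instead of tun1. The interface names ppp0 and br0 and the gateway 10.20.21.18 come from the thread's output; the mark 0x10, routing table 100 and rule priority 50 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: make replies to sessions that arrived on
# the WAN (ppp0) leave via the WAN, even when the LAN host's traffic is
# policy-routed through the OpenVPN tunnel (tun1). Mechanism: mark the
# connection on its first WAN packet, copy that mark onto its reply packets,
# and route marked packets through a table whose default route is the WAN.
WAN_IF="${WAN_IF:-ppp0}"   # WAN interface (from the thread's route -n output)
LAN_IF="${LAN_IF:-br0}"    # LAN bridge (from the thread's iptables output)
MARK="${MARK:-0x10}"       # assumed: connection mark for WAN-originated flows
TABLE="${TABLE:-100}"      # assumed: routing table holding the WAN default route
PREF="${PREF:-50}"         # assumed: must sort before the OpenVPN PBR rules

# Gateway of the current WAN default route (10.20.21.18 in the thread).
wan_gateway() {
    ip -4 route show dev "$WAN_IF" 2>/dev/null |
        awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "via") print $(i+1) }'
}

# Print the rules instead of running them, so they can be reviewed first.
# $1 = WAN gateway; empty means a point-to-point default route without "via".
gen_rules() {
    gw="$1"
    if [ -n "$gw" ]; then
        route="default via $gw dev $WAN_IF"
    else
        route="default dev $WAN_IF"
    fi
    cat <<EOF
iptables -t mangle -A PREROUTING -i $WAN_IF -m state --state NEW -j CONNMARK --set-mark $MARK
iptables -t mangle -A PREROUTING -i $LAN_IF -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
ip rule add fwmark $MARK lookup $TABLE pref $PREF
ip route replace $route table $TABLE
ip route flush cache
EOF
}

if [ "${1:-}" = "--apply" ]; then   # on the router: apply the rules
    gw=$(wan_gateway)
    [ -n "$gw" ] || echo "no 'via' gateway on $WAN_IF, using a device route" >&2
    gen_rules "$gw" | sh -e
else                                # default: print the rules for review
    gen_rules "${1:-10.20.21.18}"
fi
```

Without arguments it prints the rules for review; with `--apply` it runs them (on DD-WRT, put them in the firewall script so they survive a reboot). Check `ip rule show` first so that pref 50 really sorts ahead of the OpenVPN policy-routing rules, otherwise the VPN rule still wins.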