Need help with port forwarding on PiVPN

I have successfully set up a VPS with PiVPN, and I am interested in using it to forward certain ports from my computer, which is currently located behind a CG NAT. I would greatly appreciate it if someone could guide me through the necessary steps to accomplish this task. As a complete novice, any additional details and explanations would be immensely helpful. Thank you!

Comments

  • r4h156r4h156 Member

    Try iptables -t nat -A PREROUTING -p [tcp/udp] --dport [port to forward] -j DNAT --to-destination [computer's IP address on VPN interface]:[same port] for each port you want to forward. TCP and UDP are done separately.

    iptables rules do not persist upon reboot, so install iptables-persistent (this will automatically save the rules). If you change them in the future, run sudo sh -c 'iptables-save > /etc/iptables/rules.v4' to save the changes.

  • psychobacterpsychobacter Member
    edited June 2023

    @r4h156 said:
    Try iptables -t nat -A PREROUTING -p [tcp/udp] --dport [port to forward] -j DNAT --to-destination [computer's IP address on VPN interface]:[same port] for each port you want to forward. TCP and UDP are done separately.

    iptables rules do not persist upon reboot, so install iptables-persistent (this will automatically save the rules). If you change them in the future, run sudo sh -c 'iptables-save > /etc/iptables/rules.v4' to save the changes.

    What is the syntax if I want to do it for a range of ports? Also, how do I find my computer's IP on the VPN interface?

  • r4h156r4h156 Member

    @psychobacter said: What is the syntax if I want to do it for a range of ports?

    It might work to do --dport start:end and --to-destination IP:start-end, but I have not personally tested it.

    @psychobacter said: Also, how do I find my computer's IP on the VPN interface?

    ip a on Linux or ipconfig /all on Windows.

  • # redirect 5555:6666 to INTERNALIP
    iptables -t nat -A PREROUTING -p tcp -i EXTERNALIF -d EXTERNALIP -m multiport --dports 5555:6666 -j DNAT --to INTERNALIP
    # masquerade as coming from myself
    iptables -t nat -A POSTROUTING -p tcp -m multiport --dports 5555:6666 -d INTERNALIP -j MASQUERADE
    
  • @r4h156 said:

    @psychobacter said: What is the syntax if I want to do it for a range of ports?

    It might work to do --dport start:end and --to-destination IP:start-end, but I have not personally tested it.

    @psychobacter said: Also, how do I find my computer's IP on the VPN interface?

    ip a on Linux or ipconfig /all on Windows.

    Here's the MOTD displayed when my VPS boots up:

    IPv4 address for wg0: 10.47.41.1
    IPv6 address for wg0: fd11:5ee:bad:c0de::1

    Is this the correct address?

  • @eliphas said:
    # redirect 5555:6666 to INTERNALIP
    iptables -t nat -A PREROUTING -p tcp -i EXTERNALIF -d EXTERNALIP -m multiport --dports 5555:6666 -j DNAT --to INTERNALIP
    # masquerade as coming from myself
    iptables -t nat -A POSTROUTING -p tcp -m multiport --dports 5555:6666 -d INTERNALIP -j MASQUERADE

    What should I put in the external IP field? My CGNAT IP or my VPS's public IP address.

  • r4h156r4h156 Member

    @psychobacter said: What should I put in the external IP field? My CGNAT IP or my VPS's public IP address.

    You want to run the iptables command on your VPS. The IP address that you should use in the command is the one that your computer has for the WireGuard interface. It should be in the generated config file, 10.47.41.x.

  • @r4h156 said:

    @psychobacter said: What should I put in the external IP field? My CGNAT IP or my VPS's public IP address.

    You want to run the iptables command on your VPS. The IP address that you should use in the command is the one that your computer has for the WireGuard interface. It should be in the generated config file, 10.47.41.x.

    I don't think both the internal and the external IP fields would be the same. The internal IP would be something like 10.47.41.x, so what would the external IP mentioned in his command be?

  • r4h156r4h156 Member
    edited June 2023

    @psychobacter said: what would the external IP mentioned in his command be

    Sorry, misread that. It would be your VPS's external IP since the iptables rule is on your VPS.
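
The thread's answers combined into one rule set, as an added example that is not part of any post: a shell function that validates its inputs and prints the rules to run on the VPS, binding the DNAT to the public interface and address and permitting only the forwarded ports through FORWARD. The function names, eth0, 203.0.113.10 and 10.47.41.2 are constructed placeholders for the VPS's public interface, its public IP and the computer's wg0 address.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) the iptables rules
# that forward a port or port range from a VPS to one WireGuard peer.

# is_port N: true if N is an integer in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_ipv4 A.B.C.D: true if there are four octets, each 0..255
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_forward_rules PROTO PORTS WAN_IF VPS_PUBLIC_IP PEER_WG_IP [WG_IF]
# PORTS is "N" or "START:END" (the --dport range syntax).
gen_forward_rules() {
    proto=$1 ports=$2 wan_if=$3 public_ip=$4 peer_ip=$5 wg_if=${6:-wg0}
    case "$proto" in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
    first=${ports%%:*}; last=${ports##*:}
    { [ "$ports" = "$first" ] || [ "$ports" = "$first:$last" ]; } &&
        is_port "$first" && is_port "$last" && [ "$first" -le "$last" ] ||
        { echo "bad port spec: $ports" >&2; return 1; }
    is_ipv4 "$public_ip" && is_ipv4 "$peer_ip" ||
        { echo "bad IPv4 address" >&2; return 1; }
    for ifname in "$wan_if" "$wg_if"; do
        case "$ifname" in ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;; esac
    done
    # Routing between interfaces must be on; harmless if it already is.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Rewrite the destination only for traffic arriving on the public side.
    # No port in --to-destination keeps the original destination port.
    echo "iptables -t nat -A PREROUTING -i $wan_if -d $public_ip -p $proto --dport $ports -j DNAT --to-destination $peer_ip"
    # Allow only the forwarded flows into the tunnel, plus their replies.
    echo "iptables -A FORWARD -i $wan_if -o $wg_if -d $peer_ip -p $proto --dport $ports -j ACCEPT"
    echo "iptables -A FORWARD -i $wg_if -o $wan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Source-NAT onto the tunnel so replies come back through the VPS; the peer
    # then sees the VPS's tunnel address as the source, not the real client IP.
    echo "iptables -t nat -A POSTROUTING -o $wg_if -d $peer_ip -p $proto --dport $ports -j MASQUERADE"
}

# Constructed sample values (see the lead-in); prints five commands to review.
gen_forward_rules tcp 5555:6666 eth0 203.0.113.10 10.47.41.2
```

Rules added with -A land after any rules already in the chain, so check iptables -S FORWARD for an earlier rule that drops the traffic before relying on them.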
