Port forwarding with vpn



  • Hello, I just entered the world of pfSense.

    It's really easy to install it, make some changes and configure my VPN on it (NordVPN).

    I just tried to set up some port forwarding. I spent some hours trying, but it's still not working.

    I have on my pfsense

    • WAN
    • LAN
    • Nordvpn

    I'm trying to forward a port to my LAN address.

    What should I do?

    Thank you for your help


  • LAYER 8 Rebel Alliance

    You are talking about incoming ports from the VPN tunnel? Your VPN provider needs to support port forwarding; AFAIK NordVPN does not.

    -Rico



  • Thanks for your quick answer,

    Yes, I'd like to access my server, which has NordVPN connected 24/7, from outside my home.

    So what do you advise me to do if it's not possible?


  • LAYER 8 Rebel Alliance

    You don't need any VPN provider for this, just run your own OpenVPN RAS with pfSense.
    Check out https://docs.netgate.com/pfsense/en/latest/book/openvpn/using-the-openvpn-server-wizard-for-remote-access.html

    -Rico



  • OK, I'll try it, but can I have NordVPN and my own OpenVPN at the same time?


  • LAYER 8 Moderator

    @spospo said in Port forwarding with vpn:

    OK, I'll try it, but can I have NordVPN and my own OpenVPN at the same time?

    Why would they meddle with each other? If you dial in to your Home IP to access your LAN just make sure you don't force all exiting traffic to NordVPN but let the RAS tunnel network out via default GW and you should be good.



  • I'm not familiar with that. I want the best security, that's it.
    So I don't want to connect without a VPN.

    If I'm right:
    at home, when I use the internet, it's through NordVPN;
    outside, if I connect to my server, I use my own OpenVPN, which gives me the same network address, so I can connect to my server? Without any change on pfSense?


  • LAYER 8 Moderator

    @spospo said in Port forwarding with vpn:

    I want the best security, that's it.

    So why do you route all your traffic through some shady VPN company? I'd not call that secure per se.

    So I don't want to connect without a VPN.

    You would be using your own VPN? What's the problem with that?

    outside, if I connect to my server, I use my own OpenVPN, which gives me the same network address, so I can connect to my server? Without any change on pfSense?

    No, you won't connect to your server but start your OVPN client, dial in to your home and then start a connection to your server's LAN IP. The only thing to that is that the dial-in IP space you define in the OVPN setup should be excluded from routing through your NordVPN thingy, so the answer traffic from your server will flow back through your own VPN connection instead of being routed to some NordVPN server anywhere.
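
The routing exclusion described in the reply above, as an added example that is not part of the thread: a simplified first-match model of LAN firewall rules (it ignores state tracking) showing where traffic for dial-in clients leaves with and without a no-gateway rule above the NordVPN policy-route rule. All subnets, rule names and the `NORDVPN` gateway label are constructed assumptions.

```python
import ipaddress

# Constructed addressing for illustration; none of it comes from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")  # dial-in (road warrior) network


def rule(name, dst, gateway):
    """gateway=None means 'no policy route': the normal routing table decides."""
    return {"name": name, "dst": ipaddress.ip_network(dst), "gateway": gateway}


POLICY_ONLY = [rule("LAN to any via NordVPN", "0.0.0.0/0", "NORDVPN")]
WITH_BYPASS = [rule("LAN to dial-in clients", "10.8.0.0/24", None)] + POLICY_ONLY


def egress(rules, dst_ip):
    """First matching rule wins; no match means the default deny applies."""
    addr = ipaddress.ip_address(dst_ip)
    for r in rules:
        if addr in r["dst"]:
            return r["gateway"]
    return "BLOCK"


def audit(rules, lan_net, tunnel_net):
    """List reasons why traffic for dial-in clients would not use the own tunnel."""
    findings = []
    if lan_net.overlaps(tunnel_net):
        findings.append("dial-in network overlaps the LAN")
    for r in rules:
        if not r["dst"].overlaps(tunnel_net):
            continue
        if r["gateway"] is not None:
            findings.append(f"'{r['name']}' policy-routes dial-in traffic to {r['gateway']}")
        elif not tunnel_net.subnet_of(r["dst"]):
            findings.append(f"'{r['name']}' covers only part of the dial-in network")
            continue
        break
    return findings


if __name__ == "__main__":
    for label, rules in (("policy only", POLICY_ONLY), ("with bypass", WITH_BYPASS)):
        print(label, "->", egress(rules, "10.8.0.6"), audit(rules, LAN_NET, TUNNEL_NET))
```
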



  • @JeGr said in Port forwarding with vpn:

    So why do you route all your traffic through some shady VPN company? I'd not call that secure per se.

    What do you advise? My own VPN on a dedicated server/VPS?

    @JeGr said in Port forwarding with vpn:

    So I don't want to connect without a VPN.

    I mean for viewing websites...


  • LAYER 8 Moderator

    @spospo said in Port forwarding with vpn:

    What do you advise? My own VPN on a dedicated server/VPS?

    Depends on the circumstances. But security? Really? What for exactly? Watching Netflix in other countries etc. -> OK, VPN is useful. Sitting in some open WiFi without even the slightest security? Hell yeah, VPN (but normally my own). But what do I need a VPN for in terms of "security"? Privacy I'd get - at least partially - but even then, if you want privacy, TOR is the better alternative than decrypting your whole traffic and sending it to some marketing bullshit company that then decrypts your traffic and sends it on its way. So they know the same/more than your ISP about you. Potentially more, because you would also send DNS over that tunnel, so that company knows what (DNS) you are looking for and when/how you call it and how long. If you ran DNS over pfSense and the DNS resolver, it would then resolve every domain at its server (e.g. the server that is authoritative). And if you're curious about your ISP sniffing DNS, you could also use an external DNS forwarding via DoT to some other provider, which then would only know your DNS queries. Not your complete ISP traffic. It comes down to trust, and if you don't trust your ISP at least with something, then why do you trust a strange company that plays marketing bullshit bingo with buzzwords and wants money from you to route your complete traffic? What makes them the "good guys" that will definitely fight for your right for security and privacy?

    But yeah we discussed that in quite some topics already. Don't want to go off-topic, but if I read security with some low cost super-duper VPN providers that advertise "military grade security"... ;) Was just curious.



  • @JeGr said in Port forwarding with vpn:

    No, you won't connect to your server but start your OVPN client, dial in to your home and then start a connection to your server's LAN IP. The only thing to that is that the dial-in IP space you define in the OVPN setup should be excluded from routing through your NordVPN thingy, so the answer traffic from your server will flow back through your own VPN connection instead of being routed to some NordVPN server anywhere.

    That's it! I'll try this.



  • I use DNS from 9.9.9.9


  • LAYER 8 Moderator

    @spospo Ah, so you even let your domains be read out and blocked by blocklists not managed by you but by another agency? For security? ;)

    @spospo said in Port forwarding with vpn:

    That's it! I'll try this.

    Just try to set up a RAS/road warrior style OVPN setup, either via the wizard or docs.netgate.com - should work pretty smoothly :)



  • Thx, I'm working on it ☺



  • VPNs utilize port sending administrations too. Much the same as your switch turns into the interface between your PC and the web and doesn't give the PC a chance to contact the web legitimately, VPN servers additionally utilize port sending to ensure a customer doesn't cooperate straightforwardly with the web.

