Netgate Discussion Forum

    Port Forwarding from VPN Provider…

      killerb81

      Hi guys, I have searched around for an answer and can't come up with a thing.

      I have a VPN provider (Private Internet Access), they allow you to forward one (and only one) port through the VPN tunnel back to your computer.  This single forwarded port is usually used for the listening port for torrent transfers, it ensures that you're connectable.

      So, with this particular VPN provider you can either download their client program and install it on the machine you wish to send through the VPN or, like in my case, you can set up the VPN connection on your router and route all your LAN traffic through it.

      If you want to forward a port, it's real simple if you're using their client program.  You just check a box saying "Port Forwarding" and when you connect a pop-up tells you which port is being forwarded to you. 
      Until recently that was the only way to do it; now they've allowed users connecting in ways other than their client to forward a port, but it involves some type of scripting.

      This is the part I don't know how to do, there's a thread on it on their forum site ( https://www.privateinternetaccess.com/forum/index.php?p=/discussion/180/port-forwarding-without-the-application-advanced-users ), but nowhere does it mention pfSense specifically.

      My question is, how can this be done in pfSense?  Is there some kind of scripting interface that can run a certain bunch of code every so often and return a port number somehow?

      I hope there's someone out there who can help.

      Thanks a lot!!

        jimp Rebel Alliance Developer Netgate

        It won't work unless you're on 2.1, but you can do it like so:

        Interfaces > (assign), assign the OpenVPN interface (ovpncX) as a new OPT
        Interfaces > OPTx (whatever you just made)
        Enable, set IP type to 'none', save.
        VPN > OpenVPN, edit/save the VPN once to make sure it's reinitialized (needed just this one time right after interface assignment)

        Then just add a port forward as you would on any other WAN.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          killerb81

          I have the VPN connection set up and working already.
          Are you telling me how to set it up?

          My question is about the forwarded port…  my VPN provider will forward a port to me, but I don't know which one... it could be different every time you connect.
          If you don't connect using their client software (which is the easy way to find out what number the forwarded port is), then you have to use the script that's in the thread above to determine which port number you have been forwarded.

          That's what I want to know how to do in pfSense.

          Am I making sense?

            jimp Rebel Alliance Developer Netgate

            Yes, but forwarding a port in on a VPN interface won't work unless you have it assigned and you're running pfSense 2.1.

            Even if you figure out how to forward the "right" port, on 2.0.x the return traffic won't go back over the VPN for the port forward.

            Just letting you know that so you don't get one half figured out and then wonder why it still doesn't work.

            Shouldn't be terribly difficult to write a script to update a port alias in a cron job with the results of that script.

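The cron-job approach jimp suggests above, as an added example that is not from the thread or from any poster: a POSIX sh wrapper that treats the provider script's result as untrusted input, validates it as a port, and calls the alias update only when the port has changed. The state file path, `UPDATE_CMD`, and the script names in the crontab comment are hypothetical; the command that actually rewrites the pfSense port alias is site-specific and is not given on this page.

```shell
#!/bin/sh
# Added example: cron wrapper that applies a provider-assigned forwarded port.
# All paths and names are hypothetical; the alias-update command is site-specific.
# Hypothetical crontab entry (get_fwd_port.sh stands for the provider's script):
#   */15 * * * * /root/sync_fwd_port.sh "$(/root/get_fwd_port.sh)"
STATE_FILE="${STATE_FILE:-/var/db/vpn_fwd_port}"  # last port applied (assumed path)
UPDATE_CMD="${UPDATE_CMD:-true}"                  # placeholder: program that sets the alias to $1

# The provider's reply is untrusted input headed for firewall config:
# accept only a bare decimal 1-65535, no leading zeros, no extra characters.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# Prints "updated" or "unchanged"; returns 2 on a rejected value, 3 if the
# update step fails (state is then left untouched so the next run retries).
sync_port() {
    new="$1"
    if ! valid_port "$new"; then
        echo "rejected forwarded-port value" >&2
        return 2
    fi
    old=""
    if [ -r "$STATE_FILE" ]; then old=$(cat "$STATE_FILE"); fi
    if [ "$new" = "$old" ]; then
        echo "unchanged"          # no rule reload when nothing changed
        return 0
    fi
    "$UPDATE_CMD" "$new" || return 3
    tmp="$STATE_FILE.$$"
    ( umask 077; printf '%s\n' "$new" > "$tmp" ) && mv "$tmp" "$STATE_FILE" || return 3
    echo "updated"
}

# When run from cron, the candidate port arrives as the first argument.
if [ $# -gt 0 ]; then
    sync_port "$1"
fi
```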
              killerb81

              Oh ok, I see…

              But I think I have it set up already.  Here's what I have:

              Two OpenVPN clients connected to two different servers (one in the US, and one in Canada).
              I wanted certain computers to go through specific tunnels.
              For example, AppleTV to go to the US server, desktop computer to go to Canada server... etc...

              That's all set up already and I have traffic leaving my LAN and going through the right tunnels.

              Do I have to do anything further (what you're saying above), in order to make sure the return traffic is going through the tunnel?
              Because ALL the traffic for the computer I want to forward that port to is already going through the right tunnel.

              Also,  what's a cron job?

                naughtycamel

                @jimp:

                Even if you figure out how to forward the "right" port, on 2.0.x the return traffic won't go back over the VPN for the port forward.

                I have pfsense configured with a DHCP assigned address on the WAN interface, VPN interface is set as default gateway, LAN interface assigns IP, DNS, and Gateway addresses to a single "protected" host via DHCP. Does this make return path more likely to work?

                Requirements are as simple as I can make them for now. I'll add complexity later. Just having this work has a lot of value.

                  eddie4

                  I think there is some confusion.

                  pfSense 2.0 with PIA VPN
                  Works

                  pfSense 2.0 with PIA VPN and port forwarding
                  Doesn't work

                  pfSense 2.1 with PIA VPN and port forwarding
                  Works but a script is needed to get a port from PIA and update NAT rule.

                  I don't have the knowledge or skill to make a script but we might be able to Post a bounty. I don't think it will require too much time for someone who knows what he is doing.

                  EDIT:

                  PIA= privateinternetaccess.com

                  I just realized that there is no reason to run the script on pfSense, so you could use one of the scripts that is already on the site. Which just made this task a lot easier but still running it on pfSense would be a far nicer approach as you can update your NAT rules.

                    naughtycamel

                    @eddie4:

                    I just realized that there is no reason to run the script on pfSense, so you could use one of the scripts that is already on the site. Which just made this task a lot easier but still running it on pfSense would be a far nicer approach as you can update your NAT rules.

                    Yes. As I understand it, the reply-to functionality for releases prior to 2.1 does not work for OpenVPN tunnels. Not certain if pf is the issue or pfSense. I got port forwarding to work with a static rule by following suggestions from jimp as posted above.

                    I already have a script partially working as described in this thread:
                    http://forum.pfsense.org/index.php/topic,60341.0.html

                    Having previously used iptables on Tomato isn't helping because the model and the tools for pf are very, very different and cause me to make incorrect assumptions. Hopefully I can have something usable soon.

                      joelones

                      naughtycamel, I was just wondering if you got this working?

                      I am new to pfsense so I am struggling with the basics but I'd like to get this working as I too have PIA and would like to dynamically update the firewall rules to enable port forwarding (port given to me from PIA) and update my torrent client on another VM.

                      Is this possible?

                      EDIT: so I created a script (on the pfsense VM) which is able to get the forwarded port (which PIA assigns) and I am able to update that port on my torrent client which resides on another VM. The Openvpn connection is established on the pfsense.

                      I'm just not sure what needs to be done on the pfsense VM to forward that port to the internal torrent client.

                      Please, thoughts?

                        joelones

                        jimp, you think I can get your help with my similar issue?

                        http://forum.pfsense.org/index.php/topic,65230.0.html

                        much appreciated

                          killerb81

                          What do you mean by "internal torrent client"?
                          I'd be interested in having a look at your scripting.

                          Any chance you could post it?
