New Feature: Client Export + Multi-WAN w/Port Forwards

  • Rebel Alliance Developer Netgate

    Yesterday I added a feature to the client export package that helps the VPN coexist better with Multi-WAN scenarios.

    How it works is like so:

    1. Set the 'interface' of the remote access VPN server to be localhost, or your LAN interface, not a WAN.
    2. Add a port forward for each WAN to forward traffic from an IP on WAN1, WAN2, etc. to the IP:port used in step 1.
    3. In the client export, for the "Host Name Resolution", choose either "Automagic Multi-WAN IPs" or "Automagic Multi-WAN Hostnames".
    4. Export the client as usual.

    The "Automagic Multi-WAN IPs" choice will look for port forwards and build a set of "remote …" lines for each port forward found that points to the VPN, and places them in the client configuration in the order they're found in the port forward list.

    The "Automagic Multi-WAN Hostnames" option works the same but takes the first Dynamic DNS hostname it can find for each port forward interface.

    As an added bonus, it isn't just for Multi-WAN: you can set up a bunch of port forwards for the same protocol and forward them all to the same instance, and it will add a remote line for all of them. So you can forward in 53, 123, 80, 1194, 5060, whatever you want, and as long as the port forward target IP and port match where the VPN is bound, it will add a remote line for it.

    Some caveats:

    • You can't use port forwards using aliases with more than one port, and you can't use ranges.
    • The 'destination' on a port forward must be a single IP, not a subnet or 'any'.
    • Probably something else I haven't found yet.
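    To make the selection rules concrete, here is an added example (not the client export package's own code) that walks a constructed port-forward list in rule order, keeps only forwards that target the VPN bind IP:port, applies the caveats above (no aliases, no ranges, single destination IP), and emits the "remote" lines for both the IP and the Dynamic DNS hostname modes. The dict keys, the sample rules and the choice to skip an interface with no Dynamic DNS hostname are assumptions.

```python
import ipaddress

# Constructed: VPN server bound to localhost (step 1) on UDP 1194.
VPN_BIND_IP, VPN_BIND_PORT, VPN_PROTO = "127.0.0.1", 1194, "udp"

# Constructed port forwards in pfSense rule order; the keys are hypothetical.
PORT_FORWARDS = [
    {"if": "wan",  "dst": "203.0.113.10",  "dport": "1194",      "target": "127.0.0.1", "tport": "1194", "proto": "udp"},
    {"if": "opt1", "dst": "198.51.100.20", "dport": "443",       "target": "127.0.0.1", "tport": "1194", "proto": "udp"},
    {"if": "wan",  "dst": "203.0.113.10",  "dport": "8000-8100", "target": "127.0.0.1", "tport": "1194", "proto": "udp"},  # range: skipped
    {"if": "wan",  "dst": "any",           "dport": "53",        "target": "127.0.0.1", "tport": "1194", "proto": "udp"},  # dest 'any': skipped
    {"if": "wan",  "dst": "203.0.113.10",  "dport": "VPN_Ports", "target": "127.0.0.1", "tport": "1194", "proto": "udp"},  # alias: skipped
    {"if": "wan",  "dst": "203.0.113.10",  "dport": "80",        "target": "10.0.0.5",  "tport": "80",   "proto": "tcp"},  # other target: skipped
    {"if": "opt2", "dst": "192.0.2.30",    "dport": "53",        "target": "127.0.0.1", "tport": "1194", "proto": "udp"},
]
# Constructed Dynamic DNS hostnames per interface (opt2 deliberately has none).
DYNDNS = {"wan": "site-a.example.com", "opt1": "site-b.example.com"}

def _single_port(p):
    # A plain port number only; alias names and ranges like "8000-8100" fail this.
    return p.isdigit() and 0 < int(p) < 65536

def _single_ip(a):
    # A single IP only; 'any' and subnets such as 203.0.113.0/24 fail this.
    try:
        ipaddress.ip_address(a)
        return True
    except ValueError:
        return False

def matching_forwards(forwards, bind_ip=VPN_BIND_IP, bind_port=VPN_BIND_PORT, proto=VPN_PROTO):
    # Keep rules that point at the VPN bind IP:port, preserving rule order.
    return [f for f in forwards
            if f["proto"] == proto
            and _single_port(f["dport"]) and _single_port(f["tport"])
            and _single_ip(f["dst"])
            and f["target"] == bind_ip and int(f["tport"]) == bind_port]

def remote_lines(forwards, mode="ips", dyndns=DYNDNS, **bind):
    # mode "ips" uses the WAN address of each rule; "hostnames" uses the
    # interface's Dynamic DNS hostname (assumption: no hostname -> rule skipped).
    lines = []
    for f in matching_forwards(forwards, **bind):
        host = f["dst"] if mode == "ips" else dyndns.get(f["if"])
        if host is not None:
            lines.append(f"remote {host} {f['dport']} {f['proto']}")
    return lines
```

Calling `remote_lines(PORT_FORWARDS)` yields three remote lines (WAN, OPT1, OPT2 in rule order); `remote_lines(PORT_FORWARDS, mode="hostnames")` yields two, because OPT2 has no Dynamic DNS hostname in the constructed table.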

  • This feature works great, however it does not work if the NAT rule was created using an alias. Any chance that could be added?

  • Rebel Alliance Developer Netgate

    I don't see that happening. While technically it may be possible, that would increase the complexity quite a lot for very little benefit to most users.
