
Port forwarding does not work

Open hydazz opened this issue 2 years ago • 0 comments

I have set up split-vpn on my UDM Pro, on VLAN 69, and all traffic on that VLAN does indeed go through that VLAN. qBittorrent is set up listening on TCP/UDP port 54913, but the port is not showing as open:

image

VPN side port forwarding: image

split-vpn config:

root@Enterprise:/data/split-vpn/nexthop/torguard# cat vpn.conf
### SPLIT VPN OPTIONS ###
# Enter multiple entries separated by spaces.
# Do not enter square brackets around the entries.

# Force these sources through the VPN.
# Format: [brX] for interface. [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
FORCED_SOURCE_INTERFACE="br69"

# Exempt these destinations from the VPN.
# Format: [IP/nn]
EXEMPT_DESTINATIONS_IPV4="192.168.0.0/16"
EXEMPT_DESTINATIONS_IPV6=""

# VPN port forwards.
# Format: [tcp/udp/both]-[VPN Port]-[Forward IP]-[Forward Port]
PORT_FORWARDS_IPV4="both-54913-192.168.69.2-54913"
PORT_FORWARDS_IPV6=""

# Enabling kill switch drops VPN-destined traffic that doesn't go through the VPN.
KILLSWITCH=1

# Enable this only if you are testing or you don't care about your real IP leaking
# when the vpn client restarts or exits.
REMOVE_KILLSWITCH_ON_EXIT=0

# Enable this if you added blackhole routes in the Unifi Settings to prevent Internet
# access at system startup before the VPN script runs. This option removes the blackhole
# routes to restore Internet access after the killswitch has been enabled.
# If you do not set this to 1, openvpn will not be able to connect at startup, and your
# Internet access will never be enabled until you manually remove the blackhole routes.
# Set this to 0 only if you did not add any blackhole routes.
REMOVE_STARTUP_BLACKHOLES=1

# Set the VPN provider.
# "openvpn" for OpenVPN (default), "openconnect" for OpenConnect, "external" for wireguard,
# or "nexthop" for an external VPN client.
VPN_PROVIDER="nexthop"

# If using "external" for VPN_PROVIDER, set this to the VPN endpoint IP so that the
# gateway route can be automatically added for the VPN endpoint.
# OpenVPN passes the VPN endpoint IP to the script and will override these values.
# These must be defined if using VPN_PROVIDER="nexthop".
VPN_ENDPOINT_IPV4="192.168.3.69"
VPN_ENDPOINT_IPV6=""

# Set this to the route table that contains the gateway route, "auto", or "disabled".
# The Ubiquiti route table is "201" if you're using Ethernet, "202" for SFP+, and
# "203" for U-LTE.
# Default is "auto" which works with WAN failover and automatically changes the endpoint
# via gateway route when the WAN or gateway routes changes.
# Set to "disabled" if you are using the nexthop option to connect to a VPN on your LAN.
GATEWAY_TABLE="disabled"

# Set this to the timer to use for the rule watcher (in seconds).
# The script will wake up every N seconds to re-add rules if they're deleted by
# the system, or change gateway routes if they changed. Default is 1 second.
WATCHER_TIMER=1

# Options for custom table and chains.
# These options need to be unique for each instance of openvpn if running multiple.
ROUTE_TABLE=101
MARK=0x169
PREFIX="VPN_"
PREF=99
DEV=br3

traceroute on the container in question (qbittorrent):

root@12ad3c96eb22:/# traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 46 byte packets
 1  192.168.69.1 (192.168.69.1)  0.286 ms  0.222 ms  0.168 ms
 2  192.168.3.69 (192.168.3.69)  0.273 ms  0.253 ms  0.247 ms
 3  10.13.0.1 (10.13.0.1)  12.270 ms  11.907 ms  12.357 ms
 4  93.115.35.97 (93.115.35.97)  12.735 ms  12.731 ms  12.994 ms
 5  217.138.223.132 (217.138.223.132)  49.086 ms  26.600 ms  29.825 ms
 6  gr-4-0-0-0.core1.fra2.de.m247.com (193.27.15.90)  13.219 ms  217.138.223.72 (217.138.223.72)  12.948 ms  12.860 ms
 7  13335.syd.equinix.com (45.127.172.154)  13.607 ms  193.27.15.88 (193.27.15.88)  13.010 ms  13335.syd.equinix.com (45.127.172.154)  24.167 ms
 8  13335.syd.equinix.com (45.127.172.154)  22.980 ms  13.540 ms  172.69.60.3 (172.69.60.3)  13.599 ms
 9  one.one.one.one (1.1.1.1)  12.394 ms  12.683 ms  12.666 ms

Everything appears to be set up correctly, and the port was open when I was using another solution with the same WireGuard config. Any ideas?

hydazz Oct 08 '23 04:10
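A way to check an entry like `PORT_FORWARDS_IPV4="both-54913-192.168.69.2-54913"` by hand is to expand it into the NAT and forward rules it implies and compare those against what is actually loaded on the gateway. The script below is an added example, not split-vpn's own code: it parses the documented `[tcp/udp/both]-[VPN Port]-[Forward IP]-[Forward Port]` format, expands `both` into a TCP and a UDP rule, and prints the `iptables` commands instead of applying them. The chain names (`VPN_PREROUTING`, `VPN_FORWARD`) and the use of `DEV` as the interface on which VPN traffic arrives are assumptions for illustration; the project's real chain layout may differ.

```sh
#!/bin/sh
# Added example (not split-vpn's code): expand PORT_FORWARDS_IPV4 entries into
# the iptables rules a VPN-side port forward needs, printed for review rather
# than applied. VPN_DEV and PREFIX mirror the DEV and PREFIX options in vpn.conf
# (assumed mapping); the chain names are illustrative.

VPN_DEV="${VPN_DEV:-br3}"
PREFIX="${PREFIX:-VPN_}"

# expand_one PROTO VPNPORT FWDIP FWDPORT
# Prints the two rules for a single protocol: DNAT on the VPN interface,
# then an explicit ACCEPT so the forwarded flow is not dropped by the kill switch.
expand_one() {
    proto=$1; vport=$2; fwdip=$3; fwdport=$4
    echo "iptables -t nat -A ${PREFIX}PREROUTING -i ${VPN_DEV} -p ${proto} --dport ${vport} -j DNAT --to-destination ${fwdip}:${fwdport}"
    echo "iptables -A ${PREFIX}FORWARD -i ${VPN_DEV} -p ${proto} -d ${fwdip} --dport ${fwdport} -j ACCEPT"
}

# expand_port_forwards "ENTRY ENTRY ..."
# Space-separated entries, each "[tcp/udp/both]-[VPN Port]-[Forward IP]-[Forward Port]".
# Returns 1 on a malformed entry or unknown protocol so a typo is caught before
# anything reaches the firewall.
expand_port_forwards() {
    entries=$1
    for entry in $entries; do
        # Split the entry on '-' into exactly four fields.
        oldifs=$IFS; IFS=-; set -- $entry; IFS=$oldifs
        if [ $# -ne 4 ]; then
            echo "malformed port forward entry: $entry" >&2
            return 1
        fi
        proto=$1; vport=$2; fwdip=$3; fwdport=$4
        case $proto in
            tcp|udp) expand_one "$proto" "$vport" "$fwdip" "$fwdport" ;;
            both)
                expand_one tcp "$vport" "$fwdip" "$fwdport"
                expand_one udp "$vport" "$fwdip" "$fwdport"
                ;;
            *)
                echo "unknown protocol in entry: $entry" >&2
                return 1
                ;;
        esac
    done
}

# Example run with the entry from the vpn.conf above (constructed call).
expand_port_forwards "both-54913-192.168.69.2-54913"
```

Compare the printed rules with `iptables -t nat -S` and `iptables -S` on the gateway, then watch the packet counters with `iptables -t nat -L -v -n` while an external port check runs: a DNAT rule whose counter never increments means the traffic is not arriving on the interface the rule matches, which is a different problem from a rule that is missing altogether.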