Port forwarding from the VPN server's Internet channel to a remote local network behind a VPN client
There is a Keenetic Hero (local network 192.168.1.0/24) with Internet access via a public WAN IP address, on which a PPTP VPN server is enabled. In a different location, there is a Keenetic Carrier (local network 192.168.2.0/24) connected to the Internet with a private IP address via another ISP. A PPTP VPN tunnel is established between Keenetic Hero и Carrier.
How do I access the web interface of a remote Keenetic Carrier or another host on the local network, which is behind a VPN tunnel, from the Internet using the public WAN IP address of KeeneticHero? How to configure port forwarding from the WAN interface of Keenetic Hero to the local network behind Keenetic Carrier?
1. The Keenetic Hero router connects to the Internet via the ISP interface with a public WAN IP address.
2. In Keenetic , you need to enable the NAT for clients mechanism in the VPN server settings (in the Applications > PPTP VPN Server menu), disable the Multiple sign-in option to use one connection per user, and register a static IP address for the client for Keenetic Carrier.
3. You also need to add a static route in the Routing menu to the 192.168.2.0/24 subnet via the IP address we reserved in the previous step (in our example, this is IP address 172.16.1.33).
4. On Keenetic Carrier, you need to configure a PPTP connection to the VPN server on Keenetic Hero in the Other Connections menu and make sure to tick the Use for accessing the Internet box.
Önemli
Since the router will have a tick in the Use for accessing the Internet box and the PPTP interface will have a higher priority than the local provider's interface, all traffic will go through the VPN tunnel by default.
If you need to leave Internet access via a local provider on Keenetic Carrier, you will need to register static routes via the PPTP interface for all clients that will use port forwarding (will use access to remote hosts). To do this, you need to know their IP addresses. For example, we will access open ports from a remote host that has an Internet IP address of 95.211.169.65. In this case, for port forwarding to work on Keenetic Carrier, which is a PPTP client, you need to register a route to this host (with IP 91.211.169.65) in the Routing menu and add a route via the PPTP interface.
5. Also, for traffic to pass through the PPTP interface, you need to allow it in the Firewall menu.
6. After that, in Keenetic Hero settings, you need to configure a port forwarding rule to a remote subnet in the Port Forwarding menu. In our example, we will forward external port 888 to the local IP address and port 80 of the Keenetic Carrier for access to its web interface.
After this configuration, you will be able to access the public WAN IP address of the Keenetic Hero router via port 888 (http://193.0.x.x:888) from the Internet to access the web interface of the remote Keenetic Carrier located behind the VPN. Similarly, you can forward a port to any host in a remote local network located behind the VPN tunnel.
Not
The Use for accessing the Internet option enables the default route on the device through the PPTP tunnel. Only one (unconditional) default route is possible on routers. If this setting is not configured, responses to requests forwarded from the server through the tunnel will be sent by the client through the WAN interface. This will lead to a "triangular route" problem. To avoid this, without assigning the default route through the tunnel to the server, you can configure static routing if the IP addresses of the hosts from which requests are made to the client network are known. For them, you need to create routes through the PPTP tunnel interface. This scheme can be implemented by connecting a professional equipment product to the server.