Nowadays, with the exhaustion of IPv4 addresses, more and more ISPs use Carrier-grade NAT. What’s the main issue for customers? They can’t forward ports, which is a problem if they want to host a website, a video game server or any kind of peer-to-peer application: the public address they share with other customers belongs to the ISP, so nothing they configure on their own router can make an inbound connection reach them.
To work around this, you can set up your own VPN on a cheap VPS and let the VPS forward inbound traffic to your machine through the tunnel. After setting up the VPS, configuring SSH settings and firewall rules, you can run this OpenVPN installation script. Then allow incoming traffic through ufw on your OpenVPN port and on the port you want to forward. Keep in mind that the forwarded port becomes reachable from the whole Internet on the VPS’s public IP, exactly as it would be on a non-CGNAT connection, so the service behind it must be one you are comfortable exposing. ufw status should then show:
22 ALLOW IN Anywhere
[PORT_TO_FORWARD]/tcp ALLOW IN Anywhere
[PORT_TO_FORWARD]/udp ALLOW IN Anywhere
[OPENVPN_PORT]/udp ALLOW IN Anywhere
22 (v6) ALLOW IN Anywhere (v6)
[PORT_TO_FORWARD]/tcp (v6) ALLOW IN Anywhere (v6)
[PORT_TO_FORWARD]/udp (v6) ALLOW IN Anywhere (v6)
[OPENVPN_PORT]/udp (v6) ALLOW IN Anywhere (v6)
You also have to change DEFAULT_FORWARD_POLICY to ACCEPT inside /etc/default/ufw, since ufw drops forwarded packets by default and the VPS now has to pass traffic between its public interface and the tunnel. The kernel must also be allowed to forward at all: check that sysctl net.ipv4.ip_forward reports 1 (if the installation script has not already enabled it, set net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf).
Next, configure the client’s tunnel IP address so it stays the same across connections; the NAT rule below has to point at a fixed address. To do that, add ifconfig-pool-persist ipp.txt 0 to /etc/openvpn/server.conf and client_name,[LOCAL_CLIENT_IP_ADDRESS] to /etc/openvpn/ipp.txt, where client_name is the common name of the client certificate you generated. The trailing 0 tells OpenVPN to treat the file as read-only instead of rewriting it periodically, so the mapping you wrote by hand stays in place.
To disable logging, you can also add the following lines to server.conf. Be aware of the trade-off: with these settings the VPS keeps no record of who connected and when, which is exactly what you would want to look at if the server were ever compromised. Keeping verb 3 with normal log rotation is a reasonable middle ground.
log /dev/null
status /dev/null
verb 0
You obviously need to change [LOCAL_CLIENT_IP_ADDRESS] to an IPv4 address inside the OpenVPN server subnet (the server line in /etc/openvpn/server.conf), avoiding the network address and the server’s own first address. Replace eth0 with the name of the VPS’s public interface if it differs (ip route shows it). Then copy the following lines to /etc/ufw/before.rules, before the last COMMIT line, so that the existing COMMIT closes the new nat table. One more condition for this to work: the client’s replies must travel back through the tunnel, which is the case when the client routes its default gateway through the VPN (redirect-gateway def1 pushed by the server). Otherwise the replies leave through the client’s ISP with a source address the remote peer never talked to, and the connection fails.
# Commits changes made to another table
COMMIT
# NAT rules for OpenVPN
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport [PORT_TO_FORWARD] -j DNAT --to-destination [LOCAL_CLIENT_IP_ADDRESS]:[PORT_TO_FORWARD]
-A PREROUTING -i eth0 -p udp --dport [PORT_TO_FORWARD] -j DNAT --to-destination [LOCAL_CLIENT_IP_ADDRESS]:[PORT_TO_FORWARD]
-A POSTROUTING -o eth0 -j MASQUERADE
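As an added example that is not part of the original tutorial, the following bash script generates that before.rules fragment from the placeholders and checks the inputs before printing anything: the client IP must be a usable address inside the pool declared by the server line in server.conf, and the port must be valid and must not be the SSH port, so you cannot DNAT your own management access away to the client. The interface name eth0, the port 25565, the client address 10.8.0.10 and the 10.8.0.0/24 pool used in the demo are assumptions for illustration, and the demo server.conf is constructed inline.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): generate and sanity-check the
# NAT fragment for /etc/ufw/before.rules. Assumes a server.conf that contains a
# standard "server <network> <netmask>" directive and a single public interface.
set -eu

# valid_ipv4 A.B.C.D -> success if the argument is four octets in 0..255
valid_ipv4() {
    local o
    [[ $1 =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
    for o in "${BASH_REMATCH[@]:1}"; do (( 10#$o <= 255 )) || return 1; done
}

# ip_to_int A.B.C.D -> the address as a 32-bit integer (for mask arithmetic)
ip_to_int() {
    local a b c d
    IFS=. read -r a b c d <<< "$1"
    echo $(( (10#$a << 24) | (10#$b << 16) | (10#$c << 8) | 10#$d ))
}

# in_subnet CLIENT_IP NETWORK NETMASK -> success if CLIENT_IP is a usable pool
# address: same network bits, and neither the network address nor the server's
# own first address (OpenVPN takes the first usable address for itself)
in_subnet() {
    local ip net mask
    ip=$(ip_to_int "$1"); net=$(ip_to_int "$2"); mask=$(ip_to_int "$3")
    (( (ip & mask) == (net & mask) )) || return 1
    (( ip != net && ip != net + 1 )) || return 1
}

# server_subnet SERVER_CONF -> prints "NETWORK NETMASK" from the server directive
server_subnet() {
    awk '$1 == "server" { print $2, $3; exit }' "$1"
}

# nat_fragment PUBLIC_IF PORT CLIENT_IP -> the block to paste before the final
# COMMIT of before.rules (the existing COMMIT then closes the nat table)
nat_fragment() {
    local ifc=$1 port=$2 client=$3
    cat <<EOF
# Commits changes made to another table
COMMIT
# NAT rules for OpenVPN
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $ifc -p tcp --dport $port -j DNAT --to-destination $client:$port
-A PREROUTING -i $ifc -p udp --dport $port -j DNAT --to-destination $client:$port
-A POSTROUTING -o $ifc -j MASQUERADE
EOF
}

# gen_forward_rules PUBLIC_IF PORT CLIENT_IP SERVER_CONF -> validates every
# input against the server's own pool, then prints the fragment; fails loudly
# on anything that would produce a silently broken or dangerous rule
gen_forward_rules() {
    local ifc=$1 port=$2 client=$3 conf=$4 subnet net mask
    [[ $port =~ ^[0-9]+$ ]] && (( 10#$port >= 1 && 10#$port <= 65535 )) \
        || { echo "bad port: $port" >&2; return 1; }
    (( 10#$port != 22 )) || { echo "refusing to DNAT the SSH port" >&2; return 1; }
    valid_ipv4 "$client" || { echo "bad client IP: $client" >&2; return 1; }
    subnet=$(server_subnet "$conf")
    [[ $subnet == *" "* ]] || { echo "no 'server <net> <mask>' line in $conf" >&2; return 1; }
    net=${subnet%% *}; mask=${subnet#* }
    valid_ipv4 "$net" && valid_ipv4 "$mask" || { echo "bad server line: $subnet" >&2; return 1; }
    in_subnet "$client" "$net" "$mask" \
        || { echo "$client is not a usable address in pool $net/$mask" >&2; return 1; }
    nat_fragment "$ifc" "$port" "$client"
}

# Demo with a constructed server.conf (values are assumptions for illustration)
demo_conf=$(mktemp)
printf 'port 1194\nproto udp\nserver 10.8.0.0 255.255.255.0\n' > "$demo_conf"
gen_forward_rules eth0 25565 10.8.0.10 "$demo_conf"
rm -f "$demo_conf"
```

Run it with the VPS’s real interface, port, client address and /etc/openvpn/server.conf, paste the output before the last COMMIT of /etc/ufw/before.rules and reload ufw; iptables -t nat -S PREROUTING should then list the two DNAT rules.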
Finally, copy the OpenVPN client configuration generated earlier to your local machine with scp. The client initiates the connection itself, so ufw on the local machine does not need an incoming rule for the OpenVPN port: the reply packets match the outbound connection. What it does need, unless your application’s port is already open, is to accept the forwarded traffic arriving through the tunnel on the service port (ufw allow in on tun0 to any port [PORT_TO_FORWARD]), which shows up in ufw status as:
[PORT_TO_FORWARD] on tun0 ALLOW IN Anywhere
[PORT_TO_FORWARD] (v6) on tun0 ALLOW IN Anywhere (v6)
If you only want to send a single application through the VPN rather than the whole machine, you can install and run vopono, which starts the application in its own network namespace with the VPN as that namespace’s route out (the yay command below is for Arch Linux’s AUR; use your distribution’s package or the upstream release otherwise):
yay -S vopono-git
vopono -v exec --custom ./custom_openvpn.ovpn --protocol openvpn "your_application"
I hope this tutorial has been helpful. See you again, have a nice day!