
Troubleshooting:Port Forwarding Troubleshooting

From jb-vpn.uk Wiki

Overview


This guide covers troubleshooting for the SSH port forward from the VPS (TCP port 22222 on its public address) to the Synology NAS (10.8.0.2:22) across the OpenVPN tunnel. A client packet arrives on ens6, has its destination rewritten to 10.8.0.2:22 by the DNAT rule in the nat PREROUTING chain, must be accepted by the filter FORWARD chain, and leaves through tun0 with its source rewritten by MASQUERADE so the NAS answers back into the tunnel. Each check below tests one hop of that path, so work through them in order.

Port Forwarding Configuration:

  • External Access: ssh -p 22222 user@87.106.61.62
  • Internal Target: 10.8.0.2:22 (Synology NAS via VPN)
  • Network Interface: ens6 (external interface)
  • VPN Interface: tun0 (OpenVPN tunnel)
  • Cloud Provider: IONOS

IONOS Cloud Provider Configuration


Important: This VPS runs on IONOS. The IONOS cloud firewall sits in front of the VPS, so anything it drops never reaches the VPS at all: no iptables counter, LOG line or tcpdump capture on the VPS will ever show it. TCP port 22222 must be allowed there before any of the on-host checks below mean anything.

IONOS Firewall Configuration


IONOS uses a cloud firewall that must be configured through the IONOS Cloud Panel:

Log in to IONOS Cloud Panel:

  * Navigate to: https://dcd.ionos.com/
  * Select your Data Center → Server & Cloud → Servers

Configure Firewall Rules:

  * Select your VPS server
  * Go to Firewall section
  * Click Add Rule or edit existing rules

Add Firewall Rule for Port 22222:

  * Name: SSH Port Forward (or any descriptive name)
  * Protocol: TCP
  * Port: 22222
  * Source: 0.0.0.0/0 only if access really is needed from anywhere. This rule exposes the NAS's SSH service to the whole Internet, so restrict it to the address ranges you actually connect from whenever you can
  * Action: Allow
  * Priority: Set appropriate priority (lower numbers = higher priority)

Apply Changes:

  * Save the firewall rule
  * Changes are applied immediately (no server restart required)

Verify IONOS Firewall:

  * Ensure the firewall rule is active and enabled
  * Check that no higher-priority DROP rules are blocking the port
  * Verify the rule applies to the correct network interface

IONOS-Specific Notes

  • Firewall Location: IONOS firewall is managed at the cloud infrastructure level, not on the VPS
  • No Security Groups: IONOS uses a direct firewall per server, not security groups
  • Rule Priority: Lower priority numbers are evaluated first
  • Immediate Effect: Firewall changes take effect immediately without server restart
  • Multiple Rules: You can have multiple rules; ensure no conflicting DROP rules have higher priority

Testing IONOS Firewall


If you suspect the IONOS firewall is blocking traffic:

Check IONOS Cloud Panel:

  * Verify the firewall rule exists and is enabled
  * Check rule priority (lower numbers = higher priority)
  * Ensure no DROP rules are blocking the port

Test from different locations:

   # Test from an external host, not from the VPS itself: packets the VPS generates
   # towards its own public address never traverse the nat PREROUTING chain, so a
   # test run on the VPS does not exercise the DNAT rule at all.
   ssh -v -p 22222 user@87.106.61.62

Check if packets reach the VPS:

   # On the VPS, check whether packets are hitting the DNAT rule. The first two
   # columns of the -v output are the rule's packet and byte counters; compare
   # them before and after a connection attempt from outside.
   iptables -t nat -L PREROUTING -n -v | grep 22222
   # If the packet count does not increase, the packets are dropped before they
   # reach the VPS (IONOS cloud firewall), not by anything configured on the VPS.

Quick Verification Checklist

Run these commands on the VPS to verify the setup is working:

# 1. Check that the OpenVPN server is running
systemctl status openvpn-server@server.service

# 2. Verify the VPN tunnel interface is up
ip addr show tun0

# 3. Check that the Synology is reachable through the tunnel
ping -c 2 10.8.0.2
# ipp.txt (ifconfig-pool-persist) only records which address a client was last
# given; it does not show whether the client is connected right now. Use the
# ping, or the file named by the "status" directive in server.conf, for live state.
grep "10.8.0.2" /etc/openvpn/server/ipp.txt

# 4. Verify the iptables rules are loaded (the leading numbers are packet/byte counters)
iptables -t nat -L PREROUTING -n -v | grep 22222
iptables -t filter -L FORWARD -n -v | grep "10.8.0.2"

# 5. Check that IP forwarding is enabled
cat /proc/sys/net/ipv4/ip_forward  # Should output: 1

# 6. Verify nothing on the VPS itself listens on port 22222 (sshd should stay on 22)
ss -tlnp | grep 22222  # Should return nothing

Components Explained


1. iptables NAT Rules (Port Forwarding)


DNAT Rule (PREROUTING):

iptables -t nat -A PREROUTING -i ens6 -p tcp --dport 22222 -j DNAT --to-destination 10.8.0.2:22
  • Purpose: Rewrites the destination of traffic arriving on port 22222 to the Synology NAS (10.8.0.2:22) before the routing decision, so the kernel forwards it instead of delivering it locally
  • Interface: ens6 (external/public interface)
  • Direction: Incoming → Forwarded
  • Note: the nat table is consulted only for the first packet of a connection; later packets follow the conntrack entry. The rule's packet counter therefore counts connection attempts, not packets

MASQUERADE Rule (POSTROUTING):

iptables -t nat -A POSTROUTING -d 10.8.0.2/32 -o tun0 -p tcp --dport 22 -j MASQUERADE
  • Purpose: Source NAT for the forwarded traffic. Without it the NAS would see the real client address and, unless its default route points into the tunnel, send its replies to its own gateway instead of back to the VPS; with it the NAS sees the VPS's tun0 address as the client and answers into the tunnel
  • Interface: tun0 (VPN tunnel)
  • Direction: Outgoing forwarded traffic
  • Caveat: because of this rule every external SSH client looks to the NAS like the same tun0 address. Synology's Auto Block (or any fail2ban-style tool on the NAS) cannot tell an attacker from a legitimate user, and a few failed logins from a scanner can lock everyone out. Restrict the source at the IONOS firewall or with a -s match on the DNAT rule, and keep SSH on the NAS key-only

2. iptables Filter Rules (Firewall)


FORWARD Rule:

iptables -t filter -A FORWARD -d 10.8.0.2/32 -p tcp --dport 22 -j ACCEPT
  • Purpose: Allows forwarding packets to the Synology SSH port
  • Direction: Forwarded traffic
  • Caveat: this rule only matches the client-to-NAS direction. If the FORWARD chain's policy is DROP, the NAS's replies also need an accept rule for conntrack state ESTABLISHED,RELATED; without one the TCP handshake never completes even though the DNAT counter keeps increasing

3. Persistence Configuration


Files:

  • /etc/iptables/rules.v4 - Saved iptables rules
  • /etc/openvpn/server/server.conf - OpenVPN configuration
  • /etc/openvpn/iptables-restore.sh - Script that restores rules when VPN starts
  • /etc/sysctl.conf - Contains net.ipv4.ip_forward=1

Services:

  • netfilter-persistent - Loads iptables rules on boot
  • openvpn-server@server.service - OpenVPN server service

Common Issues and Solutions


Issue 1: Connection Timeout from External


Symptoms:

  • ssh -p 22222 user@87.106.61.62 times out
  • No response from the server

Diagnostic Steps:

Check if packets are reaching the VPS:

   # Watch the kernel log for hits on the LOG rule with prefix "DNAT-22222".
   # On systems using journald /var/log/kern.log may not exist; the kernel ring
   # buffer is then available through journalctl -k, or dmesg -w (needs root
   # unless kernel.dmesg_restrict is 0).
   if [ -r /var/log/kern.log ]; then
       tail -f /var/log/kern.log | grep --line-buffered "DNAT-22222"
   else
       dmesg -w | grep --line-buffered "DNAT-22222"
   fi

   # Or check recent log lines
   dmesg | tail -30 | grep "DNAT-22222"

Check IONOS cloud firewall:

  * IONOS Cloud Panel: Log in to https://dcd.ionos.com/
  * Navigate to: Server & Cloud → Servers → [Your VPS] → Firewall
  * Verify TCP port 22222 has an ALLOW rule configured
  * Check rule priority (lower numbers = higher priority)
  * Ensure no DROP rules with higher priority are blocking the port
  * This is the most common cause of timeouts on IONOS
  * See "IONOS Cloud Provider Configuration" section above for detailed steps

Verify VPN is running:

   systemctl status openvpn-server@server.service
   ip link show tun0

Check if Synology is connected:

   ping -c 2 10.8.0.2
   # ipp.txt only shows the address last handed to each client, not whether it is
   # connected now; the ping (or the OpenVPN status file) is the live check.
   cat /etc/openvpn/server/ipp.txt

Solution:

  • If no DNAT-22222 log lines appear and the DNAT counter stays at zero: the packets never reach the VPS. Check the IONOS firewall in the Cloud Panel (most common issue)
  * Verify port 22222 is allowed in the IONOS firewall rules
  * Check rule priority and ensure no blocking rule overrides it
  • If DNAT-22222 lines appear but the connection still fails: the VPS received the packets, so the fault is further along the path. Check the Synology's VPN connection, IP forwarding (Issue 6) and the FORWARD rules
  • If the Synology does not answer pings on 10.8.0.2: reconnect it to the VPN. An entry in ipp.txt only means it was assigned that address at some point, not that it is connected now

Issue 2: Port Forwarding Not Working After Reboot


Symptoms:

  • Port forwarding works initially
  • After reboot, connections time out

Diagnostic Steps:

Check if iptables rules are loaded:

   iptables -t nat -L PREROUTING -n -v | grep 22222
  * If rule is missing, rules weren't loaded

Verify persistence services are enabled:

   systemctl is-enabled netfilter-persistent
   systemctl is-enabled openvpn-server@server.service

Check OpenVPN configuration:

   grep -E "^(script-security|up) " /etc/openvpn/server/server.conf
  * Should show: script-security 2 and up /etc/openvpn/iptables-restore.sh (a bare grep for "up" would also match unrelated directives such as push or group)

Verify iptables-restore script exists:

   ls -la /etc/openvpn/iptables-restore.sh
   cat /etc/openvpn/iptables-restore.sh
  * The script must be executable (x bit set); OpenVPN executes it directly, and a missing execute permission is a common reason the rules are never restored

Solution:

# Manually restore the rules. iptables-restore commits each table as one
# transaction, so a syntax error leaves the currently loaded rules untouched.
iptables-restore < /etc/iptables/rules.v4

# Verify that the saved file matches what is now loaded. Do not run
# "iptables-save > /etc/iptables/rules.v4" as a verification step: it overwrites
# the saved file with whatever happens to be loaded, including an empty rule set
# if the restore above failed. The -I skips the timestamp comment lines.
iptables-save | diff -I '^#' - /etc/iptables/rules.v4

# Ensure the services are enabled
systemctl enable netfilter-persistent
systemctl enable openvpn-server@server.service

Issue 3: Wrong Network Interface


Symptoms:

  • Rules exist but forwarding doesn't work
  • Interface name mismatch

Diagnostic Steps:

Identify the correct external interface:

   ip route | grep default
   # Output: default via 87.106.61.1 dev ens6 ...

Check iptables rule interface:

   iptables -t nat -L PREROUTING -n -v | grep 22222
   # With -L -v the interface appears in the "in" column and should be ens6 (or
   # your actual external interface); iptables -t nat -S PREROUTING prints the
   # same rule in its "-i ens6" form.

Check saved rules file:

   grep "22222" /etc/iptables/rules.v4

Solution:

# Fix the interface name in the rules file (check the -o interface of the
# MASQUERADE rule as well if the VPN device is not tun0)
sed -i 's/-i eth0/-i ens6/g' /etc/iptables/rules.v4

# Or manually edit /etc/iptables/rules.v4
# Change: -A PREROUTING -i eth0 ...
# To:     -A PREROUTING -i ens6 ...

# Reload the rules
iptables-restore < /etc/iptables/rules.v4

Issue 4: SSH Conflicts with Port Forwarding


Symptoms:

  • Port 22222 is being used by sshd on the VPS itself
  • The connection succeeds but lands on the VPS instead of the NAS. With the DNAT rule loaded this cannot happen, because PREROUTING rewrites the destination before the kernel decides on local delivery; it shows up when the DNAT rule is missing (see Issue 2) and the local listener silently catches the traffic

Diagnostic Steps:

Check what's listening on port 22222:

   ss -tlnp | grep 22222

Check SSH configuration:

   grep "^Port" /etc/ssh/sshd_config

Solution:

# Remove port 22222 from the SSH config
sed -i '/^Port 22222$/d' /etc/ssh/sshd_config

# Check that the config still parses before restarting (keep your current
# session open; with no Port line left, sshd defaults to 22)
sshd -t

# Restart SSH (on Debian/Ubuntu the unit is ssh; sshd is an alias)
systemctl restart sshd

# Verify port 22222 is free
ss -tlnp | grep 22222  # Should return nothing

Issue 5: VPN Not Starting


Symptoms:

  • OpenVPN service fails to start
  • Error messages about script-security

Diagnostic Steps:

Check OpenVPN status:

   systemctl status openvpn-server@server.service
   journalctl -u openvpn-server@server.service -n 50

Common error:

   WARNING: External program may not be called unless '--script-security 2' or higher is enabled

Solution:

# Add script-security to the OpenVPN config unless it is already set. Level 2
# is enough to run the up script; level 3 additionally passes passwords to
# scripts through the environment and is not needed here.
grep -q '^script-security' /etc/openvpn/server/server.conf || \
    echo "script-security 2" >> /etc/openvpn/server/server.conf

# Restart OpenVPN
systemctl restart openvpn-server@server.service

Issue 6: IP Forwarding Disabled


Symptoms:

  • Rules exist but forwarding doesn't work
  • Can't reach Synology even though VPN is up

Diagnostic Steps:

Check if forwarding is enabled:

   cat /proc/sys/net/ipv4/ip_forward
   # Should output: 1

Check if it's in sysctl.conf:

   # Check /etc/sysctl.d/ as well: a net.ipv4.ip_forward=0 in any of those
   # files would switch forwarding off again at boot.
   grep -r "ip_forward" /etc/sysctl.conf /etc/sysctl.d/

Solution:

# Enable forwarding now (takes effect immediately, lost on reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Make it persistent and reload
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

Diagnostic Commands


Check Complete Forwarding Chain

# Each step prints its own failure marker instead of stopping the whole script,
# so one missing rule does not hide the state of the later checks.
echo "=== Port Forwarding Status ==="
echo
echo "1. DNAT Rule:"
iptables -t nat -L PREROUTING -n -v | grep 22222 || echo "  MISSING"
echo
echo "2. FORWARD Rules:"
iptables -t filter -L FORWARD -n -v | grep "10.8.0.2" || echo "  MISSING"
echo
echo "3. POSTROUTING (MASQUERADE):"
iptables -t nat -L POSTROUTING -n -v | grep "10.8.0.2\|MASQUERADE" || echo "  MISSING"
echo
echo "4. VPN Status:"
ip addr show tun0 2>/dev/null | grep "inet " || echo "  tun0 is down"
echo
echo "5. Synology Reachability:"
ping -c 1 -W 2 10.8.0.2 2>&1 | grep -E "bytes from|time=" || echo "  Not reachable"

Monitor Connection Attempts

# Watch for incoming connections through the LOG rules (prefixes DNAT-22222 and
# FWD-to-Synology). On systems using journald /var/log/kern.log may not exist;
# journalctl -k or dmesg -w (needs root) read the kernel ring buffer instead.
if [ -r /var/log/kern.log ]; then
    tail -f /var/log/kern.log | grep --line-buffered -E "DNAT-22222|FWD-to-Synology"
else
    dmesg -w | grep --line-buffered -E "DNAT-22222|FWD-to-Synology"
fi

# Or use tcpdump on the external interface (anything seen here has passed the IONOS firewall)
tcpdump -i ens6 -n tcp port 22222

# Monitor iptables counters
watch -n 1 'iptables -t nat -L PREROUTING -n -v | grep 22222'
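As an added example (not a script from this wiki), the following shell function turns the lines written by those two LOG rules into a per-client verdict, which is the question the log watch above is really asking: did a client's packets reach the VPS at all, and did they get past the FORWARD chain towards the NAS? It assumes the rules log with exactly the prefixes "DNAT-22222: " and "FWD-to-Synology: " that this page greps for, and that the FWD rule sits after DNAT so its lines carry DST=10.8.0.2. The sample log lines embedded in it are constructed (RFC 5737 documentation addresses as clients), not captured from the VPS.

```shell
#!/bin/sh
# Triage kernel LOG lines from the DNAT-22222 and FWD-to-Synology rules.
# Added example for this page, not a script from the wiki. Every connection
# attempt that reaches the VPS leaves a DNAT-22222 line (nat PREROUTING); if it
# also passes the filter FORWARD chain it leaves a FWD-to-Synology line.
# Counting both per source address shows where a failing client stops.

# Reads kernel log lines on stdin, prints one summary line per source address.
# Usage on the VPS: journalctl -k --no-pager | triage_log   (or: dmesg | triage_log)
triage_log() {
    awk '
    {
        # netfilter LOG lines carry SRC=<ip> as one whitespace-separated field
        src = ""
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
        if (src == "") next
        if ($0 ~ /DNAT-22222: /) { dnat[src]++ }
        else if ($0 ~ /FWD-to-Synology: /) { fwd[src]++ }
        else { next }
        if (!(src in seen)) { seen[src] = 1; nseen++ }
    }
    END {
        if (nseen == 0) {
            print "NONE no DNAT-22222 hits: packets never reached the VPS (check the IONOS firewall)"
            exit
        }
        for (s in seen) {
            d = dnat[s] + 0; f = fwd[s] + 0
            v = (f > 0) ? "forwarded to NAS" \
                        : "reached VPS but not forwarded (ip_forward? FORWARD policy? tun0 down?)"
            printf "%s dnat=%d fwd=%d %s\n", s, d, f, v
        }
    }' | sort
}

# Constructed sample in netfilter LOG format (assumed, not captured): one client
# that was forwarded and one whose SYN reached PREROUTING but never FORWARD.
sample_kernel_log() {
cat <<'EOF'
[ 1234.567890] DNAT-22222: IN=ens6 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=87.106.61.62 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=22222 WINDOW=64240 RES=0x00 SYN URGP=0
[ 1234.568001] FWD-to-Synology: IN=ens6 OUT=tun0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=10.8.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
[ 1300.000000] DNAT-22222: IN=ens6 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=87.106.61.62 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9001 DF PROTO=TCP SPT=40000 DPT=22222 WINDOW=65535 RES=0x00 SYN URGP=0
EOF
}

# Demo on the constructed sample; on the VPS feed it journalctl -k instead.
sample_kernel_log | triage_log
```

On the sample this prints 198.51.100.7 as "reached VPS but not forwarded" and 203.0.113.10 as "forwarded to NAS"; an empty input (no DNAT hits at all in the window you looked at) yields the NONE line, which is the IONOS-firewall case from Issue 1. A source that shows fwd>0 and still cannot log in has a problem on the NAS side or in the return path, not in the forward.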

Test Connection from VPS

# Test the direct connection from the VPS to the Synology over the tunnel
ssh -o ConnectTimeout=5 -p 22 user@10.8.0.2 "echo 'Direct connection works'"

# Test the public port from a host OUTSIDE the VPS. Running this on the VPS itself
# proves nothing: locally generated packets do not pass the nat PREROUTING chain.
timeout 5 nc -zv 87.106.61.62 22222

Restore Configuration After Issues


If port forwarding stops working, restore the complete configuration:

# 1. Restore iptables rules
iptables-restore < /etc/iptables/rules.v4

# 2. Verify rules are loaded
iptables -t nat -L PREROUTING -n -v | grep 22222

# 3. Restart OpenVPN (will also restore rules via the up script)
systemctl restart openvpn-server@server.service

# 4. Verify VPN is up
ip addr show tun0

# 5. Check Synology connection
ping -c 2 10.8.0.2

Configuration Files Reference


/etc/iptables/rules.v4


Complete iptables rules including:

  • DNAT rule for port 22222
  • FORWARD rule for Synology
  • MASQUERADE rule for return traffic
  • Logging rules for debugging

/etc/openvpn/server/server.conf


OpenVPN server configuration with:

  • script-security 2 - Allows up/down scripts
  • up /etc/openvpn/iptables-restore.sh - Restores rules when VPN starts

/etc/openvpn/iptables-restore.sh


Script that restores iptables rules when OpenVPN tunnel comes up.
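The page (here and under Persistence Configuration above) describes this script but does not show it. The following is an added example of what an OpenVPN up script for that job can look like; it is not the script from the VPS, and its contents (the argument handling, the pre-checks, and the RULES_FILE and IPTABLES_RESTORE overrides used for testing it off the box) are assumptions. What it relies on is documented OpenVPN behaviour: an up script only runs with script-security 2 or higher, receives the tunnel device name as its first argument (also exported as $dev), and a non-zero exit status is fatal for OpenVPN, so the script must only fail when the rules genuinely could not be loaded.

```shell
#!/bin/sh
# Example OpenVPN "up" script for /etc/openvpn/iptables-restore.sh.
# Added example, not the script from the wiki or the VPS; everything here is
# an assumed implementation. OpenVPN calls an --up script as
#   script tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
# and exits with a fatal error if the script returns non-zero.

RULES="${RULES_FILE:-/etc/iptables/rules.v4}"    # override for testing
RESTORE="${IPTABLES_RESTORE:-iptables-restore}"  # override for testing
EXPECTED_DEV="${EXPECTED_DEV:-tun0}"

log() {
    logger -t iptables-restore -- "$*" 2>/dev/null || :
    echo "iptables-restore: $*" >&2
}

# Sanity-check the saved rule set before touching the kernel tables: the file
# must be readable and contain the two rules the port forward cannot work
# without (the DNAT to the NAS and the MASQUERADE out of tun0).
validate_rules() {
    f="$1"
    [ -r "$f" ] || { log "rules file $f missing or unreadable"; return 1; }
    grep -q -- '--dport 22222 .*-j DNAT --to-destination 10.8.0.2:22' "$f" \
        || { log "no DNAT rule for 22222 -> 10.8.0.2:22 in $f"; return 1; }
    grep -q -- '-o tun0 .*-j MASQUERADE' "$f" \
        || { log "no MASQUERADE rule on tun0 in $f"; return 1; }
    return 0
}

# Load the rule set. iptables-restore commits each table as one transaction,
# so a syntax error leaves the previously loaded rules in place.
restore_rules() {
    f="$1"
    validate_rules "$f" || return 1
    if "$RESTORE" < "$f"; then
        log "restored $f"
        return 0
    fi
    log "iptables-restore failed for $f"
    return 1
}

main() {
    dev="${1:-$dev}"   # OpenVPN passes the device as $1 and exports $dev
    if [ "$dev" != "$EXPECTED_DEV" ]; then
        log "up script called for $dev, expected $EXPECTED_DEV; loading rules anyway"
    fi
    restore_rules "$RULES"
}

# Only act when OpenVPN (or an operator) actually passes arguments.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Install it with execute permission and reference it from server.conf as "up /etc/openvpn/iptables-restore.sh" next to "script-security 2". To dry-run it without root, point RULES_FILE at a copy of rules.v4 and IPTABLES_RESTORE at cat; the validation failures it logs (missing file, missing DNAT or MASQUERADE rule) are exactly the states Issue 2 above diagnoses by hand.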

/etc/sysctl.conf


Contains net.ipv4.ip_forward=1 to enable IP forwarding.


Maintenance


Update Rules


After making changes to iptables rules:

# Save the rules that are currently loaded (only after confirming they are the
# ones you want; this overwrites the file netfilter-persistent loads at boot)
iptables-save > /etc/iptables/rules.v4

# Verify they're correct
grep 22222 /etc/iptables/rules.v4
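A grep for the port only proves one rule survived the save. As an added example serving the Components Explained section, Issue 3 and this maintenance step, the linter below checks a rules.v4 file for every piece of the forward at once (DNAT on the right interface, FORWARD accept, a return-path rule when the FORWARD policy is DROP, MASQUERADE on tun0) and reads the real external interface from ip route the way Issue 3 does by hand. It is not a script from the wiki; the embedded rule set is an assumed reconstruction of what the page says rules.v4 contains (the three rules plus rate-limited LOG rules with the page's prefixes and a conntrack return rule), not a copy of the file on the VPS.

```shell
#!/bin/sh
# Lint a saved iptables rule set (iptables-save format, e.g. /etc/iptables/rules.v4)
# for everything the 22222 -> 10.8.0.2:22 forward depends on.
# Added example for this page; the sample rule set is an assumed reconstruction.

NAS_IP="10.8.0.2"
EXT_PORT="22222"
NAS_PORT="22"
VPN_IF="tun0"

# Print the interface of the default route from `ip route` output on stdin.
# Usage on the VPS: ip route | detect_ext_if
detect_ext_if() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

problems=0
fail() { echo "PROBLEM: $*" >&2; problems=$((problems + 1)); }

# check_rules_v4 FILE EXT_IF
# One PROBLEM line per finding on stderr; the return value is the number of findings.
check_rules_v4() {
    file="$1"; ext_if="$2"; problems=0
    [ -r "$file" ] || { fail "$file is missing or unreadable"; return 1; }

    # 1. DNAT rule: must exist and must be bound to the real external interface.
    dnat=$(grep -- "-A PREROUTING .*--dport $EXT_PORT .*-j DNAT --to-destination $NAS_IP:$NAS_PORT" "$file" | head -n 1)
    if [ -z "$dnat" ]; then
        fail "no DNAT rule for tcp/$EXT_PORT -> $NAS_IP:$NAS_PORT"
    else
        bound_if=$(printf '%s\n' "$dnat" | sed -n 's/.*-i \([^ ]*\).*/\1/p')
        [ "$bound_if" = "$ext_if" ] \
            || fail "DNAT rule is bound to '$bound_if' but the default route uses '$ext_if'"
    fi

    # 2. FORWARD accept towards the NAS.
    grep -q -- "-A FORWARD -d $NAS_IP/32 .*--dport $NAS_PORT .*-j ACCEPT" "$file" \
        || fail "no FORWARD ACCEPT for $NAS_IP:$NAS_PORT"

    # 3. Return path: with a DROP policy on FORWARD the NAS's replies need a
    #    conntrack ESTABLISHED,RELATED accept or the TCP handshake never completes.
    if grep -q '^:FORWARD DROP' "$file"; then
        grep -q -- '-A FORWARD .*--ctstate .*ESTABLISHED.*-j ACCEPT' "$file" \
            || fail "FORWARD policy is DROP but there is no ESTABLISHED,RELATED accept rule"
    fi

    # 4. Source NAT so the NAS answers back through the tunnel.
    grep -q -- "-A POSTROUTING -d $NAS_IP/32 -o $VPN_IF .*-j MASQUERADE" "$file" \
        || fail "no MASQUERADE for $NAS_IP on $VPN_IF"

    return $problems
}

# Assumed reconstruction of rules.v4 (not copied from the VPS): the DNAT,
# FORWARD and MASQUERADE rules from this page, rate-limited LOG rules with the
# prefixes the page greps for, and the conntrack return rule for a DROP policy.
sample_rules_v4() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ens6 -p tcp -m tcp --dport 22222 -m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "DNAT-22222: "
-A PREROUTING -i ens6 -p tcp -m tcp --dport 22222 -j DNAT --to-destination 10.8.0.2:22
-A POSTROUTING -d 10.8.0.2/32 -o tun0 -p tcp -m tcp --dport 22 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.8.0.2/32 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FWD-to-Synology: "
-A FORWARD -d 10.8.0.2/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}
```

On the VPS run "check_rules_v4 /etc/iptables/rules.v4 "$(ip route | detect_ext_if)"" after every save; a zero exit means all four pieces are present and the DNAT rule is bound to the interface that actually carries the default route. Feeding it "sample_rules_v4 | sed 's/-i ens6/-i eth0/'" reproduces the Issue 3 mismatch, and deleting the RELATED,ESTABLISHED line reproduces the silent handshake stall described under the FORWARD rule.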

Add More Port Forwards


To forward additional ports:

# Add DNAT rule
iptables -t nat -A PREROUTING -i ens6 -p tcp --dport <EXTERNAL_PORT> \
  -j DNAT --to-destination 10.8.0.2:<INTERNAL_PORT>

# Add FORWARD rule
iptables -t filter -A FORWARD -d 10.8.0.2 -p tcp --dport <INTERNAL_PORT> -j ACCEPT

# Save rules
iptables-save > /etc/iptables/rules.v4

# Two things the commands above do not cover: the existing MASQUERADE rule only
# matches --dport 22, so the new internal port needs its own (or the NAS must
# route its replies into the tunnel), and <EXTERNAL_PORT> needs a matching ALLOW
# rule in the IONOS cloud firewall, restricted to the source ranges that need it.

Quick Reference

Component            Value
External Port        22222
Internal Target      10.8.0.2:22
External Interface   ens6
VPN Interface        tun0
VPN Subnet           10.8.0.0/24
VPS Public IP        87.106.61.62
Synology VPN IP      10.8.0.2
Cloud Provider       IONOS
IONOS Panel          https://dcd.ionos.com/

Contact & Support


If issues persist after following this guide:

  • Check all diagnostic commands above
  • Review the kernel logs: dmesg | tail -50
  • Check the OpenVPN logs: journalctl -u openvpn-server@server.service -n 100
  • Verify the IONOS firewall settings (most common issue):
  * Log in to IONOS Cloud Panel: https://dcd.ionos.com/
  * Navigate to Server & Cloud → Servers → [Your VPS] → Firewall
  * Verify port 22222 is allowed with proper priority
  • Check the IONOS support documentation or contact IONOS support if the firewall is correctly configured