Josh: Major update - troubleshooting guide: Port Forwarding Troubleshooting Guide (108 sections) (troubleshooting)

2026-01-01T13:44:49Z

Major update - troubleshooting guide: Port Forwarding Troubleshooting Guide (108 sections) (troubleshooting)

Show changes

Josh: Content added - troubleshooting guide: Port Forwarding Troubleshooting Guide (32 sections) (troubleshooting)

2026-01-01T13:28:28Z

Content added - troubleshooting guide: Port Forwarding Troubleshooting Guide (32 sections) (troubleshooting)

Show changes

Josh: Added troubleshooting guide: Port Forwarding Troubleshooting Guide (troubleshooting)

2026-01-01T13:16:11Z

Added troubleshooting guide: Port Forwarding Troubleshooting Guide (troubleshooting)

New page

= Port Forwarding Troubleshooting Guide =

== Overview ==

This guide covers troubleshooting for SSH port forwarding from the VPS (port 22222) to the Synology NAS (10.8.0.2:22) via OpenVPN.

'''Port Forwarding Configuration:'''
'' '''External Access''': <code>ssh -p 22222 user@87.106.61.62</code>
'' '''Internal Target''': <code>10.8.0.2:22</code> (Synology NAS via VPN)
'' '''Network Interface''': <code>ens6</code> (external interface)
'' '''VPN Interface''': <code>tun0</code> (OpenVPN tunnel)
'' '''Cloud Provider''': IONOS

----

== IONOS Cloud Provider Configuration ==

'''Important:''' This VPS is running on IONOS. The IONOS firewall must be configured to allow traffic on port 22222.

=== IONOS Firewall Configuration ===

IONOS uses a cloud firewall that must be configured through the IONOS Cloud Panel:

= '''Log in to IONOS Cloud Panel:''' =
'' Navigate to: https://dcd.ionos.com/
'' Select your Data Center → Server & Cloud → Servers

= '''Configure Firewall Rules:''' =
'' Select your VPS server
'' Go to '''Firewall''' section
'' Click '''Add Rule''' or edit existing rules

= '''Add Firewall Rule for Port 22222:''' =
'' '''Name''': SSH Port Forward (or any descriptive name)
'' '''Protocol''': TCP
'' '''Port''': 22222
'' '''Source''': 0.0.0.0/0 (or restrict to specific IPs for security)
'' '''Action''': Allow
'' '''Priority''': Set appropriate priority (lower numbers = higher priority)

= '''Apply Changes:''' =
'' Save the firewall rule
'' Changes are applied immediately (no server restart required)

= '''Verify IONOS Firewall:''' =
'' Ensure the firewall rule is active and enabled
'' Check that no higher-priority DROP rules are blocking the port
'' Verify the rule applies to the correct network interface

=== IONOS-Specific Notes ===

'' '''Firewall Location''': IONOS firewall is managed at the cloud infrastructure level, not on the VPS
'' '''No Security Groups''': IONOS uses a direct firewall per server, not security groups
'' '''Rule Priority''': Lower priority numbers are evaluated first
'' '''Immediate Effect''': Firewall changes take effect immediately without server restart
'' '''Multiple Rules''': You can have multiple rules; ensure no conflicting DROP rules have higher priority

=== Testing IONOS Firewall ===

If you suspect the IONOS firewall is blocking traffic:

= '''Check IONOS Cloud Panel:''' =
'' Verify the firewall rule exists and is enabled
'' Check rule priority (lower numbers = higher priority)
'' Ensure no DROP rules are blocking the port

= '''Test from different locations:''' =
<pre class="lang-bash">
# Test from external IP (not from the VPS itself)
ssh -v -p 22222 user@87.106.61.62
</pre>

= '''Check if packets reach the VPS:''' =
<pre class="lang-bash">
# On the VPS, check if packets are hitting iptables rules
iptables -t nat -L PREROUTING -n -v | grep 22222
# If packet count doesn't increase, packets are blocked before reaching VPS
</pre>

----

== Quick Verification Checklist ==

Run these commands to verify the setup is working:

<pre class="lang-bash">
= 1. Check if VPN is running =
systemctl status openvpn-server@server.service

= 2. Verify VPN tunnel is up =
ip addr show tun0

= 3. Check if Synology is connected to VPN =
ping -c 2 10.8.0.2
cat /etc/openvpn/server/ipp.txt | grep "10.8.0.2"

= 4. Verify iptables rules are active =
iptables -t nat -L PREROUTING -n -v | grep 22222
iptables -t filter -L FORWARD -n -v | grep "10.8.0.2"

= 5. Check IP forwarding is enabled =
cat /proc/sys/net/ipv4/ip_forward # Should output: 1

= 6. Verify SSH is NOT listening on port 22222 (should only be on 22) =
ss -tlnp | grep 22222 # Should return nothing
</pre>

----

== Components Explained ==

=== 1. iptables NAT Rules (Port Forwarding) ===

'''DNAT Rule (PREROUTING):'''
<pre class="lang-bash">
iptables -t nat -A PREROUTING -i ens6 -p tcp --dport 22222 -j DNAT --to-destination 10.8.0.2:22
</pre>
'' '''Purpose''': Redirects incoming traffic on port 22222 to the Synology NAS
'' '''Interface''': <code>ens6</code> (external/public interface)
'' '''Direction''': Incoming → Forwarded

'''MASQUERADE Rule (POSTROUTING):'''
<pre class="lang-bash">
iptables -t nat -A POSTROUTING -d 10.8.0.2/32 -o tun0 -p tcp --dport 22 -j MASQUERADE
</pre>
'' '''Purpose''': Handles source NAT for forwarded traffic so return packets route correctly
'' '''Interface''': <code>tun0</code> (VPN tunnel)
'' '''Direction''': Outgoing forwarded traffic

=== 2. iptables Filter Rules (Firewall) ===

'''FORWARD Rule:'''
<pre class="lang-bash">
iptables -t filter -A FORWARD -d 10.8.0.2/32 -p tcp --dport 22 -j ACCEPT
</pre>
'' '''Purpose''': Allows forwarding packets to the Synology SSH port
'' '''Direction''': Forwarded traffic

=== 3. Persistence Configuration ===

'''Files:'''
'' <code>/etc/iptables/rules.v4</code> - Saved iptables rules
'' <code>/etc/openvpn/server/server.conf</code> - OpenVPN configuration
'' <code>/etc/openvpn/iptables-restore.sh</code> - Script that restores rules when VPN starts
'' <code>/etc/sysctl.conf</code> - Contains <code>net.ipv4.ip_forward=1</code>

'''Services:'''
'' <code>netfilter-persistent</code> - Loads iptables rules on boot
'' <code>openvpn-server@server.service</code> - OpenVPN server service

----

== Common Issues and Solutions ==

=== Issue 1: Connection Timeout from External ===

'''Symptoms:'''
'' <code>ssh -p 22222 user@87.106.61.62</code> times out
'' No response from the server

'''Diagnostic Steps:'''

= '''Check if packets are reaching the VPS:''' =
<pre class="lang-bash">
# Watch kernel logs for DNAT rule hits
# Note: On systems using journald, kern.log may not exist. Use dmesg instead.
tail -f /var/log/kern.log | grep "DNAT-22222" 2>/dev/null || \
dmesg -w | grep "DNAT-22222"

# Or check recent logs
dmesg | tail -30 | grep "DNAT-22222"
</pre>

= '''Check IONOS cloud firewall:''' =
'' '''IONOS Cloud Panel''': Log in to https://dcd.ionos.com/
'' Navigate to: Server & Cloud → Servers → [Your VPS] → Firewall
'' Verify TCP port 22222 has an '''ALLOW''' rule configured
'' Check rule priority (lower numbers = higher priority)
'' Ensure no DROP rules with higher priority are blocking the port
'' '''This is the most common cause of timeouts on IONOS'''
'' See "IONOS Cloud Provider Configuration" section above for detailed steps

= '''Verify VPN is running:''' =
<pre class="lang-bash">
systemctl status openvpn-server@server.service
ip link show tun0
</pre>

= '''Check if Synology is connected:''' =
<pre class="lang-bash">
ping -c 2 10.8.0.2
cat /etc/openvpn/server/ipp.txt
</pre>

'''Solution:'''
'' If no logs appear: '''Check IONOS firewall in Cloud Panel''' (most common issue)
'' Verify port 22222 is allowed in IONOS firewall rules
'' Check rule priority and ensure no blocking rules override it
'' If logs appear but connection fails: Check Synology VPN connection
'' If Synology is not in ipp.txt: Reconnect Synology to VPN

----

=== Issue 2: Port Forwarding Not Working After Reboot ===

'''Symptoms:'''
'' Port forwarding works initially
'' After reboot, connections time out

'''Diagnostic Steps:'''

= '''Check if iptables rules are loaded:''' =
<pre class="lang-bash">
iptables -t nat -L PREROUTING -n -v | grep 22222
</pre>
'' If rule is missing, rules weren't loaded

= '''Verify persistence services are enabled:''' =
<pre class="lang-bash">
systemctl is-enabled netfilter-persistent
systemctl is-enabled openvpn-server@server.service
</pre>

= '''Check OpenVPN configuration:''' =
<pre class="lang-bash">
grep "script-security\|up" /etc/openvpn/server/server.conf
</pre>
'' Should show: <code>script-security 2</code> and <code>up /etc/openvpn/iptables-restore.sh</code>

= '''Verify iptables-restore script exists:''' =
<pre class="lang-bash">
ls -la /etc/openvpn/iptables-restore.sh
cat /etc/openvpn/iptables-restore.sh
</pre>

'''Solution:'''
<pre class="lang-bash">
= Manually restore rules =
iptables-restore < /etc/iptables/rules.v4

= Verify rules are saved correctly =
iptables-save > /etc/iptables/rules.v4

= Ensure services are enabled =
systemctl enable netfilter-persistent
systemctl enable openvpn-server@server.service
</pre>

----

=== Issue 3: Wrong Network Interface ===

'''Symptoms:'''
'' Rules exist but forwarding doesn't work
'' Interface name mismatch

'''Diagnostic Steps:'''

= '''Identify the correct external interface:''' =
<pre class="lang-bash">
ip route | grep default
# Output: default via 87.106.61.1 dev ens6 ...
</pre>

= '''Check iptables rule interface:''' =
<pre class="lang-bash">
iptables -t nat -L PREROUTING -n -v | grep 22222
# Should show: -i ens6 (or your actual interface)
</pre>

= '''Check saved rules file:''' =
<pre class="lang-bash">
grep "22222" /etc/iptables/rules.v4
</pre>

'''Solution:'''
<pre class="lang-bash">
= Fix the interface in the rules file =
sed -i 's/-i eth0/-i ens6/g' /etc/iptables/rules.v4

= Or manually edit /etc/iptables/rules.v4 =
= Change: -A PREROUTING -i eth0 ... =
= To: -A PREROUTING -i ens6 ... =

= Reload rules =
iptables-restore < /etc/iptables/rules.v4
</pre>

----

=== Issue 4: SSH Conflicts with Port Forwarding ===

'''Symptoms:'''
'' Port 22222 is being used by SSH
'' Connection connects but to wrong server

'''Diagnostic Steps:'''

= '''Check what's listening on port 22222:''' =
<pre class="lang-bash">
ss -tlnp | grep 22222
</pre>

= '''Check SSH configuration:''' =
<pre class="lang-bash">
grep "^Port" /etc/ssh/sshd_config
</pre>

'''Solution:'''
<pre class="lang-bash">
= Remove port 22222 from SSH config =
sed -i '/^Port 22222$/d' /etc/ssh/sshd_config

= Restart SSH =
systemctl restart sshd

= Verify port 22222 is free =
ss -tlnp | grep 22222 # Should return nothing
</pre>

----

=== Issue 5: VPN Not Starting ===

'''Symptoms:'''
'' OpenVPN service fails to start
'' Error messages about script-security

'''Diagnostic Steps:'''

= '''Check OpenVPN status:''' =
<pre class="lang-bash">
systemctl status openvpn-server@server.service
journalctl -u openvpn-server@server.service -n 50
</pre>

= '''Common error:''' =
<pre>
WARNING: External program may not be called unless '--script-security 2' or higher is enabled
</pre>

'''Solution:'''
<pre class="lang-bash">
= Add script-security to OpenVPN config =
echo "script-security 2" >> /etc/openvpn/server/server.conf

= Restart OpenVPN =
systemctl restart openvpn-server@server.service
</pre>

----

=== Issue 6: IP Forwarding Disabled ===

'''Symptoms:'''
'' Rules exist but forwarding doesn't work
'' Can't reach Synology even though VPN is up

'''Diagnostic Steps:'''

= '''Check if forwarding is enabled:''' =
<pre class="lang-bash">
cat /proc/sys/net/ipv4/ip_forward
# Should output: 1
</pre>

= '''Check if it's in sysctl.conf:''' =
<pre class="lang-bash">
grep "ip_forward" /etc/sysctl.conf
</pre>

'''Solution:'''
<pre class="lang-bash">
= Enable forwarding =
echo 1 > /proc/sys/net/ipv4/ip_forward

= Make it persistent =
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
</pre>

----

== Diagnostic Commands ==

=== Check Complete Forwarding Chain ===

<pre class="lang-bash">
echo "=== Port Forwarding Status ===" && \
echo "" && \
echo "1. DNAT Rule:" && \
iptables -t nat -L PREROUTING -n -v | grep 22222 && \
echo "" && \
echo "2. FORWARD Rules:" && \
iptables -t filter -L FORWARD -n -v | grep "10.8.0.2" && \
echo "" && \
echo "3. POSTROUTING (MASQUERADE):" && \
iptables -t nat -L POSTROUTING -n -v | grep "10.8.0.2\|MASQUERADE" && \
echo "" && \
echo "4. VPN Status:" && \
ip addr show tun0 2>/dev/null | grep "inet " && \
echo "" && \
echo "5. Synology Reachability:" && \
ping -c 1 -W 2 10.8.0.2 2>&1 | grep -E "bytes from|time=" || echo "Not reachable"
</pre>

=== Monitor Connection Attempts ===

<pre class="lang-bash">
= Watch for incoming connections =
= Note: On systems using journald, kern.log may not exist. Use dmesg instead. =
tail -f /var/log/kern.log | grep -E "DNAT-22222|FWD-to-Synology" 2>/dev/null || \
dmesg -w | grep -E "DNAT-22222|FWD-to-Synology"

= Or use tcpdump =
tcpdump -i ens6 -n tcp port 22222

= Monitor iptables counters =
watch -n 1 'iptables -t nat -L PREROUTING -n -v | grep 22222'
</pre>

=== Test Connection from VPS ===

<pre class="lang-bash">
= Test direct connection to Synology =
ssh -o ConnectTimeout=5 -p 22 user@10.8.0.2 "echo 'Direct connection works'"

= Test if port forwarding rule is active (from external IP) =
timeout 5 nc -zv 87.106.61.62 22222
</pre>

----

== Restore Configuration After Issues ==

If port forwarding stops working, restore the complete configuration:

<pre class="lang-bash">
= 1. Restore iptables rules =
iptables-restore < /etc/iptables/rules.v4

= 2. Verify rules are loaded =
iptables -t nat -L PREROUTING -n -v | grep 22222

= 3. Restart OpenVPN (will also restore rules via up script) =
systemctl restart openvpn-server@server.service

= 4. Verify VPN is up =
ip addr show tun0

= 5. Check Synology connection =
ping -c 2 10.8.0.2
</pre>

----

== Configuration Files Reference ==

=== <code>/etc/iptables/rules.v4</code> ===
Complete iptables rules including:
'' DNAT rule for port 22222
'' FORWARD rule for Synology
'' MASQUERADE rule for return traffic
'' Logging rules for debugging

=== <code>/etc/openvpn/server/server.conf</code> ===
OpenVPN server configuration with:
'' <code>script-security 2</code> - Allows up/down scripts
'' <code>up /etc/openvpn/iptables-restore.sh</code> - Restores rules when VPN starts

=== <code>/etc/openvpn/iptables-restore.sh</code> ===
Script that restores iptables rules when OpenVPN tunnel comes up.

=== <code>/etc/sysctl.conf</code> ===
Contains <code>net.ipv4.ip_forward=1</code> to enable IP forwarding.

----

== Maintenance ==

=== Update Rules ===

After making changes to iptables rules:
<pre class="lang-bash">
= Save current rules =
iptables-save > /etc/iptables/rules.v4

= Verify they're correct =
cat /etc/iptables/rules.v4 | grep 22222
</pre>

=== Add More Port Forwards ===

To forward additional ports:
<pre class="lang-bash">
= Add DNAT rule =
iptables -t nat -A PREROUTING -i ens6 -p tcp --dport <EXTERNAL_PORT> \
-j DNAT --to-destination 10.8.0.2:<INTERNAL_PORT>

= Add FORWARD rule =
iptables -t filter -A FORWARD -d 10.8.0.2 -p tcp --dport <INTERNAL_PORT> -j ACCEPT

= Save rules =
iptables-save > /etc/iptables/rules.v4
</pre>

----

== Quick Reference ==

{| class="wikitable"
|-
| Component || Value
|-
| External Port || 22222
|-
| Internal Target || 10.8.0.2:22
|-
| External Interface || ens6
|-
| VPN Interface || tun0
|-
| VPN Subnet || 10.8.0.0/24
|-
| VPS Public IP || 87.106.61.62
|-
| Synology VPN IP || 10.8.0.2
|-
| Cloud Provider || IONOS
|-
| IONOS Panel || https://dcd.ionos.com/
|}
== Contact & Support ==

If issues persist after following this guide:
= Check all diagnostic commands above =
= Review kernel logs: <code>dmesg | tail -50</code> =
= Check OpenVPN logs: <code>journalctl -u openvpn-server@server.service -n 100</code> =
= '''Verify IONOS firewall settings''' (most common issue): =
'' Log in to IONOS Cloud Panel: https://dcd.ionos.com/
'' Navigate to Server & Cloud → Servers → [Your VPS] → Firewall
'' Verify port 22222 is allowed with proper priority
= Check IONOS support documentation or contact IONOS support if firewall is correctly configured =

[[Category:Documentation]]
[[Category:Documentation/Troubleshooting]]

Troubleshooting:Port Forwarding Troubleshooting - Revision history

Josh: Major update - troubleshooting guide: Port Forwarding Troubleshooting Guide (108 sections) (troubleshooting)

Josh: Content added - troubleshooting guide: Port Forwarding Troubleshooting Guide (32 sections) (troubleshooting)

Josh: Added troubleshooting guide: Port Forwarding Troubleshooting Guide (troubleshooting)