Troubleshooting:Port Forwarding Troubleshooting: Difference between revisions

This guide covers troubleshooting for SSH port forwarding from the VPS (port 22222) to the Synology NAS (10.8.0.2:22) via OpenVPN.

Port Forwarding Configuration:

• External Access: ssh -p 22222 user@87.106.61.62

• Internal Target: 10.8.0.2:22 (Synology NAS via VPN)

• Network Interface: ens6 (external interface)

• VPN Interface: tun0 (OpenVPN tunnel)

• Cloud Provider: IONOS

---

Important: This VPS is running on IONOS. The IONOS firewall must be configured to allow traffic on port 22222.

IONOS uses a cloud firewall that must be configured through the IONOS Cloud Panel:

  * Navigate to: https://dcd.ionos.com/

  * Select your Data Center → Server & Cloud → Servers

  * Select your VPS server

  * Go to Firewall section

  * Click Add Rule or edit existing rules

  * Name: SSH Port Forward (or any descriptive name)

  * Protocol: TCP

  * Port: 22222

  * Source: 0.0.0.0/0 (or restrict to specific IPs for security)

  * Action: Allow

  * Priority: Set appropriate priority (lower numbers = higher priority)

  * Save the firewall rule

  * Changes are applied immediately (no server restart required)

  * Ensure the firewall rule is active and enabled

  * Check that no higher-priority DROP rules are blocking the port

  * Verify the rule applies to the correct network interface

• Firewall Location: IONOS firewall is managed at the cloud infrastructure level, not on the VPS

• No Security Groups: IONOS uses a direct firewall per server, not security groups

• Rule Priority: Lower priority numbers are evaluated first

• Immediate Effect: Firewall changes take effect immediately without server restart

• Multiple Rules: You can have multiple rules; ensure no conflicting DROP rules have higher priority

If you suspect the IONOS firewall is blocking traffic:

  * Verify the firewall rule exists and is enabled

  * Check rule priority (lower numbers = higher priority)

  * Ensure no DROP rules are blocking the port

=== Test from external IP (not from the VPS itself) ===
   ssh -v -p 22222 user@87.106.61.62

=== On the VPS, check if packets are hitting iptables rules ===
   iptables -t nat -L PREROUTING -n -v | grep 22222
=== If packet count doesn't increase, packets are blocked before reaching VPS ===

---

Run these commands to verify the setup is working:

=== 1. Check if VPN is running ===
systemctl status openvpn-server@server.service

== 2. Verify VPN tunnel is up ==
ip addr show tun0

== 3. Check if Synology is connected to VPN ==
ping -c 2 10.8.0.2
cat /etc/openvpn/server/ipp.txt | grep "10.8.0.2"

== 4. Verify iptables rules are active ==
iptables -t nat -L PREROUTING -n -v | grep 22222
iptables -t filter -L FORWARD -n -v | grep "10.8.0.2"

== 5. Check IP forwarding is enabled ==
cat /proc/sys/net/ipv4/ip_forward  # Should output: 1

== 6. Verify SSH is NOT listening on port 22222 (should only be on 22) ==
ss -tlnp | grep 22222  # Should return nothing

---

DNAT Rule (PREROUTING):

iptables -t nat -A PREROUTING -i ens6 -p tcp --dport 22222 -j DNAT --to-destination 10.8.0.2:22

• Purpose: Redirects incoming traffic on port 22222 to the Synology NAS

• Interface: ens6 (external/public interface)

• Direction: Incoming → Forwarded

MASQUERADE Rule (POSTROUTING):

iptables -t nat -A POSTROUTING -d 10.8.0.2/32 -o tun0 -p tcp --dport 22 -j MASQUERADE

• Purpose: Handles source NAT for forwarded traffic so return packets route correctly

• Interface: tun0 (VPN tunnel)

• Direction: Outgoing forwarded traffic

FORWARD Rule:

iptables -t filter -A FORWARD -d 10.8.0.2/32 -p tcp --dport 22 -j ACCEPT

• Purpose: Allows forwarding packets to the Synology SSH port

• Direction: Forwarded traffic

Files:

• /etc/iptables/rules.v4 - Saved iptables rules

• /etc/openvpn/server/server.conf - OpenVPN configuration

• /etc/openvpn/iptables-restore.sh - Script that restores rules when VPN starts

• /etc/sysctl.conf - Contains net.ipv4.ip_forward=1

Services:

• netfilter-persistent - Loads iptables rules on boot

• openvpn-server@server.service - OpenVPN server service

---

Symptoms:

• ssh -p 22222 user@87.106.61.62 times out

• No response from the server

Diagnostic Steps:

=== Watch kernel logs for DNAT rule hits ===
=== Note: On systems using journald, kern.log may not exist. Use dmesg instead. ===
   tail -f /var/log/kern.log | grep "DNAT-22222" 2>/dev/null || \
   dmesg -w | grep "DNAT-22222"
   
=== Or check recent logs ===
   dmesg | tail -30 | grep "DNAT-22222"

  * IONOS Cloud Panel: Log in to https://dcd.ionos.com/

  * Navigate to: Server & Cloud → Servers → [Your VPS] → Firewall

  * Verify TCP port 22222 has an ALLOW rule configured

  * Check rule priority (lower numbers = higher priority)

  * Ensure no DROP rules with higher priority are blocking the port

  * This is the most common cause of timeouts on IONOS

  * See "IONOS Cloud Provider Configuration" section above for detailed steps

   systemctl status openvpn-server@server.service
   ip link show tun0

   ping -c 2 10.8.0.2
   cat /etc/openvpn/server/ipp.txt

Solution:

• If no logs appear: Check IONOS firewall in Cloud Panel (most common issue)

 * Verify port 22222 is allowed in IONOS firewall rules

 * Check rule priority and ensure no blocking rules override it

• If logs appear but connection fails: Check Synology VPN connection

• If Synology is not in ipp.txt: Reconnect Synology to VPN

---

Symptoms:

• Port forwarding works initially

• After reboot, connections time out

Diagnostic Steps:

   iptables -t nat -L PREROUTING -n -v | grep 22222

  * If rule is missing, rules weren't loaded

   systemctl is-enabled netfilter-persistent
   systemctl is-enabled openvpn-server@server.service

   grep "script-security\|up" /etc/openvpn/server/server.conf

  * Should show: script-security 2 and up /etc/openvpn/iptables-restore.sh

   ls -la /etc/openvpn/iptables-restore.sh
   cat /etc/openvpn/iptables-restore.sh

Solution:

== Manually restore rules ==
iptables-restore < /etc/iptables/rules.v4

== Verify rules are saved correctly ==
iptables-save > /etc/iptables/rules.v4

== Ensure services are enabled ==
systemctl enable netfilter-persistent
systemctl enable openvpn-server@server.service

---

Symptoms:

• Rules exist but forwarding doesn't work

• Interface name mismatch

Diagnostic Steps:

   ip route | grep default
=== Output: default via 87.106.61.1 dev ens6 ... ===

   iptables -t nat -L PREROUTING -n -v | grep 22222
=== Should show: -i ens6 (or your actual interface) ===

   grep "22222" /etc/iptables/rules.v4

Solution:

== Fix the interface in the rules file ==
sed -i 's/-i eth0/-i ens6/g' /etc/iptables/rules.v4

== Or manually edit /etc/iptables/rules.v4 ==
== Change: -A PREROUTING -i eth0 ... ==
== To:     -A PREROUTING -i ens6 ... ==

== Reload rules ==
iptables-restore < /etc/iptables/rules.v4

---

Symptoms:

• Port 22222 is being used by SSH

• Connection connects but to wrong server

Diagnostic Steps:

   ss -tlnp | grep 22222

   grep "^Port" /etc/ssh/sshd_config

Solution:

== Remove port 22222 from SSH config ==
sed -i '/^Port 22222$/d' /etc/ssh/sshd_config

== Restart SSH ==
systemctl restart sshd

== Verify port 22222 is free ==
ss -tlnp | grep 22222  # Should return nothing

---

Symptoms:

• OpenVPN service fails to start

• Error messages about script-security

Diagnostic Steps:

   systemctl status openvpn-server@server.service
   journalctl -u openvpn-server@server.service -n 50

   WARNING: External program may not be called unless '--script-security 2' or higher is enabled

Solution:

== Add script-security to OpenVPN config ==
echo "script-security 2" >> /etc/openvpn/server/server.conf

== Restart OpenVPN ==
systemctl restart openvpn-server@server.service

---

Symptoms:

• Rules exist but forwarding doesn't work

• Can't reach Synology even though VPN is up

Diagnostic Steps:

   cat /proc/sys/net/ipv4/ip_forward
=== Should output: 1 ===

   grep "ip_forward" /etc/sysctl.conf

Solution:

== Enable forwarding ==
echo 1 > /proc/sys/net/ipv4/ip_forward

== Make it persistent ==
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

---

echo "=== Port Forwarding Status ===" && \
echo "" && \
echo "1. DNAT Rule:" && \
iptables -t nat -L PREROUTING -n -v | grep 22222 && \
echo "" && \
echo "2. FORWARD Rules:" && \
iptables -t filter -L FORWARD -n -v | grep "10.8.0.2" && \
echo "" && \
echo "3. POSTROUTING (MASQUERADE):" && \
iptables -t nat -L POSTROUTING -n -v | grep "10.8.0.2\|MASQUERADE" && \
echo "" && \
echo "4. VPN Status:" && \
ip addr show tun0 2>/dev/null | grep "inet " && \
echo "" && \
echo "5. Synology Reachability:" && \
ping -c 1 -W 2 10.8.0.2 2>&1 | grep -E "bytes from|time=" || echo "Not reachable"

==== Watch for incoming connections ====
== Note: On systems using journald, kern.log may not exist. Use dmesg instead. ==
tail -f /var/log/kern.log | grep -E "DNAT-22222|FWD-to-Synology" 2>/dev/null || \
dmesg -w | grep -E "DNAT-22222|FWD-to-Synology"

== Or use tcpdump ==
tcpdump -i ens6 -n tcp port 22222

== Monitor iptables counters ==
watch -n 1 'iptables -t nat -L PREROUTING -n -v | grep 22222'

==== Test direct connection to Synology ====
ssh -o ConnectTimeout=5 -p 22 user@10.8.0.2 "echo 'Direct connection works'"

== Test if port forwarding rule is active (from external IP) ==
timeout 5 nc -zv 87.106.61.62 22222

---

If port forwarding stops working, restore the complete configuration:

=== 1. Restore iptables rules ===
iptables-restore < /etc/iptables/rules.v4

== 2. Verify rules are loaded ==
iptables -t nat -L PREROUTING -n -v | grep 22222

== 3. Restart OpenVPN (will also restore rules via up script) ==
systemctl restart openvpn-server@server.service

== 4. Verify VPN is up ==
ip addr show tun0

== 5. Check Synology connection ==
ping -c 2 10.8.0.2

---

Complete iptables rules including:

• DNAT rule for port 22222

• FORWARD rule for Synology

• MASQUERADE rule for return traffic

• Logging rules for debugging

OpenVPN server configuration with:

• script-security 2 - Allows up/down scripts

• up /etc/openvpn/iptables-restore.sh - Restores rules when VPN starts

Script that restores iptables rules when OpenVPN tunnel comes up.

Contains net.ipv4.ip_forward=1 to enable IP forwarding.

---

After making changes to iptables rules:

==== Save current rules ====
iptables-save > /etc/iptables/rules.v4

== Verify they're correct ==
cat /etc/iptables/rules.v4 | grep 22222

To forward additional ports:

==== Add DNAT rule ====
iptables -t nat -A PREROUTING -i ens6 -p tcp --dport <EXTERNAL_PORT> \
  -j DNAT --to-destination 10.8.0.2:<INTERNAL_PORT>

== Add FORWARD rule ==
iptables -t filter -A FORWARD -d 10.8.0.2 -p tcp --dport <INTERNAL_PORT> -j ACCEPT

== Save rules ==
iptables-save > /etc/iptables/rules.v4

---

Component	Value
External Port	22222
Internal Target	10.8.0.2:22
External Interface	ens6
VPN Interface	tun0
VPN Subnet	10.8.0.0/24
VPS Public IP	87.106.61.62
Synology VPN IP	10.8.0.2
Cloud Provider	IONOS
IONOS Panel	https://dcd.ionos.com/

If issues persist after following this guide:

  * Log in to IONOS Cloud Panel: https://dcd.ionos.com/

  * Navigate to Server & Cloud → Servers → [Your VPS] → Firewall

  * Verify port 22222 is allowed with proper priority