
Troubleshooting:Port Forwarding Troubleshooting

From jb-vpn.uk Wiki
Revision as of 13:16, 1 January 2026 by Josh (talk | contribs) (Added troubleshooting guide: Port Forwarding Troubleshooting Guide (troubleshooting))

Port Forwarding Troubleshooting Guide

Overview

This guide covers troubleshooting for SSH port forwarding from the VPS (port 22222) to the Synology NAS (10.8.0.2:22) via OpenVPN.

Port Forwarding Configuration:

   External Access: ssh -p 22222 user@87.106.61.62
   Internal Target: 10.8.0.2:22 (Synology NAS via VPN)
   Network Interface: ens6 (external interface)
   VPN Interface: tun0 (OpenVPN tunnel)
   Cloud Provider: IONOS


IONOS Cloud Provider Configuration

Important: This VPS is running on IONOS. The IONOS firewall must be configured to allow traffic on port 22222.

IONOS Firewall Configuration

IONOS uses a cloud firewall that must be configured through the IONOS Cloud Panel:

Log in to IONOS Cloud Panel:

   Navigate to: https://dcd.ionos.com/
   Select your Data Center → Server & Cloud → Servers

Configure Firewall Rules:

   Select your VPS server
   Go to Firewall section
   Click Add Rule or edit existing rules

Add Firewall Rule for Port 22222:

   Name: SSH Port Forward (or any descriptive name)
   Protocol: TCP
   Port: 22222
   Source: 0.0.0.0/0 (or restrict to specific IPs for security)
   Action: Allow
   Priority: Set appropriate priority (lower numbers = higher priority)

Apply Changes:

   Save the firewall rule
   Changes are applied immediately (no server restart required)

Verify IONOS Firewall:

   Ensure the firewall rule is active and enabled
   Check that no higher-priority DROP rules are blocking the port
   Verify the rule applies to the correct network interface

IONOS-Specific Notes

   Firewall Location: IONOS firewall is managed at the cloud infrastructure level, not on the VPS
   No Security Groups: IONOS uses a direct firewall per server, not security groups
   Rule Priority: Lower priority numbers are evaluated first
   Immediate Effect: Firewall changes take effect immediately without server restart
   Multiple Rules: You can have multiple rules; ensure no conflicting DROP rules have higher priority

Testing IONOS Firewall

If you suspect the IONOS firewall is blocking traffic:

Check IONOS Cloud Panel:

   Verify the firewall rule exists and is enabled
   Check rule priority (lower numbers = higher priority)
   Ensure no DROP rules are blocking the port

Test from different locations:

   # Test from external IP (not from the VPS itself)
   ssh -v -p 22222 user@87.106.61.62

Check if packets reach the VPS:

   # On the VPS, check if packets are hitting iptables rules
   iptables -t nat -L PREROUTING -n -v | grep 22222
   # If packet count doesn't increase, packets are blocked before reaching VPS

Quick Verification Checklist

Run these commands to verify the setup is working:

# 1. Check if VPN is running
systemctl status openvpn-server@server.service

# 2. Verify VPN tunnel is up
ip addr show tun0

# 3. Check if Synology is connected to VPN
ping -c 2 10.8.0.2
grep "10.8.0.2" /etc/openvpn/server/ipp.txt

# 4. Verify iptables rules are active
iptables -t nat -L PREROUTING -n -v | grep 22222
iptables -t filter -L FORWARD -n -v | grep "10.8.0.2"

# 5. Check IP forwarding is enabled
cat /proc/sys/net/ipv4/ip_forward  # Should output: 1

# 6. Verify SSH is NOT listening on port 22222 (should only be on 22)
ss -tlnp | grep 22222  # Should return nothing

Components Explained

1. iptables NAT Rules (Port Forwarding)

DNAT Rule (PREROUTING):

iptables -t nat -A PREROUTING -i ens6 -p tcp --dport 22222 -j DNAT --to-destination 10.8.0.2:22

   Purpose: Redirects incoming traffic on port 22222 to the Synology NAS
   Interface: ens6 (external/public interface)
   Direction: Incoming → Forwarded

MASQUERADE Rule (POSTROUTING):

iptables -t nat -A POSTROUTING -d 10.8.0.2/32 -o tun0 -p tcp --dport 22 -j MASQUERADE

   Purpose: Handles source NAT for forwarded traffic so return packets route correctly
   Interface: tun0 (VPN tunnel)
   Direction: Outgoing forwarded traffic

2. iptables Filter Rules (Firewall)

FORWARD Rule:

iptables -t filter -A FORWARD -d 10.8.0.2/32 -p tcp --dport 22 -j ACCEPT

   Purpose: Allows forwarding packets to the Synology SSH port
   Direction: Forwarded traffic

3. Persistence Configuration

Files:

   /etc/iptables/rules.v4 - Saved iptables rules
   /etc/openvpn/server/server.conf - OpenVPN configuration
   /etc/openvpn/iptables-restore.sh - Script that restores rules when VPN starts
   /etc/sysctl.conf - Contains net.ipv4.ip_forward=1

Services:

   netfilter-persistent - Loads iptables rules on boot
   openvpn-server@server.service - OpenVPN server service


Common Issues and Solutions

Issue 1: Connection Timeout from External

Symptoms:

   ssh -p 22222 user@87.106.61.62 times out
   No response from the server

Diagnostic Steps:

Check if packets are reaching the VPS:

   # Watch kernel logs for DNAT rule hits
   # Note: On systems using journald, kern.log may not exist. Use dmesg instead.
   # (--line-buffered makes grep show each hit as it arrives instead of buffering)
   if [ -r /var/log/kern.log ]; then
       tail -f /var/log/kern.log | grep --line-buffered "DNAT-22222"
   else
       dmesg -w | grep --line-buffered "DNAT-22222"
   fi

   # Or check recent logs
   dmesg | tail -30 | grep "DNAT-22222"

Check IONOS cloud firewall:

   IONOS Cloud Panel: Log in to https://dcd.ionos.com/
   Navigate to: Server & Cloud → Servers → [Your VPS] → Firewall
   Verify TCP port 22222 has an ALLOW rule configured
   Check rule priority (lower numbers = higher priority)
   Ensure no DROP rules with higher priority are blocking the port
   This is the most common cause of timeouts on IONOS
   See "IONOS Cloud Provider Configuration" section above for detailed steps

Verify VPN is running:

   systemctl status openvpn-server@server.service
   ip link show tun0

Check if Synology is connected:

   ping -c 2 10.8.0.2
   cat /etc/openvpn/server/ipp.txt

Solution:

If no logs appear: Check IONOS firewall in Cloud Panel (most common issue)

   Verify port 22222 is allowed in IONOS firewall rules
   Check rule priority and ensure no blocking rules override it

If logs appear but connection fails: Check Synology VPN connection

If Synology is not in ipp.txt: Reconnect Synology to VPN


Issue 2: Port Forwarding Not Working After Reboot

Symptoms:

   Port forwarding works initially
   After reboot, connections time out

Diagnostic Steps:

Check if iptables rules are loaded:

   iptables -t nat -L PREROUTING -n -v | grep 22222
   # If the rule is missing, the rules weren't loaded

Verify persistence services are enabled:

   systemctl is-enabled netfilter-persistent
   systemctl is-enabled openvpn-server@server.service

Check OpenVPN configuration:

   # Anchor the pattern so unrelated options containing "up" are not matched
   grep -E "^(script-security|up) " /etc/openvpn/server/server.conf
   # Should show: script-security 2 and up /etc/openvpn/iptables-restore.sh

Verify iptables-restore script exists:

   ls -la /etc/openvpn/iptables-restore.sh
   cat /etc/openvpn/iptables-restore.sh

Solution:

# Manually restore rules
iptables-restore < /etc/iptables/rules.v4

# Verify rules are saved correctly
iptables-save > /etc/iptables/rules.v4

# Ensure services are enabled
systemctl enable netfilter-persistent
systemctl enable openvpn-server@server.service

Issue 3: Wrong Network Interface

Symptoms:

   Rules exist but forwarding doesn't work
   Interface name mismatch

Diagnostic Steps:

Identify the correct external interface:

   ip route | grep default
   # Output: default via 87.106.61.1 dev ens6 ...

Check iptables rule interface:

   # -S prints the rule in command form, so the -i option is visible
   iptables -t nat -S PREROUTING | grep 22222
   # Should show: -i ens6 (or your actual interface)

Check saved rules file:

   grep "22222" /etc/iptables/rules.v4

Solution:

# Fix the interface in the rules file
sed -i 's/-i eth0/-i ens6/g' /etc/iptables/rules.v4

# Or manually edit /etc/iptables/rules.v4
# Change: -A PREROUTING -i eth0 ...
# To:     -A PREROUTING -i ens6 ...

# Reload rules
iptables-restore < /etc/iptables/rules.v4

Issue 4: SSH Conflicts with Port Forwarding

Symptoms:

   Port 22222 is being used by SSH
   Connection connects but to the wrong server

Diagnostic Steps:

Check what's listening on port 22222:

   ss -tlnp | grep 22222

Check SSH configuration:

   grep "^Port" /etc/ssh/sshd_config

Solution:

# Remove port 22222 from SSH config
sed -i '/^Port 22222$/d' /etc/ssh/sshd_config

# Restart SSH
systemctl restart sshd

# Verify port 22222 is free
ss -tlnp | grep 22222  # Should return nothing

Issue 5: VPN Not Starting

Symptoms:

   OpenVPN service fails to start
   Error messages about script-security

Diagnostic Steps:

Check OpenVPN status:

   systemctl status openvpn-server@server.service
   journalctl -u openvpn-server@server.service -n 50

Common error:

   WARNING: External program may not be called unless '--script-security 2' or higher is enabled

Solution:

# Add script-security to OpenVPN config (only if not already present)
grep -q "^script-security" /etc/openvpn/server/server.conf || \
  echo "script-security 2" >> /etc/openvpn/server/server.conf

# Restart OpenVPN
systemctl restart openvpn-server@server.service

Issue 6: IP Forwarding Disabled

Symptoms:

   Rules exist but forwarding doesn't work
   Can't reach Synology even though VPN is up

Diagnostic Steps:

Check if forwarding is enabled:

   cat /proc/sys/net/ipv4/ip_forward
   # Should output: 1

Check if it's in sysctl.conf:

   # Anchored so a commented-out "#net.ipv4.ip_forward=1" line does not count as enabled
   grep "^net.ipv4.ip_forward" /etc/sysctl.conf

Solution:

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Make it persistent (append only if not already set)
grep -q "^net.ipv4.ip_forward" /etc/sysctl.conf || \
  echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

Diagnostic Commands

Check Complete Forwarding Chain

# Each step prints its own result rather than stopping at the first failure,
# so a missing rule shows up as MISSING instead of silently ending the chain.
echo "=== Port Forwarding Status ==="
echo "1. DNAT Rule:"
iptables -t nat -L PREROUTING -n -v | grep 22222 || echo "   MISSING"
echo "2. FORWARD Rules:"
iptables -t filter -L FORWARD -n -v | grep "10.8.0.2" || echo "   MISSING"
echo "3. POSTROUTING (MASQUERADE):"
iptables -t nat -L POSTROUTING -n -v | grep "10.8.0.2\|MASQUERADE" || echo "   MISSING"
echo "4. VPN Status:"
ip addr show tun0 2>/dev/null | grep "inet " || echo "   tun0 down or absent"
echo "5. Synology Reachability:"
ping -c 1 -W 2 10.8.0.2 2>&1 | grep -E "bytes from|time=" || echo "   Not reachable"

Monitor Connection Attempts

# Watch for incoming connections
# Note: On systems using journald, kern.log may not exist. Use dmesg instead.
if [ -r /var/log/kern.log ]; then
    tail -f /var/log/kern.log | grep --line-buffered -E "DNAT-22222|FWD-to-Synology"
else
    dmesg -w | grep --line-buffered -E "DNAT-22222|FWD-to-Synology"
fi

# Or use tcpdump
tcpdump -i ens6 -n tcp port 22222

# Monitor iptables counters
watch -n 1 'iptables -t nat -L PREROUTING -n -v | grep 22222'
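Once the LOG rules in rules.v4 are producing DNAT-22222 lines, the question a defender wants answered is which source addresses are hitting the exposed port and how often. The script below is an added example, not from this wiki; it assumes the LOG rule uses the prefix "DNAT-22222: " and counts only TCP SYNs, so each matching line is one connection attempt. The sample log lines are constructed.

```shell
#!/bin/sh
# Summarise iptables LOG entries for the forwarded port (added example, not the
# wiki's own tooling). Assumes --log-prefix "DNAT-22222: " on the LOG rule and
# input from dmesg or /var/log/kern.log.
# Usage: dmesg | summarize_dnat_log      or      summarize_dnat_log < kern.log

# Print "count source_ip" per source, busiest first, counting only TCP SYNs to
# DPT=22222 so that one line equals one new connection attempt.
summarize_dnat_log() {
    awk '
        /DNAT-22222/ && /DPT=22222/ && /PROTO=TCP/ && / SYN/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { split($i, kv, "="); n[kv[2]]++ }
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn -k1,1
}

# Print sources whose attempt count reaches a threshold (default 10); on an
# internet-exposed SSH port these are the scanners and brute-forcers worth
# blocking at the IONOS firewall or in the PREROUTING chain.
flag_noisy_sources() {
    threshold="${1:-10}"
    summarize_dnat_log | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Constructed sample lines in the kernel LOG format (not real traffic).
SAMPLE_LOG='[ 101.1] DNAT-22222: IN=ens6 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=87.106.61.62 LEN=60 PROTO=TCP SPT=40001 DPT=22222 WINDOW=64240 RES=0x00 SYN URGP=0
[ 101.2] DNAT-22222: IN=ens6 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=87.106.61.62 LEN=60 PROTO=TCP SPT=40002 DPT=22222 WINDOW=64240 RES=0x00 SYN URGP=0
[ 101.3] DNAT-22222: IN=ens6 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=87.106.61.62 LEN=60 PROTO=TCP SPT=40003 DPT=22222 WINDOW=64240 RES=0x00 SYN URGP=0
[ 102.0] DNAT-22222: IN=ens6 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=87.106.61.62 LEN=60 PROTO=TCP SPT=51000 DPT=22222 WINDOW=64240 RES=0x00 SYN URGP=0
[ 103.0] FWD-to-Synology: IN=ens6 OUT=tun0 SRC=198.51.100.7 DST=10.8.0.2 LEN=60 PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# Run the summary over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_dnat_log
```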

Test Connection from VPS

# Test direct connection to Synology
ssh -o ConnectTimeout=5 -p 22 user@10.8.0.2 "echo 'Direct connection works'"

# Test if port forwarding rule is active (from external IP)
timeout 5 nc -zv 87.106.61.62 22222

Restore Configuration After Issues

If port forwarding stops working, restore the complete configuration:

# 1. Restore iptables rules
iptables-restore < /etc/iptables/rules.v4

# 2. Verify rules are loaded
iptables -t nat -L PREROUTING -n -v | grep 22222

# 3. Restart OpenVPN (will also restore rules via up script)
systemctl restart openvpn-server@server.service

# 4. Verify VPN is up
ip addr show tun0

# 5. Check Synology connection
ping -c 2 10.8.0.2

Configuration Files Reference

/etc/iptables/rules.v4

Complete iptables rules including:

   DNAT rule for port 22222
   FORWARD rule for Synology
   MASQUERADE rule for return traffic
   Logging rules for debugging

/etc/openvpn/server/server.conf

OpenVPN server configuration with:

   script-security 2 - Allows up/down scripts
   up /etc/openvpn/iptables-restore.sh - Restores rules when VPN starts

/etc/openvpn/iptables-restore.sh

Script that restores iptables rules when OpenVPN tunnel comes up.

/etc/sysctl.conf

Contains net.ipv4.ip_forward=1 to enable IP forwarding.


Maintenance

Update Rules

After making changes to iptables rules:

# Save current rules
iptables-save > /etc/iptables/rules.v4

# Verify they're correct
grep 22222 /etc/iptables/rules.v4

Add More Port Forwards

To forward additional ports:

# Add DNAT rule
iptables -t nat -A PREROUTING -i ens6 -p tcp --dport <EXTERNAL_PORT> \
  -j DNAT --to-destination 10.8.0.2:<INTERNAL_PORT>

# Add FORWARD rule
iptables -t filter -A FORWARD -d 10.8.0.2 -p tcp --dport <INTERNAL_PORT> -j ACCEPT

# Save rules
iptables-save > /etc/iptables/rules.v4
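An added helper for the procedure above (example code, not the wiki's script): it validates both ports, refuses an external port that something on the VPS already listens on (the Issue 4 conflict), uses iptables -C so re-running it never duplicates rules, and adds a MASQUERADE rule for the new internal port, since the MASQUERADE rule on this page matches only --dport 22. Interface names and the NAS address are this page's values; EXT_IF, VPN_IF, NAS_IP and RULES_FILE are assumed variable names.

```shell
#!/bin/sh
# Idempotent helper for "Add More Port Forwards" (added example, not the wiki's
# own script). Defaults are this page's values; environment variables override.
EXT_IF="${EXT_IF:-ens6}"; VPN_IF="${VPN_IF:-tun0}"; NAS_IP="${NAS_IP:-10.8.0.2}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# Accept only a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Rule specs without the -A/-C verb, so one spec serves both check and append.
dnat_spec()    { echo "PREROUTING -i $EXT_IF -p tcp --dport $1 -j DNAT --to-destination $NAS_IP:$2"; }
forward_spec() { echo "FORWARD -d $NAS_IP/32 -p tcp --dport $1 -j ACCEPT"; }
# The page's MASQUERADE rule matches only --dport 22; each new internal port
# needs its own, or the NAS answers via its default route instead of the tunnel.
# Side effect: the NAS sees the VPS tunnel address as the client, so keep the
# LOG rules on the VPS if you need the real source address for auditing.
masq_spec()    { echo "POSTROUTING -d $NAS_IP/32 -o $VPN_IF -p tcp --dport $1 -j MASQUERADE"; }

# True if a local process already listens on TCP $1 (this page's Issue 4).
port_in_use_locally() {
    ss -tln 2>/dev/null | awk '{ print $4 }' | grep -q ":$1\$"
}

# Append a rule only if "iptables -C" reports it is not already present.
ensure_rule() { iptables -t "$1" -C $2 2>/dev/null || iptables -t "$1" -A $2; }

add_forward() {
    ext="$1"; int="$2"
    if ! valid_port "$ext" || ! valid_port "$int"; then
        echo "usage: add_forward EXTERNAL_PORT INTERNAL_PORT (1-65535)" >&2; return 2
    fi
    if port_in_use_locally "$ext"; then
        echo "TCP $ext is bound on the VPS; a forward would be shadowed by it" >&2; return 3
    fi
    ensure_rule nat    "$(dnat_spec "$ext" "$int")" &&
    ensure_rule filter "$(forward_spec "$int")"     &&
    ensure_rule nat    "$(masq_spec "$int")"        &&
    iptables-save > "$RULES_FILE"
}
```

Run it as root, for example `add_forward 8443 443`; a second run is a no-op apart from re-saving the rules file.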

Quick Reference

Component           Value
External Port       22222
Internal Target     10.8.0.2:22
External Interface  ens6
VPN Interface       tun0
VPN Subnet          10.8.0.0/24
VPS Public IP       87.106.61.62
Synology VPN IP     10.8.0.2
Cloud Provider      IONOS
IONOS Panel         https://dcd.ionos.com/

Contact & Support

If issues persist after following this guide:

Check all diagnostic commands above

Review kernel logs: dmesg | tail -50

Check OpenVPN logs: journalctl -u openvpn-server@server.service -n 100

Verify IONOS firewall settings (most common issue):

   Log in to IONOS Cloud Panel: https://dcd.ionos.com/
   Navigate to Server & Cloud → Servers → [Your VPS] → Firewall
   Verify port 22222 is allowed with proper priority

Check the IONOS support documentation or contact IONOS support if the firewall is correctly configured and the problem persists