I'm switching VPN providers and the one I decided to go with is ProtonVPN, as it works the same way with wireguard that I'm used to. Just move the .conf file to /etc/wireguard/ and then control it through WG.
Now the main issue comes in the port forwarding part. I'm used to static port forwarding, which is for example provided by AirVPN. I could just set a default rule to deny all incoming and then allow specific ports to come through. But with dynamic port forwarding I'm really not sure how to go about it in terms of the firewall rules. One solution in NordVPN's documentation (https://protonvpn.com/support/port-forw … ual-setup/) is related to using a script utilizing natpmpc, but I don't really like that approach.
Is there no other way? I also heard that it might not be a good idea to deny all incoming by default (as a firewall rule), and that instead it is better to "know what you're doing", although I have no basis for that statement.
Thanks in advance.
Last edited by bowlin (2025-04-05 20:32:16)
I'm struggling to understand the issue.
My best guess is this: You treat the endpoint of your VPN provider as a SOHO router and want to forward a port (or ports) from the public VPN-provided-IP to your private tunnel-IP for whatever reason.
What do you mean with "static" and "dynamic" in this context? What is changing? And why?
My bad, let me try to explain a bit more clearly:
Static in this case is referring to the port number being static. I can just assign a port to be forwarded on the VPN and the port number stays the same. With dynamic forwarding, the port number essentially changes every time I connect to the VPN. This is presumably done to prevent abuse (?)
-- Edit --
End goal here is to switch to, let's say, ProtonVPN and be able to use it although the port changes often.
On another provider I just had a UFW rule which allowed port X to come in and since it never changed, it worked perfectly. Also the purpose of it all is torrenting.
Last edited by bowlin (2025-04-05 13:31:19)
I've read through the ProtonVPN documentation for clarification and this is what I think happens: you can only activate NAT-PMP on the server (ProtonVPN) side. You need a NAT-PMP client to initiate port forwarding from a random port outside of your control.
And now you want to set up a UFW rule allowing incoming traffic with only this port number?
Correct?
Yep, that's right. If UFW rules weren't in the way it'd be easy. But I also want to be relatively secure.
Thank you for taking the time to read through the documentation to understand my issue a bit better
Last edited by bowlin (2025-04-05 13:50:21)
I can only see a manual way.
Since you already have to manually change the port for your torrent client you can write a small shell script replacing the port forwarding rule with a new one with the new port number like:
./changefwdport 51187
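The kind of script the reply above has in mind, written out as an added example (it is not from the thread or from ProtonVPN's guide). It assumes ProtonVPN's in-tunnel gateway 10.2.0.1 (the address their natpmpc instructions use), a WireGuard interface named wg0, a state file under /run, and that `natpmpc` and `ufw` are on PATH; all of these are overridable through environment variables. The parsing and rule rotation are split into functions so they can be exercised without touching the real firewall: `parse_mapped_port` pulls the assigned port out of natpmpc's "Mapped public port N protocol ..." line, and `rotate_ufw_rule` deletes the allow rule for the previous port and adds one for the new port, doing nothing when the port has not changed.

```shell
#!/bin/sh
# Follow ProtonVPN's NAT-PMP port across reconnects and keep exactly one
# UFW allow rule in sync with it. Added example; assumptions: gateway
# 10.2.0.1, interface wg0, state in /run/protonvpn-port (all overridable).
set -eu

GATEWAY="${GATEWAY:-10.2.0.1}"          # ProtonVPN's in-tunnel gateway
IFACE="${IFACE:-wg0}"                   # name of your wg-quick interface
STATE_FILE="${STATE_FILE:-/run/protonvpn-port}"
UFW="${UFW:-ufw}"                       # overridable for dry runs / tests
NATPMPC="${NATPMPC:-natpmpc}"

# Read natpmpc output on stdin and print the public port it reports.
# Prints nothing when no mapping line is present (e.g. on an error reply).
parse_mapped_port() {
    sed -n 's/^Mapped public port \([0-9][0-9]*\) protocol .*/\1/p' | head -n 1
}

# Ask the gateway for a UDP and a TCP mapping (60 s lifetime, so this must
# be re-run regularly). Proton hands out the same port for both, so the
# port is taken from the UDP response.
request_port() {
    "$NATPMPC" -a 1 0 udp 60 -g "$GATEWAY" | parse_mapped_port
    "$NATPMPC" -a 1 0 tcp 60 -g "$GATEWAY" >/dev/null
}

# Replace the allow rule for port $1 with one for port $2.
# Idempotent: same port -> no change; empty old port -> only add.
rotate_ufw_rule() {
    old="$1"
    new="$2"
    case "$new" in
        ''|*[!0-9]*) echo "invalid port: '$new'" >&2; return 1 ;;
    esac
    if [ "$old" = "$new" ]; then
        return 0
    fi
    if [ -n "$old" ]; then
        # Tolerate a rule that is already gone (e.g. after a reboot).
        "$UFW" delete allow in on "$IFACE" to any port "$old" || true
    fi
    "$UFW" allow in on "$IFACE" to any port "$new"
}

main() {
    old=""
    [ -f "$STATE_FILE" ] && old=$(cat "$STATE_FILE")
    new=$(request_port)
    rotate_ufw_rule "$old" "$new"
    printf '%s\n' "$new" > "$STATE_FILE"
    echo "forwarded port: $new"
}

# Only act when invoked explicitly, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `protonvpn-port.sh --run` from a loop or a systemd timer that fires more often than the 60 s mapping lifetime (ProtonVPN's own guide sleeps 45 s between natpmpc calls), and feed the printed port to the torrent client. The default `ufw default deny incoming` stays in place; the script only ever owns the single allow rule for the current port, and it fails closed: if natpmpc returns no mapping, `rotate_ufw_rule` rejects the empty port and no rule is opened.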
Yeah, I guess there's no way around it. It just kinda freaks me out to rely on scripts for something like firewall rules.