Exactly the same 'restrictive' setup as scenario 1 above (so no port-forwarding enabled and UPnP off on the hardware gateway router), but this time I use a paid-for VPN service and establish a connection to a VPN server/exit-node in, say, France.
What exactly happens to my port-forwarding preferences, including the settings I've made on the hardware gateway and on the local Linux/Windows boxes?
@MrTumnusInfosec port forwarding won’t work through a VPN provider like that. The VPN *should* stomp on the default route, meaning that your port forwarding won’t work.
@jerry right, that's my initial thought, but then does that mean there are two places where port-forwarding needs to happen and be identical: on your endpoint's firewall AND on the VPN servers (with your local gateway's settings being ignored/bypassed with the VPN tunnel, of course)? Is there a protocol for communicating this to a VPN server's exit points?
@MrTumnusInfosec no, there’s no protocol for that. If you run the VPN, for example terminating at a Linux VPS, you can set up your own port forward rules, but otherwise no go. What are you trying to accomplish?
@jerry Learning/thought experiment, if I'm honest. I want to know how one can use a VPN and be in control of what ports on the 'other end' are used and/or forwarded, as I'd imagine that I share the VPN service provider's public IP but then lose the ability to publish services (tor, torrent, ftp, nextcloud). Who can set/affect this setting?
@MrTumnusInfosec the VPN provider is the only one that can. Typically, VPN providers don’t provide a 1:1 address translation; they use hide-NAT. In such cases, it’s really not feasible to permit inbound connections and divert them somewhere.
I am sure this would work fine if you are your own VPN provider, for example using a VPS, where you can set up those port forwarding rules.
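The "be your own VPN provider" case from the replies above, as an added example that is not part of the thread: a small POSIX sh script that generates (and, when asked, applies) the iptables rules a self-hosted VPN server on a VPS needs to forward one inbound port to a VPN client behind the tunnel. The interface names `eth0` (VPS public side) and `wg0` (tunnel side) and the client tunnel address `10.8.0.2` are assumptions, not values from the thread. This only makes sense where you control the exit node; with a commercial provider's hide-NAT there is no such hook, which is the point jerry makes.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the iptables rules for
# forwarding <public_port> on a self-hosted VPN server to a VPN client.
# Assumptions: PUB_IF=eth0 is the VPS public interface, VPN_IF=wg0 is the
# tunnel interface, the client is reachable at its tunnel address.
# Prerequisites when applying for real: run as root, and
#   sysctl -w net.ipv4.ip_forward=1
# The client's own host firewall must also accept the forwarded port;
# that is the "second place" the question above asks about.
#
# Usage: ./vpn-forward.sh <tcp|udp> <public_port> <client_ip> <client_port> [apply]

forward_rules() {
    proto=$1; pub_port=$2; client_ip=$3; client_port=$4
    pub_if=${PUB_IF:-eth0}
    vpn_if=${VPN_IF:-wg0}

    # Refuse anything but tcp/udp so a typo cannot produce a bogus rule.
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    # Both ports must be integers in 1..65535.
    for p in "$pub_port" "$client_port"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done

    # 1. Rewrite the destination of packets arriving on the public interface
    #    so they are routed down the tunnel to the client.
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$pub_if" "$proto" "$pub_port" "$client_ip" "$client_port"
    # 2. Allow exactly that forwarded flow (and nothing else) through FORWARD.
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$pub_if" "$vpn_if" "$proto" "$client_ip" "$client_port"
    # 3. Allow the client's replies back out; conntrack keeps it to existing flows.
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$vpn_if" "$pub_if"
}

# Only act when invoked with arguments; sourcing the file runs nothing.
if [ $# -ge 4 ]; then
    if [ "${5:-}" = "apply" ]; then
        forward_rules "$1" "$2" "$3" "$4" | sh -e   # dry run is the default
    else
        forward_rules "$1" "$2" "$3" "$4"
    fi
fi
```

Dry-running `./vpn-forward.sh tcp 443 10.8.0.2 8443` prints the three rules without touching the firewall; add `apply` as the fifth argument to execute them. Keep the FORWARD chain's default policy at DROP so the rules above remain the only path in, and remember that these rules live on the VPS, not on the home gateway, whose own forwards are bypassed once the tunnel takes over the default route.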
A Mastodon instance for info/cyber security-minded people.