Having trouble getting port forwarding to work for node setup

I set up the port forwarding, but when I go to a port checker website it says that port 28967 is closed, and it even says all ports are closed. I am pretty sure my public IP and the private IP for my Raspberry Pi are already static, so I think the issue is that, and I don’t think I need a DDNS name on No-IP since it looks like the IP addresses are already static.

I think the reason port forwarding isn’t working is that the WAN IP address on my router is different from the public IP address I get when I go to the yougetsignal website. How do I fix this to get port forwarding to work?

I am using a FRITZ!Box 6490 cable router if that helps at all.

Also, with the way I have things set up right now (meaning just the port forwarding settings I set in my router, which aren’t working for my Raspberry Pi), I ran the command
sudo netstat -lntup
but it didn’t say it was listening on port 28967. It did say it was listening on port 22, which I use to SSH to my Pi from my Mac.

I will also add that I started over entirely, but before I started over I was able to go to the 14002 GUI site, and it said that the node was offline and QUIC was not configured correctly, which I would assume was because the WAN and public IP addresses are not the same, so the port forwarding rule cannot work properly.

If anyone could help with this, that would be great, because I have been stuck on this for days at this point, looking at every guide online, which hasn’t really helped.

It sounds like your ISP uses CGNAT. Contact them and ask if you can get a public IPv4 address. It doesn’t need to be static; a dynamic IPv4 address will do too, but then you would need to set up DDNS. If they ask for a reason, tell them you need to access your security cameras.

1 Like
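The two checks the thread turns on (does the router’s WAN address match what an outside site reports, and is the node port actually listening on both TCP and UDP, which QUIC needs) can be scripted. This is an added example, not code from the thread or from Storj; the netstat sample and the IP addresses are constructed:

```python
import ipaddress

# RFC 6598 shared address space used by carrier-grade NAT, plus the RFC 1918
# private ranges; a WAN address in any of these means the router has no public IP.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_wan(router_wan_ip, observed_public_ip):
    """Compare the router's WAN address with the address an external site reports."""
    wan = ipaddress.ip_address(router_wan_ip)
    if wan in CGNAT_RANGE:
        return "cgnat"         # ISP shares one public IP; forwarding on the router cannot work
    if any(wan in net for net in PRIVATE_RANGES):
        return "double_nat"    # another NAT device sits between this router and the ISP
    if wan != ipaddress.ip_address(observed_public_ip):
        return "mismatch"      # public-looking WAN IP, but traffic is still translated upstream
    return "public"            # forwarding rules on this router should be reachable

# Constructed sample of `sudo netstat -lntup` output (not copied from the thread).
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd
tcp6       0      0 :::28967                :::*                    LISTEN      1337/docker-proxy
udp        0      0 0.0.0.0:68              0.0.0.0:*                           401/dhcpcd
"""

def listening_sockets(netstat_output):
    """Return a set of (proto, port) pairs for every listening socket in the output."""
    sockets = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0].rstrip("6")             # tcp6/udp6 are the IPv6 sockets of the same protocol
        port = int(fields[3].rsplit(":", 1)[1])   # handles 0.0.0.0:22 and :::28967 alike
        sockets.add((proto, port))
    return sockets

def node_port_status(netstat_output, port=28967):
    """QUIC needs UDP on the node port, so report TCP and UDP separately."""
    sockets = listening_sockets(netstat_output)
    return {"tcp": ("tcp", port) in sockets, "udp": ("udp", port) in sockets}
```

In the sample, TCP 28967 is listening but UDP is not, which is the combination that leaves the node reachable while the dashboard still reports QUIC as misconfigured.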

Hello @Pampas,
Welcome to the forum!

You have several options:

  • contact your current ISP and ask for a public IPv4 address; it can be dynamic, but it must be public (your WAN IP will match the IP on yougetsignal);
  • switch to another ISP which offers a public IPv4 address;
  • use a VPN provider with a port forwarding option, such as portmap.io, ngrok, PIA, AirVPN, PureVPN, etc.

@Alexey @donald.m.motsinger

So I tried using portmap.io with the configuration, but when I go to mapping rules and try to create one, this is the error I get in the picture below. It also looks like under configurations I can only add one for free, which means there would be no UDP, since it only lets me do TCP or UDP, one at a time for each configuration, which I think would be an issue.

For the IP address under create new rule I am using the local IP address of my Raspberry Pi. I also tried the public IP address for my Pi, but that didn’t work either.

Are you able to help me with this, and if so, how do I even implement this in my node? Is there a guide for this? It doesn’t seem like I would put my Pi’s IP address in the ADDRESS section of the docker run command anymore, but I could be wrong.

I am getting a new router soon, still from FRITZ!Box, so I don’t think it would really be worth contacting them, which is why I was trying this first. I originally started this just as a test to see if I could get it running, and then I would deactivate it and set up an actual one, but I haven’t been able to even get this one to run. :smiling_face_with_tear:


You must not specify the allowed IPs, or make them 0.0.0.0/0.
In the ADDRESS option of your docker run command you should specify your portmap address with the assigned port, i.e.

-p 28967:28967/tcp \
-e ADDRESS=lanceaddis.portmap.io:64250 \

Since I’m in the same boat here: you can also use Oracle Cloud to set up your own VPN provider when you are behind CG-NAT. Using a commercial VPN provider offering this option is usually quite expensive.

See for example: Hosting services behind a restrictive firewall/CG-NAT using DNAT with iptables on a VPS hosted wireguard endpoint | Trinkets, Odds, and Ends

(But I would be using this script, if I were you in that case: GitHub - angristan/wireguard-install: WireGuard VPN installer for Linux servers.)

It also solves the problem of being bound to TCP only.

For me it was simpler to use a Docker container instead.

Sounds promising, especially if someone is running on lower-end resources like a Raspberry Pi or something. But for clarification:

  • How did you configure the settings in a Docker container? Just passing the config file or something?
  • And even more important: how did you connect the storagenode container to this container, so you could use the WireGuard connection?

Although promising, I’m wondering whether it’s not wiser to isolate the different storagenodes, so that if one storagenode gets stuck, it doesn’t take your full CPU or memory, for example. I myself am using different virtual machines in order to prevent this, with every virtual machine having just one core as vCPU and 1 GiB memory assigned to it. But I can imagine this might also be possible with Docker to a certain extent.

I used their README to set it up on my server. I did not use it for the storagenode, only to forward all my client traffic via the tunnel.
However, for the node you may use the --link feature in Docker (or better, use docker-compose) to connect both containers to the same internal network and forward only the needed ports, using their documentation and Google.

So I got portmap to work and the node finally says online. QUIC still says misconfigured, but is that because portmap only allows one free configuration, which I set up as TCP only, and that is why I am getting the error? If I had both TCP and UDP, would it no longer say misconfigured?

When I run the configuration file I got from portmap (which makes it possible for the rule to be active and ultimately the node to be online) in the terminal, it doesn’t look like it stops so I can type more commands. It looks like it just runs until I stop it, but how do I use the terminal now? Is there a way to get it to run in the background, or start running upon startup, so I don’t need to run it every time I start my Raspberry Pi? I put what was returned from running the configuration file command down below.

If anyone could answer these last few questions, that would be great, and then I will probably take a break from all this and just let it run, since I have been trying to get it to work for like 4 days now. :smiling_face_with_tear:

Configuration command output:
sudo openvpn --config Lance_Addison.Storj.ovpn

2023-05-15 17:25:47 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-05-15 17:25:47 OpenVPN 2.5.1 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2023-05-15 17:25:47 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
2023-05-15 17:25:47 TCP/UDP: Preserving recently used remote address: [AF_INET]193.161.193.99:1194
2023-05-15 17:25:47 Attempting to establish TCP connection with [AF_INET]193.161.193.99:1194 [nonblock]
2023-05-15 17:25:47 TCP connection established with [AF_INET]193.161.193.99:1194
2023-05-15 17:25:47 TCP_CLIENT link local: (not bound)
2023-05-15 17:25:47 TCP_CLIENT link remote: [AF_INET]193.161.193.99:1194
2023-05-15 17:25:47 [193.161.193.99] Peer Connection Initiated with [AF_INET]193.161.193.99:1194
2023-05-15 17:25:48 TUN/TAP device tun1 opened
2023-05-15 17:25:48 net_iface_mtu_set: mtu 1500 for tun1
2023-05-15 17:25:48 net_iface_up: set tun1 up
2023-05-15 17:25:48 net_addr_ptp_v4_add: 10.9.188.26 peer 10.9.188.25 dev tun1
2023-05-15 17:25:48 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-05-15 17:25:48 Initialization Sequence Completed

This is it, and it just looks like it will keep running, but not in the background.

Hi,
I use two configs for portmap, one for UDP and one for TCP. This resolves the QUIC misconfigured problem.
I run both VPN connections in a screen session, so I can exit and use the terminal normally. But I haven’t got it to work so that it starts at reboot. (Maybe my command in crontab is wrong?)
There are maybe better ways, but it works for me. And because the system should run 24/7, it shouldn’t be that big of a problem.

But I have to say that I don’t know if it is necessary to have UDP. Maybe someone else can tell what would happen if you don’t enable UDP.

You can run openvpn just as a service.
Besides, you can also run the command with an ampersand (&) behind it. That will run it in the background.

But why openvpn? It’s less performant than WireGuard and also less permissive of temporary connection loss.

I mainly just wanted to get it to work, since I have spent at least 10 hours in the past 4 days fighting with my router and trying to get it set up. This was just a test to see if I could even get it running. When I get my new router I will probably deactivate it and set up an actual one with a public IP address provided by my ISP, by contacting them, or I might use WireGuard or something else.

Any tips on how to deactivate it, or do I just stop the Docker container? There is already some data on my drive, and I don’t know if it will be lost or if I will be penalized for just turning off the node.

Thanks for all the help though everyone. I greatly appreciate it. :grin:

Sounds like you’re dealing with CG-NAT.

But, this contradicts…

Because, you then would have really no data on your drive. Unless you switched ISP recently or have a dynamic IP after all.

This is something you should be able to figure out.

Even openvpn itself isn’t a solution, because you then need to be able to forward ports over the connection, which isn’t possible with most VPN providers. So that’s the reason you’re probably using portmap.io. But according to their site, you’re only able to use one hostname and rule for free:

So, if it’s really the case that the public IP address in your router (so not your LAN IP, which looks to be 192.168...) is different from the IP address you see on, for example, https://whatismyipaddress.com/, then I really refer you back to my previous post, because it will give you a free working VPN with support for TCP and UDP, which is also more permissive of temporary connection loss because it’s a stateless protocol. And if you’re lucky, you’ll have an IP in an almost unused range. If you want to pay the prices of portmap.io (and be bound to TCP only if you’re using the free plan), then, as Alexey already told you, the CIDR settings have to be changed in such a way that allowed-IPs is “0.0.0.0/0”.
Then you have to remove your old Docker container (“docker stop storagenode; docker rm storagenode”) and restart it with the relevant parameters changed, as Alexey already showed you. Ports still have to be 28967 on your Docker side, since portmap.io is apparently doing the port mapping from 64250 to that port.

Otherwise, if the public IP in the router is the same as what you see online (but it’s different from what it was earlier), you’ll have to implement a DDNS like duckdns in order to get it working.

If this doesn’t help, you’ll have to show some code.

1 Like

But you’re using the paid version in that case?

Usually it works like this: systemctl enable openvpn@{configfile-name-without-.ovpn} on Linux distributions using systemd. See also: https://community.openvpn.net/openvpn/wiki/Systemd
This also takes care of restarting the service if the internet is down for whatever reason.

2 Likes

Yes, I am using the paid version. I did a neighbors lookup, and there are currently 13 nodes in that subnet.

Many thanks for the systemd info. I changed it to systemctl and it works like a charm. (And a better solution than the good old screen command :slight_smile: )

2 Likes