DD-WRT VPN Port Forwarding with iptables - Complete Guide

Last updated: September 11, 2025
🌐 What is VPN Port Forwarding?

Port forwarding through VPN allows external connections to reach specific devices on your network while maintaining VPN protection. This is essential for hosting services, torrenting, gaming, and remote access while using TorGuard VPN on your DD-WRT router.

Common Use Cases

🎮 Gaming Servers

Host game servers (Minecraft, CS:GO, etc.) accessible to friends while maintaining VPN protection.

📥 Torrenting

Improve torrent speeds and connectivity by allowing incoming peer connections through specific ports.

🖥️ Remote Access

Access home devices (NAS, cameras, servers) remotely while everything remains VPN-protected.

📡 Media Servers

Run Plex, Jellyfin, or other media servers accessible outside your network.

Prerequisites

✅ Before You Begin

  • TorGuard Port Forward: Purchase and activate port forwarding addon
  • Activation Email: Contains your assigned VPN IP, port number, and protocol
  • DD-WRT Router: Running OpenVPN client connected to TorGuard
  • SSH/Telnet Access: Or access to Administration → Commands in DD-WRT
  • Target Device: Know the LAN IP of the device receiving forwarded traffic

⚠️ Important Security Notice

Port forwarding exposes services to the internet. Only forward ports for services you intend to make publicly accessible. Always use strong passwords and keep software updated.

Understanding the Components

Key Variables

| Variable | Description | Example |
|---|---|---|
| destIP | LAN IP of your target device | 192.168.1.100 |
| port | Port number from TorGuard email | 54321 |
| interface | VPN tunnel interface name | tun1, tun0, or tun11 |
| protocol | TCP, UDP, or both | tcp/udp |

Finding Your TUN Interface

ifconfig | grep tun

Or in DD-WRT web interface: Status → OpenVPN → Look for interface name

Step-by-Step Configuration

1. Access DD-WRT Commands

Navigate to: Administration → Commands

2. Add iptables Rules

Copy and modify these rules with your specific values:

Complete Rule Set (TCP & UDP)

# Allow forwarding from VPN to LAN device
iptables -I FORWARD -i tun1 -p udp -d destIP --dport port -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d destIP --dport port -j ACCEPT

# NAT incoming VPN traffic to LAN device
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport port -j DNAT --to-destination destIP
iptables -t nat -I PREROUTING -i tun1 -p udp --dport port -j DNAT --to-destination destIP

3. Real-World Example

Example: Torrent Client Port Forward

Let's say your TorGuard email shows:

  • Port: 54321
  • Your torrent client PC: 192.168.1.100
  • VPN interface: tun1

Your rules would be:

iptables -I FORWARD -i tun1 -p udp -d 192.168.1.100 --dport 54321 -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.100 --dport 54321 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 54321 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun1 -p udp --dport 54321 -j DNAT --to-destination 192.168.1.100

4. Save as Firewall Rules

After entering your rules:

  1. Click "Save Firewall" button
  2. Rules will persist across reboots

Visual Traffic Flow

How Port Forwarding Works

Internet → TorGuard VPN → DD-WRT (tun1) → LAN Device

Port 54321 → iptables NAT → 192.168.1.100:54321

Advanced Configurations

Multiple Port Forwards

For multiple ports/devices, add rules for each:

# Torrent client on PC (192.168.1.100:54321)
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.100 --dport 54321 -j ACCEPT
iptables -I FORWARD -i tun1 -p udp -d 192.168.1.100 --dport 54321 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 54321 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun1 -p udp --dport 54321 -j DNAT --to-destination 192.168.1.100

# Game server on another PC (192.168.1.101:25565)
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.101 --dport 25565 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 25565 -j DNAT --to-destination 192.168.1.101

Port Range Forwarding

For a range of ports:

# Forward ports 6881-6889 for torrenting
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.100 --dport 6881:6889 -j ACCEPT
iptables -I FORWARD -i tun1 -p udp -d 192.168.1.100 --dport 6881:6889 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun1 -p udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.100

Different Internal Port

Forward to a different internal port:

# External port 54321 → Internal port 8080
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.100 --dport 8080 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 54321 -j DNAT --to-destination 192.168.1.100:8080
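
The variants above (single port, both protocols, a port range, a remapped internal port) all follow one template. As an added example, not part of the original guide, this POSIX shell helper validates the inputs and prints the matching rules for pasting into Administration → Commands; the name pf_rules and its argument order are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pf_rules is a hypothetical helper, not part of DD-WRT.
# It validates the guide's variables and prints the rule pair(s); it runs nothing.

valid_ip() {    # dotted quad, every octet 0-255
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

valid_port() {  # one port number, 1-65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# usage: pf_rules IFACE PROTO DEST_IP EXT_PORT [INT_PORT]
#   PROTO is tcp, udp or both; EXT_PORT may be a range written lo:hi
pf_rules() {
    iface=$1 proto=$2 dest=$3 ext=$4 int=${5:-$4}
    case "$iface" in
        tun[0-9]|tun[0-9][0-9]) ;;
        *) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    valid_ip "$dest" || { echo "bad LAN IP: $dest" >&2; return 1; }
    lo=${ext%%:*} hi=${ext##*:}
    { [ "$ext" = "$lo" ] || [ "$ext" = "$lo:$hi" ]; } &&
        valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] ||
        { echo "bad port: $ext" >&2; return 1; }
    to=$dest
    if [ "$int" != "$ext" ]; then
        # remapping only makes sense for a single port, not a range
        [ "$lo" = "$hi" ] && valid_port "$int" ||
            { echo "bad internal port: $int" >&2; return 1; }
        to="$dest:$int"
    fi
    case "$proto" in
        tcp|udp) protos=$proto ;;
        both) protos="tcp udp" ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    for p in $protos; do
        # FORWARD sees the packet after DNAT: match the LAN IP and internal port
        echo "iptables -I FORWARD -i $iface -p $p -d $dest --dport $int -j ACCEPT"
        # PREROUTING sees the port the VPN provider delivers on the tunnel
        echo "iptables -t nat -I PREROUTING -i $iface -p $p --dport $ext -j DNAT --to-destination $to"
    done
}
```

Calling `pf_rules tun1 tcp 192.168.1.100 54321 8080` prints the two rules shown under "Different Internal Port"; a mistyped interface, an out-of-range port or a range combined with a remap is rejected before any rule is printed.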

DD-WRT Settings to Check

OpenVPN Client Settings

Disable these options:

  • ❌ Inbound Firewall on TUN
  • ❌ Firewall Protection

NAT/QoS Settings

Ensure no conflicts:

  • Check Port Forwarding section
  • Remove duplicate port rules

Firewall Settings

Verify the firewall settings:

  • ✓ SPI Firewall enabled
  • ✓ Filter WAN NAT Redirection

Testing Your Port Forward

  1. Configure Application

    Set your application (torrent client, game server) to use the forwarded port

  2. Check External Access

    Use online port checker: YouGetSignal Port Check

    • Enter your VPN IP (from TorGuard email)
    • Enter your forwarded port number
    • Should show as "open"

  3. Monitor Traffic

    # View active connections
    iptables -t nat -L PREROUTING -n -v
    iptables -L FORWARD -n -v | grep 192.168.1.100

Troubleshooting

Port Shows as Closed

  • Verify you're using the exact port from TorGuard email
  • Check VPN is connected and using correct server
  • Ensure application is listening on the port
  • Disable Windows/device firewall temporarily to test
  • Verify TUN interface name is correct

Rules Don't Persist After Reboot

  • Make sure you clicked "Save Firewall" not just "Run Commands"
  • Check Administration → Commands → Firewall tab
  • Verify rules are listed there
  • Try saving as startup script instead

Multiple Devices Need Same Port

You can only forward a port to one device. Solutions:

  • Purchase additional port forwards from TorGuard
  • Use different ports for each device
  • Set up a reverse proxy to distribute traffic

Intermittent Connection Issues

  • Check if device IP changed (use static DHCP reservation)
  • Monitor VPN connection stability
  • Increase connection tracking timeout:
    echo 3600 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established

Security Best Practices

🔒 Security Recommendations

  • Limit Exposure: Only forward ports you actively use
  • Strong Passwords: Use complex passwords on all exposed services
  • Regular Updates: Keep forwarded applications updated
  • Monitor Access: Check logs for unauthorized access attempts
  • Service Hardening: Disable unnecessary features in exposed apps
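
To act on the "Limit Exposure" point, it helps to list what the saved rules actually expose. This added example, not from the original guide, reads iptables commands on stdin and reports each tunnel-side DNAT, any forwarded port missing from your intended list, and any FORWARD ACCEPT on the tunnel that lacks a destination or port match; audit_forwards, sample_rules and the sample rules themselves are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit_forwards is a hypothetical helper, not a DD-WRT tool.
# stdin: iptables commands, one per line.
# $1: space-separated list of the external ports you intend to expose.

sample_rules() {    # constructed sample of a saved firewall script
    cat <<'EOF'
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.100 --dport 54321 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 54321 -j DNAT --to-destination 192.168.1.100
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.101 --dport 3389 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.101
iptables -I FORWARD -i tun1 -j ACCEPT
EOF
}

audit_forwards() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # return the value that follows an option such as -p or --dport
    function opt(name,   i) {
        for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
        return ""
    }
    # only look at iptables commands that match traffic arriving on a tunnel
    $1 != "iptables" || opt("-i") !~ /^tun/ { next }
    opt("-j") == "DNAT" {
        port = opt("--dport")
        print "EXPOSED " opt("-p") " " port " -> " opt("--to-destination")
        if (!(port in ok)) print "UNEXPECTED " opt("-p") " " port
        next
    }
    # an ACCEPT with no -d or --dport lets the tunnel reach the whole LAN
    opt("-j") == "ACCEPT" && / FORWARD / {
        if (opt("-d") == "" || opt("--dport") == "") print "BROAD " $0
    }'
}
```

Run it against the text saved under Administration → Commands → Firewall, passing the port from your TorGuard email as the intended list; on the constructed sample with `54321` as the only intended port it reports the RDP forward as UNEXPECTED and the catch-all rule as BROAD.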

Alternative Solutions

UPnP (Not Recommended)

While DD-WRT supports UPnP, it's a security risk and doesn't work well with VPN.

DMZ Host

Placing a device in DMZ exposes ALL ports - use only if absolutely necessary.

VPN on Device

Run VPN directly on the device needing port forwards instead of router-level.

Common Applications Port Reference

| Application | Default Ports | Protocol |
|---|---|---|
| qBittorrent | 6881-6889 | TCP/UDP |
| Deluge | 58846 | TCP/UDP |
| Minecraft Server | 25565 | TCP |
| Plex Media Server | 32400 | TCP |
| SSH | 22 | TCP |
| RDP | 3389 | TCP |

Need Help?

If you're having trouble with port forwarding on DD-WRT:

Contact Support

Include your DD-WRT version, TUN interface name, and port forward details
