• sad_detective_man@sopuli.xyz · 2 upvotes · 3 hours ago

    I’ve been trying to understand port forwarding since I keep seeing that I need to set it up for my torrent client to work reliably. But I read that it sends your traffic “outside” of your VPN encryption. Doesn’t it kind of defeat the purpose or am I understanding it wrong?

    • Aceticon@lemmy.dbzer0.com · 6 upvotes · edited · 2 hours ago

      In a VPN your own machine sits behind a Router from the VPN provider in a NAT configuration (meaning that during VPN tunnel initialization that router gives your machine an IP address from one of the so-called “internal” IP address ranges - most commonly one in the 192.168.x.x range - which are NOT valid to have visible on the Internet) and which multiple machines all over the world sitting behind other routers can use at the same time (for example: even though it only has 254 valid addresses, there are probably millions of machines running right now with an IP address in the 192.168.1.x range, which is by far the most popular range of internal IP addresses).

      The IP address which is visible on the actual Internet has to be one which is not from an internal range or other kinds of special ones, and that’s the one that the VPN provider Router shows to the outside. (There are a few “tell me my IP address” websites out there which will let you know what that address is).

      This is also how home routers work in providing multiple machines in your home access to the internet even though it’s on a single ISP connection which has only one IP address valid for the Internet.

      To make all this work, such routers do something called NAT-Translation: connection requests from the INSIDE to the OUTSIDE go to the router, which changes the ip:port information of those requests from the internal IP and a port on that machine to the router’s external IP and a port the router has available, and then forwards the request to the outside. The router also records this association between the external machine, the port the router used for it and the internal machine and the port on it the connection came from, in an internal table, so that when the OUTSIDE machine connects to the router on that specific port, the router treats that inbound connection request as associated to the earlier outbound request and does the reverse translation - it forwards that inbound request to the internal machine and port of the original outbound connection.

      However - all this only works when your machine first connects from the inside to a machine on the outside, because that’s when the router translates the IP address and Port and memorizes that association. If however you gave the IP address in some other way to that remote machine other than connecting to it via the router (for example, you have registered a Domain Name pointing to it, or you just gave the IP address and port number to a friend and told them “this is my Jellyfin machine”), any connection coming from the outside will not be routed by the router to your machine, because the router never had an original outbound connection to make the association for any return inbound connections: from its point of view some random machine is trying to connect to one of its ports and it simply doesn’t know which internal machine, and which port on it, is supposed to get this connection from that unknown external machine.

      Also all this is dynamic - after a while of one such association not being used, the router will remove it from memory.

      Port Forwarding is a static way to explicitly configure in a router that all connections arriving at a specific port of the router are ALWAYS to be forwarded to a specific internal machine and a specific port on that machine.

      Given that the association is static, you can give the outside world, in any way you like and without involving the router (for example, listing it in some kind of shared list, which is what the Torrent protocol does), the IP of the router + the forwarded router port as the address for a “service” that’s running on your internal machine, and any request coming from the outside on that port, even if your machine never connected to that remote machine, ever, gets forwarded to the internal machine and the port you configured there.

      With port forwarding you can for example host your own website behind a VPN or on a home machine that’s not directly connected to the internet, because any requests coming into a specific port on the router that does have a direct connection to the internet always get forwarded to that machine and the port on it you configured.

      In the old days Port Forwarding had to be manually configured on the Router (for example, via a web-interface), but nowadays there is a protocol called UPnP that lets programs running on your machine automatically request that the router sets up a Port Forwarding for them, so this is often done transparently, which is how most networked applications sitting on a machine at home behind a home router work just fine, since those routers always support port forwarding.

      PS: All this shit is actually one enormous hack, that only exists because IPv4 doesn’t have sufficient IP addresses for all Internet connected machines in the World. The newer IPv6 does have more than enough, so it’s theoretically possible that all your machines get a valid Internet IPv6 address and are thus directly reachable without any NAT on the router and associated problems. However I’m not sure if VPN providers which do support IPv6 actually have things set up to just give client machines a direct, valid on the Internet IP address, plus a lot of protocols and applications out there still only work with IPv4 (byte . byte . byte . byte) addresses.
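      A toy model of the NAT table and the static port-forward rule described in the post above, added here as an example and not code from the thread: outbound connections create dynamic entries, unsolicited inbound packets are dropped, a configured port forward always matches, and idle dynamic entries expire. The router and remote addresses are constructed RFC 5737 documentation addresses and the idle timeout is an assumed value.

```python
from dataclasses import dataclass, field

ROUTER_PUBLIC_IP = "203.0.113.7"   # constructed RFC 5737 documentation address
IDLE_TIMEOUT = 300                 # assumed: seconds an unused dynamic mapping survives

@dataclass
class Nat:
    """Toy NAT router: dynamic mappings from outbound traffic plus static forwards."""
    public_ip: str
    next_port: int = 40000
    # (public_port, remote_ip, remote_port) -> (internal_ip, internal_port, last_used)
    dynamic: dict = field(default_factory=dict)
    # public_port -> (internal_ip, internal_port); configured once, never expires
    forwards: dict = field(default_factory=dict)

    def add_port_forward(self, public_port, internal_ip, internal_port):
        """Static rule: anything arriving at public_port goes to one inside host."""
        self.forwards[public_port] = (internal_ip, internal_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Inside -> outside: rewrite the source to router ip:port and remember it."""
        public_port = self.next_port
        self.next_port += 1
        self.dynamic[(public_port, dst_ip, dst_port)] = (src_ip, src_port, now)
        return (self.public_ip, public_port)   # what the remote host sees

    def inbound(self, remote_ip, remote_port, public_port, now):
        """Outside -> inside: return the internal (ip, port), or None to drop."""
        if public_port in self.forwards:     # static rule wins, no history needed
            return self.forwards[public_port]
        key = (public_port, remote_ip, remote_port)
        entry = self.dynamic.get(key)
        if entry is None:
            return None   # no earlier outbound connection: the router drops it
        internal_ip, internal_port, last_used = entry
        if now - last_used > IDLE_TIMEOUT:
            del self.dynamic[key]   # idle mapping has been forgotten
            return None
        self.dynamic[key] = (internal_ip, internal_port, now)   # refresh
        return (internal_ip, internal_port)
```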

      • sad_detective_man@sopuli.xyz · 1 upvote · edited · 2 hours ago

        Thank you for taking the time to write all this up for me. That makes me glad I asked, because most info I was finding with google-foo was telling me to set up port forwarding the old way with my router and not really doing a good job of laying out how and why it works to begin with. After having switched from Tribbler to a client that has UPnP, now I think I understand why I’m struggling with it less. I’m unsure if my Soulseek is connected and sending data right, but this gives me some better ideas of how to find out.