AirVPN port confusion

I got AirVPN and have Qbittorrent and Plex working fine. I would also like to be able to access Sonarr and the Qbit web UIs on the same computer over the internet. But I can’t seem to get my head around port forwarding. I have always had the Qbit UI port 7171 and Sonarr port 8989 set up in my router Port Forwarding and those have always been accessible from the internet. But now that I use AirVPN they are not accessible.

I set up a port on AirVPN website for public 10975 > local 8989 for Sonarr, but when I try to connect to Sonarr via [IP reported by whatismyip]:10975, it still doesn’t get through. Same with qbit UI. When I exit the Eddie app and use my regular IP reported by whatismyip:8989, it works.

Also should I be changing my router port forward to allow 10975? Or stick with 8989 since (I think) AirVPN is forwarding internet 10975 traffic to 8989 on my computer, so as far as my computer is concerned my Sonarr connections are still coming in on 8989 as always? At any rate I’ve tried both and still nothing. Eddie ON = doesn’t work over internet, Eddie OFF = works over internet.

Holy Red Flags Batman!

Why the f*** are you exposing your admin UIs to the entire internet? If you want to access your computer remotely you should be setting up a single proxy or VPN connection to it (that only you can access) and then access the local UI ports from there instead of forwarding everything through the router (which anyone can access).

That aside, you have a fundamental misunderstanding of how port forwarding functions, locally and with AirVPN. AirVPN does not forward one public port to another local port so I don’t know how you think you forwarded 10975>8989 “on AirVPN website”. That’s a function of your router. If you actually want AirVPN to forward a public port to you, it will forward it to your VPN address. < That’s it. Whatever device is using the VPN will then have to provide a service on that forwarded port.

That’s why it’s expected behavior that your “Eddie ON = doesn’t work over internet” in this case. The public forwarded port that AirVPN provides will show as open on your >VPN address<.

Having said all that, if you haven’t figured this out yet, what you are doing is a really really bad idea. If all you need to do is gain remote access to your computer there are way better methods. They all involve making a point-to-point VPN connection from your remote computer to your local computer, NOT opening all your ports to the internet. You could simply use something like Tailscale for this, or you could build your own VPN connection, but don’t open multiple ports to the internet. You only need one open port (none if using Tailscale) and one service (VPN server) listening on it. In your use case, you don’t even need a commercial VPN provider except for the purpose of masking the QBit address if you are downloading or sharing copyrighted materials.

No need to do anything on your router if you’re using Eddie.

When you test your port forwards make sure to have qbit, sonarr, etc. running and then use the tester function of the port forward rule on the AirVPN web site. If you’re going to your VPN IP from your VPN the test will fail. It needs to be from something external to your network. Using a mobile phone on mobile network will also work. Or Open Port Check Tool - Test Port Forwarding on Your Router

Ok yeah I definitely don’t understand port forwarding! And I will reconsider security…

But again for now how do I make this work?

You said AirVPN does not forward a public port to a local port but it’s right there in their config UI for setting up a port forward:

And in their docs: "You can map a remotely forwarded port to a different local port: this is useful for a variety of cases, for example when your service listens to a hard-coded port lower than 2048 or when the port is already reserved. More details about it here below.

Once you reserve an inbound remote port for your account, you have two options:

  1. Leave the “Local” field empty. In this case, packets arriving to the VPN server exit-IP address port n will be forwarded to your machine IP address inbound local port with the very same number n
  2. Fill in the “Local” field with a different port number x. In this case packets arriving to port n will be forwarded to your system inbound local port x."

In any case I’d be happy to use the same port public>local. But that doesn’t work either.

Full breakdown of what’s going on:

I’ve got web UIs for Qbit and Sonarr set up. On AirVPN I have port forwarding set up for those same ports (same port in both public/local).

With Eddie off, from mobile data, ispIP:qbitport and ispIP:sonarrport work.

With Eddie on, AirvpnIP:qbitport and AirvpnIP:sonarrport do not work.

AirVPN and other VPNs certainly can map public ports to different “local” ports. It seems you’re the one that doesn’t understand things 😉 Just look at a port forwarding rule on the AirVPN website. You can specify whatever local port you want for each rule.

Tester function on AirVPN site and yougetsignal.com all fail. If Eddie is on, it doesn’t work, period. As soon as I exit Eddie all work again.

Let’s maybe take a step back to clarify. The fact that you mentioned you are using the web client for QBit makes me wonder. Are you running this (VPN, Plex, Sonarr, QBit) all on the same machine and if so, what is it and what operating system? It might make a difference to this advice.

Although the AirVPN docs you are referring to may not be clear, what they are saying is you can choose a public port for them to forward to you and it will go to the machine/device that is running the VPN client on your end. You will need to have a corresponding service ‘listening’ on that port because it’s an inbound connection. Its address will be [AirVPN-IP]:[forwarded-port]

Most often in the case of a non-VPN connection, ‘mapping’ (aka ‘forwarding’) of an inbound port to a local port is done on your router but if you want to do it while running a VPN you would have to be running the VPN on your router or be able to do port mapping on whatever device the VPN is running on. Regardless, it’s not necessary if you do this properly.

You seem to be saying you want multiple services to listen like this on different ports. Again, that’s not necessary and really not advisable. If you want to admin your arr’s and so on from the outside you should do it via Tailscale or other direct point-to-point private VPN. Even if you just want to ‘get it working’ for now and then go back and revisit the security later, please realize how vulnerable you are and you cannot fix that vulnerability in less time than it takes for a bot to scan your ports and get in. You will lose that race every time. But I’m not going to lecture you; if you insist on not taking the advice then go ahead, but be prepared for some damage.

What I would do in this use case is have AirVPN forward their external port to whatever VPN client device is running QBit. Then go into QBit in the Advanced config section and bind ‘all IPv4 addresses’ to the VPN interface (usually ‘tun0’). Then in the Connection tab, if uPnP/NAT-PMP forwarding is on, turn it OFF, then set the inbound (listening) port manually to match whatever port AirVPN is forwarding to you. Remember to save that config. Now QBit is the ‘listening’ service on that port (notice you didn’t have to do port mapping?). As an aside, I’d also advise globally turning off IPv6 on your device as it can cause leaks. Next I would install Tailscale on the device that is running all this stuff, and on the device you want to use for remote access. This literally takes about 10 minutes to get working and it’s free for up to 3 devices and very secure. Now you can make a remote connection to the Tailscale IP and the port of whatever service you want to admin, in the form [tailscale-IP]:8989 or whatever local port you are using.

You can then refine this setup by split-tunneling the AirVPN client such that QBit is the only service using the VPN connection, since you really don’t need it for the other services and so why have the additional overhead for them? Remember, a VPN doesn’t ‘protect’ them so there’s no advantage. QBit (or rather, what you do with it) is the only service that needs to mask your real IP through a VPN.

If you do the steps in the prior paragraph you should have a working QBit service over AirVPN and a secure means to get in remotely for administration.

I understand just fine thank you, but maybe you didn’t understand my point - in this case OP is talking apples and oranges, confusing the admin UI port(s) with one that QBit needs open in order to seed to other users.

Then I would say you don’t have the apps set up properly to work with the VPN port forwarding rule.

I will look into Tailscale. I have no idea what it is or what it does and lots of what you’re saying is over my head at the moment. Right now I really am just trying to get my system working under AirVPN the same as it has always worked for me prior to AirVPN.

AirVPN does not have split tunneling so everything on that computer is going through it, you are correct, all I need or want going through it really is Qbit but I don’t have a choice.

I’m using Windows 10. With no router rules, the ports I have set up in Qbit and Sonarr work fine with Eddie off but are closed with Eddie on even though I have those same ports set up to forward in the AirVPN web config. Qbit is set to use Eddie as its interface, Sonarr does not have options to choose interface.

I guess I wasn’t clear, I’m not confused about that. In any case to simplify troubleshooting I am now (in AirVPN) using the same external/local port numbers.

Yeah I guess not but I can’t imagine what else I can do. Sonarr log says this:

2023-11-11 21:15:52.2|Info|OwinHostController|Listening on the following URLs:

2023-11-11 21:15:52.2|Info|OwinHostController| http://*:46135/

And then in AirVPN web config I have it set to forward port 46135. Fails their test, fails yougetsignal, and of course just plain doesn’t work.

AirVPN does not have split tunneling

Uh, yes it does. Sometimes they use different terminology though and unfortunately they don’t make it as easy as some other providers.

https://airvpn.org/forums/topic/55876-split-tunnel/?do=findComment&comment=217741

Well you said “You can then refine this setup by split-tunneling the AirVPN client such that QBit is the only service using the VPN connection” and your link says nothing of the sort, instead only saying you can split by destination IP which is not helpful, unless you are counting the 20-step user process for doing per-app splitting with linux and a bunch of other software which I’m not using.

And since I can’t even get Port Forwarding to work which seems to involve exactly one step in their UI, installing a bunch of other stuff and jumping through 20 hoops for split tunneling doesn’t seem like a good route for me even if it didn’t leave me with the same port forwarding problems lol.
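
An added example, not part of the original thread or any poster's code: the replies turn on which interface each service is bound to, and the `http://*:46135/` line in the Sonarr log is a wildcard binding. The script below parses constructed `netstat -ano -p TCP` style output and reports which listeners answer on every interface (VPN tunnel included) and which are limited to loopback or a Tailscale address; the sample addresses and PIDs are made up, and the function names are hypothetical.

```python
import ipaddress

# Constructed `netstat -ano -p TCP` style output (Windows); addresses and PIDs
# are made up, ports 7171, 8989 and 46135 are the ones named in the thread.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:46135          0.0.0.0:0              LISTENING       4312
  TCP    0.0.0.0:7171           0.0.0.0:0              LISTENING       5120
  TCP    127.0.0.1:8989         0.0.0.0:0              LISTENING       4400
  TCP    100.101.102.103:8989   0.0.0.0:0              LISTENING       4400
  TCP    10.20.30.40:51000      0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.50:49712     203.0.113.9:443        ESTABLISHED     900
  TCP    [::]:46135             [::]:0                 LISTENING       4312
"""

# Tailscale hands out node addresses from the CGNAT block 100.64.0.0/10.
TAILNET = ipaddress.ip_network("100.64.0.0/10")

def parse_listeners(text):
    """Yield (ip, port, pid) for every TCP socket in LISTENING state."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            host, port = parts[1].rsplit(":", 1)
            yield ipaddress.ip_address(host.strip("[]")), int(port), int(parts[4])

def scope(ip):
    """Say which interfaces can reach a socket bound to this address."""
    if ip.is_unspecified:
        return "all-interfaces"   # 0.0.0.0 / :: also answers on the VPN tunnel
    if ip.is_loopback:
        return "loopback-only"
    if ip in TAILNET:
        return "tailnet-only"
    return "single-interface"

def exposed_admin_ports(text, admin_ports):
    """Admin UI ports that have at least one wildcard-bound listener."""
    return sorted({port for ip, port, _ in parse_listeners(text)
                   if port in admin_ports and scope(ip) == "all-interfaces"})

if __name__ == "__main__":
    for ip, port, pid in parse_listeners(SAMPLE):
        print(f"{port:>6}  {str(ip):<17} pid={pid:<6} {scope(ip)}")
    print("wildcard-bound admin UIs:",
          exposed_admin_ports(SAMPLE, {7171, 8989, 46135}))
```

A port that shows up as `all-interfaces` is reachable through any forward that lands on the machine, which is the exposure the replies warn about; the same UI bound only to loopback or a tailnet address is not.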