EDIT
Regarding my question below. I guess you don't need to forward it on the hardware router as the VPN is handling it locally. That might be another story if I was running OpenVPN on the router directly.
=========================
In qBit’s execution log, I have successfully listening on IP. IP: "10.2.0.2". (which is the common IP of the first NAT interface) and then my Port: "UDP/x x x x x number from Proton's port service"
Do I need to also open and forward this 1st NAT interface IP and port in my hardware router? I’m not worried about the windows firewall because there are incoming rules of Allow-All for qBit by default. But how does this 10.2.0.2 address get past the NAT on my hardware router if I don't open a port for it?
According to their website, “Proton VPN’s implementation of the protocol uses double NAT to dynamically provision sessions. This means when your app connects to one of our VPN servers via WireGuard, the first NAT will rewrite the 10.2.0.2 IP address to a random but unique internal IP address that is assigned to your session.”
Do you need to forward the 1st NAT interface IP in the hardware router?
Re: Do you need to forward the 1st NAT interface IP in the hardware router?
If you use a VPN, you set up port forward on their website or in the client. You MUST look for a provider that has active port forwarding!!! For example, Proton, Windscribe, PIA have port forward. Sometimes providers discontinue port forward and other features so always look before you purchase.
On Proton, you forward like so: https://protonvpn.com/support/port-forwarding
So if you use a VPN, you don't have to mess with your local router, dhcp, any of that. Just do the steps of your provider.
Re: Do you need to forward the 1st NAT interface IP in the hardware router?
If you're running your VPN client on the same device/computer then you don't have to forward anything in your router. Instead you'd forward it at the VPN provider. Like Peter said, some providers have you log into your account on their site where you can configure it in your browser. Others, like Proton in your case, have you do it directly from their VPN client app. They'll randomly assign you an available TCP/UDP port from their pool and all you have to do is set it in qBittorrent. That's it. Proton's VPN client on Linux, however, requires you to run the natpmpc command alongside it because the port mapping functionality wasn't built-in for some strange reason. For Windows this isn't necessary.
kibblesandbits wrote: Mon Nov 11, 2024 10:17 pm
EDIT
Regarding my question below. I guess you don't need to forward it on the hardware router as the VPN is handling it locally. That might be another story if I was running OpenVPN on the router directly.
=========================
In qBit’s execution log, I have successfully listening on IP. IP: "10.2.0.2". (which is the common IP of the first NAT interface) and then my Port: "UDP/x x x x x number from Proton's port service"
Do I need to also open and forward this 1st NAT interface IP and port in my hardware router? I’m not worried about the windows firewall because there are incoming rules of Allow-All for qBit by default. But how does this 10.2.0.2 address get past the NAT on my hardware router if I don't open a port for it?
According to their website, “Proton VPN’s implementation of the protocol uses double NAT to dynamically provision sessions. This means when your app connects to one of our VPN servers via WireGuard, the first NAT will rewrite the 10.2.0.2 IP address to a random but unique internal IP address that is assigned to your session.”
If you're running your VPN client on your router then yes, you'd have to forward the port on your router in addition to forwarding it on the VPN provider's end. It has to explicitly know which host on the local network to route the inbound traffic to. With a VPN client running on the same device that you're using, the tunnel has already been established between both endpoints (client & server). It knows to route it to your machine because the port mapping request you made was created over the same session/connection. The recipient for the forwarded traffic is already known.
“But how does this 10.2.0.2 address get past the NAT on my hardware router if I don't open a port for it?”
Your router doesn't know about it because it has no visibility into any of your VPN traffic unless of course you're running the VPN client on there. VPNs stuff their own raw IP packet inside so there's always an inner and outer packet involved when sending & receiving data over the tunnel. It's a process called encapsulation. No intermediary network devices along the path can see the payload data because it's all been encrypted.
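The port mapping request mentioned in the last reply (what natpmpc sends on Linux) can be shown at the byte level. This is an added example, not code from any poster in this thread or from Proton; it follows the NAT-PMP message layout in RFC 6886. The gateway address is left to the caller as an assumption and the sample response is constructed.

```python
import socket
import struct

NATPMP_PORT = 5351  # UDP port a NAT-PMP gateway listens on (RFC 6886)
OP_MAP_UDP, OP_MAP_TCP = 1, 2
RESULTS = {0: "success", 1: "unsupported version", 2: "not authorized",
           3: "network failure", 4: "out of resources", 5: "unsupported opcode"}

def build_map_request(opcode, internal_port, external_port=0, lifetime=60):
    """12-byte request: version 0, opcode, reserved, internal port,
    suggested external port (0 = let the gateway pick), lifetime in seconds."""
    if opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("opcode must be 1 (UDP) or 2 (TCP)")
    return struct.pack("!BBHHHI", 0, opcode, 0, internal_port, external_port, lifetime)

def parse_map_response(data, opcode):
    """Validate a 16-byte mapping response and return the granted mapping."""
    if len(data) != 16:
        raise ValueError("mapping response must be 16 bytes")
    ver, op, result, epoch, internal, external, lifetime = struct.unpack("!BBHIHHI", data)
    if ver != 0 or op != 128 + opcode:
        raise ValueError("not a response to this request")
    if result != 0:
        raise RuntimeError("gateway refused: " + RESULTS.get(result, str(result)))
    return {"internal": internal, "external": external, "lifetime": lifetime}

def request_mapping(gateway, opcode=OP_MAP_UDP, internal_port=1, timeout=2.0):
    """Send the request to `gateway`, which must be the VPN-side gateway
    reached through the tunnel interface, not the home router (assumption:
    the caller supplies that address)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_map_request(opcode, internal_port), (gateway, NATPMP_PORT))
        data, _ = s.recvfrom(64)
    return parse_map_response(data, opcode)

# Constructed sample response (not captured traffic): UDP mapping granted,
# external port 40000, valid for 60 seconds.
SAMPLE = struct.pack("!BBHIHHI", 0, 129, 0, 1234, 1, 40000, 60)

if __name__ == "__main__":
    print(parse_map_response(SAMPLE, OP_MAP_UDP))
```

Because the request travels inside the tunnel, the hardware router only ever sees the encrypted outer packets and has nothing to forward. A granted mapping expires after its lifetime, so a client has to repeat the request before then.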