Cannot access nohost.me domain, cannot port-forward

Hi everyone,
I am very new to YunoHost and self-hosting in general; I installed YunoHost on my Raspberry Pi today. I was following the official tutorial and everything went without error. I can access my YunoHost from my local network through SSH and the web admin, and I can also connect a keyboard/mouse/monitor to it, but I am unable to load my nohost.me page that I registered following that tutorial. It said it would automatically set up everything, but I can’t access it. Also, I’ve installed the Synapse server, since I primarily want to use it as a Matrix server. I was thinking that I may need to open some ports on the router, but that’s 1.) not very secure, 2.) I don’t have any access to my router administration, so not possible for me.

My YunoHost server

Hardware: Raspberry Pi 4 4GB at home, official power supply
YunoHost version: 4.1.7.2 (testing)
I have access to my server : Through SSH | through the web admin | direct access via keyboard / screen | …
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no, only installed synapse (not sure how much that counts)

Description of my issue

I can’t access my nohost.me website nor any of its parts (like “/_matrix”).
I also can’t allow port-forwarding on my router, since I am not the admin (and the admin won’t allow it).

So, first, is the issue really that I need to allow port-forwarding and do other router setup? Or am I completely wrong and the issue is somewhere else?
In both cases, what would you recommend me to do?

Thanks in advance for any help

EDIT:
So, yes, I think it’s a port-forwarding issue; here is the system diagnosis output: https://paste.yunohost.org/raw/ojopolekoc
It reports a lot of port accessibility issues and the link points to a guide for port-forwarding…

Hi blboun and welcome!

Yeah, you have to port-forward all your applications. It sounds to me like you need to change your router?

Oh crap… isn’t there another option? Like for a Minecraft server I was using ngrok… you can “bypass” that problem when the device from inside initiates the connection to the outside; that’s OK. But the problem with ngrok is that it’s slow and it can work on only one port.
Also I can’t change my router, because it’s not exactly mine =) and I don’t have access to it (admin page password)…
Does anyone here have any idea?

Did you try to enable UPnP in the YunoHost settings?
Tools > Firewall

Thanks for the help. I tried it, and it gave me this error:

YunoHost encountered an internal error
Really sorry about that.
You should look for help on the forum or the chat to fix the situation, or report the bug on the bugtracker.
The following information might be useful for the person helping you:

Error: "500" Internal Server Error

Action: "PUT" /yunohost/api/firewall/upnp/enable

Error message:
Could not open port via UPnP

While processing the action the server said:
Firewall reloaded
Port 1900 is already closed for IPv4 connections
Port 1900 is already closed for IPv6 connections
Firewall reloaded

Port forwarding is mandatory to run a YunoHost server. If you don’t have administrative rights on your router you can consider using a VPN to bypass this problem. See this wiki article for more explanations.


Sooo… that article in Frog-eater’s language (joke, please don’t take it as an insult against the French) basically says that I can set up a VPN to do what I described ngrok did in my last post, but it will not open only one port, but the entire network?
Also, do you know what that UPnP error is, and how to fix it?

I’ve got an idea how to bypass all this: what if I put a switch before our router and place my Raspberry Pi and the router at the same level? That would mean that if someone hacks into the Raspberry Pi, it will not be directly connected to our network, so it will not be a potential security issue, which is why I am not allowed to get those ports forwarded:

It’s not secure enough, it’s not an enterprise-grade solution (=> paid) and it wasn’t set up by a professional, so it’s very dangerous to our network.
-my network admin =)

But as I said, I could connect it at the same level as our router, so it will be a router for itself, but I am not sure if that switch would work; from my understanding of basic home network switches, it shouldn’t work, but I don’t really know.

Thanks

I had been careful to go to the English version of the wiki but I didn’t notice that this page had not been translated. It’s a pity because the article is interesting I think. Here is a translation until it arrives on the site.

Advantage of a VPN for self-hosting

Since setting up a server at home is an uncommon practice, most Internet connections provided to individuals are unsuitable for this purpose. A VPN respecting net neutrality and providing a fixed IPv4 address and IPv6 addresses can help to circumvent some limitations or difficulties.

Be careful: not all existing VPN providers meet these conditions, make sure the one you choose meets them.
Advantages
Plug & Play

By configuring a VPN on your server, you will be able to make it accessible to the rest of the Internet without having to change the configuration of the router you connect it to. This can be really handy if you are going on vacation, moving or have an Internet outage, as you will be able to easily connect it to someone you trust without having to configure the router of the person helping you.

Likewise, you save yourself the trouble of opening your router’s ports and bypassing hairpinning.
No micro DNS outages

If your Internet connection does not have a fixed public IP, you will be forced to set up a dynamic domain name (Dynamic DNS). This solution may be acceptable, but the DNS will only be updated at regular intervals (every two minutes if it is a noho.st or nohost.me domain name). So there is a chance that this will cause display errors in the browser from time to time, or even that another site will be displayed (the risks are however reduced because the practice of self-hosting is not widespread).

With a neutral VPN, this problem is circumvented because the VPN can be compared to a Virtual Internet connection, which has its own fixed IPv4 address, so there is no need to update the domain name.
The case of email

Email is one of the most complex protocols to self-host, usually it is the last thing a user self-hosts. Indeed, it is very easy to find yourself in a situation where emails sent by the server are refused by the recipient SMTP servers.

To avoid this you need to:

  • configure the reverse DNS of the server’s Internet connection (or VPN)
  • have a fixed IPv4
  • make sure this IPv4 can be removed from all blacklists (notably, the IP must not be on the DUL)
  • be able to open port 25 (as well as the other SMTP ports)

Unfortunately, none of the most common French ISPs respect all these points.

To overcome this, the use of a VPN respecting these points can be an alternative.
Trust

Finally, if you do not want the content of your server’s communications to be spied on by equipment present on your ISP’s network, you can use a VPN to encrypt your communications and deport your trust to a VPN provider. As a reminder, since 2015, the government officially deploys black boxes at the large network operators whose objective is to tap all French digital communications in order to preserve the scientific, economic and industrial interests of France.
Disadvantage
Cost

A neutral VPN has a cost since the operator who provides it must run a server and use bandwidth. The prices of the FFDN’s associative VPN are around 6 € per month.
Packet path

When you set up a VPN on your server, if you don’t set up any particular configuration, the transfer of a file from a computer on the local network to the server using the VPN will go through the far end of the VPN, i.e. through the server of the VPN provider.

To solve this problem, there are two solutions:

  • transform the server into a router and connect the home equipment to it; this equipment will then benefit from the VPN confidentiality too.
  • use the YunoHost server as a DNS resolver when you are at home, in order to redirect the server’s domain names to the local IP rather than the public IP. This operation can be done either on each device or on the router (if the latter allows it).
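The second option above (answer the server’s own domain names with the LAN address for clients at home, forward everything else upstream) is easy to show in working code. The following is an added example written for this thread; it is not YunoHost’s own resolver and not code from the wiki. The domain names, the 192.168.1.42 LAN address and the upstream resolver address are constructed assumptions; the real YunoHost domain would go in the override table.

```python
import socket
import struct

# Constructed example data: the server's public domains mapped to its LAN address.
# These names and the 192.168.1.42 address are assumptions, not real values.
LAN_OVERRIDES = {
    "example.nohost.me": "192.168.1.42",
    "example.noho.st": "192.168.1.42",
}


def parse_name(data, offset):
    """Decode a DNS name starting at offset; follows one compression pointer.

    Returns (name, offset_after_name)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            # Compression pointer: the rest of the name lives at the pointed offset.
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = parse_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name, txid=0x1234, qtype=1):
    """Build a standard recursive query for name (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_response(query, overrides, ttl=60):
    """Answer an A/IN query for an overridden name with its LAN address.

    Returns the response bytes, or None when the query should be forwarded
    to the upstream resolver unchanged (other name, type or class)."""
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    name, offset = parse_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[offset:offset + 4])
    if qtype != 1 or qclass != 1 or name.lower() not in overrides:
        return None
    question = query[12:offset + 4]
    # Answer RR: name as a pointer to the question (offset 12), type A, class IN,
    # TTL, then the 4-byte address.
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + socket.inet_aton(overrides[name.lower()]))
    # Flags 0x8180: response, recursion desired and available, no error.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    return header + question + answer


def answer_address(response):
    """Extract the IPv4 address from a single-answer response built above."""
    _name, offset = parse_name(response, 12)
    offset += 4  # skip QTYPE/QCLASS of the question
    _name, offset = parse_name(response, offset)  # answer name (pointer)
    _rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", response[offset:offset + 10])
    rdata = response[offset + 10:offset + 10 + rdlength]
    return socket.inet_ntoa(rdata)


def serve(listen=("192.168.1.42", 53), upstream=("9.9.9.9", 53)):
    """Minimal UDP loop: answer overridden names locally, forward everything else.

    The listen and upstream addresses are assumptions for this example."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    fwd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    fwd.settimeout(3)
    while True:
        query, client = sock.recvfrom(512)
        response = build_response(query, LAN_OVERRIDES)
        if response is None:
            fwd.sendto(query, upstream)
            try:
                response, _ = fwd.recvfrom(4096)
            except socket.timeout:
                continue
        sock.sendto(response, client)


if __name__ == "__main__":
    serve()
```

Pointing the home devices (or the router’s DHCP-advertised resolver) at this service keeps LAN-to-server traffic on the LAN instead of hairpinning through the VPN provider; queries for any other name are passed through untouched, so nothing else about name resolution changes.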

This is not a bad idea, especially if you put your pi in a DMZ to try to isolate it from the rest of the network. However the rest of the network is also connected to the same switch, so you increase the risks by ricochet if your pi is infected. If I were your system administrator I would probably refuse to do so as a precautionary measure.

Soo… you are saying that my options are to buy a VPN, set it up and connect through the VPN, or put my Raspberry Pi in a DMZ?
I don’t really understand this part:

However the rest of the network is also connected to the same switch, so you increase the risks by ricochet if your pi is infected. If I were your system administrator I would probably refuse to do so as a precautionary measure.
If it were connected to our LAN and there were ports forwarded, then if any attacker came through those forwarded ports to the Raspberry Pi, he could hack my Raspberry Pi, which is probably easier than hacking the router, and he’s in our LAN. But if I connected my Raspberry Pi outside of our network, then if he hacked into my Raspberry Pi, he would still need to hack through our router’s firewall, and therefore there is no difference between having my RPi there or not, right?

These are two different solutions. The VPN works regardless of the location of the pi on the network. A DMZ just isolates a part of the equipment from the rest of the network. In your case I think VPN is easier to set up, but as you said it implies an additional cost.

The switch you are talking about will have two outputs if I understand correctly

  • the network on which the router is located and which must be “protected”
  • your pi

It would create a link between the two, likely to be exploited for an attack.

Yes, but if you exploit “the link” you will be in the same place as you are now… you are standing in front of locked doors (a firewall-protected router), so that switch makes no difference, right?
Also, a VPN will cost me about $6 a month, and one of the reasons I am building this project is that renting a VPS would cost me probably about the same $6 a month (as buying a VPN), and the Raspberry Pi uses 15 W at most, which with our energy price is much, much cheaper (the internet cost will not change).
So… how hard is it to set up a DMZ? Any tested tutorial? etc. (I don’t know much about it)

Thanks

Yes I think it would make very little difference indeed.

From what I understand you don’t have administrator rights on the network on which you want to deploy your pi. Only your administrator will be able to set up a DMZ, a separate subnet, or any other solution to isolate your pi from the rest of the network, as well as to forward the ports necessary for the proper functioning of YunoHost. You should check with him what is possible or not.

If you have the motivation to deploy a self-made one, you can get away with it for less than $20 a year.

Well, I talked to my admin, and he said that he would agree to put that switch before the router if
a) It’s possible (From what I’ve searched I am not sure if you can put a switch directly on the WAN cable and split it, or if you need to put a router there… do you know anything about that?)
b) He talks to his friend about it, and if there is nothing he has to say about it (so, if he says that it’s, I don’t know, like, dangerous or something, which I think it shouldn’t be, then no)
c) I find someone who will use it (that’s just my problem =) )

So, do you know what placing a switch on the WAN cable, with one of its outputs going to our router and the second to the Raspberry Pi, will do? Or any solution for how to do it?

Thanks

Also, VPN will cost me about 6$ a month

Just another note about this, as stated previously, if you run your own VPN you can do much cheaper.

I was using Hetzner before (2.96 EUR a month) for a VPS. https://www.hetzner.com/cloud
Then, I installed OpenVPN Access Server on it (free for 2 concurrent connections or less).

If you have no access to your router, a better route for you to take might be just to get a VPS, and install Yunohost on it. Then you will have a public IP, and you can do whatever you want without asking your network administrator. You could try it for 1 month and see what you think.

Digital Ocean is the easiest for VPS newbs but it is $5 USD a month for the cheapest plan. It might be worth paying the $5 for one month to give it a shot and see what it could be like for you.


It is possible that it works. It all depends on what’s at the input of your router. It is possible that you need a managed switch, if for example there are several VLANs and you want to connect the pi to only one, etc. Without knowing more about the architecture of the network it’s hard to say what will work or not.

That said, if your router is in reality a modem router, then your solution won’t work because only one device can identify itself simultaneously with the same identifier on an ISP’s network.
