Trouble getting to sso login page

HARDWARE:
old dell xps mx 1225 laptop, 4g ram.

ACCESS:
Direct access to server with keyboard and screen
Can log into web interface on local network

ISSUE:
Unable to log in to yunohost/sso from external network/yunohost will not receive/send to external network.

FURTHER INFORMATION:
I am a new user to YH, I am testing it out at the moment.
I have timeout when trying to login to my nohost.me domain
Did a diagnosis which turned up port issues (see log file)
Confirmed Nginx was running on YH server.
Added port forwarding to my router tried port 80 and 443
Also did Upnp to server with cli command, sudo yunohost firewall reload

The unit can connect to the internet as I have installed applications for testing

None of what I have tried has helped. It may be something very simple that I am missing out.

this is the log file https://paste.yunohost.org/raw/dedizatemu

Thank you everyone for working on this project, I hope it will help us become more independent with technology!!! :slight_smile:

I think this is a portforwarding issue. I do not know how to solve this but maybe I do not need to bother you as it's not a YH issue really. Does anyone recommend elsewhere that I can troubleshoot and problem solve portforwarding? I am using a fritz box 7490, has latest firmware installed.

I did a portscan with nmap and it says all 1000 scanned ports are filtered. I am using a mobile internet connection

Hi, welcome to the forums!

Don’t feel troubled: we’re all hosting from home, and run into the same or similar problems!

You mentioning ‘Fritz box’ triggered me thinking it is not a port issue per se. Did you try connecting from outside your LAN, eg, via mobile phone to your nohost.me domain?

Fritz boxes come with a ‘DNS rebind protection’ feature. It prevents websites from pointing to an IP in your LAN, because mostly they don’t have anything to do there.

You can look in the AVM documentation for details; in short, you have to enter your domain here (where it says online.osba.nl in my case):

image

When you are sick of entering portforwardings via the Fritz-GUI, have a look at editing the configuration as text. After changing anything, you need to generate a checksum for the FB to accept the configuration, the program you need is fritzchecksum (Python). Be sure to have an unedited backup as well, in case you mess things up (else you have to reset your FB and start all over).

PS: upon re-reading your posts, is the portforwarding itself already solved? Especially

is interesting. Do you mean your Yunohost (and your home network) are connected to the Internet via a mobile internet / 4G connection, instead of fiber or copper?

I have been able in the past to reach a webserver running on my phone via a mobile internet connection, but it was not very reliable (then again, it was a 2G connection…). Mobile broadband goes through a huge number of loops to make things marginally work, but it certainly is not unconstrained internet.

Please clarify!

PPS: to continue configuring your Yunohost locally, even when not reachable from the Internet: configure your /etc/hosts file and add your domain.nohost.me at the internal IP. (If you just visit the IP address, you’ll reach the admin page, instead of the SSO, as you probably have found out already :slight_smile: )

thanks, that's good to know, yes I have encountered that issue regarding the admin page! I wonder could you please let me know which “hosts” file I should edit as there are .conf .allow .deny and hosts to choose from.
thank you

thank you for your advice and re assurance regarding my situation and other people in the same scenario with hosting within a home network framework.
I have done a bit more homework with the situation and I am suspicious that my isp might be filtering/firewalling things and I may have a private not public IP address. I think this due to the result I got from an ip scan that said the 1000 ports are filtered.
yes I use a mobile internet connection not fibre or copper. I use a huawei e3372 lte dongle as the modem which is connected to my fritzbox.
I have added my yunohost domain to the network settings on my FB as you recommended but still come up with the same diagnosis results https://paste.yunohost.org/raw/exeyanimif and am still unable to connect with my nohost domain via another browser on the same pc
I may have some more functionality locally if I edit the hosts file as per wbk recommendations, I am waiting to hear back as am not sure which file I edit to avoid the yunohost.local returning me to the admin page. However that still won't solve the bigger issue I face with not being able to access my server on the www.
I have not edited the FB config file as text yet.
thanks again its really great to have help because I would be stuck otherwise. :slight_smile:

p.s. I think I have sorted out the port forwarding by using the Upnp option on the FB and enabling in the Yunohost Firewall settings. it returned a positive result stating that there were 8 ports enabled (in the FB interface)

It is the file /etc/hosts, on your desktop/laptop/phone, not on Yunohost (edit: in your case, if you are working on the laptop that is your Yunohost, you have to edit it there of course; be sure to remove it once your public connection works) :

$ cat /etc/hosts
192.168.178.2 yourdomain.nohost.me # give it the IP of your server, and its domain of course

If you check the status page in your Fritzbox, what is the external/WAN IP?
If it starts with 10.x.y.z, with 172.x.y.z or with 192.168.x.y, it is a private IP.
What IP does Yunohost think is the external IP? Or if you use a website on the internet to check your public IP?

Is IPv6 enabled? What does the WAN IPv6 in your Fritzbox look like, does it start with FC…:… / FD…:… / FE…:… ? Then it is most probably not a public IP.

Mobile internet seems very rarely to have IPv6 enabled, but if it is assigned to your Fritzbox, it should work.

Ah, great!

I have narrowed the external IP down to these few…

In the FB on the Internet/Online monitor I get this
image

when I do an external IP scan I get this.
image

IPv6 is not enabled on the machine

So I'm not sure which IP Yunohost thinks is my external IP

I have been reading more and wondered if I set up a VPN if that can help https://www.reddit.com/r/selfhosted/comments/b6no79/bypass_isp_port_forward_blocking/ and another page that talks about VPN Advantage of a VPN for self-hosting | Yunohost Documentation

It seems that a VPN might help?

p.s. please be aware I am not familiar with the relationships/hierarchy and uses of all these different addressing protocols. for example what is DMZ? other than de militarized zone I don't know what you use it for, and what does the DNS actually do? is it something that each individual network have that helps it communicate amongst itself and then with another independent network to avoid duplicate IP addressing issues… these are things I will probably become familiar with in time but right now I am feeling around in the dark mostly. but I am determined and will learn eventually!

thank you everyone

oh also I did edit the hosts file and it loaded me to the sso page, yay! and I thought I had solved the server user account issue but when logged in with any account I've created it took me to the admin interface and I was expecting to be able to use the applications that I've installed like Diagram etc. I am not using the laptop that Yunohost is serving from to access the web interface, I am using a laptop that is on the same home network.

I just learned something new! 100.64.0.0/10, which includes your 100.70.112.94:

$ whois 100.70.112.94
NetRange:       100.64.0.0 - 100.127.255.255
CIDR:           100.64.0.0/10
NetName:        SHARED-ADDRESS-SPACE-RFCTBD-IANA-RESERVED

is also a private IP address. It supposedly is intended especially for the use where you encounter it, ‘carrier grade NAT’ (CGN), the curse of mobile internet.

The 115.189.131.149 address is (one of) the public facing exit point(s) of the provider (Spark?).

A VPN should help; a more versatile (and possibly cheaper) option is a lightweight VPS, on which you install a VPN server yourself.

Great! :slight_smile: I have trouble parsing the rest of the paragraph, could you write it in another way?

Sorry, I skipped that bit :slight_smile:

You got the right words for DMZ. It is meant as a place in your network, that is an ‘unsafe’ place. Normally, your internet connection is picked up by your router which almost always has a firewall integrated, to block traffic from the wider internet from accessing the computers, phones and fridges at home (Internet, after all, is a network of networks, connecting all machines it can reach).

Often it is (sadly enough) good that other people can not reach those computers, phones and fridges in your house, lest they program your phone to DoS your fridge. Sometimes you want a computer at home to be reachable by the wider internet, but still keep all other machines protected by the firewall.

That single machine is placed in ‘the DMZ’, or any other name the router manufacturer chose to use. If you got eight machines at home that are connected to the internet, you could choose one of them to reach all external traffic. More finely grained, you could open and forward specific ports (depending on router, called ‘NAT’, ‘port forwarding’, ‘firewall configuration’, I can’t remember all the different names I have seen it given).

That story goes up for ‘traditional’ residential internet connections, either via fibre, cable or ADSL, where on the ‘outside’ of the router there actually is, for most purposes, ‘the internet’.

In case of mobile broadband there almost always is only the internal network of the mobile phone provider. Their network was never envisaged for any other use than media consumption by their customers, meaning there was no need to have a public representation (in an IP address) for each subscriber on the net. One of their internet-facing IP’s is shared by thousands of their mobile customers. No way they all will get a chance to run a blog on their phone! Or on their Yunohost, in your case.

This is where the VPN comes in. Virtual private networking creates a ‘private’ network over the public internet, by giving some extra information to all data being transferred between two points in the VPN (and encrypting the regular part of the data, for your eyes only). The connection is called a tunnel, because it tunnels invisibly through another network, and something can be transported through it. The other end, the exit, of the tunnel is now your representation in the real internet, with the tunnel piercing through the internal network of the broadband provider.

Because at the exit the tunnel is a regular IP, with all of its thousands of separate ports available, any kind of service one might want to access will have a port available. The VPN software will transparently forward the traffic to the identical port on your Yunohost.

Sorry for the long post; I hope all this text was able to make you some wiser :slight_smile: I’m sure I skipped over some points that are clear to me, but raise more questions for you. Perhaps I can explain those things later, give a shout.

I think renting a small VPS and installing Wireguard (either in combination with Yunohost or by itself on the OS) on it is the cheapest and most versatile way forward. How fast or slow are connections overseas? European VPS’s seem more affordably priced than Asia/Pacific or US locations.
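
The check walked through in the posts above (is the router's WAN address in a private or carrier-grade NAT range, and does it match the address seen from the Internet?), as an added Python example that is not part of the thread. The function names are made up for illustration; the two sample addresses are the ones quoted in the thread.

```python
import ipaddress

# Address ranges that cannot be reached from the Internet (label -> networks).
# Note the RFC 1918 block in 172.x is only 172.16.0.0 - 172.31.255.255.
NON_PUBLIC = {
    "private (RFC 1918)": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "carrier-grade NAT (RFC 6598)": ["100.64.0.0/10"],
    "link-local": ["169.254.0.0/16", "fe80::/10"],
    "loopback": ["127.0.0.0/8", "::1/128"],
    "IPv6 unique local": ["fc00::/7"],
}


def classify(address):
    """Return the label of the non-public range holding address, else 'public'."""
    ip = ipaddress.ip_address(address)
    for label, nets in NON_PUBLIC.items():
        for net in nets:
            network = ipaddress.ip_network(net)
            if ip.version == network.version and ip in network:
                return label
    return "public"


def diagnose(router_wan_ip, seen_from_internet_ip):
    """Return (port_forwarding_can_work, reason) for a home router.

    router_wan_ip: WAN address shown on the router's status page.
    seen_from_internet_ip: address reported by an external "what is my IP" site.
    """
    kind = classify(router_wan_ip)
    if kind != "public":
        return (False, f"WAN address {router_wan_ip} is {kind}; "
                       "inbound connections need a VPN or VPS tunnel")
    if ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(seen_from_internet_ip):
        return (False, "WAN address is public but differs from the address seen "
                       "from the Internet; another NAT sits upstream")
    return (True, "WAN address is public and matches; port forwarding can work")


if __name__ == "__main__":
    # Addresses quoted in the thread: Fritzbox WAN vs. external IP check.
    print(diagnose("100.70.112.94", "115.189.131.149"))
```
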

thanks for all the info, its good learning for me.

If I bought a domain name and used that for the yunohost domain would that solve the whole thing or would I still be stuck behind a firewall by my isp?

Also if yunohost can host as a vpn can I just use that?

I see that a vps may be helpful. though what I was aiming for was a completely independent system that was physically relocatable if necessary and only needed an internet connection. I guess in that case a VPN would be the solution there! could I run a server on my own hardware and avoid needing a VPS.

I may be confused.

Or you may be learning :slight_smile:

The (free) nohost-domain you already got has exactly the same possibilities as any (bought) domain you could find at a domain reseller; and as it is integrated in Yunohost, with less trouble.
The only reason to buy another domain would be to have a locally recognizable country ending, or, if you still can find it, a much shorter domain name.

Yes indeed. The domain (either bought/rented by you, or one of those offered via Yunohost) does not solve that issue. It is not a firewall as such; the traffic is ‘not routed’, meaning: traffic can only go from Internet to your home if you (or your devices) asked for it, not if the connection is initiated from the Internet.

Yunohost can run as a VPS, but only for connections that can reach it. Chicken and egg salad!

Yes, but you still need a VPN, which is short for “Someone else’s VPS running VPN software for many people”. As long as it is much cheaper and easier to use than a small VPS, it could be the better option.

The first search result I clicked for NZ (is that correct?) VPN’s, show monthly prices of NZ $5-$10.
My VPS is 2 Euro/month, so less than NZ $4, at the current exchange rate.

It is a pity you have to rely on mobile broadband! The least complex solution, in my eyes, would be to run Yunohost on a small VPS to see how things work. My VPS only has 20 GB of storage, versus ‘limitless’ at home, but it is lightning fast; the connection is faster than my 50/50 Mbps fibre link at home. I have (and use) the benefit of combining the two, using storage at home in the VPS (via SSHFS), that is still an option in your case.

Later on you can decide whether to migrate your installation to a laptop at home (migration is very easily done with Yunohost backups) and run via either a separate VPN or a VPN on a VPS. By then you already are familiar with running your server, and you can focus on the problems that are caused by your ISP.
