Trying to set up Yunohost at home with njal.la VPN

What type of hardware are you using: Other(?)
What YunoHost version are you running: 12.1.37 (stable)
How are you able to access your server: The webadmin
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: no tweaking, just the default installation

Describe your issue

Thanks for the great project!
I have got a BeeLink AMD minipc and installed Yunohost on it a few months ago, but struggling to get the internet connection set up properly.

First I tried a few DynDNS services, but couldn’t get that to work, so I decided to set up a VPN connection, from njal.la, with a dedicated IP.

Inside the YH web interface I installed the VPN client and tried to upload the .ovpn file configured by njal.la, but it doesn’t allow me to. It asks me for the IPv6 prefix, and their public DNS is at 2001:67c:2354:2::53 (dns.njal.la). If I understand correctly the “53” is the IPv6 prefix part and the rest the IPv6 address? In any case, when trying to save the VPN config it doesn’t allow me.

In short, I’m not sure whether this VPN service works, whether this VPN client app is the way to go, or whether I am configuring it incorrectly or something else.

Your suggestions will be very much appreciated. TIA.

Share relevant logs or error messages

I am not allowed to post links…
paste yunohost org / kapupukuwa

paste yunohost org /raw/jikokohusu

Hi wout1,

Welcome to the forums!

Too bad the configuration doesn’t work out immediately.

I haven’t used VPN in front of my server, but I’ll take a go at answering your question :wink:

The 53 in the address is the interface ID. When you get tired of typing 0s, IPv6 allows you to use :: once per address to say “just fill up with zeros”. The ‘::’ is hardly ever used in the prefix (the first part of the address), but quite often in the tail (interface ID).

In this case, 2001:67c:2354:2 is the prefix, and ::53 is the address of “their computer”.

Your first link is empty on my side, jikokohusu shows the log of the diagnostics.

I tried to have a look at their documentation. I found https://dns.njal.la/ to show the IPv6 you mentioned, as well as the IPv4. Apart from that, not so much.

I think the VPN service works. As I said, I never used a VPN in front of my server, so I didn’t install a VPN client app.

Looking at apps.yunohost.org/catalog?search=vpn , I see VPN Client, is that the one you installed? I’d say it is the right tool for the job, and an OpenVPN file should be enough.

I was thinking about the error you got, about the IPv6 prefix. I’d say it would be in the configuration; so: either

  • There is no IPv6 in the ovpn-conf, and Yunohost expects it (and asks you), or
  • There is no IPv6 on Yunohost, while OpenVPN wants to connect to it, and asks you.

I don’t know if either of the two is correct, but:

  • if IPv6 is enabled on Yunohost, you could try disabling it and retry
  • If IPv6 is disabled, the other way around
  • Also see if Njalla provides configurations with or without IPv6

Does Njalla provide only OpenVPN access? OpenVPN has been on the backburner a bit, many VPN providers switched to Wireguard. If you can’t get OpenVPN to work, and Njalla provides another option you could try that.

A totally different option is to create a VPN yourself, using a cheap VPS. For 5 euro per year there is quite a bit of choice already.

Going back to your first attempts: dynamic DNS should work as well.
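Added example, not from the original post and not YunoHost or njal.la code: Python's standard `ipaddress` module performs the split described above mechanically, which is a quick way to see what a form asking for an “IPv6 prefix” should receive and why a second `::` is rejected. The /64 prefix length is an assumption; the thread does not say which prefix length the VPN client app expects.

```python
import ipaddress


def split_ipv6(addr: str, prefixlen: int = 64) -> tuple[str, str, str]:
    """Split an IPv6 address into (routing prefix, interface ID, fully expanded form).

    prefixlen=64 is the conventional subnet size and an assumption of this
    example; pass the length your VPN provider actually assigns.
    """
    ip = ipaddress.IPv6Address(addr)  # raises ValueError on malformed input, e.g. two '::'
    # IPv6Interface(...).network zeroes the host bits, giving the prefix as a network.
    prefix = ipaddress.IPv6Interface(f"{addr}/{prefixlen}").network
    host_bits = 128 - prefixlen
    # Keep only the low host_bits: that is the interface ID (::53 in the example above).
    iface_id = ipaddress.IPv6Address(int(ip) & ((1 << host_bits) - 1))
    return (str(prefix), str(iface_id), ip.exploded)


def explain(addr: str, prefixlen: int = 64) -> str:
    """Human-readable summary, or the parser's complaint for an invalid address."""
    try:
        prefix, iface, full = split_ipv6(addr, prefixlen)
    except ValueError as e:
        return f"invalid: {e}"
    return f"{addr} = {full}; prefix {prefix}, interface ID {iface}"


if __name__ == "__main__":
    # Constructed inputs: the dns.njal.la address from the thread, a variant with the
    # zeros written out, and a malformed address using '::' twice.
    for a in ("2001:67c:2354:2::53", "2001:67c:2354:2:0:0:0:53", "2001:67c::2::53"):
        print(explain(a))
```

Running it shows that `2001:67c:2354:2::53` and `2001:67c:2354:2:0:0:0:53` are the same address, that the prefix is `2001:67c:2354:2::/64` and the interface ID `::53`, and that the address with two `::` is rejected by the parser.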

thanks for your kind reply!

Indeed I am using the ‘VPN client’ app inside YH. Initially with OpenVPN, but now following your suggestion of Wireguard, Njalla also provides config for that. Easy.

But somehow I don’t get it to work. You can see that I filled out the IP address as indicated on the dns.njal.la page in the DNS server of my domain registrar, and the diagnosis tool of YH says this:

Some DNS records are missing or incorrect for domain commons.tools (category basic)

  • Please check the documentation at docs dns_config if you need help configuring DNS records.

  • The following DNS record does not seem to follow the recommended configuration:
    Type: A
    Name: @
    Current value: 95.215.19.53
    Expected value: 198.167.206.147

  • The following DNS record does not seem to follow the recommended configuration:
    Type: AAAA
    Name: @
    Current value: 2001:67c:2354:2::53
    Expected value: 2a02:6f8:2020:206:b::147

  • The following DNS record does not seem to follow the recommended configuration:
    Type: A
    Name: grist
    Current value: 95.215.19.53
    Expected value: 198.167.206.147

  • The following DNS record does not seem to follow the recommended configuration:
    Type: AAAA
    Name: grist
    Current value: 2001:67c:2354:2::53
    Expected value: 2a02:6f8:2020:206:b::147

That’s really weird, as the current IP is the same as on the Njalla DNS page. Would you have any clue?

Otherwise I’d try once more to get the DynDNS to work. I had already set up HE.net, but at my router at home I couldn’t seem to get it to work with HE.net (although I had moved the name servers to HE).

I also checked with the Njal.la VPN support. Here’s their (same day) response:

Hi Wout.

All ports on the VPN are forwarded, but the IP rotates every 24 hours, so if you have a domain you want to be able to use with the VPN you need to set up dynamic DNS for that, and then you of course need to open that port on your own network, and possibly handle NAT.

Your local network configuration is out of scope for this support.

Hope you figure out a solution.

Kind regards, Njalla

So I do need to master Dynamic DNS anyway! So let’s return to that. A while ago I concluded that almost all DynDNS services listed in the YH docs have some issues, e.g. you cannot seem to sign up at DNSexit anymore, NoIP requires confirmations every 30 days, so I decided to go all the way with HE.net.

Setup:

  • Yunohost install @ Beelink

  • Internal wifi network with Tplink Deco X50: address reservation to keep the local IP assigned: 192.168.68.57

  • internal route from Sagem router (how???) to point yunohost.local to local IP address for local access

  • (not necessary now, but could provide an additional level of security) VPN: Njal.la WireGuard service + WireGuard client in YH + my domain pointing to the Njal.la IP

  • the DynDNS service, account created at Hurricane Electric Internet Services, the free service at HE.net: 1) move the DNS name servers at the registrar to the HE.net name servers, 2) configure DynDNS with the HE username inside the Sagem router (unsure if this is set up correctly), 3) how to route this to the Yunohost box? Ok, so here is the script linked from the docs, on the DynDNS-with-HE-net GitHub page. Let's see the steps:

    • I connect over SSH to the YH box, all fine
    • apt-get to install curl, but the dnstools package cannot be located.
    • breaking off. at least temporarily.

Is this the way to go? I’m stuck at the dnstools package. Please let me know that this is a path that leads to success.

thanks in advance.

Hi wout1,

Sorry, I got distracted and didn’t follow up any sooner.

How frustrating!

I’m in the somewhat lucky situation that only my mobile phone has a dynamic IP, so I have limited experience setting up DynDNS. My DNS is also at dns.he.net though, so I recognize the ‘Enable entry for dynamic dns’. I might make some time to enable it for my telephone to find out.

To see whether I got the picture, I’ll rewrite your listing

Local infra:

  • ISP-provided modem/router (Sagem; any specifics?)
    • ‘bridge mode’ or router?
  • WiFi access point (Tplink Deco X50)
    • only as WiFi access point, in ‘bridge mode’, or as router
    • in case of bridge mode: no problem, it’s mostly out of the picture
    • in case of router: double NAT → headaches
  • Beelink
    • connected to the LAN side of the Deco X50
    • connected by wire or by radio?
    • fixed local IP via DHCP reservation

External infra:

  • ISP-provided modem/router (Sagem)
    • Dynamic IP
    • IPv4 and IPv6?
    • If you don’t mind the internet to know in which country you live: which ISP?
    • There may be existing blogposts or howto’s for the specific ISP/modem combination
  • DNS for the domain provided by dns.he.net
    • with HE providing DynDNS
  • Traffic routed via njal.la
    • Njalla provides a dynamic IP address as well
    • Providing a layer of privacy when browsing the internet from home
    • Providing a layer of complexity for hosting a server

OK, so, worst case, to reach beelink.wout1.org (to give it a name), the path is:

  • Dynamic IP (Njalla)
  • Dynamic IP (ISP)
  • Carrier grade NAT (CGNAT)
  • Routing + NAT (Sagem)
  • Routing + NAT (Deco X50)
  • WiFi connection to Beelink

For outgoing traffic, it adds some latency, but for day-to-day internet browsing you wouldn’t notice. Outgoing traffic, as in using your laptop or mobile phone at home (there’s incoming traffic as well of course, but it is initiated internally).

A less complex path would be:

  • Dynamic IP (ISP)
  • Routing + NAT (Sagem)
  • Wired connection to Beelink

First thing to find out is how much NAT is involved. Sagem is widely used by ISPs, and mostly not lauded for providing lots of options for users. With drying-up supplies of IPv4, some ISPs implement CGNAT for ‘some kind of connectivity’; that would open a host of additional constraints.

To check:

  • Do you have access to the configuration of the Sagem modem/router?
    • Does it have a ‘routable’ IPv4 as WAN IP:
      • not starting with 10.*
      • not starting with 172.16.-172.31.
      • not starting with 192.168.*
    • That IPv4 should be the same as when you go to a site such as whatismyip.com
  • Is Sagem only working as a modem, or also as router?
  • Does Sagem include a switch, ie, multiple LAN ports?
  • Deco X50:
    • Is it in router or bridge mode?

While looking through the manual for the Deco X50 v3, I noticed it most probably is in router mode; your Beelink’s address is in its default DHCP range (mostly routing and DHCP are switched on and off together). Things I noticed in that document:

  • The advanced settings at the end of the document
    • Switch between router ↔ access point (bridge mode)
    • Register for DynDNS via TPlink
      • no idea whether this is desirable
      • you’ll probably get a wout1.users.tplink.com domain, or something like that
      • it may be worthwhile to try this out temporarily, to find out whether you can then reach your Yunohost
    • make DHCP reservations (you already did that with 192.168.68.57 for Beelink)
    • set up NAT / port forwarding
  • Creating an isolated network (IoT they call it, but your Yunohost could be in there as well; disadvantage: it seems WiFi only)
  • It may be that you can use the integrated VPN functionality to make a connection between your Deco X50 and Njalla, but you’re a bit on your own figuring out whether that might work

Ok, let’s start with that :wink:

PS: on the Beelink/Yunohost side of things:

  • Yunohost admin → domains → yourdomain.tld → DNS: you can configure your credentials for HE, and use the automatic DNS feature to have Yunohost set the values at HE. I think it will use your public IP address as it is at the moment. It will change, but at least you can check it’s working.
  • Yunohost admin → tools → firewall : you could enable UPnP, as it seems that TPLink has enabled it by default.
  • Yunohost admin → Domains → Add domain allows to use a domain provided by Yunohost and partners, it is set up for DynDNS by default. It isn’t your own domain, but again: it’ll allow you to test things
  • Debian has the ddclient package, that you can configure to contact dns.he.net to tell it the current dynamic IP it has.

Good luck!
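Added example serving two places in the thread: the HE.net DynDNS procedure in the earlier post (move name servers to HE, enable the dynamic entry, then push the current IP from the box), which stalled on a missing package, and the ddclient hint in the PS above. This is my own script, not the one linked from the YunoHost docs, not ddclient, and not anything from HE; it needs only the Python standard library, so there is no `dnstools` or `curl` dependency to install. It uses the `dyn.dns.he.net/nic/update` endpoint with the `hostname`, `password` and `myip` parameters that HE documents for its dynamic DNS (verify against HE's current docs), where `password` is the per-record DDNS key you get when you enable the dynamic entry, not your account password. The IP-echo URL, the state file location and the `HE_DDNS_KEY` environment variable are assumptions of this example. Before updating anything it applies the “how much NAT is involved” check from the post above: a WAN address in 10/8, 172.16/12, 192.168/16 or the CGNAT range 100.64.0.0/10 (RFC 6598, not listed in the post but the one to watch for with an ISP that uses CGNAT) means DynDNS plus port forwarding cannot make the box reachable, so the script refuses to update and says why.

```python
"""Minimal dynamic-DNS updater for dns.he.net with a sanity check on the WAN address.

Run it from cron or a systemd timer every few minutes:
    HE_DDNS_KEY=<per-record key> python3 he_ddns.py beelink.example.org
"""
import ipaddress
import os
import re
import sys
import urllib.parse
import urllib.request

HE_UPDATE_URL = "https://dyn.dns.he.net/nic/update"   # HE's dyndns2-style endpoint
IP_ECHO_URL = "https://checkip.dns.he.net/"           # assumption: returns a page containing the WAN IPv4
STATE_FILE = os.path.expanduser("~/.he-ddns-last-ip") # assumption: cache of the last IP we pushed
CGNAT = ipaddress.ip_network("100.64.0.0/10")         # RFC 6598 shared address space (carrier-grade NAT)


def classify_ipv4(ip: str) -> str:
    """Say whether an address can be reached from the internet at all."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError(f"IPv4 only: {ip}")
    if addr in CGNAT:
        return "cgnat"      # the ISP NATs you; port forwarding on your own router cannot help
    if addr.is_private:
        return "private"    # 10/8, 172.16/12, 192.168/16: a LAN address, not the WAN one
    if addr.is_global:
        return "public"
    return "other"          # loopback, link-local, reserved ranges


def extract_ipv4(text: str) -> str:
    """Pull the first dotted quad out of an IP-echo response; raise if none or malformed."""
    m = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", text)
    if not m:
        raise ValueError("no IPv4 address in response")
    return str(ipaddress.IPv4Address(m.group(1)))  # validates every octet


def build_update_url(hostname: str, ddns_key: str, myip: str = "") -> str:
    """Query string as HE documents it; myip is optional (HE uses the client IP otherwise)."""
    params = {"hostname": hostname, "password": ddns_key}
    if myip:
        params["myip"] = myip
    return HE_UPDATE_URL + "?" + urllib.parse.urlencode(params)


def interpret_response(body: str) -> tuple[str, str]:
    """Map HE's one-line reply to (status, detail); 'good' and 'nochg' carry the IP."""
    word, _, rest = body.strip().partition(" ")
    if word == "good":
        return ("updated", rest)
    if word == "nochg":
        return ("unchanged", rest)
    return ("error", body.strip())  # badauth, abuse, nohost, ...


def needs_update(current_ip: str, cached_ip: str) -> bool:
    return current_ip != cached_ip


def read_cached_ip() -> str:
    try:
        with open(STATE_FILE) as f:
            return f.read().strip()
    except FileNotFoundError:
        return ""


def fetch(url: str) -> str:
    with urllib.request.urlopen(url, timeout=15) as r:
        return r.read().decode("utf-8", "replace")


def main(argv) -> int:
    key = os.environ.get("HE_DDNS_KEY", "")  # env var rather than argv: argv is visible in `ps`
    if len(argv) != 2 or not key:
        print("usage: HE_DDNS_KEY=<key> he_ddns.py HOSTNAME", file=sys.stderr)
        return 2
    hostname = argv[1]
    wan_ip = extract_ipv4(fetch(IP_ECHO_URL))
    kind = classify_ipv4(wan_ip)
    if kind != "public":
        print(f"WAN address {wan_ip} is {kind}: inbound connections cannot reach this host; sort out NAT/ISP first")
        return 1
    if not needs_update(wan_ip, read_cached_ip()):
        print(f"{wan_ip} unchanged, nothing to do")
        return 0
    status, detail = interpret_response(fetch(build_update_url(hostname, key, wan_ip)))
    print(status, detail)
    if status == "error":
        return 1
    with open(STATE_FILE, "w") as f:   # remember what we pushed so we do not hammer HE
        f.write(wan_ip)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points: the cache file exists because HE answers `abuse` to clients that send unchanged updates too often, so only push when the address moved; and when the VPN is in the path, the address to publish is the one assigned by Njalla, so run the script on the box and let the echo service see the VPN exit address rather than reading the ISP address from the router.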