Ynh-vpnclient: LAN access gone

Hello everyone,

My YunoHost server

Hardware: VM running on local proxmox server with VPN (like Brique Internet)
YunoHost version:
I have access to my server : Through SSH | through the webadmin | direct access via keyboard / screen
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no
If yes, please explain:

Description of my issue

I have a pure YunoHost installation and I installed the VPN client. I got a VPN subscription from one of the FFDN members and uploaded the .cube file to the client. The system connects successfully to the VPN server and all services function normally.

My issue is the following: I’d like to have access to the server from the local LAN (IP subnets:,, other than through the VPN. Currently I can make outgoing connections from YunoHost to other LAN IPs (ssh) but I cannot ssh to the YunoHost server using the local IP ( (from other LAN hosts).

Before the vpnclient establishes connection to the VPN server I can connect through ssh to YunoHost, but afterwards when I run ssh I get ssh: connect to host port 22: Connection timed out, like traffic cannot get out through to the local LAN from YunoHost.

Please note that I haven’t changed the firewall settings in any way other than through the administration UI.

My iptables -S:

-N f2b-dovecot
-N f2b-nginx-http-auth
-N f2b-pam-generic
-N f2b-postfix
-N f2b-postfix-sasl
-N f2b-recidive
-N f2b-sshd
-N f2b-sshd-ddos
-N f2b-synapse
-N f2b-yunohost
-N vpnclient_fwd
-N vpnclient_in
-N vpnclient_out
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-yunohost
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-synapse
-A INPUT -p tcp -j f2b-pam-generic
-A INPUT -p tcp -j f2b-recidive
-A INPUT -p tcp -m multiport --dports 25,587,143,993,110,995 -j f2b-postfix-sasl
-A INPUT -p tcp -m multiport --dports 110,995,143,993,587,4190 -j f2b-dovecot
-A INPUT -p tcp -m multiport --dports 25,587 -j f2b-postfix
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd-ddos
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -i ens18 -j vpnclient_in
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8448 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5349 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5350 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49153:49193 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m udp --dport 5349 -j ACCEPT
-A INPUT -p udp -m udp --dport 5350 -j ACCEPT
-A INPUT -p udp -m udp --dport 49153:49193 -j ACCEPT
-A INPUT -p udp -m udp --dport 60000:60050 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -o ens18 -j vpnclient_fwd
-A OUTPUT -o ens18 -j vpnclient_out
-A f2b-dovecot -j RETURN
-A f2b-nginx-http-auth -j RETURN
-A f2b-pam-generic -j RETURN
-A f2b-postfix -j RETURN
-A f2b-postfix-sasl -j RETURN
-A f2b-recidive -j RETURN
-A f2b-sshd -j RETURN
-A f2b-sshd-ddos -j RETURN
-A f2b-synapse -j RETURN
-A f2b-yunohost -j RETURN
-A vpnclient_fwd -j DROP
-A vpnclient_in -p icmp -j ACCEPT
-A vpnclient_in -s -j ACCEPT
-A vpnclient_in -s -j ACCEPT
-A vpnclient_in -s -j ACCEPT
-A vpnclient_in -s -j ACCEPT
-A vpnclient_in -p tcp -m tcp --dport 22 -j ACCEPT
-A vpnclient_in -p tcp -m tcp --dport 443 -j ACCEPT
-A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A vpnclient_in -j DROP
-A vpnclient_out -d -p udp -m udp --dport 443 -j ACCEPT
-A vpnclient_out -d -p udp -m udp --dport 53 -j ACCEPT
-A vpnclient_out -d -j ACCEPT
-A vpnclient_out -d -j ACCEPT
-A vpnclient_out -d -j ACCEPT
-A vpnclient_out -d -j ACCEPT
-A vpnclient_out -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A vpnclient_out -j DROP

and my iptables -t nat -S


Any help is appreciated!

Not sure it is a firewall issue. I have similar iptables rules and I can reach my yunohost from the LAN.

Maybe you have a routing issue instead. Check that your yunohost can reach your computer without involving the VPN.

ip route get 192.168.3.XXX 

(192.168.3.XXX being the IP of your computer on the LAN)

If you see something like this:

192.168.3.XXX via ... dev tun0 ...

then there is a missing route that you can add manually like this:

ip route add dev ens18

It seems you 're right. I can access the server from its local LAN ( but not from the other subnet, where I’m testing from.

The server didn’t have a route for via ens18 so I added it.

sudo ip route add dev ens18

but I still cannot get the server to route back the reply to an ssh session (connection time-out).

I solved it! I just needed to add a route for via

ip route add via dev ens18