Ynh-vpnclient: LAN access gone

Hello everyone,

My YunoHost server

Hardware: VM running on local proxmox server with VPN (like Brique Internet)
YunoHost version: 3.6.5.3
I have access to my server: Through SSH | through the webadmin | direct access via keyboard / screen
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no
If yes, please explain:

Description of my issue

I have a pure YunoHost installation and I installed the VPN client. I got a VPN subscription from one of the FFDN members and uploaded the .cube file to the client. The system connects successfully to the VPN server and all services function normally.

My issue is the following: I’d like to have access to the server from the local LAN (IP subnets: 192.168.3.0/24, 192.168.11.0/24), other than through the VPN. Currently I can make outgoing connections from YunoHost to other LAN IPs (ssh) but I cannot ssh to the YunoHost server using the local IP (192.168.3.203) (from other LAN hosts).

Before the vpnclient establishes connection to the VPN server I can connect through ssh to YunoHost, but afterwards when I run ssh 192.168.3.203 I get ssh: connect to host 192.168.3.203 port 22: Connection timed out, like traffic cannot get out through to the local LAN from YunoHost.

Please note that I haven’t changed the firewall settings in any way other than through the administration UI.

My iptables -S:

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-dovecot
-N f2b-nginx-http-auth
-N f2b-pam-generic
-N f2b-postfix
-N f2b-postfix-sasl
-N f2b-recidive
-N f2b-sshd
-N f2b-sshd-ddos
-N f2b-synapse
-N f2b-yunohost
-N vpnclient_fwd
-N vpnclient_in
-N vpnclient_out
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-yunohost
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-synapse
-A INPUT -p tcp -j f2b-pam-generic
-A INPUT -p tcp -j f2b-recidive
-A INPUT -p tcp -m multiport --dports 25,587,143,993,110,995 -j f2b-postfix-sasl
-A INPUT -p tcp -m multiport --dports 110,995,143,993,587,4190 -j f2b-dovecot
-A INPUT -p tcp -m multiport --dports 25,587 -j f2b-postfix
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd-ddos
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -i ens18 -j vpnclient_in
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8448 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5349 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5350 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49153:49193 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m udp --dport 5349 -j ACCEPT
-A INPUT -p udp -m udp --dport 5350 -j ACCEPT
-A INPUT -p udp -m udp --dport 49153:49193 -j ACCEPT
-A INPUT -p udp -m udp --dport 60000:60050 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -o ens18 -j vpnclient_fwd
-A OUTPUT -o ens18 -j vpnclient_out
-A f2b-dovecot -j RETURN
-A f2b-nginx-http-auth -j RETURN
-A f2b-pam-generic -j RETURN
-A f2b-postfix -j RETURN
-A f2b-postfix-sasl -j RETURN
-A f2b-recidive -j RETURN
-A f2b-sshd -j RETURN
-A f2b-sshd-ddos -j RETURN
-A f2b-synapse -j RETURN
-A f2b-yunohost -j RETURN
-A vpnclient_fwd -j DROP
-A vpnclient_in -p icmp -j ACCEPT
-A vpnclient_in -s 10.0.0.0/8 -j ACCEPT
-A vpnclient_in -s 172.16.0.0/12 -j ACCEPT
-A vpnclient_in -s 192.168.0.0/16 -j ACCEPT
-A vpnclient_in -s 169.254.0.0/16 -j ACCEPT
-A vpnclient_in -p tcp -m tcp --dport 22 -j ACCEPT
-A vpnclient_in -p tcp -m tcp --dport 443 -j ACCEPT
-A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A vpnclient_in -j DROP
-A vpnclient_out -d 89.234.141.94/32 -p udp -m udp --dport 443 -j ACCEPT
-A vpnclient_out -d 89.234.141.66/32 -p udp -m udp --dport 53 -j ACCEPT
-A vpnclient_out -d 10.0.0.0/8 -j ACCEPT
-A vpnclient_out -d 172.16.0.0/12 -j ACCEPT
-A vpnclient_out -d 192.168.0.0/16 -j ACCEPT
-A vpnclient_out -d 169.254.0.0/16 -j ACCEPT
-A vpnclient_out -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A vpnclient_out -j DROP

and my iptables -t nat -S

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

Any help is appreciated!

Not sure it is a firewall issue. I have similar iptables rules and I can reach my yunohost from the LAN.

Maybe you have a routing issue instead. Check that your yunohost can reach your computer without involving the VPN.

ip route get 192.168.3.XXX 

(192.168.3.XXX being the IP of your computer on the LAN)

If you see something like this:

192.168.3.XXX via ... dev tun0 ...

then there is a missing route that you can add manually like this:

ip route add 192.168.3.0/24 dev ens18

It seems you're right. I can access the server from its local LAN (192.168.3.0/24) but not from the other subnet 192.168.11.0/24, where I'm testing from.

The server didn’t have a route for 192.168.11.0/24 via ens18 so I added it.

sudo ip route add 192.168.11.0/24 dev ens18

but I still cannot get the server to route back the reply to an ssh session (connection timeout).

I solved it! I just needed to add a route for 192.168.11.0/24 via 192.168.3.1.

ip route add 192.168.11.0/24 via 192.168.3.1 dev ens18
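The thread above is a routing problem, not a filtering one: the vpnclient rules already accept 192.168.0.0/16 in both directions on ens18, but once the VPN is up the default route points into the tunnel, so SSH replies to a host on 192.168.11.0/24 leave through tun0 and never reach the LAN client. The following is an added example, not code from the thread or from the ynh-vpnclient app. It models the kernel's longest-prefix-match route selection over a small constructed routing table that mirrors the posts: a default route via tun0, the server's own LAN on ens18, and the 192.168.11.0/24 route in the two forms tried (dev-only, which still failed, and via 192.168.3.1, which worked). The default route via tun0 and the assumption that only 192.168.3.0/24 hosts answer ARP on ens18 are constructed for the model; 192.168.3.1 and ens18 come from the posts.

```python
"""Model of the route selection discussed in the thread (added example, not from the forum).

Shows why a reply to 192.168.11.x goes into the VPN tunnel with no specific route,
why 'ip route add 192.168.11.0/24 dev ens18' still fails (the next hop is the
destination itself, which is not on the ens18 segment), and why the route
'via 192.168.3.1' works (the next hop is the LAN gateway, which is on-link).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address] = None  # None means an on-link (dev-only) route


def parse_route(spec: str) -> Route:
    """Parse an 'ip route add'-style spec, e.g. '192.168.11.0/24 via 192.168.3.1 dev ens18'."""
    tokens = spec.split()
    target = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
    prefix = ipaddress.ip_network(target, strict=False)
    via = dev = None
    for key, value in zip(tokens[1::2], tokens[2::2]):
        if key == "via":
            via = ipaddress.ip_address(value)
        elif key == "dev":
            dev = value
    if dev is None:
        raise ValueError(f"route spec has no dev: {spec!r}")
    return Route(prefix, dev, via)


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific prefix containing dst wins, as the kernel does."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


# Constructed assumption: the only hosts that answer ARP on ens18 are the server's own LAN.
ONLINK_ENS18 = ipaddress.ip_network("192.168.3.0/24")


def reply_path(table: List[Route], dst: str) -> Tuple[str, str, bool]:
    """Return (egress device, next hop, reaches_lan_host) for a reply sent to dst."""
    route = lookup(table, dst)
    next_hop = route.via or ipaddress.ip_address(dst)
    if route.dev == "tun0":
        # The reply leaves through the VPN; the LAN client never sees it (asymmetric path).
        return (route.dev, str(next_hop), False)
    # On ens18 the packet is only delivered if the next hop can be resolved by ARP on that segment.
    return (route.dev, str(next_hop), next_hop in ONLINK_ENS18)


# Constructed tables mirroring the three states described in the thread.
BASE = [parse_route("default dev tun0"), parse_route("192.168.3.0/24 dev ens18")]
ATTEMPT = BASE + [parse_route("192.168.11.0/24 dev ens18")]                   # first try, still timed out
FIX = BASE + [parse_route("192.168.11.0/24 via 192.168.3.1 dev ens18")]      # the route that solved it

if __name__ == "__main__":
    for name, table in (("no specific route", BASE), ("dev-only route", ATTEMPT), ("via gateway", FIX)):
        dev, hop, ok = reply_path(table, "192.168.11.5")
        print(f"{name:18s}: reply to 192.168.11.5 leaves via {dev} towards {hop}; reaches client: {ok}")
```

The first table reproduces what `ip route get 192.168.3.XXX` showed in the reply above (a `dev tun0` result), the second reproduces the dev-only attempt that still timed out, and the third the `via 192.168.3.1` fix. The model also makes the point that the INPUT and OUTPUT rules quoted in the first post were never the problem: `vpnclient_in` and `vpnclient_out` both accept 192.168.0.0/16 on ens18, so the only thing deciding the fate of the reply is which interface the routing table picks.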