StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn

private IP (192.168.x.x.) scan for netbios (UDP 137) forwarded to public interface #1785

Open chymian opened 4 years ago

chymian commented 4 years ago

I set up a Streisand server last week on one of my VPSes. My provider sent me an abuse mail because a network scan for IP 192.168.1.0/24 on port 137/UDP was forwarded out of the public interface.

Expected behavior:

Don't forward private IPs to public Net.

Actual Behavior:

Forwards private IPs to public interfaces, which is forbidden. Since only Shadowsocks and WireGuard are actually used, I suggest it's a WireGuard misconfiguration. Can it be a firewall misconfiguration, or a wg-driver problem?

Modification of ansible-role

Since Ubuntu 16.04 is far too old, I modified the roles to use standard Debian packages where necessary (old/incompatible PPAs), which works fine. Because the OpenVPN networks overlap with existing networks (because everybody uses 10.8.0.0), I changed the OpenVPN IPs to 10.188.0.0 & 10.189.0.0; see: pastebin

Steps to Reproduce:

?

[ contents of streisand-diagnostics.md here ]

Ansible Information

Streisand Information

Enabled Roles

chymian commented 4 years ago

This behavior renders the Streisand VPN server malfunctioning software, which does not stick to the RFCs and is per se not allowed to access the internet - and none of the developers care? Really?
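
One way to confirm the condition reported in this issue from the server side is sketched below. It is an added example, not part of the thread or of Streisand's code. It assumes a netfilter `LOG` rule on the FORWARD chain is already writing packet lines to the kernel log, that the tunnel and public interfaces are named `wg0` and `eth0`, and it uses constructed sample lines.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 ranges: destinations that should never be routed out of a public interface.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_IF = "eth0"  # assumption: name of the VPS public interface
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Split one netfilter LOG line into KEY=value fields (first occurrence wins)."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # LEN appears twice (IP, then UDP); keep the IP one
    return fields

def is_private_leak(fields, public_if=PUBLIC_IF):
    """True if a forwarded packet leaves public_if towards an RFC 1918 address."""
    if not fields.get("IN") or fields.get("OUT") != public_if:
        return False  # not forwarded (empty IN) or not leaving via the public interface
    try:
        dst = ipaddress.ip_address(fields.get("DST", ""))
    except ValueError:
        return False  # malformed or missing DST
    return any(dst in net for net in RFC1918)

def summarize_leaks(lines, public_if=PUBLIC_IF):
    """Count distinct private destinations per (in-interface, source, proto, dst port)."""
    targets = defaultdict(set)
    for line in lines:
        f = parse_log_line(line)
        if is_private_leak(f, public_if):
            targets[(f["IN"], f.get("SRC"), f.get("PROTO"), f.get("DPT"))].add(f["DST"])
    return {key: len(dsts) for key, dsts in targets.items()}

# Constructed sample lines in the kernel's netfilter LOG format (not taken from the issue).
SAMPLE = [
    "kernel: IN=wg0 OUT=eth0 MAC= SRC=10.0.0.2 DST=192.168.1.1 LEN=78 TTL=63 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "kernel: IN=wg0 OUT=eth0 MAC= SRC=10.0.0.2 DST=192.168.1.2 LEN=78 TTL=63 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "kernel: IN=wg0 OUT=eth0 MAC= SRC=10.0.0.2 DST=93.184.216.34 LEN=60 TTL=63 PROTO=TCP SPT=50000 DPT=443",
    "kernel: IN= OUT=eth0 SRC=203.0.113.10 DST=192.168.1.3 LEN=78 TTL=64 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "kernel: IN=wg0 OUT=wg0 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0",
]

if __name__ == "__main__":
    for key, count in summarize_leaks(SAMPLE).items():
        print(key, "->", count, "private destinations")
```

A single tunnel client reaching many private destinations on one port, as in the first two sample lines, matches the NetBIOS sweep described in the abuse report.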