rapiz1 / rathole

A lightweight and high-performance reverse proxy for NAT traversal, written in Rust. An alternative to frp and ngrok.
Apache License 2.0

help needed for configuring gateway firewall/port forwarding #253

Closed harborwater closed 1 year ago

harborwater commented 1 year ago

I have created two separate networks. When I drop the firewall (locally) I am able to connect to my rathole service. However, when I re-enable the rules, I am unable to reach my rathole services. Are there any ports that need to be forwarded on the gateway besides 25568 and 2333? The rathole server does not have a public IP directly attached to it.

Here are my configs, the IPs have been changed for privacy.

```toml
[server]
bind_addr = "172.10.0.9:2333"

[server.transport]
type = "tcp"

[server.transport.tcp]
nodelay = true

[server.services.minecraft]
token = "USER-GENERATED-KEY"
bind_addr = "0.0.0.0:25568"
type = "tcp"
nodelay = true
```

------------------------------------------

```toml
[client]
remote_addr = "16.27.2.117:2333"

[client.services.minecraft]
token = "USER-GENERATED-KEY"
local_addr = "192.8.0.6:25565"
```

fernvenue commented 1 year ago

Hi @SumDevv, what are your firewall rules? And how do you enable them?

harborwater commented 1 year ago

The rules I have set in the firewall to the rathole server (gateway firewall rules) are as follows: allow from any IP to 2333, allow from any IP to 25568.

fernvenue commented 1 year ago

To be clear, I'm gonna tell you that there are no other ports needed for the rathole connection. May I know what exactly you use as your firewall?

harborwater commented 1 year ago

I am using a UDM Pro from Ubiquiti.

fernvenue commented 1 year ago

> I am using a UDM Pro from Ubiquiti.

I'm not quite familiar with it. Given that you're able to connect to your rathole service when the firewall is dropped, I think you may need to double-check your firewall and make sure it really opened the required ports. For example, you can use nc, nmap or something like that on your client side to check whether your rathole server has opened those ports or not.

harborwater commented 1 year ago

So I have done some more testing and it appears that the client connection to the rathole server keeps timing out: `ERROR handle{service=minecraft}: rathole::client: Failed to run the control channel: Failed to connect to X.X.X.X:51820: Connection timed out (os error 110). Retry in 452.696407ms...` It doesn't outright fail to connect immediately; there is a 20-30 second delay before it fails to connect. When I close the ports that I have opened for it, then it immediately fails: `ERROR handle{service=minecraft}: rathole::client: Failed to run the control channel: Failed to connect to X.X.X.X:51820: Connection refused (os error 111). Retry in 1.078405796s...`
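The reachability check suggested earlier in the thread, as an added example that is not part of rathole or this issue: it probes the control port and the service port from the client side and maps the two outcomes seen above (a long timeout versus an immediate refusal) to their usual cause. The port numbers are taken from the configs posted above; the host is assumed to be passed on the command line.

```python
import socket
import sys

# Ports below are assumptions taken from the configs posted in this issue.
CONTROL_PORT = 2333     # rathole control channel (server bind_addr)
SERVICE_PORT = 25568    # forwarded minecraft service (services.minecraft)


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'error:<errno>' for a TCP connect.

    'timeout' (os error 110 in the rathole client log) usually means a
    firewall or a missing port forward silently drops the SYN; 'refused'
    (os error 111) means the packet reached a host where nothing listens,
    or a rule that rejects rather than drops.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error:{exc.errno}"


def diagnose(host: str, ports=(CONTROL_PORT, SERVICE_PORT)) -> dict:
    """Probe each port and attach the likely cause, keyed by port number."""
    hints = {
        "open": "reachable: something is listening on this port",
        "timeout": "filtered: check the gateway port forward and the host firewall (e.g. ufw)",
        "refused": "closed: the host was reached but nothing listens; is rathole running?",
    }
    result = {}
    for port in ports:
        state = probe(host, port)
        result[port] = (state, hints.get(state, "unexpected socket error"))
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, (state, hint) in diagnose(target).items():
        print(f"{target}:{port} -> {state}: {hint}")
```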

harborwater commented 1 year ago

Lesson learned, always make sure that you have the ports open on UFW.

nemanjam commented 5 months ago

Will opening TCP port work for noise protocol?

fernvenue commented 5 months ago

> Will opening TCP port work for noise protocol?

@nemanjam Yes, the noise protocol is based on TCP.