ultrahorizon / UH-VPN-Docs

Documentation, bug tracker and feature request system for UH VPN
https://docs.uh-vpn.com

QUESTION: Cloudron.io blocking VPN server connections #47

Closed andrewlimaza closed 4 years ago

andrewlimaza commented 4 years ago

Please describe the question you wish to ask: I have set up the server and it shows that the service is running and enabled.

I am unable to connect via the iOS app (it just gets stuck on 'connecting' in VPN settings) and never connects. Is there another way I can test this and/or troubleshooting steps?

andrewlimaza commented 4 years ago

I'm running it on Digital Ocean (Cloudron.io running on the same droplet). I have forwarded the ports as per this guide - https://docs.uh-vpn.com/en/latest/setup-guides/digital-ocean/index.html

jwsi commented 4 years ago

Hi @andrewlimaza ,

First things to check:

  1. Make sure the server IP and port is correct in the edit server page on the website.
  2. Check that you have no firewalls enabled on the Ubuntu instance either with the cloud provider or on the instance itself.
  3. Check the logs to make sure that you can see connection activity on the server side. Check `/var/log/uh-vpn-server/token.log`.

Let me know how you get on with that and we can go from there 😊

andrewlimaza commented 4 years ago

Thanks for getting back to me so soon @jwsi.

  1. I've checked this to be correct, can I add screenshots here?
  2. Checked ufw in terminal and that returns 'inactive'.
  3. There's no token.log (only a random long .log file and a daemon.log).

Please let me know if screenshots will help.

andrewlimaza commented 4 years ago

I'm going to try another port, maybe something is using that port?

jwsi commented 4 years ago

Hi @andrewlimaza ,

Please can you send screenshots of the daemon.log and the long filename log. The long filename is the secret server token used.

If you can post screenshots of both those issues we can go from there.

andrewlimaza commented 4 years ago

Sure here you go :)

(screenshot: Screen Shot 2020-09-18 at 19 46 29)
(screenshot: Screen Shot 2020-09-18 at 19 49 06)

andrewlimaza commented 4 years ago

Doh, it says port already in use. (I restarted the server - UPDATE: No more fatal errors, above screenshots are still valid)

(screenshot: Screen Shot 2020-09-18 at 20 19 36)

Did a quick search, can I use 8443 port instead?

andrewlimaza commented 4 years ago

Also on a side note, I noticed "openvpn" has open ports on our server. I set up a cloudron.io server which helps make things easier (I'm not running openvpn at all, not sure if this affects it? - I'm keen to get uhvpn working rather)

andrewlimaza commented 4 years ago

(screenshot: Screen Shot 2020-09-18 at 20 35 58)

jwsi commented 4 years ago

Hi @andrewlimaza ,

The set up looks good. UH VPN uses a custom version of OpenVPN as its underlying VPN core, that's why you see it running.

The logs indicate no client activity on the server. Are you on a cloud service? If so you'll have to add rules on their firewall or security group sections to allow traffic to UH VPN on port 443 or whatever you're using.

Where is the server hosted?

andrewlimaza commented 4 years ago

Great, thanks!

It’s through Digital Ocean, checked. The ports are open.

Server IP is: 68.183.119.86

I’ve tried both UDP and TCP (no luck). It seems nginx is on this server too and Port 443 may be in use?

AnthonyWharton commented 4 years ago

If you're delivering HTTPS on your nginx server it almost certainly is in use (edit: for TCP)! Feel free to try other ports that aren't in use - we only recommend 443 as this is a port that is regularly unblocked. If you don't need to deal with censorship you can definitely try other ports!

Edit: This shouldn't be the case for UDP, so might be worth some further digging... can you post the output to:

sudo ss -tulw

(This should list in-use ports on the system)

jwsi commented 4 years ago

The server wouldn't show "initialisation sequence complete" if the port was already in use so that's not the issue here at all. Traffic simply isn't able to get to the server in question.

Are you able to ping the server's IP?

Please, to keep things simple, can you keep the original set up with UDP 443 and screenshot the Digital Ocean firewall rules?

andrewlimaza commented 4 years ago

@jwsi here's a screenshot, I even set it to "ALL TCP" and "ALL UDP" for now. I've tried various ports: 443, 8443, 44301 etc.

After the tests I'll remove these from the firewall. If I run a simple: ping -c 5 68.183.119.86 it times out, but I've logged into the server via SSH/custom dashboard.

I'll remove the "ALL" ports when this issue is resolved :)

(screenshot: Screen Shot 2020-09-18 at 21 53 44)

andrewlimaza commented 4 years ago

Thanks @AnthonyWharton I've tried a whole bunch of ports too, head scratcher lol. I can SSH into the server, whenever I change the ports I did restart the VPN on my server too (just to make sure).

I haven't been able to connect via Mac/iPhone, happy for you to try to connect from your side. :)

jwsi commented 4 years ago

Hey @andrewlimaza,

Can you try using TCP 8443 as the protocol and port? You can do this by setting the protocol and port on the edit server page in the website.

jwsi commented 4 years ago

Hey @andrewlimaza,

I forgot to add, when you update the server on the web interface, do you receive any errors E.g. timeout?

In any case if you update the protocol + port to TCP 8443, then issue the command:

sudo service uh-vpn-server restart

Test it, if it doesn't work, I'll give you my public key so you can give me temporary SSH access to the VPN server and I'll see if I can spot any abnormalities/errors that we can fix easily.

andrewlimaza commented 4 years ago

Thanks @jwsi, I still haven't been able to get this right.

I've tried the port on 8443 and restarted the service. I also tried on different ISPs (mobile, fiber etc).

The server was initially set up with Cloudron.io, maybe this is interfering with it?

jwsi commented 4 years ago

Hey @andrewlimaza,

Yes this seems rather puzzling now. From my end everything looks ok. Would you be open to giving temporary SSH access to the server so I can see if there's something that would be conflicting or preventing operation?

Given the logs, this really does look like something is blocking traffic from ever reaching the VPN server. Sorry for restating the obvious, but if you can please also check again that the firewall with the rules you screenshotted earlier is actually associated to the Droplet in question and that there are no other firewalls with more specific rules associated to it as well.

If you'd like to give temporary SSH access, please add my key:

ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBKZYbWcbzzzT/vjAaL70BuncNgfJXrl1SyTQ6XA5/KwtLVVPzbYTntPwZ+zR0ID7tZPDn9FV9UiBMT0E/3nuBNaRO/5fnmwucKN1S0YCWVTk16BLByvK2PvS11sm7bHIEw== JamesWebb

to the file ~/.ssh/authorized_keys

andrewlimaza commented 4 years ago

Sorry for only replying now James. I don't work on weekends and definitely don't work on Sundays.

jwsi commented 4 years ago

Hey @andrewlimaza,

No problem. I only closed this issue as it's one that is specific to your use case and probably won't benefit the wider community, but I am happy to work with you on this until your problem is solved and we get everything up and running 🙂.

James.

andrewlimaza commented 4 years ago

Thanks, I understand and it makes sense. Your site just said that you have to post issues to GitHub. I'd be happy to discuss this via email.

However, I really think it's due to cloudron.io (Server app management software) so if I really really need this VPN, I'll just spool up another DO droplet. Would love to see uhvpn on Cloudron :)

AnthonyWharton commented 4 years ago

Hi @andrewlimaza,

I've just taken a look at cloudron.io, whilst we do not support it nor use it ourselves currently, I had a quick look at the documentation and spotted some settings about firewall options. It looks to me like by installing cloudron it sets up a software firewall on your OS which is likely blocking the ports - meaning that even if you are running behind a DO/AWS firewall which has the ports exposed, you will not have access as cloudron is blocking access.

You can find the docs page I am talking about here: https://docs.cloudron.io/networking/

Perhaps it would be worth trying to whitelist a port here?

Anthony

andrewlimaza commented 4 years ago

Thanks Anthony, going to look at that. I do think it's Cloudron interfering at the moment. Didn't realize that I had to do this :/ Will keep you posted.

andrewlimaza commented 4 years ago

This has helped, I have opened the port TCP 8443 (I had to use iptables as their firewall config file didn't work for me).

I now connect but cannot get internet access when connected to the VPN. I'm guessing something else is being blocked by Cloudron 👎

If I knew Cloudron would 'cut off' my server this bad I probably wouldn't have used it.

AnthonyWharton commented 4 years ago

Glad to hear that this has partially solved the issue. Could you let us know what IP tables commands you used?

For reference, uh-vpn-server requires:

  1. Inbound access to your chosen VPN port/protocol.
  2. Outbound access to your routed subnets (e.g. the local network only or access to the entire internet).
  3. (Optional) Inbound TCP access on 2802 for live updates to the server.

In your case:

  1. It sounds like you have this as connections are being made.
  2. Could you let us know what you have set your "IPv4/IPv6 Tunnel Network" as in the uh-vpn.com server edit page?
    It's unusual to have a system where outbound access is restricted, but it's also not unheard of. If Cloudron wants to maintain some sort of security promises against "malicious" third party apps it may be doing something here.
    It may also be helpful to check your outbound IP tables rules.
  3. We don't need to worry about this for now, but note that if you do not have access through TCP 2802 then you will need to restart the uh-vpn-server service every time you make an edit to the server on uh-vpn.com.

Finally, is there a support channel with cloudron that you can ask for assistance with? I'm afraid I am not familiar with how they set up the system once installed, so you might have more luck asking for assistance there as we obviously can't provide support for a product we do not make!
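
The three requirements above, turned into a quick rule-dump check as an added example (not UH VPN's own code): it reads `iptables -S` output and reports which requirement is unmet, so a locked-down host like the one described can be diagnosed before trying the client again. The function names and the coarse "policy ACCEPT or any ACCEPT rule" heuristic are assumptions.

```shell
#!/bin/sh
# Added example (not UH VPN code): check an `iptables -S` dump against the
# three requirements in the comment above. Function names and the "policy
# ACCEPT or any ACCEPT rule" heuristic are assumptions.
# Real host: sudo iptables -S | check_uhvpn_rules 8443 tcp

# inbound_allowed PROTO PORT: reads the dump on stdin; true if INPUT accepts
# e.g. "-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT".
inbound_allowed() {
    grep -Eq -e "^-A INPUT .*-p $1 .*--dport $2 .*-j ACCEPT"
}

# chain_open CHAIN: reads the dump on stdin; true if the chain's default
# policy is ACCEPT or it carries at least one ACCEPT rule (coarse heuristic).
chain_open() {
    grep -Eq -e "^-P $1 ACCEPT|^-A $1 .*-j ACCEPT"
}

# check_uhvpn_rules PORT PROTO: reads the dump on stdin, prints one line per
# requirement and returns the number of hard requirements not met (0 = good).
check_uhvpn_rules() {
    port="$1"; proto="$2"; missing=0
    dump=$(cat)
    # 1. Inbound access on the chosen VPN port/protocol.
    if printf '%s\n' "$dump" | inbound_allowed "$proto" "$port"; then
        echo "OK      inbound $proto/$port"
    else
        echo "MISSING inbound $proto/$port (clients stall on 'connecting')"
        missing=$((missing + 1))
    fi

    # 2. Outbound access for tunnelled clients: the host must both send its
    #    own traffic (OUTPUT) and forward client traffic (FORWARD).
    if printf '%s\n' "$dump" | chain_open OUTPUT &&
       printf '%s\n' "$dump" | chain_open FORWARD; then
        echo "OK      outbound/forwarding"
    else
        echo "MISSING outbound/forwarding (connects, but no internet access)"
        missing=$((missing + 1))
    fi

    # 3. Optional: TCP 2802 so edits on uh-vpn.com reach the server live.
    if printf '%s\n' "$dump" | inbound_allowed tcp 2802; then
        echo "OK      inbound tcp/2802 (live updates)"
    else
        echo "NOTE    tcp/2802 closed: restart uh-vpn-server after each edit"
    fi
    return "$missing"
}
```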

andrewlimaza commented 4 years ago

Thanks for sticking through this, I've added TCP 2802 to the Cloudron firewall + iptables.

Here's a screenshot of the uh-vpn settings page:

(screenshot: Screen Shot 2020-09-22 at 16 34 28)

andrewlimaza commented 4 years ago

Thanks for sticking through this with me, I'm guessing it's just Cloudron locking down the whole server not just their 'ecosystem'. I'll try to figure it out and share what it is for any future cases.

AnthonyWharton commented 4 years ago

No problem, that's what we're here for! Also sorry I didn't mean the Tunnel Network settings - been a long day! Thanks for the screenshot though, that has what I was after!

Might need to wait for @jwsi for this one (he leads development on the server application) and I know that UH VPN does some iptables operations when "Add Forwarding Rules" is enabled, but my memory is a bit shaky here. I'll be able to look into this properly a bit later when I get some free time if James isn't about until then!

jwsi commented 4 years ago

@andrewlimaza Sorry I misread the above comments and didn't realise you could connect.

Please can you send screenshots of the following commands:

sudo iptables --list

sudo iptables -t nat --list

Thanks.

andrewlimaza commented 4 years ago

Thanks for the help here @jwsi, I got tired of Cloudron so I've migrated the server apps to a standard DO droplet on Ubuntu 18.04, I'm just going to set up uhvpn again from scratch (it should be easier).

I'll keep you posted.

jwsi commented 4 years ago

Hey @andrewlimaza ,

Sounds good. We actually have a Digital Ocean droplet available directly from their marketplace.

If you follow this guide you should be set up very quickly: https://docs.uh-vpn.com/en/latest/setup-guides/digital-ocean/index.html

andrewlimaza commented 4 years ago

Thanks @jwsi I followed the Ubuntu guide as I already have other software installed on this droplet and things connected to the IP Address.

All works well and I can connect through Digital Ocean now! :) Cheers

jwsi commented 4 years ago

Glad to hear that @andrewlimaza!

Let us know if you encounter any other issues 👍

James.