MEMEs
Posts: 91
Joined: Tue Jan 13, 2015 7:25 pm
Location: Rotterdam
Contact: Website

port routing problems

Tue Sep 18, 2018 9:30 pm

Hello everyone,

I have some problems with port routing in netstat and iptables, but I don't seem to be able to figure it out. Could any of you please help me?

So what was going on, this was the old scenario when everything worked fine:

Domoticz used port 443
openVPN used port 1194 udp

Then I found out my job was blocking port 1194 due to the implementation of Windows 10, so I googled a bit and found out that I could mask my OpenVPN by setting it to TCP and forwarding it to port 443.

Well, my VPN worked fine after the change, but then I found out Domoticz wasn't working anymore. I figured this was because OpenVPN now consumed port 443, therefore I changed Domoticz to port 444. Obviously I did this both on my Pi and in my router via port forward.

So what I had now was the following:

Domoticz used port 444 (router and pi)
openVPN uses port 443 tcp (router and pi)

I found out Domoticz didn't work on port 444, and later I found I could get OpenVPN working by routing to a different port than 1194, so I tried to put everything back to the following configuration:

Domoticz 443
openVPN 1196 udp (1195 is used on my router for my Tinkerboard)

Now the problem is... neither of the ports is able to establish a connection... I googled a bit and found out this could be the result of netstat and iptables having the wrong routing on my Pi. I checked and yes, in netstat OpenVPN is still routed to port 443 while Domoticz isn't routed at all. I tried restarting my Pi and restarting my router, but this doesn't help.

Does anyone know how I can fix this?

Code:

sudo netstat -anp | grep LISTEN
tcp        0      0 127.0.0.1:46339         0.0.0.0:*               LISTEN 1118/Plex Plug-in [ 
tcp        0      0 127.0.0.1:33675         0.0.0.0:*               LISTEN 1223/Plex Plug-in [ 
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN 560/vncserver-x11-c 
tcp        0      0 0.0.0.0:32400           0.0.0.0:*               LISTEN 551/Plex Media Serv 
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN 1126/motion         
tcp        0      0 127.0.0.1:32401         0.0.0.0:*               LISTEN 551/Plex Media Serv 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN 604/sshd            
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN 457/cupsd           
tcp        0      0 127.0.0.1:32600         0.0.0.0:*               LISTEN 1183/Plex Tuner Ser 
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN 826/exim4           
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN 425/openvpn         
tcp        0      0 0.0.0.0:8765            0.0.0.0:*               LISTEN 437/python          
tcp        0      0 127.0.0.1:7999          0.0.0.0:*               LISTEN 1126/motion         
tcp6       0      0 :::5900                 :::*                    LISTEN 560/vncserver-x11-c 
tcp6       0      0 :::8080                 :::*                    LISTEN 828/domoticz        
tcp6       0      0 :::22                   :::*                    LISTEN 604/sshd            
tcp6       0      0 ::1:631                 :::*                    LISTEN 457/cupsd           
tcp6       0      0 ::1:25                  :::*                    LISTEN 826/exim4           
unix  2      [ ACC ]     STREAM     LISTENING     7465     1/init /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     7472     1/init /run/systemd/fsck.progress
unix  2      [ ACC ]     STREAM     LISTENING     7479     1/init /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     13628    560/vncserver-x11-c /tmp/.vnc-vncservice/vncserver-x11.CtrlComms
unix  2      [ ACC ]     SEQPACKET  LISTENING     7496     1/init /run/udev/control
unix  2      [ ACC ]     SEQPACKET  LISTENING     15446    922/bluealsa /var/run/bluealsa/hci0
unix  2      [ ACC ]     STREAM     LISTENING     9830     1/init /run/thd.socket
unix  2      [ ACC ]     STREAM     LISTENING     9832     1/init /var/run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     9835     1/init /var/run/cups/cups.sock
unix  2      [ ACC ]     STREAM     LISTENING     15738    1073/python3 /var/run/fail2ban/fail2ban.sock
unix  2      [ ACC ]     STREAM     LISTENING     10705    416/dhcpcd /var/run/dhcpcd.sock
unix  2      [ ACC ]     STREAM     LISTENING     10707    416/dhcpcd /var/run/dhcpcd.unpriv.sock
unix  2      [ ACC ]     STREAM     LISTENING     1750     1/init /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     12778    541/minissdpd /var/run/minissdpd.sock

MEMEs
Posts: 91
Joined: Tue Jan 13, 2015 7:25 pm
Location: Rotterdam
Contact: Website

Re: port routing problems

Tue Sep 18, 2018 10:00 pm

For completeness, this is the info I get when I try to connect to my Raspberry Pi from my telephone:

Code:

2018-54-18 23:54:43 1

2018-54-18 23:54:43 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Sep 4 2018 09:41:09

2018-54-18 23:54:43 Frame=512/2048/512 mssfix-ctrl=1250

2018-54-18 23:54:43 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
11 [verify-x509-name] [XX] [name] 
15 [verb] [3] 

2018-54-18 23:54:43 EVENT: RESOLVE

2018-54-18 23:54:43 Contacting [XXX]:1196/UDP via UDP

2018-54-18 23:54:43 EVENT: WAIT

2018-54-18 23:54:43 Connecting to [XXX]:1196 (XXX) via UDPv4

2018-54-18 23:54:53 Server poll timeout, trying next remote entry...

2018-54-18 23:54:53 EVENT: RECONNECTING

2018-54-18 23:54:53 EVENT: RESOLVE

2018-54-18 23:54:53 Contacting [XXX]:1196/UDP via UDP

2018-54-18 23:54:53 EVENT: WAIT

2018-54-18 23:54:53 Connecting to [XXX]:1196 (XXX) via UDPv4

2018-55-18 23:55:03 Server poll timeout, trying next remote entry...

2018-55-18 23:55:03 EVENT: RECONNECTING

2018-55-18 23:55:03 EVENT: RESOLVE

2018-55-18 23:55:03 Contacting [XXX]:1196/UDP via UDP

2018-55-18 23:55:03 EVENT: WAIT

2018-55-18 23:55:03 Connecting to [XXX]:1196 (XXX) via UDPv4

2018-55-18 23:55:13 EVENT: CONNECTION_TIMEOUT [ERR]

2018-55-18 23:55:13 Raw stats on disconnect:
BYTES_OUT : 1566
PACKETS_OUT : 29
CONNECTION_TIMEOUT : 1
N_RECONNECT : 2

2018-55-18 23:55:13 Performance stats on disconnect:
CPU usage (microseconds): 80327
Network bytes per CPU second: 19495
Tunnel bytes per CPU second: 0

2018-55-18 23:55:13 EVENT: DISCONNECTED

2018-55-18 23:55:13 Raw stats on disconnect:
BYTES_OUT : 1566
PACKETS_OUT : 29
CONNECTION_TIMEOUT : 1
N_RECONNECT : 2

2018-55-18 23:55:13 Performance stats on disconnect:
CPU usage (microseconds): 80943
Network bytes per CPU second: 19346
Tunnel bytes per CPU second: 0

And these are my settings of PiVPN:

Code:

@server:~ $ pivpn -d
::: Generating Debug Output
:::                                     :::
::              PiVPN Debug              ::
:::                                     :::
::      Latest Commit                    ::
:::                                     :::
commit
Merge: 
Author: redfast00 <[email protected]>
Date:   Tue May 29 22:38:46 2018 +0200

    Merge pull request #541 from pivpn/test
    
    Merge test branch into master
:::                                     :::
::      Recursive list of files in       ::
::      /etc/openvpn/easy-rsa/pki        ::
:::                                     :::
/etc/openvpn/easy-rsa/pki/:
Default.txt
ca.crt
chromebook.ovpn
chromebook2.ovpn
crl.pem
dh2048.pem
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
ipad.ovpn
iphone.ovpn
issued
linuxmain.ovpn
private
serial
serial.old
ta.key

/etc/openvpn/easy-rsa/pki/issued:
chromebook.crt
chromebook2.crt
ipad.crt
iphone.crt
linuxmain.crt
server_XXX
/etc/openvpn/easy-rsa/pki/private:
ca.key
chromebook.key
chromebook2.key
ipad.key
iphone.key
linuxmain.key
server_
:::                                     :::
::      Output of /etc/pivpn/*           ::
:::                                     :::
:: START /etc/pivpn/DET_PLATFORM ::
Raspbian
:: END /etc/pivpn/DET_PLATFORM ::
:: START /etc/pivpn/INSTALL_PORT ::
1194
:: END /etc/pivpn/INSTALL_PORT ::
:: START /etc/pivpn/INSTALL_PROTO ::
udp
:: END /etc/pivpn/INSTALL_PROTO ::
:: START /etc/pivpn/INSTALL_USER ::

:: END /etc/pivpn/INSTALL_USER ::
:: START /etc/pivpn/NO_UFW ::
0
:: END /etc/pivpn/NO_UFW ::
:: START /etc/pivpn/pivpnINTERFACE ::
eth0
:: END /etc/pivpn/pivpnINTERFACE ::
:: START /etc/pivpn/setupVars.conf ::
pivpnUser=lotus
UNATTUPG=unattended-upgrades
pivpnInterface=eth0
IPv4dns=8.8.8.8
IPv4addr=192.168.2.100
IPv4gw=192.168.2.254
pivpnProto=udp
PORT=1196
ENCRYPT=2048
APPLY_TWO_POINT_FOUR=false
DOWNLOAD_DH_PARAM=false
PUBLICDNS=
OVPNDNS1=8.8.8.8
OVPNDNS2=8.8.4.4
:: END /etc/pivpn/setupVars.conf ::
:::                                     :::
:: /etc/openvpn/easy-rsa/pki/Default.txt ::
:::                                     :::
client
dev tun
proto udp
remote XXX 1196
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_ name
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 3
:::                                     :::
::      Debug Output Complete            ::
:::                                     :::
::: 
::: Debug output completed above.
::: Copy saved to /tmp/debug.txt
:::

MEMEs
Posts: 91
Joined: Tue Jan 13, 2015 7:25 pm
Location: Rotterdam
Contact: Website

Re: port routing problems

Wed Sep 19, 2018 3:29 pm

Biep bop boop, anyone?

iticus
Posts: 10
Joined: Thu Sep 20, 2018 8:42 pm
Location: Romania
Contact: Website

Re: port routing problems

Fri Sep 21, 2018 9:18 am

Hello,

Your setup will depend on how your corporate (job) network filters traffic, so you will need to test this.
Perhaps they only block UDP, so you should be able to use TCP for OpenVPN on any port you want (like 1443) and keep Domoticz on port 443.
If they block all traffic except packets on ports like 80 and 443, you should still be able to access your services by running OpenVPN on port 443 TCP and Domoticz on port 80.
You mentioned you changed OpenVPN from TCP/443 back to UDP/1196, but your netstat output reported it still listening on TCP/443:

Code:

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN 425/openvpn
Please note that you need to restart your OpenVPN server for changes to be applied.

Best wishes,
iticus
I'm interested in Linux, Python, Raspberry Pi, PostgreSQL, Tornado, GIS
Relevant projects:
- https://github.com/iticus/alfred
- https://github.com/iticus/picamweb

MEMEs
Posts: 91
Joined: Tue Jan 13, 2015 7:25 pm
Location: Rotterdam
Contact: Website

Re: port routing problems

Fri Sep 21, 2018 9:46 am

Hi there,

Thanks for the reply! The problem was that even after a reboot the port stayed the same; I could not change that.

Could it possibly have anything to do with iptables-persistent?

Thanks!

iticus
Posts: 10
Joined: Thu Sep 20, 2018 8:42 pm
Location: Romania
Contact: Website

Re: port routing problems

Sun Sep 23, 2018 10:09 am

You already have a firewall in front of your Pi (the router) so why use iptables on the Pi as well?
Try to simplify your setup first.
OpenVPN will listen on whatever port you set it (and that port will be listed by netstat regardless of iptables rules).
Also make sure you are editing the correct configuration file.
I'm interested in Linux, Python, Raspberry Pi, PostgreSQL, Tornado, GIS
Relevant projects:
- https://github.com/iticus/alfred
- https://github.com/iticus/picamweb

MEMEs
Posts: 91
Joined: Tue Jan 13, 2015 7:25 pm
Location: Rotterdam
Contact: Website

Re: port routing problems

Sun Sep 23, 2018 10:15 am

Hi there,

I use iptables because PiVPN installs that. And actually I first thought iptables was a data direction management application; then I found out it was a firewall.

I found the solution yesterday night! It was indeed the configuration file of OpenVPN. I found a forum that stated I needed to change 3 config files, the ones you see when you use the debug function of PiVPN. It turned out that you also need to change the config file of OpenVPN. I found this out when I opened netstat and saw that the port I was using was still pointing towards UDP rather than TCP.

Thanks for the help and guidance!
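The last two posts make the same point from two sides: netstat reports what the OpenVPN daemon actually bound, regardless of iptables, and the file that has to agree with PiVPN's setupVars.conf is the OpenVPN server config itself. The script below is an added example, not code from this thread or from the PiVPN or OpenVPN projects. It cross-checks those three sources and reports any disagreement. The sample inputs are constructed from values shown in the thread; the OpenVPN config path /etc/openvpn/server.conf is an assumption. One caveat worth noting: UDP sockets never carry a LISTEN state, so the `grep LISTEN` used in the first post would hide a correctly bound UDP/1196 listener; run `netstat -anp` (or `ss -tulnp`) without that filter when checking UDP services.

```python
"""Cross-check where OpenVPN is configured to listen against where it is
actually bound, the mismatch that caused the problem in this thread.
Added example; all sample inputs below are constructed."""
import re
from typing import List, Tuple

# Constructed copy of the two relevant lines of /etc/pivpn/setupVars.conf,
# using the values shown in the thread's `pivpn -d` output.
SETUPVARS = """\
pivpnProto=udp
PORT=1196
"""

# Constructed OpenVPN server config that was NOT updated after switching
# back to UDP. The path /etc/openvpn/server.conf is an assumption.
SERVER_CONF_STALE = """\
port 443
proto tcp
dev tun
"""

SERVER_CONF_FIXED = """\
port 1196
proto udp
dev tun
"""

# Constructed subsets of `netstat -anp` output. UDP sockets have no LISTEN
# state, so a `grep LISTEN` filter would drop the udp line entirely.
NETSTAT_STALE = """\
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN 425/openvpn
tcp6       0      0 :::8080                 :::*                    LISTEN 828/domoticz
"""

NETSTAT_FIXED = """\
udp        0      0 0.0.0.0:1196            0.0.0.0:*                           425/openvpn
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN 828/domoticz
"""

# proto, recv-q, send-q, local address, foreign address, optional state,
# then pid/program (program may contain spaces, e.g. "Plex Media Serv").
SOCKET_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<pid>\d+)/(?P<prog>.+?)\s*$"
)


def parse_setupvars(text: str) -> Tuple[str, int]:
    """Return (proto, port) that PiVPN's setupVars.conf expects."""
    kv = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            kv[key.strip()] = value.strip()
    return kv["pivpnProto"].lower(), int(kv["PORT"])


def parse_openvpn_conf(text: str) -> Tuple[str, int]:
    """Return (proto, port) from an OpenVPN server config. Defaults are
    OpenVPN's own (udp, 1194); 'tcp-server', 'udp6' etc. are normalised."""
    proto, port = "udp", 1194
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0] == "proto" and len(parts) > 1:
            proto = parts[1].lower().split("-")[0].rstrip("46")
        elif parts[0] == "port" and len(parts) > 1:
            port = int(parts[1])
    return proto, port


def parse_netstat(text: str) -> List[Tuple[str, int, str]]:
    """Return (proto, port, program) per socket line; lines whose owner is
    hidden (pid shown as '-') do not match the regex and are skipped."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            port = int(m.group("local").rsplit(":", 1)[1])
            sockets.append((m.group("proto").rstrip("6"), port, m.group("prog")))
    return sockets


def bound_on(sockets, program: str, proto: str, port: int) -> bool:
    """True if `program` owns a socket on proto/port (IPv4 or IPv6)."""
    return any(p == proto and pt == port and prog.startswith(program)
               for p, pt, prog in sockets)


def check(setupvars: str, server_conf: str, netstat: str) -> List[str]:
    """Return findings; an empty list means config and reality agree."""
    findings = []
    want = parse_setupvars(setupvars)
    conf = parse_openvpn_conf(server_conf)
    if want != conf:
        findings.append(f"setupVars.conf expects {want[0]}/{want[1]} but the "
                        f"OpenVPN server config says {conf[0]}/{conf[1]}")
    sockets = parse_netstat(netstat)
    if not bound_on(sockets, "openvpn", want[0], want[1]):
        live = sorted({(p, pt) for p, pt, prog in sockets if prog.startswith("openvpn")})
        findings.append(f"openvpn is not bound on {want[0]}/{want[1]}; "
                        f"live sockets: {live or 'none'}")
    return findings


if __name__ == "__main__":
    for label, conf, ns in (("stale", SERVER_CONF_STALE, NETSTAT_STALE),
                            ("fixed", SERVER_CONF_FIXED, NETSTAT_FIXED)):
        print(label, check(SETUPVARS, conf, ns) or ["consistent"])
```

On a real Pi you would read the three inputs from `/etc/pivpn/setupVars.conf`, the OpenVPN server config, and the output of `netstat -anp`, and expect an empty result only after the daemon has been restarted, since a running openvpn keeps the socket it bound at start-up no matter what the config files now say.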
