Please help me configure networking on a VPS

Hi,

I’m still struggling to have a fully functional nethserver installed on a remote VPS or dedicated server with public IP. I’m thinking the problem lies with the configuration of the network but I’m unable to figure out what I need to do.
I’ve tried this with both a VPS in a KVM environment and on a dedicated server from OHV to make sure it was not specific to that network/machine. In both I face the same issues.

The first thing I notice is that I am unable to issue a letsencrypt certificate through the webgui; I’ve had to do it manually and import the certificate to the correct folder through the shell. I keep getting the same error:

Failed authorization procedure. nethserver.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://nethserver.mydomain.com.well-known/acme-challenge/x7h7iY1Db0Puw2bsn6Y8AoOjYBbLYjLEsUW1qu4gxfI: Timeout

I then tried to configure the transparent proxy server but, although the clients are able to connect, there is no internet traffic going through as it’s getting blocked for some reason? When I tail the log I see this:

1497275428.680 0 176.185.23.20 TCP_DENIED/403 4063 CONNECT community.nethserver.org/t/cant-get-web-proxy-to-work/6890:443 - HIER_NONE/- text/html
1497275430.680 0 176.185.23.20 TCP_DENIED/403 4063 CONNECT community.nethserver.org/t/cant-get-web-proxy-to-work/6890:443 - HIER_NONE/- text/html
1497275432.679 0 176.185.23.20 TCP_DENIED/403 4063 CONNECT community.nethserver.org/t/cant-get-web-proxy-to-work/6890:443 - HIER_NONE/- text/html
1497275433.678 0 176.185.23.20 TCP_DENIED/403 4087 CONNECT community.nethserver.org:443 - HIER_NONE/- text/html
1497275434.678 0 176.185.23.20 TCP_DENIED/403 4063 CONNECT community.nethserver.org/t/cant-get-web-proxy-to-work/6890:443 - HIER_NONE/- text/html
1497275435.002 0 176.185.23.20 TCP_DENIED/403 4036 CONNECT 127.0.0.1:59243 - HIER_NONE/- text/html
1497275436.680 0 176.185.23.20 TCP_DENIED/403 4063 CONNECT community.nethserver.org/t/cant-get-web-proxy-to-work/6890:443 - HIER_NONE/- text/html
1497275437.630 1 176.185.23.20 TCP_DENIED/403 5420 POST http://community.nethserver.org/message-bus/a9be173714d54eea8eac682eaecec493/poll? - HIER_NONE/- text/html
1497275438.680 0 176.185.23.20 TCP_DENIED/403 4063 CONNECT community.nethserver.org/t/cant-get-web-proxy-to-work/6890:443 - HIER_NONE/- text/html
1497275440.680 0 176.185.23.20 TCP_DENIED/403 4063 CONNECT community.nethserver.org/t/cant-get-web-proxy-to-work/6890:443 - HIER_NONE/- text/html

I also have the same issue with the VPN server. I’ve created a client, enabled the roadwarrior server routing all traffic through the VPN and downloaded the client certificate. Although it connects without any problem, I can’t access the internet. When I tail /var/log/messages I get a lot of “martian sources”:

Jun 17 14:13:23 neth kernel: ll header: 00000000: ff ff ff ff ff ff 0c c4 7a b5 38 c3 08 06 …z.8…
Jun 17 14:13:58 neth kernel: IPv4: martian source 152.789.345.87 from 127.0.0.1, on dev ens3
Jun 17 14:13:58 neth kernel: ll header: 00000000: ff ff ff ff ff ff 00 25 90 47 aa 22 08 06 …%.G."…
Jun 17 14:13:59 neth kernel: IPv4: martian source 152.789.345.87 from 127.0.0.1, on dev ens3
Jun 17 14:13:59 neth kernel: ll header: 00000000: ff ff ff ff ff ff 00 25 90 47 aa 22 08 06 …%.G."…
Jun 17 14:14:00 neth kernel: IPv4: martian source 152.789.345.87 from 127.0.0.1, on dev ens3
Jun 17 14:14:00 neth kernel: ll header: 00000000: ff ff ff ff ff ff 00 25 90 47 aa 22 08 06 …%.G."…
Jun 17 14:14:56 neth kernel: IPv4: martian source 152.789.345.4 from 127.0.0.1, on dev ens3
Jun 17 14:14:56 neth kernel: ll header: 00000000: ff ff ff ff ff ff 00 25 90 47 aa 22 08 06 …%.G."…
Jun 17 14:14:57 neth kernel: IPv4: martian source 152.789.345.4 from 127.0.0.1, on dev ens3
Jun 17 14:14:57 neth kernel: ll header: 00000000: ff ff ff ff ff ff 00 25 90 47 aa 22 08 06 …%.G."…
Jun 17 14:15:05 neth kernel: IPv4: martian source 152.789.345.4 from 127.0.0.1, on dev ens3
Jun 17 14:15:05 neth kernel: ll header: 00000000: ff ff ff ff ff ff 00 25 90 47 aa 22 08 06 …%.G."…
Jun 17 14:15:06 neth kernel: IPv4: martian source 121.149.345.9 from 127.0.0.1, on dev ens3
Jun 17 14:15:06 neth kernel: ll header: 00000000: ff ff ff ff ff ff 00 25 90 47 aa 22 08 06 …%.G."…
Jun 17 14:15:07 neth kernel: IPv4: martian source 89.74.208.3 from 127.0.0.1, on dev ens3
Jun 17 14:15:07 neth kernel: ll header: 00000000: ff ff ff ff ff ff 00 25 90 47 aa 22 08 06 …%.G."…
Jun 17 14:15:08 neth kernel: IPv4: martian source 126.190.251.6 from 127.0.0.1, on dev ens3
Jun 17 14:15:08 neth kernel: ll header: 00000000: ff ff ff ff ff ff 0c c4 7a b5 38 c3 08 06 …z.8…

The network interface is configured green, as per the install instructions.

Another thing that worries me is that in trusted networks, it assumes the entire shared network where the VPS is sitting is trusted, which I think may be a security risk from an attack coming from another VPS in the same network. Any way to restrict this? I’m unable to edit the default trusted network config.

Any help would be much appreciated and thanks in advance.

Your port 80 is probably closed.

This is because squid allow web browsing only from trusted networks by default.

The green network should contain only your public IP and gateway, it’s the same for trusted network.
If you want, you can further restrict access using firewall rules.

Hi @giacomo,

Thank you for your help.

Unless I’m missing something I don’t think this is the case - in “network services” I see http (both ports 80 & 443) is allowed on the green and red interfaces; in “firewall rules” I also see httpd and httpd-admin set to accept on both green and red. I haven’t changed anything here - shouldn’t port 80 be allowed by default? Requesting a letsencrypt certificate is one of the first things I did after installation and before configuring/installing anything else.

That would defeat the purpose of the proxy for me as I would like to configure it in the clients and be able to connect from any network, including mobile networks and public hotspots. Does that mean I need to authorise each IP address I’m connecting from beforehand? Any way to add trusted clients instead of trusted networks? And how can I add an IP/network to trusted networks without adding the all ISP network range?

In “Network”, the interface ens3 is configured with the IP address and netmask 255.255.255.0 as static; because of that nethserver assumes that the entire network (with all the other VPSs’ IPs) is trusted - in trusted networks I do not see my IP but the network (if my IP is 176.181.78.45 I see 176.181.78.0 with a netmask 255.255.255.0). I don’t think there is a way to restrict this behaviour except by firewall rules, am I right? Any wiki or instructions on how to set up those firewall rules?

Thanks,

Fred

Yes, you’re right.
But it seems the LE server can’t reach your machine on port 80 to exchange the challenge.

You need a template custom to do such a thing.

Only the address of your green interface (along with its mask) is added to trusted networks.
You can change this behavior only by modifying a library.

Apart from squid ACLs, you can ignore the trusted networks in your scenario and add any custom rule from the “Firewall rules” page.

I finally figured out the problem with the letsencrypt certificate! Besides both instances of Nethserver I also had issues with renewing a certificate in a freepbx instance I have. But the error message there revealed that letsencrypt was detecting both A and AAAA DNS records and using the IPv6 one to authenticate. Deleting the AAAA records solved the issue and allowed renewal. Same problem with Nethserver: I also had IPv6 DNS records for each instance and deleting the record allowed the authentication to complete.

I’m guessing this is a recently introduced bug as I’ve had AAAA DNS records for most of the servers I have issued letsencrypt certificates before.

Hi @giacomo, thanks for the help.

This is not the behaviour I’m experiencing - in “trusted networks” what was automatically added (and can’t be edited) is the base IP address and its netmask, NOT the VPS individual IP address. As per my example above, if the VPS has the IP 176.181.78.45 the “trusted networks” show a default 176.181.78.0 with a netmask 255.255.255.0. This implies that the server is exposed to all other VPSs with an IP from 176.181.78.1 to 176.181.78.254, no?

Sorry, I’m too ignorant to be able to edit even that small piece of code - any chance this has been done before and/or is it easy to do? Would love to learn how to if you can point me in the right direction?

Thanks in advance for your help.

Yes, because your provider gives you a wide netmask.
Please ignore it, and customize firewall rules according to your needs.

Not so easy to do, sorry.

  1. You need to learn about the template system: http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html
  2. You need to create a template custom for this fragment: https://github.com/NethServer/nethserver-squid/blob/master/root/etc/e-smith/templates/etc/squid/squid.conf/20acl_00_localnet

In the end you can try this procedure (quick and dirty):

# Create the templates-custom directory mirroring the squid.conf fragment path
mkdir -p /etc/e-smith/templates-custom/etc/squid/squid.conf
# The custom fragment replaces the default one, so define both ACLs:
# localnet matches client (src) addresses, localnet_dst matches destination (dst) addresses
echo "acl localnet src <your net>" >> /etc/e-smith/templates-custom/etc/squid/squid.conf/20acl_00_localnet
echo "acl localnet_dst dst <your net>" >> /etc/e-smith/templates-custom/etc/squid/squid.conf/20acl_00_localnet
# Expand the templates and reload squid
signal-event nethserver-squid-update
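The procedure above, generalised to a list of trusted networks and written so it can be exercised in a scratch directory. This is an added example, not code from the thread or from NethServer; it assumes the templates-custom layout and fragment name given in the posts, and the function and file names are my own.

```python
# Added example (not from the thread or from NethServer): render the custom
# squid.conf fragment from a validated list of trusted networks, and show which
# client addresses the resulting localnet ACL would admit, so the difference
# between the provider-wide /24 and a host-only /32 is visible before deploying.
import ipaddress
from pathlib import Path

# Fragment path relative to the templates-custom root (from the thread).
FRAGMENT = "etc/squid/squid.conf/20acl_00_localnet"


def render_localnet_acl(networks):
    """Return the squid ACL lines for the given trusted networks.

    Each entry is validated as an IPv4/IPv6 network; a bare host address such
    as '176.181.78.45' becomes a /32 so that only that host is trusted.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    if not nets:
        raise ValueError("at least one trusted network is required")
    spec = " ".join(str(n) for n in nets)
    # The custom fragment replaces the stock one, so both ACLs are emitted:
    # localnet matches client (src) addresses, localnet_dst destination (dst) ones.
    return f"acl localnet src {spec}\nacl localnet_dst dst {spec}\n"


def write_fragment(templates_custom_root, networks):
    """Write the fragment under templates_custom_root and return its path.

    On a real box the root is /etc/e-smith/templates-custom and
    'signal-event nethserver-squid-update' must follow (not done here).
    """
    path = Path(templates_custom_root) / FRAGMENT
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(render_localnet_acl(networks))
    return path


def admitted(networks, client_ips):
    """Return the subset of client_ips that the localnet src ACL would match."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    return [ip for ip in client_ips if any(ipaddress.ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    import tempfile
    # Constructed sample: the VPS itself, two neighbours in the provider's /24, an outsider.
    clients = ["176.181.78.45", "176.181.78.46", "176.181.78.200", "198.51.100.9"]
    print("default /24 admits:", admitted(["176.181.78.0/24"], clients))
    print("host-only /32 admits:", admitted(["176.181.78.45"], clients))
    with tempfile.TemporaryDirectory() as root:
        print(write_fragment(root, ["176.181.78.45"]).read_text())
```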