Accessing remote LAN custom ports behind AS

Business solution to host your own OpenVPN server with web management interface and bundled clients.
reindeerduck
OpenVpn Newbie
Posts: 1
Joined: Tue Sep 14, 2021 7:53 pm

Accessing remote LAN custom ports behind AS

Post by reindeerduck » Tue Sep 14, 2021 7:57 pm

How do I trace a dropped packet / traffic flow?

Problem:
When VPN'd to home network, I am unable to access the various Web UIs of the Docker containers running on custom port numbers.
This behaviour does not happen when on the local network. Specific containers are accessible; my best guess is that this is due to the Docker network(s) they are placed on(?)

Current configuration:
A single Ubuntu "home server". It has existed for many years, and has seen transformation from services or applications running natively, with many Apache virtual hosts, MySQL database and other packages installed.
More recently, Docker was deployed and, where possible, all existing uses were transformed / converted to container equivalents. The MySQL was retained, as a permanent store.
The server has 1 main NIC with an IP address of 192.168.0.5, located on a 192.168.0.0/24 network. .1 is the LAN router and gateway to the internet (ISP provided router, running in router-only mode).

As an example, I have 1 container running on port 6789 which is running on a virtual NIC called "docker0" (172.17.0.0/16). It has an actual IP of 172.17.0.2. When connected to the VPN (also a container workload) I am able to route to this container's web UI with "http://hostname:6789".

Most other containers are on different networks, which are not able to route when connected to the VPN. The rest of the network configuration looks the same between all containers. I picked 1, running on port 9001, for this troubleshooting.

Only while troubleshooting this problem did I open the iptables configuration. I did this via the Webmin interface. I did not make any of this existing configuration, and I am now trying to reverse engineer it. I assume that the traffic flows top-to-bottom down the various tables listed in the Webmin interface. The various tables (top to bottom) are:
- Incoming Packets (INPUT)
- Forwarded Packets (FORWARD) = most rules, with jumps to the DOCKER table
- Outgoing Packets (OUTPUT)
- AS0_ACCEPT
- AS0_IN
- AS0_IN_NAT
- AS0_IN_POST
- AS0_IN_PRE
- AS0_IN_ROUTE
- AS0_OUT
- AS0_OUT_LOCAL
- AS0_OUT_POST
- AS0_OUT_S2C
- AS0_WEBACCEPT
- DOCKER = has most of the custom ports in containers I recognise, combined with virtual NICs starting with "br-"
- DOCKER-ISOLATE-STAGE-1
- DOCKER-ISOLATE-STAGE-2
- DOCKER-USER

I have tried putting in a new "Log Packet" rule at the top of each table to see which table contains the dropped packet(s) of the failed port 9001 traffic after I test a request to this page, but it never appears. This involved:
- Add "Log Packet" rule to table. All other rule options were left at "ignore"
- Clicked the "Apply configuration" button to apply these changes
- Return to the browser and start a connection to both web UIs for ports 6789 and 9001
- Removed the "Log Packet" rule
- Re-applied the configuration, to disable the logging.

From all this, I have not found a single occasion where the port 9001 rule is logged - does this mean it is not being processed? I have found log file references to the port 6789 requests I made. Specifically the "docker0" table with many rules for the custom ports specified in the container configurations.

Using a similar approach to above to apply new rules, I found a number of references to other custom port number rules in the tables. I cloned these for my specific port 9001, but none had any effect.

I can only test remotely connecting via the VPN, so I am wary of a config change that will wipe out any remote access. This is stopping me checking Portainer to view / validate the existing Docker configuration too, which is my container on port 9001.

Can someone identify what process I should use? What I may have done incorrectly above? Pointers to the solution, if others can identify this from what I have stated above?

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Accessing remote LAN custom ports behind AS

Post by openvpn_inc » Wed Sep 15, 2021 7:05 am

Hello reindeerduck,

Sorry but this means that there are iptables rules interfering on the Access Server itself, and we don't provide support for that. Access Server relies heavily on iptables to do its job. When there's other programs doing things with iptables too, things can break. Therefore we simply do not provide support for that situation. Perhaps you can set up another system that runs the docker instances, separate from the Access Server.

If you wish to continue debugging this, I think it would be good if you have access to this system other than only through the network, so that you can do some more drastic changes in iptables to track down the problem. You could try for example to create a new iptables chain that logs dropped packets and push stuff through that chain.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
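The procedure the question describes (a "Log Packet" rule at the top of every chain, one chain at a time, applied and then removed through Webmin) and the reply's suggestion (a chain that logs the packets, with traffic pushed through it) can be done in one pass with a distinct log prefix per chain, so that a single test request to the port reveals every chain the packet entered, in order. The script below is an added example and is not code from the thread, from Webmin, or from OpenVPN Inc. It assumes standard iptables-save syntax and the kernel's LOG line format; the iptables-save excerpt, the chain list, the VPN client address and the kernel log lines are constructed for the example, and the chain path they show is illustrative, not a diagnosis of the poster's server.

```python
"""Trace a TCP port through every filter-table chain with per-chain LOG rules.

Added example, not code from the forum thread or from OpenVPN Inc. Every chain
in the filter table gets a non-terminating LOG rule with a unique prefix; the
kernel log then shows the chains a packet traversed, and the last chain that
logged it is where to look for the DROP/REJECT (or the policy it returned to).
Assumes iptables-save syntax and the kernel LOG line format.
"""
import re
import shlex

TAG = "TRC"
MAX_PREFIX = 29          # iptables limit for --log-prefix is 29 characters

# Constructed iptables-save excerpt in the shape the question describes.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:AS0_IN - [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j RETURN
COMMIT
"""


def filter_chains(save_text):
    """Chain names declared in the *filter table of an iptables-save dump."""
    chains, in_filter = [], False
    for line in save_text.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif line.startswith("COMMIT"):
            in_filter = False
        elif in_filter and line.startswith(":"):
            chains.append(line[1:].split()[0])
    return chains


def trace_plan(chains, port, proto="tcp", tag=TAG):
    """Insert/delete commands plus the id->chain map needed to read the log.

    A numeric id goes into the prefix so that long chain names, which the
    29-character limit truncates (DOCKER-ISOLATION-STAGE-1 and -2 would
    otherwise collide), still map back to a unique chain. LOG is a
    non-terminating target, so these rules cannot themselves block traffic;
    -m limit keeps the kernel log from flooding.
    """
    plan = {"chains": {}, "prefixes": {}, "insert": [], "delete": []}
    for i, chain in enumerate(chains, 1):
        prefix = f"{tag}:{i}:{chain}:"[:MAX_PREFIX - 1] + " "
        spec = (f"-p {proto} --dport {port} -m limit --limit 30/min "
                f"-j LOG --log-prefix {shlex.quote(prefix)}")
        plan["chains"][i] = chain
        plan["prefixes"][i] = prefix
        plan["insert"].append(f"iptables -I {chain} 1 {spec}")
        plan["delete"].append(f"iptables -D {chain} {spec}")
    return plan


# Constructed kernel log lines (VPN client address 172.27.224.2 assumed).
_P = "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 "
SAMPLE_KERNEL_LOG = [
    f"kernel: TRC:2:FORWARD: IN=tun0 OUT=br-1a2b3c4d5e6f SRC=172.27.224.2 DST=172.18.0.3 {_P}DPT=9001 SYN URGP=0",
    f"kernel: TRC:7:DOCKER-USER: IN=tun0 OUT=br-1a2b3c4d5e6f SRC=172.27.224.2 DST=172.18.0.3 {_P}DPT=9001 SYN URGP=0",
    f"kernel: TRC:6:DOCKER-ISOLATION-STAGE IN=tun0 OUT=br-1a2b3c4d5e6f SRC=172.27.224.2 DST=172.18.0.3 {_P}DPT=9001 SYN URGP=0",
    f"kernel: TRC:2:FORWARD: IN=tun0 OUT=docker0 SRC=172.27.224.2 DST=172.17.0.2 {_P}DPT=6789 SYN URGP=0",
    f"kernel: TRC:7:DOCKER-USER: IN=tun0 OUT=docker0 SRC=172.27.224.2 DST=172.17.0.2 {_P}DPT=6789 SYN URGP=0",
    f"kernel: TRC:6:DOCKER-ISOLATION-STAGE IN=tun0 OUT=docker0 SRC=172.27.224.2 DST=172.17.0.2 {_P}DPT=6789 SYN URGP=0",
    f"kernel: TRC:5:DOCKER: IN=tun0 OUT=docker0 SRC=172.27.224.2 DST=172.17.0.2 {_P}DPT=6789 SYN URGP=0",
    "kernel: eth0: link up",   # unrelated noise is ignored
]


def parse_trace(log_lines, plan, tag=TAG):
    """Pull chain, interfaces, addresses and port out of LOG lines carrying our tag."""
    rx = re.compile(
        rf"\b{re.escape(tag)}:(?P<id>\d+):\S* ?IN=(?P<in>\S*) OUT=(?P<out>\S*)"
        r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
        r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
    )
    hits = []
    for line in log_lines:
        m = rx.search(line)
        if not m:
            continue
        chain = plan["chains"].get(int(m.group("id")))
        if chain is None:          # prefix left over from an earlier run
            continue
        hits.append({"chain": chain, "in": m.group("in"), "out": m.group("out"),
                     "src": m.group("src"), "dst": m.group("dst"),
                     "proto": m.group("proto"),
                     "dpt": int(m.group("dpt")) if m.group("dpt") else None})
    return hits


def chain_path(hits, dport):
    """Chains that saw packets to dport, in log order, consecutive repeats collapsed."""
    path = []
    for h in hits:
        if h["dpt"] == dport and (not path or path[-1] != h["chain"]):
            path.append(h["chain"])
    return path


if __name__ == "__main__":
    plan = trace_plan(filter_chains(SAMPLE_IPTABLES_SAVE), 9001)
    print("\n".join(plan["insert"]))
    hits = parse_trace(SAMPLE_KERNEL_LOG, plan)
    print("9001:", " -> ".join(chain_path(hits, 9001)))
    print("6789:", " -> ".join(chain_path(hits, 6789)))
```

In use: feed real `iptables-save` output to `filter_chains`, run the `insert` commands as root, make one request to the port from the VPN client, collect `journalctl -k | grep 'TRC:'`, and hand those lines to `parse_trace`; then run the `delete` commands. Because LOG never terminates a chain, this cannot cut off the remote session the question is worried about. Two caveats: in FORWARD the packet has already been DNATed by Docker's nat rules, so if a container publishes host port A onto container port B the rule there must match B (INPUT still sees A); and a chain that shows no hit at all means the packet never entered it, not that the rule was ignored. On the nft backend of iptables, `iptables -t raw -I PREROUTING -p tcp --dport 9001 -j TRACE` together with `xtables-monitor --trace` shows every rule evaluated rather than only chain entry, at the cost of more noise.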
