Can't join server via VPN

johalun
Member
Posts: 24
Joined: Sat Sep 26, 2020 14:18
GitHub: johalun

Can't join server via VPN

by johalun » Post

Hey!

So I've just set up a VPN to be able to access my home network from remote locations. I have a Minetest server running on the same computer as my VPN server. The problem is, I can't join (timeout) when connecting via VPN.
I suspect this might be because Minetest and the VPN server are on the same machine. Is this something that can be configured or is it a known limitation?

I can join Minetest from other computers when I'm physically at home, connecting over LAN.
I can ssh to the Minetest server via VPN.
If I add port forwarding in my router I can join using my public IP address.

For reference, I have a Minecraft server running on the same machine and I can connect to that via VPN.

Festus1965
Member
Posts: 1435
Joined: Sun Jan 03, 2016 11:58
In-game: bye bye

Re: Can't join server via VPN

by Festus1965 » Post

Check what ports are supported, as here the 30000, and near over
Minetest has no future

johalun
Member
Posts: 24
Joined: Sat Sep 26, 2020 14:18
GitHub: johalun

Re: Can't join server via VPN

by johalun » Post

Minetest is running on port 30000.

Festus1965
Member
Posts: 1435
Joined: Sun Jan 03, 2016 11:58
In-game: bye bye

Re: Can't join server via VPN

by Festus1965 » Post

johalun wrote:
Fri Oct 23, 2020 16:28
Minetest is running on port 30000.
Is the VPN supporting other ports than 80?

johalun
Member
Posts: 24
Joined: Sat Sep 26, 2020 14:18
GitHub: johalun

Re: Can't join server via VPN

by johalun » Post

As I wrote in my first post, I can use ssh and also login to my Minecraft server on port 50xxx on the same machine. The problem is specific to Minetest.

Linuxdirk
Member
Posts: 2670
Joined: Wed Sep 17, 2014 11:21
In-game: Linuxdirk
Location: Germany

Re: Can't join server via VPN

by Linuxdirk » Post

The question still remains unchanged: is the VPN supporting port 30000 and is it configured properly to forward that port to the same port on the machine where the Minetest server is running?

johalun
Member
Posts: 24
Joined: Sat Sep 26, 2020 14:18
GitHub: johalun

Re: Can't join server via VPN

by johalun » Post

It's a default installation of openvpn, nothing configured regarding ports so I doubt it would block 30k but not above and below that. I'll test on Monday when I'm back in the office.

onid246
New member
Posts: 6
Joined: Sun Oct 25, 2020 07:40

Re: Can't join server via VPN

by onid246 » Post

The vpn server doesn't control what ports are allowed. That's your server's firewall. If you're using openvpn, the default server port is 1194. So all clients connect to the vpn through port 1194. Each client knows if it's connected to the vpn server or not, and a new network interface with a vpn address will show up. Once the vpn connection has been established and verified, it's then a matter of 2 things: 1) the minetest server is running 2) the port for minetest server is allowed through the host machine's firewall.

A simple setup on a Debian linux machine would be something like this:

1) home router forwards port 1194 to the computer running the openvpn server
2) openvpn server, which uses (listens on) port 1194, protocol udp, for client connections.
3) minetest server, which uses (listens on) port 30000, protocol udp, for client connections
4) ufw to manage the computer's firewall.

So you have people from the Internet requesting access into your home network on port 1194, and your router allowing that, then 2 different servers running on the server computer. You use ufw on the server to allow or disallow connections to those servers.

With an openvpn server, the computer gets a new network interface, which will show up as "tun0". You can see this by doing "ifconfig" in the command line, which will also show other network interfaces, such as "eth0" and your LAN address on that. The I.P. address of the server on the tun0 interface is 10.8.0.1 by default. This address value is set by the openvpn config file at /etc/openvpn/server.conf. All clients that connect to the server also get a new network interface called "tun0" (or tun1 if that's already taken), and the addresses for that interface start with 10.8.0.6, and go up by values of 4 for each new client. So 10.8.0.6, 10.8.0.10, 10.8.0.14, etc. (There's a technical reason for this which you can research, or just accept it for now).

But the clients can only connect to the openvpn server if port 1194 is open in both your home router and on the server. After logging into your router and forwarding port 1194 to your server, you then have to allow this port on the server using the ufw command:

sudo ufw allow from any to any port 1194 proto udp comment 'allow vpn connections'
(note: this is a very liberal policy which allows everyone in the world access on port 1194, but openvpn server only accepts those with encryption keys. You can set it to only allow specific addresses if you want):

Clients connect by installing openvpn and setting up their client config file at /etc/openvpn/client.conf to use your home I.P. address and port 1194. The clients don't usually need to set up any firewall rule.

So at this point you have an openvpn server running, and clients can connect to it. The server and the clients are all using the address allocation of 10.8.0.0/24, which means the address range from 10.8.0.1 to 10.8.0.255.

Now you need to get a minetest server running. By default, it runs on port 30000, protocol udp. So after you have one set up and running, and it's on port 30000, you'll want to allow that for just the vpn clients. So you'll open port 30000 on the server using the 'ufw' command:

sudo ufw allow from 10.8.0.0/24 to any port 30000 proto udp comment 'minetest server'
So at this point, on the server machine it's allowing everyone on the Internet to try to access openvpn on port 1194/udp, and that's the only port open to the internet, while it allows any computer that's a member of the 10.8.0.x network, access to port 30000/udp. The server's vpn I.P. address is 10.8.0.1 while the first 2 clients will have addresses 10.8.0.6 and 10.8.0.10.

From the server, you can see which openvpn clients are currently connected by doing:

sudo cat /var/log/openvpn/openvpn-status.log
The client at 10.8.0.6 will open their minetest client and tell it to connect to 10.8.0.1 on port 30000 and it should just work. The client at 10.8.0.10 will do the same.

FreeGamers
Member
Posts: 651
Joined: Sat May 25, 2019 00:15
GitHub: is proprietary I use NotABug
Location: United States

Re: Can't join server via VPN

by FreeGamers » Post

Did you set Minetest to listen on the LAN interface and not the localhost interface? I don't know why, but from previous issues I've had, I'd check that too in the /etc/minetest.conf file.
FreeGamers.org has moved to MeseCraft.net | FreeGamers on the forum is now MeseCraft

johalun
Member
Posts: 24
Joined: Sat Sep 26, 2020 14:18
GitHub: johalun

Re: Can't join server via VPN

by johalun » Post

I can connect to the minetest server if I use 10.8.0.1, but not the usual 192.168.0.XX. It's not a big deal to keep different favorites for home or remote. However, I should not have to do this since I can connect to all other services on the same machine using the 192.168.0.XX address when I'm remote and using the vpn.

The difference I can see between minetest and minecraft is that minecraft uses tcp and minetest udp.
'ss -l' shows that minetest is listening on 0.0.0.0:30000 so connecting from any address should be OK. I'm not familiar with Linux firewall rules but I'll take a look and see if that's the issue.

Edit: ufw is disabled on the box.

johalun
Member
Posts: 24
Joined: Sat Sep 26, 2020 14:18
GitHub: johalun

Re: Can't join server via VPN

by johalun » Post

# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT

johalun
Member
Posts: 24
Joined: Sat Sep 26, 2020 14:18
GitHub: johalun

Re: Can't join server via VPN

by johalun » Post

FreeGamers wrote:
Wed Oct 28, 2020 11:40
Did you set Minetest to listen on the LAN interface and not the localhost interface? I don't know why, but from previous issues I've had, I'd check that too in the /etc/minetest.conf file.
Those settings are left at default. bind_address is commented out.

johalun
Member
Posts: 24
Joined: Sat Sep 26, 2020 14:18
GitHub: johalun

Re: Can't join server via VPN

by johalun » Post

Another difference that I don't understand is that MC listens to *:25550 and MT 0.0.0.0:30000. They should have the same meaning and I don't know why they are listed differently.
# ss -l | egrep "30000|25550"
udp UNCONN 0 0 0.0.0.0:30000 0.0.0.0:*
tcp LISTEN 0 4096 *:25550 *:*

johalun
Member
Posts: 24
Joined: Sat Sep 26, 2020 14:18
GitHub: johalun

Re: Can't join server via VPN

by johalun » Post

I found a fix but it still doesn't explain the problem.

I set bind_address=192.168.0.39 (the server's lan address) in minetest.conf.
"ss -l" now reports that it listens to 192.168.0.39:30000.
Now I can connect to the minetest server using 192.168.0.39 via the vpn.
I can no longer connect to minetest using the "vpn" address 10.8.0.1 which is fine.
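
One plausible explanation for the behaviour reported in the post above, shown as an added example that is not part of the thread and is not confirmed there for Minetest: a UDP server bound to 0.0.0.0 that replies with a plain sendto() lets the kernel pick the reply's source address from the route back to the client, so a client that addressed the server by a different local address discards the reply and times out. The sketch assumes Linux and uses the loopback addresses 127.0.0.1 and 127.0.0.2 as stand-ins for the server's two addresses; `answer_one` and `probe` are hypothetical names.

```python
import socket
import struct
import threading

# Linux value of IP_PKTINFO; older Python versions do not export the constant.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
PKTINFO = struct.Struct("=I4s4s")  # struct in_pktinfo: ifindex, spec_dst, addr


def answer_one(srv, pin_source):
    """Echo one datagram back, optionally from the address it was sent to."""
    data, ancdata, _flags, peer = srv.recvmsg(2048, socket.CMSG_SPACE(PKTINFO.size))
    if pin_source:
        for level, ctype, cdata in ancdata:
            if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
                _ifindex, _spec_dst, dst = PKTINFO.unpack(cdata[:PKTINFO.size])
                # On send, ipi_spec_dst selects the source address of the reply.
                cmsg = (socket.IPPROTO_IP, IP_PKTINFO, PKTINFO.pack(0, dst, bytes(4)))
                srv.sendmsg([data], [cmsg], 0, peer)
                return
    srv.sendto(data, peer)  # source address chosen by the route back to the peer


def probe(pin_source, server_alias="127.0.0.2"):
    """Return True if a connected UDP client gets its echo back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        srv.bind(("0.0.0.0", 0))  # wildcard bind, like 0.0.0.0:30000 in the thread
        srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
        srv.settimeout(2)
        worker = threading.Thread(target=answer_one, args=(srv, pin_source))
        worker.start()
        cli.settimeout(1)
        # connect() makes the client accept datagrams only from this address.
        cli.connect((server_alias, srv.getsockname()[1]))
        cli.send(b"hello")
        try:
            return cli.recv(2048) == b"hello"
        except OSError:  # timeout: the reply arrived from a different source
            return False
        finally:
            worker.join()


if __name__ == "__main__":
    print("plain sendto():", probe(False))
    print("IP_PKTINFO reply:", probe(True))
```

Binding the server to one specific address, as the bind_address setting does, removes the ambiguity the same way and also limits the service to that address.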

Linuxdirk
Member
Posts: 2670
Joined: Wed Sep 17, 2014 11:21
In-game: Linuxdirk
Location: Germany

Re: Can't join server via VPN

by Linuxdirk » Post

onid246 wrote:
Mon Oct 26, 2020 08:00
The vpn server doesn't control what ports are allowed.
This highly depends on the server that's used and if it is a commercial VPN service. Some services disallow ports outside a specific range or list of ports to be routed over their servers.

onid246
New member
Posts: 6
Joined: Sun Oct 25, 2020 07:40

Re: Can't join server via VPN

by onid246 » Post

johalun wrote:
Wed Oct 28, 2020 18:51
I found a fix but it still doesn't explain the problem.

I set bind_address=192.168.0.39 (the server's lan address) in minetest.conf.
"ss -l" now reports that it listens to 192.168.0.39:30000.
Now I can connect to the minetest server using 192.168.0.39 via the vpn.
I can no longer connect to minetest using the "vpn" address 10.8.0.1 which is fine.
I've never had to do that. Running Minetest on a Debian or Ubuntu server, on a vpn, has always been simple and straightforward for me. I think you just need to set a firewall rule to allow vpn addresses to access the server. On linux, how you set the firewall depends on what distro you are using. For Debian/Ubuntu, I've found it's easiest to just use "ufw", which is disabled by default. To enable it:

sudo ufw enable
Then you have to allow the vpn set of addresses:

sudo ufw allow from 10.8.0.0/24 to any port 30000
The "0/24" part has to do with binary stuff and really just means the last number can be 0-255. The port number is whatever port number minetest is running on.

To view the list of firewall rules, do:

sudo ufw status verbose
An easy way to delete a rule is to first view the list as a numbered list, then just tell it to remove a number:

sudo ufw status numbered
If for example you want to delete rule #3, do:

sudo ufw delete 3
An easier command to see what ports services are currently listening on, on Debian/Ubuntu, is:

netstat -ln |grep -v unix
On mine, it displays the port Minetest is running on as:

udp        0      0 0.0.0.0:30000           0.0.0.0:* 
When it looks like this, it means that it's listening on port 30000 for all interfaces, which means you can access it on its LAN address, VPN address, WAN address, whatever.
