Can't join server via VPN
Hey!
So I've just set up a VPN to be able to access my home network from remote locations. I have a Minetest server running on the same computer as my VPN server. The problem is, I can't join (timeout) when connecting via VPN.
I suspect this might be because Minetest and the VPN server are on the same machine. Is it something that can be configured or is it a known limitation?
I can join Minetest from other computers when I'm physically at home, connecting over LAN.
I can ssh to the Minetest server via VPN.
If I add port forwarding in my router I can join using my public IP address.
For reference, I have a Minecraft server running on the same machine and I can connect to that via VPN.
- Festus1965
- Member
- Posts: 4181
- Joined: Sun Jan 03, 2016 11:58
- GitHub: Festus1965
- In-game: Festus1965 Thomas Thailand Explorer
- Location: Thailand ChiangMai
- Contact:
Re: Can't join server via VPN
Check what ports are supported, as here the 30000, and near over
Human has no future (climate change)
If urgent, you find me in Roblox (as CNXThomas)
Re: Can't join server via VPN
Minetest is running on port 30000.
- Festus1965
- Member
- Posts: 4181
- Joined: Sun Jan 03, 2016 11:58
- GitHub: Festus1965
- In-game: Festus1965 Thomas Thailand Explorer
- Location: Thailand ChiangMai
- Contact:
Re: Can't join server via VPN
Is the VPN supporting other ports than 80?
Human has no future (climate change)
If urgent, you find me in Roblox (as CNXThomas)
Re: Can't join server via VPN
As I wrote in my first post, I can use ssh and also login to my Minecraft server on port 50xxx on the same machine. The problem is specific to Minetest.
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: Can't join server via VPN
The question still remains unchanged: is the VPN supporting port 30000 and is it configured properly to forward that port to the same port on the machine where the Minetest server is running on?
Re: Can't join server via VPN
It's a default installation of openvpn, nothing configured regarding ports so I doubt it would block 30k but not above and below that. I'll test on Monday when I'm back in the office.
Re: Can't join server via VPN
The vpn server doesn't control what ports are allowed. That's your server's firewall. If you're using openvpn, the default server port is 1194. So all clients connect to the vpn through port 1194. Each client knows if it's connected to the vpn server or not, and a new network interface with a vpn address will show up. Once the vpn connection has been established and verified, it's then a matter of 2 things: 1) the minetest server is running 2) the port for minetest server is allowed through the host machine's firewall.
A simple setup on a Debian linux machine would be something like this:
1) home router forwards port 1194 to the computer running the openvpn server
2) openvpn server, which uses (listens on) port 1194, protocol udp, for client connections.
3) minetest server, which uses (listens on) port 30000, protocol udp, for client connections
4) ufw to manage the computer's firewall.
So you have people from the Internet requesting access into your home network on port 1994, and your router allowing that, then 2 different servers running on the server computer. You use ufw on the server to allow or disallow connections to those servers.
With an openvpn server, the computer gets a new network interface, which will show up as "tun0". You can see this by doing "ifconfig" in the command line, which will also show other network interfaces, such as "eth0" and your LAN address on that. The I.P. address of the server on the tun0 interface is 10.8.0.1 by default. This address value is set by the openvpn config file at /etc/openvpn/server.conf. All clients that connect to the server also get a new network interface called "tun0" (or tun1 if that's already taken), and the addresses for that interface start with 10.8.0.6, and go up by values of 4 for each new client. So 10.8.0.6, 10.8.0.10, 10.8.0.14, etc. (There's a technical reason for this which you can research, or just accept it for now).
But the clients can only connect to the openvpn server if port 1194 is open in both your home router and on the server. After logging into your router and forwarding port 1194 to your server, you then have to allow this port on the server using the ufw command:
(note: this is a very liberal policy which allows everyone in the world access on port 1194, but openvpn server only accepts those with encryption keys. You can set it to only allow specific addresses if you want):
Code:
sudo ufw allow from any to any port 1194 proto udp comment 'allow vpn connections'
Clients connect by installing openvpn and setting up their client config file at /etc/openvpn/client.conf to use your home I.P. address and port 1194. The clients don't usually need to set up any firewall rule.
So at this point you have an openvpn server running, and clients can connect to it. The server and the clients are all using the address allocation of 10.8.0.0/24, which means the address range from 10.8.0.1 to 10.8.0.255.
Now you need to get a minetest server running. By default, it runs on port 30000, protocol udp. So after you have one set up and running, and it's on port 30000, you'll want to allow that for just the vpn clients. So you'll open port 30000 on the server using the 'ufw' command:
Code:
sudo ufw allow from 10.8.0.0/24 to any port 30000 proto udp comment 'minetest server'
So at this point, on the server machine it's allowing everyone on the Internet to try to access openvpn on port 1194/udp, and that's the only port open to the internet, while it allows any computer that's a member of the 10.8.0.x network, access to port 30000/udp. The server's vpn I.P. address is 10.8.0.1 while the first 2 clients will have addresses 10.8.0.6 and 10.8.0.10.
From the server, you can see which openvpn clients are currently connected by doing:
Code:
sudo cat /var/log/openvpn/openvpn-status.log
The client at 10.8.0.6 will open their minetest client and tell it to connect to 10.8.0.1 on port 30000 and it should just work. The client at 10.8.0.10 will do the same.
- FreeGamers
- Member
- Posts: 650
- Joined: Sat May 25, 2019 00:15
- GitHub: is proprietary I use NotABug
- Location: United States
- Contact:
Re: Can't join server via VPN
Did you set Minetest to listen on the LAN interface and not the localhost interface? I don't know why, but from previous issues I've had, I'd check that too in the /etc/minetest.conf file.
FreeGamers.org has moved to MeseCraft.net | FreeGamers on this forum is now MeseCraft
Re: Can't join server via VPN
I can connect to the minetest server if I use 10.8.0.1, but not the usual 192.168.0.XX. It's not a big deal to keep different favorites for home or remote. However, I should not have to do this since I can connect to all other services on the same machine using the 192.168.0.XX address when I'm remote and using the vpn.
The difference I can see between minetest and minecraft is that minecraft uses tcp and minetest udp.
'ss -l' shows that minetest is listening on 0.0.0.0:30000 so connecting from any address should be OK. I'm not familiar with Linux firewall rules but I'll take a look and see if that's the issue.
Edit: ufw is disabled on the box.
Re: Can't join server via VPN
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
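The `iptables -S` output posted above can be checked mechanically to see whether the firewall is what drops the Minetest traffic. The following is an added example, not part of any post in this thread: a minimal first-match evaluator for that output, run against the posted ruleset and against a default-drop ruleset constructed here for comparison. The `HARDENED` rules and the outside address 203.0.113.5 are assumptions.

```python
import ipaddress
import shlex

# Ruleset exactly as posted in the thread (`iptables -S` output).
POSTED = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
"""

# Constructed for comparison (not from the thread): default-drop INPUT that
# admits OpenVPN from anywhere and Minetest only from the VPN subnet.
HARDENED = """\
-P INPUT DROP
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -p udp -m udp --dport 30000 -j ACCEPT
"""

def parse(text):
    """Split `iptables -S` text into {chain: policy} and {chain: [options]}."""
    policies, chains = {}, {}
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["-P"]:
            policies[tok[1]] = tok[2]
        elif tok[:1] == ["-A"]:
            # Only plain "flag value" pairs are understood (no "!" negation).
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return policies, chains

def verdict(text, chain, proto, dport, src):
    """First-match verdict for a NEW packet: (target, 'rule' or 'policy')."""
    policies, chains = parse(text)
    for opts in chains.get(chain, []):
        if "--state" in opts and "NEW" not in opts["--state"].split(","):
            continue  # RELATED/ESTABLISHED cannot match a first packet
        if "-p" in opts and opts["-p"] != proto:
            continue
        if "--dport" in opts and int(opts["--dport"]) != dport:
            continue
        if "-s" in opts and ipaddress.ip_address(src) not in ipaddress.ip_network(opts["-s"]):
            continue
        return opts["-j"], "rule"
    return policies[chain], "policy"

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("hardened", HARDENED)):
        for src in ("10.8.0.6", "203.0.113.5"):  # VPN client, outside host
            print(name, src, verdict(rules, "INPUT", "udp", 30000, src))
```

With the posted rules, UDP 30000 is accepted by the INPUT chain's default policy for any source, so the host firewall is not filtering Minetest at all; the constructed ruleset accepts it only from 10.8.0.0/24.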
Re: Can't join server via VPN
FreeGamers wrote: ↑Wed Oct 28, 2020 11:40
> Did you set Minetest to listen on the LAN interface and not the localhost interface? I don't know why, but from previous issues I've had, I'd check that too in the /etc/minetest.conf file.
Those settings are left at default. bind_address is commented out.
Re: Can't join server via VPN
Another difference that I don't understand is that MC listens to *:25550 and MT 0.0.0.0:30000. They should have the same meaning and I don't know why they are listed differently.
# ss -l | egrep "30000|25550"
udp UNCONN 0 0 0.0.0.0:30000 0.0.0.0:*
tcp LISTEN 0 4096 *:25550 *:*
Re: Can't join server via VPN
I found a fix but it still doesn't explain the problem.
I set bind_address=192.168.0.39 (the server's lan address) in minetest.conf.
"ss -l" now reports that it listens to 192.168.0.39:30000.
Now I can connect to the minetest server using 192.168.0.39 via the vpn.
I can no longer connect to minetest using the "vpn" address 10.8.0.1 which is fine.
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: Can't join server via VPN
This highly depends on the server that's used and if it is a commercial VPN service. Some services disallow ports outside a specific range or list of ports to be routed over their servers.
Re: Can't join server via VPN
johalun wrote: ↑Wed Oct 28, 2020 18:51
> I found a fix but it still doesn't explain the problem.
> I set bind_address=192.168.0.39 (the server's lan address) in minetest.conf.
> "ss -l" now reports that it listens to 192.168.0.39:30000.
> Now I can connect to the minetest server using 192.168.0.39 via the vpn.
> I can no longer connect to minetest using the "vpn" address 10.8.0.1 which is fine.
I've never had to do that. Running Minetest on a Debian or Ubuntu server, on a vpn, has always been simple and straightforward for me. I think you just need to set a firewall rule to allow vpn addresses to access the server. On linux, how you set the firewall depends on what distro you are using. For Debian/Ubuntu, I've found it's easiest to just use "ufw", which is disabled by default. To enable it:
Code:
sudo ufw enable
Code:
sudo ufw allow from 10.8.0.0/24 to any port 30000
To view the list of firewall rules, do:
Code:
sudo ufw status verbose
Code:
sudo ufw status numbered
Code:
sudo ufw delete 3
Code:
netstat -ln |grep -v unix
Code:
udp 0 0 0.0.0.0:30000 0.0.0.0:*