Cannot connect to HTTPS on a server via VPN [closed] - ssl

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 5 years ago.
I have a server at home and another on a VPS hosting. I tried to create L2TP/IPsec tunnel between them. The tunnel works and one server can access HTTP services from the other server (VPS server is client and server at home is VPN server to which I am connecting and runs HTTP and HTTPS services that I am trying to access from VPS server). But when I try to connect via HTTPS, the connection does not work.
This is what happens when I run this command from the remote server connected to the other one via L2TP/IPsec: openssl s_client -connect SERVER:443:
CONNECTED(00000003)
And if I try wget --verbose https://SERVER/:
Resolving SERVER (SERVER)... SERVERIP
Connecting to SERVER (SERVER)|SERVERIP|:443... connected.
So the connection is started, but no data is exchanged. I have tested with nmap and the port is detected as open.
I tried to connect to this VPN via my laptop and from there, I can access both HTTP and HTTPS services, but from this server, I can only use HTTP. I have tried turning off all firewalls that are on the path of the packets but the problem persists.
I know this is a very specific case, so if there is no actual answer to what the problem might be, I am at least looking for guidelines on how to debug this, as wget, curl and openssl s_client don't provide me any details; they stay in the connection established state.
UPDATE: I have opened 443 port on NAT on the home server and tried to connect to HTTPS service directly from VPS server without VPN and it worked. So only when I access HTTPS via VPN, the connection does not work.

The problem was the MTU setting of the L2TP connection. I had to lower the MTU to 1300, as HTTPS + IPsec add so much overhead that the packet was over 1500, which is the upper limit of Ethernet, and SSL packets set the DF (Don't Fragment) flag on Layer 3, which disables packet fragmentation.
Normally, the server would send a special ICMP message to notify the VPN server about this problem, but I had ICMP blocked by the firewall, so there was no error; the connection was just not able to be established, as the packets were too big and were simply dropped.
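A way to confirm this diagnosis before touching the MTU, as an added example that is not part of the original answer: binary-search the largest ICMP echo payload that crosses the tunnel with DF set, and record whether any probe ever came back with an explicit "fragmentation needed" signal. A path MTU below 1500 with only silence is the black hole described above (ICMP filtered), which is exactly the case where the TCP handshake succeeds on small packets and the TLS handshake then hangs on the first full-size segment. The script assumes Linux iputils ping (the -M do flag); the host name and the ppp0 interface are placeholders, and the probe is injectable so the search logic runs without a network.

```python
"""Path-MTU black-hole probe for a VPN link (added example, not from the post)."""
import subprocess
import sys
from typing import Callable, List, Tuple

IPV4_HEADER = 20
ICMP_HEADER = 8
HEADERS = IPV4_HEADER + ICMP_HEADER      # ping -s counts payload bytes only
ETHERNET_MTU = 1500

Probe = Callable[[int, str], str]


def ping_df(payload: int, host: str) -> str:
    """One echo request with DF set and `payload` data bytes.

    Returns "ok" (reply received), "too-big" (the local kernel or a router
    on the path answered with a too-big error, so PMTUD has what it needs)
    or "silent" (no reply and no error: the oversized packet was dropped
    somewhere that does not send ICMP back).
    """
    res = subprocess.run(
        ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host],
        capture_output=True, text=True, check=False,
    )
    if res.returncode == 0:
        return "ok"
    text = res.stdout + res.stderr
    # iputils wording: "Frag needed and DF set (mtu = N)" for an ICMP error
    # from the path, "local error: message too long, mtu=N" when the local
    # interface MTU is already smaller than the probe.
    if "Frag needed" in text or "message too long" in text:
        return "too-big"
    return "silent"


def find_path_mtu(host: str, probe: Probe = ping_df,
                  ceiling: int = ETHERNET_MTU) -> Tuple[int, bool]:
    """Binary-search the largest DF packet that reaches `host`.

    Returns (path_mtu, black_hole). black_hole is True when the path MTU is
    below `ceiling` yet no probe produced an explicit too-big signal.
    """
    lo = 0                         # payload size assumed to pass
    hi = ceiling - HEADERS + 1     # first payload size over the link MTU
    explicit_signal = False
    while hi - lo > 1:
        mid = (lo + hi) // 2
        verdict = probe(mid, host)
        if verdict == "ok":
            lo = mid
        else:
            hi = mid
            explicit_signal = explicit_signal or verdict == "too-big"
    path_mtu = lo + HEADERS
    return path_mtu, (path_mtu < ceiling and not explicit_signal)


def fix_commands(path_mtu: int, iface: str) -> List[str]:
    """Two remedies, as root-shell commands.

    Lowering the tunnel interface MTU makes the local stack emit packets
    that fit; clamping the MSS of forwarded SYNs protects hosts behind the
    VPN server that never learn the smaller MTU. MSS = MTU - 40 (IPv4 + TCP
    headers without options).
    """
    return [
        f"ip link set dev {iface} mtu {path_mtu}",
        f"iptables -t mangle -A FORWARD -o {iface} -p tcp "
        f"--tcp-flags SYN,RST SYN -j TCPMSS --set-mss {path_mtu - 40}",
    ]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn-server.example"  # placeholder
    mtu, hole = find_path_mtu(target)
    print(f"path MTU to {target}: {mtu}{'  (ICMP black hole)' if hole else ''}")
    if hole:
        print("\n".join(fix_commands(mtu, "ppp0")))  # ppp0: L2TP interface, placeholder
```

Run it from the VPS against the home server's tunnel address. A result such as 1300 with the black-hole flag set means no router on the path reported the limit, so the only fixes are the ones printed: lower the MTU on the tunnel interface, or clamp MSS so TCP never offers a segment size the path cannot carry.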

Related

sslv3 alert or ERR_SSL_VERSION_OR_CIPHER_MISMATCH in apache [closed]

Closed 3 days ago.
Could you help me?
There is a local area network with some machines on it. On one of the machines, a web server with Apache was set up and a Letsencrypt certificate was installed via certbot.
If I access the domain name from outside the local network, everything is fine; everything opens.
But if I access it from inside the local network, from any of the devices, I get sent to hell with the error sslv3 alert handshake failure (if I request via curl) or ERR_SSL_VERSION_OR_CIPHER_MISMATCH in the browser...
Server on Debian 10.
Local network behind NAT on Mikrotik.
I disabled sslv3 in the apache config and in general wherever it was mentioned on the server.
Already found an answer:
"It sounds like the issue you're experiencing is due to the way that SSL/TLS works with local networks and NAT.
When you access the web server from outside of your local network, the connection goes directly to your server and the SSL certificate works fine. However, when you access the web server from inside your local network, the connection goes through your NAT router and is then forwarded to the server. This means that the SSL certificate is not valid for the local IP address of the server because it was issued for the domain name. As a result, you get the SSL error message.
To resolve this issue, you can try the following:
Make sure that the local devices are using the domain name to access the web server instead of the IP address. This will ensure that the SSL certificate is valid for the domain name and not for the IP address.
Configure your NAT router to allow hairpinning. Hairpinning is a technique that allows devices on your local network to access the server using the domain name even though the connection is going through the NAT router. To enable hairpinning on a Mikrotik router, you can follow these steps:
Open the Mikrotik web interface and go to the "IP" menu.
Click on "Firewall" and then click on the "NAT" tab.
Click on the "+" button to add a new NAT rule.
Set the chain to "dstnat", the protocol to "tcp", and the destination port to the port used by your web server (usually 80 or 443).
In the "Action" section, set the action to "dst-nat" and the to-addresses to the local IP address of your web server.
Finally, enable the "srcnat" checkbox in the "Extra" section to ensure that the source address of the packets is translated correctly.
After configuring hairpinning, you should be able to access the web server using the domain name from devices on your local network without any SSL errors."

coTurn server behind NAT [closed]

Closed 1 year ago.
I am using coTurn as my turn server in my application.
what is the minimum configuration to do to make my Turn server work behind NAT?
what are all ports I have to open for it to work behind NAT?
As I have read coturn comes with inbuilt STUN so can I use STUN address in my application instead of default google STUN mentioned here https://github.com/coturn/coturn/wiki/CoturnConfig
if so what should be my configuration there to be modified in the javascript object in RTCPeerConnection
I'm assuming work behind NAT refers to the TURN server, and not to the application.
In this case, you can refer to the external-ip parameter in coturn configuration:
TURN Server public/private address mapping, if the server is behind NAT. In that situation, if a -X is used in form "-X " then that ip will be reported as relay IP address of all allocations.
This works for example in NAT scenarios like AWS or GCP, where there's a 1:1 mapping between a private IP address, which coturn can listen on, and an ephemeral public IP address.
Your application can just be configured to use coturn in the ice settings as if coturn was listening directly on the public IP.
e.g.:
listening-ip=172.10.1.1
external-ip=3.3.3.3/172.10.1.1
Furthermore, coturn will respond to Allocate requests with relay transport addresses with the public IP in the XOR-RELAYED-ADDRESS of the Allocate Success response.
The port will be the same as the one allocated on the private interface. So for example if the relay is allocated on 172.10.1.1:40032, the XOR-RELAYED-ADDRESS will contain 3.3.3.3:40032.
Needless to say, whatever port range is configured in coturn's configuration needs to be reachable from the applications. For example, if min-port is 40000 and max-port is 50000, there must be a Security Group for that EC2 instance which allows access to UDP 40000-50000.
By default coturn acts also as a STUN server (even fully RFC-5780 compatible if listening on more than one IP address).
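The mapping in the answer above, worked through byte for byte as an added example (this is not coturn's code): the external-ip rewrite is applied to an allocation, and the result is encoded into and decoded from the XOR-RELAYED-ADDRESS attribute (RFC 5766 type 0x0016, same wire format as the XOR-MAPPED-ADDRESS of RFC 5389) that the Allocate Success response carries. It handles IPv4 only; the addresses are the ones from the answer, and the final allocation_reachable check is this example's own deployment sanity test, not a coturn feature.

```python
"""What a client sees from coturn behind 1:1 NAT (added example, not coturn code)."""
import struct
from ipaddress import IPv4Address
from typing import Dict, Tuple

MAGIC_COOKIE = 0x2112A442          # RFC 5389, fixed value
XOR_RELAYED_ADDRESS = 0x0016       # RFC 5766 attribute type
FAMILY_IPV4 = 0x01


def parse_external_ip(*options: str) -> Dict[str, str]:
    """Turn external-ip=public/private values into a private->public map.

    Only the explicit "public/private" form is handled; each private address
    coturn listens on gets its own line in turnserver.conf.
    """
    mapping: Dict[str, str] = {}
    for opt in options:
        public, sep, private = opt.partition("/")
        if not sep:
            raise ValueError(f"expected public/private, got {opt!r}")
        mapping[str(IPv4Address(private))] = str(IPv4Address(public))
    return mapping


def public_relay(relay_ip: str, relay_port: int,
                 mapping: Dict[str, str]) -> Tuple[str, int]:
    """Address reported to the client: IP rewritten, port left unchanged."""
    return mapping.get(relay_ip, relay_ip), relay_port


def encode_xor_relayed_address(ip: str, port: int) -> bytes:
    """TLV: type(2) length(2), then reserved(1) family(1) X-Port(2) X-Address(4).

    X-Port is the port XORed with the top 16 bits of the magic cookie,
    X-Address the IPv4 address XORed with the whole cookie.
    """
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = int(IPv4Address(ip)) ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, x_port, x_addr)
    return struct.pack("!HH", XOR_RELAYED_ADDRESS, len(value)) + value


def decode_xor_relayed_address(attr: bytes) -> Tuple[str, int]:
    """Inverse of encode; rejects anything that is not an IPv4 XOR-RELAYED-ADDRESS."""
    if len(attr) < 12:
        raise ValueError("attribute truncated")
    a_type, a_len = struct.unpack("!HH", attr[:4])
    if a_type != XOR_RELAYED_ADDRESS or a_len != 8:
        raise ValueError(f"not an IPv4 XOR-RELAYED-ADDRESS: type={a_type:#06x} len={a_len}")
    _, family, x_port, x_addr = struct.unpack("!BBHI", attr[4:12])
    if family != FAMILY_IPV4:
        raise ValueError("only IPv4 handled here")
    return str(IPv4Address(x_addr ^ MAGIC_COOKIE)), x_port ^ (MAGIC_COOKIE >> 16)


def allocation_reachable(attr: bytes, public_ip: str,
                         min_port: int, max_port: int) -> bool:
    """Deployment check (this example's own): the relayed address a client
    receives must carry the public IP (a private IP here means external-ip is
    missing, and clients will try an unreachable address) and a port inside
    the range opened in the security group."""
    ip, port = decode_xor_relayed_address(attr)
    return ip == public_ip and min_port <= port <= max_port


if __name__ == "__main__":
    mapping = parse_external_ip("3.3.3.3/172.10.1.1")
    ip, port = public_relay("172.10.1.1", 40032, mapping)
    attr = encode_xor_relayed_address(ip, port)
    print(f"client sees {ip}:{port}, attribute bytes {attr.hex()}")
    print("reachable:", allocation_reachable(attr, "3.3.3.3", 40000, 50000))
```

If a packet capture of the Allocate Success response decodes to the private address, the external-ip line is missing or its private half does not match the listening-ip; if it decodes to a port outside min-port/max-port, the security group rule and the configured range have drifted apart.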

tunneling to my private ip from outside network [closed]

Closed 9 years ago.
I want to telnet or ssh to my PC (Mac) at home from my office. How can I do this? The problem is that I'm using a router with a private IP. The gateway is 192.168.1.1 and my PC is 192.168.1.100. I think I should be able to do this when I forward the port in the router settings. But the problem is I don't have a public IP. My ISP only gives me a dynamic IP (DHCP); my router's external IP is just another private IP which is connected to another gateway (another level of LAN) which of course I don't have any access to. So is it still possible to get access to my computer using telnet? I read about reverse SSH, but that only works if I set up the connection first from my PC. In my case there's nobody near my PC right now. I just turned it on so I can hopefully access it.
Is there any workaround ? or it's just impossible to do that ?
Thanks
As you don't have a stable IP, I can only think of two options:
VPN
Were you to make a VPN with your local network, and then connect to said VPN, it would give you access to everything on the network.
Reverse SSH
With reverse SSH you make use of an external server, and set up a listening ssh session. Then, on the external server you can connect to the device behind the router without being bothered by firewalls/port forwarding/etc...
You could do this with, on the device on the home network:
ssh -f -N -R 1234:localhost:22 remote_user@remote.server.example
where 1234 is the port that the remote would use to forward to the device, and remote.server.example is the remote's address.
Then, on the remote server:
ssh -p 1234 -t device_user@localhost

Unsecuring SSH (Alternatively, Proxying Minecraft Packets through HTTP) [closed]

Closed 10 years ago.
I've set up a Minecraft server on OpenShift, a free PaaS. OpenShift requires internal applications (like my server) to bind to a port in the range of 15000 to 35530 or port 8080. However, it also requires external clients to access the server on one of these ports: 22, 25, 80, 109, 110, 143, 220, 443, 465, 587, 993, or 995.
In other words, none of the internally exposed ports are exposed externally; however, there are two ways to communicate. One is SSH port tunneling, which I have setup on my computer already. The second one is through HTTP, which is automatically forwarded to 80 when it is sent through 8080 internally. The problem with SSH tunneling is that one needs to add a client's public key through OpenShift, and the client needs to setup their private key, which is too complicated for most of my friends.
I would like to make the connection process easier, so I thought of two possible ways of doing this. The first, which would be simpler to set up, would be to "unsecure" the SSH connections by not requiring a certain public or private key to connect. It's a game server, so security isn't an issue for me at all, but I think that this may not be possible, as SSH was built to be secure. The other way, which would be harder, would be to embed Minecraft packets into HTTP packets, which the OpenShift system automatically forwards. Perhaps this would be possible using an existing HTTP proxy system?
If anyone could help me solve this either of those two ways (or another way, if you can think of one), I would be very grateful!
Why not just create an ssh key pair specifically for this application and create a script that opens the tunnel using that specific key and then launches the program? You can also put restrictions on what any connection using that key is allowed to do (nothing).
#!/bin/sh
# Open the tunnel with the key made for this purpose, then start the game.
# user@yourhost is a placeholder for the OpenShift SSH endpoint; yourport is
# the port the server binds to internally; 25565 is Minecraft's default port.
ssh -i ~/pathtoidfile -L 25565:localhost:yourport -f -N user@yourhost
# run minecraft to local server?
This is just off the cuff - probably not exactly correct. Also, assumes a unix (Mac or Linux) system. For windows, you'd have to install an ssh client (mingw?) and use cmd syntax.

How to expose my localhost to the WWW? (port forwarding?) [closed]

Closed 5 years ago.
I am running Apache/php on my localhost and would like to be able to make this publicly accessible from the internet.
I think this is achieved by port forwarding? Can someone point me in the right direction?
Well sir, you should try ngrok; it is free and works with everything that I throw at it (node servers, xampp etc.)
It depends on the connection you have.
If your machine has a public IP address, it's on the Internet already. Then all you need is to allow connections to port 80, both on the local firewall and the home/corporate firewall.
If your machine is behind a set-top-box, or inside a corporate network, chances are that you're not on the Internet. In some instances, a router does NAT (Network Address Translation) between a local (non-routable) network and the Internet. In this particular case, you need to set up port forwarding on the set-top-box or router.
You might want to check out Pagekite - it's open-source software that allows you to expose your local resources to the outer internet without you needing to reconfigure your router or firewall.
There's a similar service called Show off which does much the same thing, although it seems a bit more limited.
You could try beame-insta-ssl, it's a good way to get free tunneling services and a free SSL certificate to expose your localhost. It's open source on git here: https://github.com/beameio/beame-insta-ssl/
Only port forwarding would work, but you would need to connect to your server through its IP.
Take a look at dyndns.com; there you can get a DNS name that points to your server.
After that, you set your router's port 80 (HTTP) or 443 (HTTPS) to point to your PC's HTTP server port (this can be any port you wish).
It depends on what you mean by localhost. Each system has its own "localhost".
If you mean that you have something like "your system" <--> "gateway/wifi router" <--> Internet, then you should configure port mapping from your router's external interface to your server's IP address. Check your gateway/router documentation for more information.
Another tool for port forwarding through OpenVPN or SSH tunnel is https://portmap.io . If you're running multiple vhosts on local Apache, you can set host-header with required hostname.