OSMC on PI2 and OPENVPN client : unable to connect to the PI from outside the LAN (ssh, transmission, ...)

I recently installed the latest OSMC on a PI2 (12/1/17, Kodi 17.6), the perfect mediacenter, download station, and many more…
Everything works like a charm except one thing:

When I’m connected to a vpn server through openvpn I can’t access the osmc server from the internet, neither on the ssh nor on the transmission ports.

When I try from inside my LAN everything is ok, and when I stop the vpn it works from outside the LAN too.

My VPN provider’s support told me that I have to “play” with “routes”…
Once it worked, but I was on an older version of OSMC and I had to launch these commands after openvpn had started:

route del default
ip route del 0.0.0.0/1 via 10.10.2.53 dev tun0

But now, nothing (that I have already tried) works…

Here is my “route -n” result:

Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
0.0.0.0         10.10.0.21      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.10.0.1       10.10.0.21      255.255.255.255 UGH   0      0        0 tun0
10.10.0.21      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.10.0.21      128.0.0.0       UG    0      0        0 tun0
151.80.10.10    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0

ifconfig :

eth0: flags=-28605<UP,BROADCAST,RUNNING,MULTICAST,DYNAMIC>  mtu 1500
        inet 192.168.1.17  netmask 255.255.255.0  broadcast 192.168.1.255
        ether b8:27:eb:bb:a8:32  txqueuelen 1000  (Ethernet)
        RX packets 12174505  bytes 2994797604 (2.7 GiB)
        RX errors 0  dropped 11942  overruns 0  frame 0
        TX packets 11733280  bytes 2370396306 (2.2 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Boucle locale)
        RX packets 129  bytes 14828 (14.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 129  bytes 14828 (14.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.10.0.22  netmask 255.255.255.255  destination 10.10.0.21
        inet6 fe80::2397:f37d:f5ff:951e  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 11170286  bytes 9399956352 (8.7 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10432452  bytes 7170763465 (6.6 GiB)
        TX errors 0  dropped 458875 overruns 0  carrier 0  collisions 0

What I have already tried and what doesn’t work:

sudo route del default
sudo ip route del 0.0.0.0/1 via 10.10.0.21 dev tun0
sudo ip route add 0.0.0.0/1 via 192.168.1.17 dev eth0

Another piece of information: I’ve tcpdump’ed the pi connected to the vpn and when I call it from outside (internet) I see inbound requests but no outbound responses, whereas when I call it from inside (LAN) I see inbound requests and outbound responses…

If someone has ideas, I’ll be glad… (I’m not familiar with routes so be kind :slight_smile:)

It’s the only problem I have to fix for a perfect server!

Best,

Maxime

Hi,

Logs would help:

Also, what’s the output of:

ip a

Sometimes the interfaces are listed differently in ip (iproute2) than with ifconfig, and it looks like you are using iproute2 to set up the routes.

Also, if the IPs have changed on your pi, you may be required to make some changes on your router if you are trying to access osmc from the internet.

Thanks Tom.

OpenVPN will let everything go via the tunnel, so it is normal that you cannot access your device. I am curious about the solution that previously worked for you. For me, I need a similar solution with OpenVPN to open a port for Transmission, not the WebUI; I do not want to expose the WebUI to the internet. But Transmission works better with port 51413 open. Not sure how to do that with OpenVPN.

But to access SSH and SFTP, I do this:
RPi3 runs OpenVPN and transmission, local IP is 192.168.1.11. No port forwarding set up in my router.
Vero4k does not run OpenVPN. For this device I have set up port forwarding in my router: LAN port 22, outside port 9000 (could be any high number).

On my remote computer I have set up Putty like this:
Putty > SSH > Tunnels > add forwarding with source port 9000 and destination 192.168.1.11:22.
You can save this by clicking on Putty>Session and hit SAVE.

Now when I open the SSH session with Putty to my Vero4K, after logging in I run this command:
ssh osmc@192.168.1.11
Now you can login to the RPi3 which runs OpenVPN and Transmission.

While this session is open, I can even access the RPi3 with SFTP via Filezilla and also Transmission WebUI! For this you need to add the ports in Putty>SSH>Tunnels.

Hi,

You can ask your vpn provider to open this port or provide a port to forward. It’s not recommended as it’s a security exposure in the vpn tunnel you have set up. Torrents will still work, but are a bit slower; this is how I run it on my setup.

Thanks, guess that makes sense.
I was waiting for a week for 1 torrent (stuck at 3%) and last night just stopped OpenVPN for a while; within 40min the torrent was finished. This was a rare case, and I’d rather have a temporary port forward for such cases instead of stopping OpenVPN completely.

Hi,

Ok, your vpn provider should be able to advise what the port forward is and how to set it up.

Thanks Tom.

That looks fine.

Your problem – which I don’t actually have – is that when you SSH to the Pi, the return path is probably being sent through the VPN tunnel, rather than back through the eth0 interface. Since your routing table has this line:

192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

which says that traffic to IP addresses 192.168.1.* should be sent to eth0, it looks like your router might not be NAT-ing (also known as masquerading) the port-forwarded traffic.

It should be possible to add some rules to the Pi but first, preferably with the VPN running, please run netstat -tn from the command line on OSMC and from another session try to SSH from an outside IP address (eg through a VPN). Do you see anything trying to connect, even if it doesn’t succeed?

Hi Tom,
Thanks for your reply and sorry for the delay, I wasn’t at home and I can’t ssh to my pi from outside my network as you know :wink:

Here is what you asked me for:

osmc@osmc:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:bb:a8:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.17/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.10.0.22 peer 10.10.0.21/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::9f64:5a51:d80e:9dc9/64 scope link flags 800 
       valid_lft forever preferred_lft forever

and logs are here : https://paste.osmc.tv/vumecowuzu

My router has DHCP mode enabled but I’ve fixed the pi IP to 192.168.1.17 by mac address.

Another question, do I have to enable port forwarding? (/proc/sys/net/ipv4/ip_forward = 0 for now)

Thanks for your help

Maxime

Hi dillthedog,
My f**cking router is a “Livebox 3” and maybe it’s the problem… I saw that it could cause some issues… but I don’t know what to do, I’ve just NAT-ed every port I have to forward to the Pi from outside.

For the cmd

netstat -tn

I don’t see anything, neither on port 22 nor on port 9091,

but as I said before

tcpdump port 9091

receives some inbound packets but never sends anything in response…

I don’t know what to do…

Best,

Maxime

It seems that the Livebox 3 is from Orange, the same company that gave us the problematic Funbox 2 a few days ago…

Let’s leave transmission alone for now and focus on SSH.

  • Are you port-forwarding from port 22 outside to port 22 on your Pi?
  • Is SSH listening on port 22?

Could you post any packet(s) you see from running:

sudo tcpdump -i eth0 port 22 and not host <your IP>

(assuming SSH is listening on port 22). The and not host <your IP> part should exclude traffic to/from your PC. Then try to SSH into the Pi from outside your network.

Hi dillthedog,

It seems that the Livebox 3 is from Orange

exactly

Are you port-forwarding from port 22 outside to port 22 on your Pi?
Is SSH listening on port 22?

Yes, I have port-forwarded port 22 and others to the Pi! As I explained, everything works fine if the Pi isn’t connected to the vpn. In this case, ssh and transmission are ok from outside!

I receive some packets with your cmd but of course I can’t manage to connect:

osmc@osmc:~$ sudo tcpdump -i eth0 port 22 and not host 192.168.1.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:08:23.065392 IP 193.56.242.106.21249 > osmc.ssh: Flags [S], seq 207162205, win 64240, options [mss 1400,sackOK,TS val 6229549 ecr 0,nop,wscale 8], length 0
23:08:24.058506 IP 193.56.242.106.21249 > osmc.ssh: Flags [S], seq 207162205, win 64240, options [mss 1400,sackOK,TS val 6229649 ecr 0,nop,wscale 8], length 0
23:08:26.060532 IP 193.56.242.106.21249 > osmc.ssh: Flags [S], seq 207162205, win 64240, options [mss 1400,sackOK,TS val 6229849 ecr 0,nop,wscale 8], length 0
23:08:30.069072 IP 193.56.242.106.21249 > osmc.ssh: Flags [S], seq 207162205, win 64240, options [mss 1400,sackOK,TS val 6230250 ecr 0,nop,wscale 8], length 0
23:08:38.088648 IP 193.56.242.106.21249 > osmc.ssh: Flags [S], seq 207162205, win 64240, options [mss 1400,sackOK,TS val 6231052 ecr 0,nop,wscale 8], length 0
23:08:54.704932 IP 193.56.242.106.21249 > osmc.ssh: Flags [S], seq 207162205, win 64240, options [mss 1400,sackOK,TS val 6232656 ecr 0,nop,wscale 8], length 0

A big thanks for your help!

As I thought, the incoming packets are showing the source IP address as being 193.56.242.106, rather than being “masqueraded” in the router.

You need to try to change this. I have no idea where this might be set on your router but it might possibly be in the firewall settings. Once you see the router’s IP address incoming on tcpdump, you should then be able to SSH when the VPN is running.

We can also perform a small experiment. Try these commands:

sudo ip route add default via 192.168.1.1 dev eth0 table 22
sudo ip rule add from 193.56.242.106 dev eth0 table 22
sudo ip route flush cache

and see if you can SSH from IP address 193.56.242.106.
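An added check, not from the thread, that makes the reading of the capture above mechanical: per remote endpoint it counts inbound SYNs to the Pi's SSH service and the SYN-ACKs sent back, so a return path that leaves via the tunnel shows up as NO-REPLY, and it also reports whether the source address is a LAN or an external one (the thing a masquerading router would change). The sample lines are constructed from the thread's captures; LOCAL, LAN_PREFIX and the function name are assumptions, and prefix matching is a simplification that fits the /24 here.

```bash
#!/bin/bash
# Added example (not from the thread): summarise a tcpdump capture of the SSH
# port per remote endpoint. For each remote host.port that sent a SYN to the
# local service, count SYN-ACKs the Pi sent back; none means the reply never
# left eth0 (the asymmetric-return-path symptom seen with the VPN up).
# LOCAL and LAN_PREFIX are assumed names, not settings from the thread.
LOCAL="${LOCAL:-osmc.ssh}"               # local endpoint as tcpdump prints it
LAN_PREFIX="${LAN_PREFIX:-192.168.1.}"   # simplification: leading-string match

# Reads tcpdump text on stdin; prints one sorted line per remote endpoint:
#   <host.port> <lan|external> syn=<n> synack=<n> <OK|NO-REPLY>
handshake_report() {
    awk -v local="$LOCAL" -v lan="$LAN_PREFIX" '
        $2 == "IP" && $6 == "Flags" {
            flags = $7; sub(/^\[/, "", flags); sub(/\],?$/, "", flags)
            src = $3; dst = $5; sub(/:$/, "", dst)
            if (flags == "S" && dst == local)        syn[src]++     # SYN in
            else if (flags == "S." && src == local)  synack[dst]++  # SYN-ACK out
        }
        END {
            for (h in syn) {
                origin  = (index(h, lan) == 1) ? "lan" : "external"
                verdict = (synack[h] > 0) ? "OK" : "NO-REPLY"
                printf "%s %s syn=%d synack=%d %s\n", h, origin, syn[h], synack[h] + 0, verdict
            }
        }' | sort
}

# Constructed sample, abridged from the thread: one endpoint whose SYNs are
# never answered, one that completes the handshake.
SAMPLE='23:08:23.065392 IP 193.56.242.106.21249 > osmc.ssh: Flags [S], seq 207162205, win 64240, length 0
23:08:24.058506 IP 193.56.242.106.21249 > osmc.ssh: Flags [S], seq 207162205, win 64240, length 0
23:35:43.162173 IP 193.57.121.73.54180 > osmc.ssh: Flags [S], seq 1488102332, win 64240, length 0
23:35:43.162847 IP osmc.ssh > 193.57.121.73.54180: Flags [S.], seq 398836362, ack 1488102333, length 0'

# Live use: sudo tcpdump -l -i eth0 port 22 | handshake_report
# (with tcpdump -n the local endpoint prints numerically, so set LOCAL accordingly)
if [ "${1:-}" = "demo" ]; then printf '%s\n' "$SAMPLE" | handshake_report; fi
```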

I tried these commands but I still can’t connect by ssh.

My router (livebox 3) has very limited functionality and doesn’t offer masquerading…

Is there another possibility to “masquerade”, for example on the Pi?

sheldon.fr speaks about Dnsmasq - network services for small networks.
Do you think it is possible with this?

Sorry for the late reply. I’ve been busy all day.

Just one other thought. Have you enabled DMZ on your router? (You shouldn’t use it for this situation.)

If you can, please reboot the Pi and try these commands:

sudo ip route add default via 192.168.1.1 dev eth0 table 22
sudo ip route add 192.168.1.0/24 dev eth0 src 192.168.1.17 table 22
sudo ip rule add from 192.168.1.17 table 22
sudo ip rule add from all to 192.168.1.17 dev eth0 table 22
sudo ip route flush cache

(It’s trying to ensure that traffic that comes in through eth0 also returns through eth0.)

Then try to SSH from outside with (and without) the VPN.


Hi the best of the best dillthedog !

it works !!! :heart_eyes::star_struck::muscle::ok_hand::+1:

osmc@osmc:~$ sudo ip route add default via 192.168.1.1 dev eth0 table 22
osmc@osmc:~$ sudo ip route add 192.168.1.0/24 dev eth0 src 192.168.1.17 table 22
osmc@osmc:~$ sudo ip rule add from 192.168.1.17 table 22
osmc@osmc:~$ sudo ip rule add from all to 192.168.1.17 dev eth0 table 22
osmc@osmc:~$ sudo ip route flush cache
osmc@osmc:~$ route -n
Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
0.0.0.0         10.10.0.21      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.10.0.1       10.10.0.21      255.255.255.255 UGH   0      0        0 tun0
10.10.0.21      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.10.0.21      128.0.0.0       UG    0      0        0 tun0
151.80.10.10    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
osmc@osmc:~$ sudo tcpdump -i eth0 port 22 and not host 192.168.1.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:35:43.162173 IP 193.57.121.73.54180 > osmc.ssh: Flags [S], seq 1488102332, win 64240, options [mss 1400,sackOK,TS val 10989508 ecr 0,nop,wscale 8], length 0
23:35:43.162847 IP osmc.ssh > 193.57.121.73.54180: Flags [S.], seq 398836362, ack 1488102333, win 28960, options [mss 1460,sackOK,TS val 1789 ecr 10989508,nop,wscale 7], length 0
23:35:44.082550 IP 193.57.121.73.54180 > osmc.ssh: Flags [.], ack 1, win 251, options [nop,nop,TS val 10990454 ecr 1789], length 0
23:35:44.165203 IP osmc.ssh > 193.57.121.73.54180: Flags [P.], seq 1:40, ack 1, win 227, options [nop,nop,TS val 1889 ecr 10990454], length 39
23:35:44.853977 IP 193.57.121.73.54180 > osmc.ssh: Flags [P.], seq 1:21, ack 1, win 251, options [nop,nop,TS val 10990455 ecr 1789], length 20
23:35:44.854478 IP osmc.ssh > 193.57.121.73.54180: Flags [.], ack 21, win 227, options [nop,nop,TS val 1958 ecr 10990455], length 0
23:35:44.855430 IP 193.57.121.73.54180 > osmc.ssh: Flags [.], ack 40, win 251, options [nop,nop,TS val 10990539 ecr 1889], length 0
23:36:01.678263 IP 193.57.121.73.54180 > osmc.ssh: Flags [P.], seq 861:877, ack 1032, win 269, options [nop,nop,TS val 10991572 ecr 2059], length 16
23:36:01.719736 IP osmc.ssh > 193.57.121.73.54180: Flags [.], ack 877, win 239, options [nop,nop,TS val 3645 ecr 10991572], length 0
23:36:01.720167 IP 193.57.121.73.54180 > osmc.ssh: Flags [P.], seq 877:921, ack 1032, win 269, options [nop,nop,TS val 10991574 ecr 2059], length 44
23:36:01.720706 IP osmc.ssh > 193.57.121.73.54180: Flags [.], ack 921, win 239, options [nop,nop,TS val 3645 ecr 10991574], length 0
23:36:01.721474 IP osmc.ssh > 193.57.121.73.54180: Flags [P.], seq 1032:1076, ack 921, win 239, options [nop,nop,TS val 3645 ecr 10991574], length 44
23:36:03.090905 IP 193.57.121.73.54180 > osmc.ssh: Flags [.], ack 1076, win 269, options [nop,nop,TS val 10992280 ecr 3645], length 0

Now I’d like that to work with every port…
Do I only have to delete the end of the line (table 22) and put it in a script launched at boot (/etc/rc.local)?

I’m so happy !!!

Long life to OSMC and its forum and support and you of course ! :slight_smile:

Thanks a lot

Maxime

Although I called the table “22” it should also work with transmission.

The rules will disappear after a system reboot. You need to place them somewhere so they get run at startup. You can try /etc/rc.local but it might run too early in the sequence. Give it a try and let us know if it works.


sorry, I did not even try…

yes it works also with transmission ! Perfect !!!

I’m going to put it in rc.local with a 30s sleep first :wink:

I’ll let you know very soon.

Now, ssh and transmission work like a charm from inside and outside my network thanks to you Dillthedog!

To sum up, my /etc/rc.local looks like:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

sh /home/osmc/vpn/routes4vpn.sh &

exit 0

And /home/osmc/vpn/routes4vpn.sh :

#!/bin/bash
# Wait for the network and OpenVPN to come up before touching the routing tables.
sleep 30
# Table 22: replies sent from the LAN address go back out through eth0, not tun0.
ip route add default via 192.168.1.1 dev eth0 table 22
ip route add 192.168.1.0/24 dev eth0 src 192.168.1.17 table 22
# Use table 22 for anything sent from 192.168.1.17, or arriving on eth0 for it.
ip rule add from 192.168.1.17 table 22
ip rule add from all to 192.168.1.17 dev eth0 table 22
ip route flush cache

You can put a big SOLVED to this ticket :slight_smile: :tada:

I would recommend you and OSMC support !

Thanks a lot

Best regards,

Maxime
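An added script, not the author's routes4vpn.sh and not anything shipped by OSMC, that does the same job as the script above without hard-coding the gateway, prefix and address: it derives them from "ip -4 route show" and installs dillthedog's table-22 rules only when they are not already present, so it can be re-run (from rc.local or an OpenVPN route-up hook) without stacking duplicate rules. LAN_DEV, TABLE, the file name routes4vpn-auto.sh and the function names are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread: derive the LAN gateway, prefix and
# source address from "ip -4 route show" instead of hard-coding them, then
# install the same table-22 policy routes dillthedog proposed, skipping the
# install when the rules are already in place so rc.local or an OpenVPN hook
# can re-run it. Assumes iproute2; LAN_DEV and TABLE are assumed names.
LAN_DEV="${LAN_DEV:-eth0}"
TABLE="${TABLE:-22}"

# Gateway of the main-table default route on a device (route text on stdin).
gw_for_dev() { awk -v d="$1" '$1=="default" && $2=="via" && $5==d {print $3; exit}'; }
# Connected LAN prefix on a device, e.g. 192.168.1.0/24 (the kernel "scope link" route).
lan_for_dev() { awk -v d="$1" '$2=="dev" && $3==d && /proto kernel/ && /scope link/ {print $1; exit}'; }
# Address the kernel uses as source on that LAN route (its "src" field).
src_for_dev() {
    awk -v d="$1" '$2=="dev" && $3==d && /proto kernel/ && /scope link/ {
        for (i = 1; i < NF; i++) if ($i == "src") { print $(i+1); exit } }'
}

# Print the five commands, one per line, so they can be reviewed before use.
# "replace" instead of "add" makes the two route steps safe to repeat.
policy_route_cmds() {  # args: dev gateway lan_prefix src_addr table
    printf 'ip route replace default via %s dev %s table %s\n' "$2" "$1" "$5"
    printf 'ip route replace %s dev %s src %s table %s\n' "$3" "$1" "$4" "$5"
    printf 'ip rule add from %s table %s\n' "$4" "$5"
    printf 'ip rule add from all to %s dev %s table %s\n' "$4" "$1" "$5"
    printf 'ip route flush cache\n'
}

# Read the live routing table and print the plan; fails if the LAN is not up yet.
plan_policy_routes() {
    routes=$(ip -4 route show) || return 1
    gw=$(printf '%s\n' "$routes" | gw_for_dev "$LAN_DEV")
    lan=$(printf '%s\n' "$routes" | lan_for_dev "$LAN_DEV")
    src=$(printf '%s\n' "$routes" | src_for_dev "$LAN_DEV")
    if [ -z "$gw" ] || [ -z "$lan" ] || [ -z "$src" ]; then
        echo "cannot derive gateway/prefix/src for $LAN_DEV (network not up yet?)" >&2
        return 1
    fi
    policy_route_cmds "$LAN_DEV" "$gw" "$lan" "$src" "$TABLE"
}

# Apply the plan unless a rule already points at the table: "ip rule add" is
# not idempotent and would stack a duplicate rule on every run.
apply_policy_routes() {
    if ip rule show | grep -q "lookup $TABLE\$"; then
        echo "rules for table $TABLE already present; nothing to do"; return 0
    fi
    cmds=$(plan_policy_routes) || return 1
    printf '%s\n' "$cmds" | sh -e
}

case "${1:-}" in
    plan)  plan_policy_routes ;;    # print what would be run
    apply) apply_policy_routes ;;   # needs root
esac
```

Run "./routes4vpn-auto.sh plan" to see the commands it would issue and "sudo ./routes4vpn-auto.sh apply" to install them.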

Excellent news. And I hope you’ve also tested that the VPN still works. :wink:

Just to wrap things up, I would suggest that you move your external SSH port to a high value - a number between 50,000 and 65,000 will do. This will reduce - though not eliminate - the number of people trying to break into your system through SSH. For completeness, you might also want to change the external port for Transmission from 9091.

In case anyone wants to try the same on a Vero4K, right now (kernel 3.14.29-55) this multi routing table capability is not in the kernel. Perhaps @sam_nazarko will include it in the next build. :wink:

Of course the vpn still works ! :wink:

I’ve changed all external ports !

Now, I just have to enjoy my awesome OSMC server :sunglasses:

bye :beers:
