My Allstar node used VPN and the central server got it wrong IP

HC1LNM · October 25, 2023, 11:19am

The last Sep 20 I sent to helpdesk this message and never receive the answer, I hope somebody here can help me:

I have a VPN with port forwarding service and I have a problem with my dedicated IP address, the central server used nslookp 59201.ip.hamvoip.org to discover the ip, and got sometimes my dedicated ip and sometime my provider ip, example

root@REPDOM46818:/home/repeater# cat /var/lib/asterisk/rpt_extnodes | grep 59201
59201=[radio@186.101.135.9:4569/59201,186.101.135.9]
root@REPDOM46818:/home/repeater# cat /var/lib/asterisk/rpt_extnodes | grep 59201
59201=[radio@45.74.23.180:4569/59201,45.74.23.180]

I the ip got it by central server is 186… I cannot connect to any node with this reason:

WARNING[3886]: app_rpt.c:23293 rpt_exec: Node 59201 IP 186.101.135.9 does not match link IP 45.74.23.180!!

How can I do to solve this problem? How can I tell central serve that my ip It is that of the tunnel and not that of the supplier

My dedicated IP is (tun0) 45.74.23.180 and my provider IP is 186.101.135.9

This is my ifconfig

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 45.74.23.180 netmask 255.255.255.0 destination 45.74.23.180
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 7324 bytes 3274077 (3.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9256 bytes 1038941 (1014.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wd6awp · October 25, 2023, 11:14pm

Isn’t the whole reason to use a VPN to hide your IP address?

HC1LNM · October 26, 2023, 12:22am

Unfortunately my provider cannot permit access to router so I have all ports closed,and the only way to open ports is using a vpn with port forwarding, i use a dedicated ip at the end of the tunnel, but the nslookup got it the provider ip instead the tunnel, sorry my bad english

jim · October 26, 2023, 8:51am

From a quick read of this, I think your outbound traffic (from the allstar system) is going over your ISP and not the VPN.

You need to check your routing, you can use tools like telnet to see the path taken.

HC1LNM · October 26, 2023, 6:38pm

Hey good afternoon

Ok how can I do to routing over tunnel ?

jim · October 26, 2023, 8:43pm

Are you able to provide the output of ip a and ip r here? Please sanitize any private data.

HC1LNM · October 29, 2023, 11:56pm

Sorry I know understand what you means

jim · October 30, 2023, 3:41pm

No problem, you need to run the command ip r and send the output here.

HC1LNM · November 3, 2023, 12:45am

root@pi-asl:/home/repeater# ip r
0.0.0.0/1 via 45.74.23.1 dev tun0
default via 45.74.23.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.157 metric 202
default via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.155 metric 303
45.74.23.0/24 dev tun0 proto kernel scope link src 45.74.23.180
128.0.0.0/1 via 45.74.23.1 dev tun0
139.28.216.230 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.157 metric 202
192.168.1.0/24 dev wlan0 proto dhcp scope link src 192.168.1.155 metric 303

jim · November 4, 2023, 11:41pm

Hey, okay that looks good. You are routing your default traffic over the tunnel.

Does your VPN tunnel port forward UDP 4569?

HC1LNM · November 5, 2023, 1:21am

yes, but sometimes the Allstar server got my provider ip instead my tunnel ip, so when the distribution will do, the wrong ip are stored in all nodes database

Mike · November 5, 2023, 3:41am

It looks on the surface that when you are registering, your native IP is being used, thereby making all the nodelists incorrect when you try to connect using the VPN IP and they will not allow the connect.

Somehow, you need to force the use of VPN IP during registration. Then the nodelist data will be correct for inbound and allow the outbound connects you make.
Or don’t use the VPN on the server. Perhaps DDNS.

If the outbound connection attempt does not match the ip data in the targets nodeslist file,
it will be refused.(security)

You can look at that yourself for testing /var/lib/asterisk/rpt_extnodes
and know when you have it correct.

jim · November 6, 2023, 8:53am

To add to Mikes detailed response.

You might want to delay the start of Asterisk. This should allow time for the VPN to establish before you start to send packets out. If this works you may want to write a script that checks the default gateway is correct before Asterisk starts.

HC1LNM · November 6, 2023, 10:25am

OK thanks for the answer and I know all that you guys explain to me and that’s what I need so

how can I do that? is my question from beginning

Mike · November 6, 2023, 12:35pm

I don’t use VPN, so I can only guess at what might be a remedy.

And one method to try is to wait long enough for the vpn to settle after boot,
then go to asterisk cli>
asterisk -rvvv

And then reload the node
reload

where it will re-register in the process of that reload.

Outside of that, you would need to halt loading asterisk until the network has fully settled with your vpn.
You might need to wait up to 10 more minutes to test and the vpn ip to propagate the nodeslist.

So, I can only present a work-around for the issue. And the above can be done with a startup macro and script if you were trying to make it more permanent.

It is worth a test to see if it gets you there and then try better methods.

HC1LNM · November 6, 2023, 5:46pm

OK thanks for the help