Incoming connections work with Port Forwarding to ISP but fail with Port Forwarding to WireGuard VPN to a static public IP.
Outgoing ASL connections, incoming SSH connections, and incoming Dashboard/Allmon connections, all work fine. Just incoming Node and WT connections fail. The node shows registered on Allstarlink.org.
Is something missing in the Port Forwarding when using the VPN?
Local   Public   Protocol
9090    9090     TCP+UDP
4569    4569     UDP
22      22222    TCP
80      60632    TCP+UDP
For testing I now have two nodes running: 60632 on my public IP and 62426 running on a 44NET address via VPN. The registrations both show the correct public IP addresses.
Roger
WA1NVC
node60632CLI> rpt show registrations
Host                  Username   Perceived              Refresh   State
162.248.92.131:443    60632      74.104.140.186:4569    179       Registered
1 HTTP registration.
node60632CLI>

node62426CLI> rpt show registrations
Host                  Username   Perceived              Refresh   State
34.105.111.212:443    62426      44.32.91.9:4569        179       Registered
1 HTTP registration.
node62426CLI>
Just seeing if you are allowing and then routing/forwarding traffic from your 44-Net VPN server to your 62426 node IP? I had some challenges when first setting up my OpenVPN system with allowing forwarding from the VPN public-facing IP and then routing it on to the 10.8.0.xx VPN IP. It took some reading of websites and tinkering with the settings to get it working eventually. You hopefully can use Netstat on your VPN server to see when your traffic makes it to the VPN and also watch the asterisk CLI to see when your traffic makes it to the Allstar node.
I am doing the same port forwards on the directly connected node as I am for the node on the VPN.
I have confirmed this problem on three ASL V3 nodes.
I have also confirmed the wired VPN and the cellular modem with VPN have the same problem.
The direct wired node and the VPN’d node are sitting on a table in the other room. They are going to remote sites so until this is fixed, no radios are connected. The developers are welcome to use them to try and figure out why this does not work.
I can see the attempt and the failure on both ends but cannot figure out what the problem is.
There are lots of sites where we want to deploy ASL V3, but until this is fixed we will have to wait.
I’m not using 44net, so I don’t know specifically what could be going on there.
However, I did just deploy three nodes behind a self-hosted Wireguard VPN. These nodes are on mobile connections.
The Wireguard server has the appropriate iptables forwarding to make inbound IAX2 connections work. All these nodes are running ASL3, and it works fine in both directions on all nodes. One of them is also hosting an Echolink node.
So, this is probably not an ASL issue directly, I would guess.
In this instance, I have installed individual Wireguard clients on the nodes themselves, so it isn’t dependent on any particular network hardware or environment to make the connection. The firewall (iptables) on the Wireguard server handles all the port forwarding.
Ports 80 and 22 aren’t forwarded from the node to the public internet, since I don’t need them to be there.
I can really only help with forwarding if the endpoint is going through iptables, since that’s all I know.
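As an added illustration of the iptables forwarding described in this reply (this is not the poster's own ruleset), here is what a WireGuard server typically needs so that inbound IAX2 and the other ports from the thread's table reach a node that is a WireGuard peer. Interface names eth0/wg0 and the node's tunnel address 10.8.0.2 are assumptions; the script prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# build_rules PUB_IF WG_IF NODE_IP
# Prints the iptables commands for forwarding public ports to a WireGuard
# peer. Assumed: eth0 is the public interface, wg0 the tunnel, 10.8.0.2 the
# node's tunnel address. Pipe the output to "sh" as root to apply it.
build_rules() {
    pub_if=$1; wg_if=$2; node_ip=$3
    # Without IP forwarding the kernel silently drops DNAT'd packets.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # "public_port/proto local_port": same numbers as the thread's table;
    # 22222 -> 22 shows a translated (different) public port.
    for spec in "4569/udp 4569" "9090/tcp 9090" "9090/udp 9090" "22222/tcp 22"; do
        set -- $spec
        pub_port=${1%/*}; proto=${1#*/}; local_port=$2
        # 1. Rewrite the destination so the packet is addressed to the node.
        echo "iptables -t nat -A PREROUTING -i $pub_if -p $proto --dport $pub_port -j DNAT --to-destination $node_ip:$local_port"
        # 2. Let only that rewritten flow pass the FORWARD chain.
        echo "iptables -A FORWARD -i $pub_if -o $wg_if -p $proto -d $node_ip --dport $local_port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # 3. Replies belonging to an accepted flow may go back out.
    echo "iptables -A FORWARD -i $wg_if -o $pub_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 4. Source-NAT toward the node so its replies come back through the
    #    tunnel even if the node's default route is not via WireGuard
    #    (the node then sees the VPN server's address, not the caller's).
    echo "iptables -t nat -A POSTROUTING -o $wg_if -d $node_ip -j MASQUERADE"
}

# has_forward PUB_IF WG_IF NODE_IP PUB_PORT LOCAL_PORT
# Self-check: does the generated ruleset contain the expected DNAT?
has_forward() {
    build_rules "$1" "$2" "$3" | grep -q -- "--dport $4 -j DNAT --to-destination $3:$5"
}

build_rules eth0 wg0 10.8.0.2
```

Verify the DNAT actually fires on the server with `iptables -t nat -L PREROUTING -v -n` (packet counters increase) while a peer connects, and watch for the forwarded packets on wg0 with tcpdump.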
This is asterisk-speak for “node didn’t respond” as technically “not responding fast enough” is the same thing.
However your description of the problem and your setup is very confused. You talk about a router replacement and then jump to talking about two nodes, one of which is on a Wireguard tunnel. Can you clarify several points:
You have two different ASL servers each with their own node?
Are these servers on the same local IP subnet?
How many of the nodes are configured to use wireguard?
For each node configuration to use it, describe the wireguard configuration
I think the command is tcpdump - if you can run that on your VPN server, you can watch where the packets are coming and going to. You will see if they are making the VPN server and not being routed or maybe being routed incorrectly.
Let me see if I can clarify and also supply the solution!!!
I have built 3 nodes each on a RPi 4B 4 GB with an RA-42M. I have used each one on three different internet connections:
FIOS and a home router
FIOS and a VPN router
cellular modem and a VPN router
The VPN router contained a Wireguard VPN client to a 44net static public IP address
In each router ports 9090, 4569, 80, and 22 were port forwarded in the same manner.
80 and 22 were “translated?” to 5-digit port numbers on the internet in the port forwarding.
Wireguard was NOT installed on the ASL node.
Everything worked on the home router and all but inbound connections worked on the VPN router.
The solution:
When Patrick suggested I put the Wireguard client directly on the node, I changed ASL ports 80 and 22 on each ASL node to the 5 digit port numbers.
I tested each ASL node with the changed port numbers with each internet connection before my planned install of Wireguard directly on the ASL nodes. The port forwarding in each router was also changed to NOT “translate?” the port numbers.
Interestingly all configurations now worked!!!
My conclusion is the port forwarding “translation?” in the VPN router was not always working correctly. The VPN router was running OpenWRT. The only router change was there is no longer a “translation?” for the Apache port.