Well, happy New Year everyone! I’ve got some New Year’s nerd needs in getting this to work!
At the end of the day, I think I’ve spent over 75 hours, with weeks of trial and error trying to get this to work, and I think it’s time that I ask for some serious baby-step walkthroughs or even a ready-made config file from someone. The trial and error (with some minor, but temporary, successes) has seemed so patternless that I am starting to think that I might have a hardware problem.
As it is, I am barely getting any luck or consistency, just starting at the bare setup of connecting my instance to InControl2, let alone the glitchiness of trying to get it to connect to PepVPN. Those two things alone literally took me an entire all-nighter… but something tells me it really shouldn’t be this difficult.
Now, so far, the only real consistent (partial) success that I am getting is setting the PepVPN option to route all traffic through PepVPN to the instance. THAT is literally the only thing that makes me feel sane, because it always works. When I hit the button, it always changes my IP address to the Vultr IP address. WONDERFUL! Except… I don’t want it to route ALL my traffic. As we discussed, I just need it to route a single IP, or even a VLAN (so I could just hardwire my server to a LAN Ethernet port), and getting this to actually work has proven to be one of the most difficult computer challenges I have faced. The number of times I have gotten locked out of either my instance or Surf SOHO, because either a glitch broke something or a setting was misconfigured, would keep your head spinning for months!
So, let’s assume that I have my PepVPN working (I don’t know what mode the VPN is in) with my instance and Surf SOHO (because it actually is working right now, WOW!). How in the heck do I configure the following:
1) The firewall on the instance and the firewall on the Surf SOHO.
2) An outbound policy to forward traffic from my server IP to the instance, without using the “Route all traffic to PepVPN” button.
3) Forward ports properly and open the firewall for those ports properly.
My trial and error has consisted of using the VNC client on my phone, over and over and over again, to attempt connections to my Mac after every minor change has been made to a configuration on either the Surf or the Vultr instance. Starting with the loosest security settings (no firewalls, all ports forwarded, etc., etc.), I then slowly tighten them up inch by inch until the VNC client can no longer connect, and then try to trace the most recent setting change back to the cause of why my VNC can’t connect with seemingly normal firewall rules or forwarded ports. This has proven quite tedious. However, through this process, there are a few things that I think I have discovered for which I require an explanation and/or elaboration.
After a lot of trial and error, a few things that I “thought” I had an understanding of are now causing me to second-guess the solidity of my knowledge. The first of these things is:
1a) It was my understanding that not only do I forward ports from the instance WAN IP address directly to the local Mac IP, but I also wanted to open up the same ports from the same WAN IP in my firewall, so it allows external traffic into my network. However, the interesting part that I figured out is that while it is true my ports need to be forwarded from my instance WAN IP in order for the VNC client to work, I have learned that it is NOT true that the firewall also needs ports opened from the instance WAN IP. Instead, I have learned that with the firewall on my instance completely open on all fronts, external traffic is still being blocked from accessing my instance, and thus the forwarded ports on my Vultr WAN IP. Interestingly enough, I figured out that the only way to allow access from my phone’s VNC client to my Surf SOHO, through my instance via PepVPN, is to track down my PHONE’S WAN IP (by going to whatsmyip.org) and entering the IP address of my phone into my incoming firewall’s allow settings.
1b) Can someone please verify that this is normal, and if so, please explain why? It seems odd that with my firewall wide open, I still need to enter custom entries for external IPs in order to allow devices into my network. Isn’t the whole idea of an external firewall to block or allow any IPs on specified ports, but only for the WAN IP address? Why must I create a custom entry specifying each external device’s WAN IP address? With all firewalls down, shouldn’t that by default let any traffic into my network regardless of whether or not its IP is specifically entered in the “Allow” settings of the firewall? Any explanation would be greatly appreciated!
2) I have barely narrowed down my firewall rules to anything close to minimizing all attack vectors, but nevertheless, I have narrowed them down a little bit. In doing so, there are also a few odd quirks that made me question my understanding of the firewall.
a) It seems that with my VNC, the only way to get it working is to allow it to enter any port once it passes the WAN firewall. For some reason, the VNC is obfuscating its port path upon entering the router. In other words, I can’t forward port 5900 directly from the WAN IP to the Mac’s LAN IP. I can’t go from 5900 to -p 5900. Once the VNC reaches the inside of the router, it seems to constantly change the port at which it enters the LAN VNC. So there is really no understood way for me to narrow down what internal ports it is actually using in order to close off all the ports it isn’t using. Instead, I just have this wide gap of open internal ports just to allow a VNC to use a single port that it randomly selects for some reason. Is there a way to identify what ports it is using, and a way to instruct it to not obfuscate its internal path?
b) Furthermore, it also seems as though the VNC does not use the same port (5900) when exiting from the server to the client. Once again, its port path is unpredictable, and thus I must “Allow all” ports going from the LAN IP back out to the Vultr instance IP. Why in the world is this acting this way, and how do I identify and tackle this problem?
This isn’t really an intact or polished post, as I have left quite a bit out, because, well, I’m just exhausted and too tired to keep my head in this game today. But I wanted to get something out there in hopes that I might get some helpful responses, or even a gold mine of some professional config files that are already set up to utilize the illustrated configuration properly.
Any guidance and help is highly appreciated, and once again, sorry for the delay in my posts. There’s just only so much of this debugging that I can take in large doses.
Also, sorry if I sound a little bitchy or irritated. I’m just very frustrated and my bloodshot eyes are encouraging me to give up! So if I came off negatively at all, I apologize!
Thanks everyone!
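Added example (not part of the post above, and not Peplink, Vultr or any vendor's code): a toy model of what a stateful gateway does with a port-forwarded VNC connection, written to illustrate the "changing ports" the post describes in 2a and 2b. The model assumes the behaviour typical of stateful NAT routers: an inbound packet is checked against the WAN firewall, rewritten by the port-forward table, and the flow is remembered so the reply from the LAN host is recognised without a separate outbound "allow all" rule. The only port that is fixed is the destination port 5900; the client's source port is an ephemeral port the client picks, and the reply goes back to that same ephemeral port. All addresses are constructed documentation-range values, and the optional source-IP allow-list is shown as a tightening, not as a requirement.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The four header fields that NAT and firewall rules act on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Gateway:
    """Toy stateful gateway: WAN allow-list + DNAT port forward + connection tracking.

    Assumed behaviour (generic, not verified against any specific product).
    """

    def __init__(self, wan_ip, forwards, allow_in, allow_src=None):
        self.wan_ip = wan_ip
        self.forwards = forwards      # {wan_dst_port: (lan_ip, lan_port)}
        self.allow_in = allow_in      # destination ports permitted inbound on the WAN
        self.allow_src = allow_src    # optional allow-list of remote source IPs
        self.state = {}               # (lan_ip, lan_port, remote_ip, remote_port) -> (wan_ip, wan_port)

    def inbound(self, pkt):
        """Packet from the internet hitting the WAN address; returns the LAN-side packet or None."""
        if pkt.dst_ip != self.wan_ip or pkt.dst_port not in self.allow_in:
            return None                                  # blocked by the WAN firewall
        if self.allow_src is not None and pkt.src_ip not in self.allow_src:
            return None                                  # blocked by the source-IP allow-list
        fwd = self.forwards.get(pkt.dst_port)
        if fwd is None:
            return None                                  # allowed, but no forward behind NAT
        lan_ip, lan_port = fwd
        # Remember the translated flow, keyed by what the reply will look like.
        self.state[(lan_ip, lan_port, pkt.src_ip, pkt.src_port)] = (pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)

    def outbound(self, pkt):
        """Reply from the LAN host; un-translated only if it belongs to a tracked flow."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.state:
            return None                                  # unsolicited: a stateful firewall drops it
        wan_ip, wan_port = self.state[key]
        return Packet(wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)


def vnc_round_trip(gw, client_ip, client_port):
    """One VNC request/reply pair; returns (packet as seen on the LAN, reply as seen on the WAN)."""
    request = Packet(client_ip, client_port, gw.wan_ip, 5900)   # client picks client_port itself
    to_lan = gw.inbound(request)
    if to_lan is None:
        return None, None
    # The VNC server answers from port 5900 back to the client's ephemeral port.
    reply = Packet(to_lan.dst_ip, to_lan.dst_port, to_lan.src_ip, to_lan.src_port)
    return to_lan, gw.outbound(reply)


# Constructed addresses from documentation ranges, not real hosts.
WAN_IP = "203.0.113.10"
MAC_IP = "192.168.50.20"
PHONE_IP = "198.51.100.77"


def demo():
    """Single forward 5900 -> Mac:5900 and a single inbound allow on port 5900."""
    gw = Gateway(WAN_IP, forwards={5900: (MAC_IP, 5900)}, allow_in={5900})
    return vnc_round_trip(gw, PHONE_IP, 51234)


if __name__ == "__main__":
    to_lan, back = demo()
    print("LAN side :", to_lan)   # src 198.51.100.77:51234 -> dst 192.168.50.20:5900
    print("WAN side :", back)     # src 203.0.113.10:5900 -> dst 198.51.100.77:51234
```

Run it and the two printed packets show where the "random" port lives: it is the client's source port, which is different on every connection and is never something the gateway needs a rule for. Only the destination port (5900) needs a forward and an inbound allow, and the reply is accepted because it matches the tracked flow, not because of an outbound rule. Adding `allow_src={PHONE_IP}` narrows the exposure further to one known source address, which is a legitimate hardening step on top of, rather than a substitute for, the port rule.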