Desktop/Mobile Clients to use public ip from lan

Hi

Please guide me on an issue I have where devices (desktop and mobile clients) cannot sync with the Nextcloud server when on the same LAN as the server, but do sync when on a different network using the server’s public static IP address.

My home configuration is as follows:

  • Dell PowerEdge 1950 Gen II running Ubuntu 16.04 and NextCloud 11.0.1
  • Router with fixed public IP made to forward HTTPS (443) traffic to the static internal private IP of the server hosting Nextcloud.
  • LAN users reside on the same subnet as the server.

Nextcloud desktop and mobile apps are set to use the public IP, e.g. https://xxx.xxx.xxx.xxx/nextcloud. They do sync with the server from outside the LAN, but within the LAN the app cannot sync.

For desktop clients I can hack around the hosts file, but cannot do such with the mobile devices.

Any suggestions please?


It’s nicer to use a hostname. This way you could also manipulate your local DNS resolver so that your NC hostname is resolved to the local IP instead of the public IP.

@tflidd apart from setting up the hostname, would you be able to guide me on how to accomplish this, as I am missing something.

I have no domain name for the home set-up, and the ISP router is very limited, so I basically make use of port forwarding.

The problem is, some routers “know” that the public IP belongs to them and route properly. You can use free DynDNS providers for a hostname. However, it would require having your own DNS resolver in your network. Some routers allow you to make changes manually. If your router can’t do it, you could set up a Raspberry Pi to do this job for you (or your NC server if it runs all the time). Unbound could be such a DNS resolver.

A nice side effect is that you can use it to filter ads.

@tflidd will try, but it’s hard to accomplish this on a B3000. Besides, the ISP is not exactly that helpful either. Just to put you in the picture, it took them over three weeks to allocate me a public IP.

Any other alternatives, maybe altering the config.php? I did add both the public and private IP as trusted domains, and managed to alter the hosts files on the laptops to use the external IP, but cannot do that on mobile devices.

I also tried to put the server on a separate subnet from the user LAN, but the router failed to route.

We don’t have special knowledge of the vast number of different router models. You may consult the customer forums of your ISP; they know these devices and can perhaps tell you if this is possible. Other ways I would know of: buy your own router that you use behind your ISP router, which allows you to make all configurations. Or always use a local IP on your phone and use a VPN connection to your local network.

@tflidd many thanks.

Just an idea, would reverse proxy do the trick?

I don’t see how. A reverse proxy would sit on an external network, but that isn’t what you want to do. A proxy server in general could do it, but you would have to set up a proxy server and then on your mobile only activate the proxy within your local network.

Hello Fabian,

Did you find a solution? I ask because I’m searching the help forums specifically for questions like yours. We at ZeroTier offer an open source P2P VPN that will make connecting to your Nextcloud server inside (and outside) of your LAN much easier. It’ll handle dynamic IP changes as well. Let me know if you have any questions.

@joseph.henry interesting concept, but I need to learn more about it, especially from an information security perspective. Having over two decades of infosec experience, my instant line of thought for such solutions flags possible MitM attacks from the VPN hosting service provider (third-party controller). Or is the VPN created directly between the machines?

Register a free domain name at freenom.com.

Create a free subdomain at DuckDNS, i.e. example.duckdns.org.

Create a CNAME record in your DNS config on Freenom to point nextcloud.yourfreedomain.xx to example.duckdns.org.

There is a simple script on DuckDNS to update your public IP with a cron job as often as you see fit. Then your clients inside or outside will resolve to the public IP, and your router will forward that traffic to the Nextcloud server.

As you have a static public IP you can skip the DuckDNS part and simply create an A record on Freenom. Sorry, I re-read your question.

@dieselfreak I did try the A record on a subdomain I have hosted with GoDaddy, but still the WLAN users were redirected to the router instead of the Nextcloud server.

From then on, I got myself a Linksys WRT1900ACS v2 router to create a URL redirection for the WLAN users. Trust my luck, I haven’t been able to test the redirection yet, as I had to switch the router’s firmware to OpenWRT, then to LEDE (17.01.0-rc1), and I am currently doing a sysupdate to LEDE (17.01.0-rc2).

Will inform if successful.

Hello,

the problem you’re experiencing is called “NAT reflection”.

What happens?

Let’s say your internal subnet is 10.1.1.0/24 and the host that tries to access your NC via the outside IP address is 10.1.1.100. The internal IP address of the NC box is 10.1.1.11.

The host looks up the external IP address of the external hostname, e.g. nextcloud.dyndns.com points to 1.2.3.4, and then connects there.

So a packet goes out from 10.1.1.100 to 1.2.3.4.

As your host is not part of the 1.2.3.4 subnet, it forwards the packet to the router.

The router gets the packet, sees that it holds the IP address 1.2.3.4 and applies its NAT rules. As reverse NAT just alters the DESTINATION address, the router rewrites the packet and:

from 10.1.1.100 to 1.2.3.4

becomes

from 10.1.1.100 to 10.1.1.11

Now the router forwards the packet to 10.1.1.11.

The NC box (10.1.1.11) picks up the packet, opens the connection and sends the SYN-ACK back. The packet gets generated in the box’s kernel and then hits the kernel’s routing table. And now … that’s where the problem kicks in…

The NC box’s routing table knows that 10.1.1.100 belongs to its own subnet. So instead of sending the answer back to the router, so that the router can apply the rewriting of the packet and send it back to your client, it sends it DIRECTLY to your client, looking like this:

from 10.1.1.11 to 10.1.1.100

Now your client, on the other hand, doesn’t have a connection to 10.1.1.11. It’s waiting for a response from 1.2.3.4, and that never arrives. So it ditches the packet from 10.1.1.11 and continues to wait for the answer from 1.2.3.4.

What can you do?

Well… You can either enable source NATing for incoming connections, which would change the source IP address to the router’s address so the answer would flow back in the right direction, BUT in the access logs of your web server all you will see is access from 10.1.1.1 … And as there is no HTTP header inserted, because packet filters don’t do that, you have no chance of recovering the original host that tried to access your box.

Or you assign your NC box an IP address in another subnet. Let’s say 10.1.2.0/24. Also add the subnet to the router and then forward the requests to 10.1.2.11 instead of 10.1.1.11. That way 10.1.2.11 needs to reply to 10.1.1.100, and as a direct connection between 10.1.2.11 and 10.1.1.100 is not possible across two different /24s, it needs to send the packet back to the router. And tada. NAT reflection problem solved, and you can see the external IP address that tries to access your NC box in the logs again.

Give it a shot. I’m pretty certain it works :wink:

Cu

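The three cases in the post above (same subnet without hairpin SNAT, same subnet with hairpin SNAT, and the NC box moved to 10.1.2.0/24) as an added simulation of the routing decision, not code from the thread; it uses the post’s addresses and assumes the router’s LAN-side address is 10.1.1.1.

```python
import ipaddress

# Addresses from the post above; the router's LAN-side address is assumed.
PUBLIC_IP = ipaddress.ip_address("1.2.3.4")
ROUTER_LAN_IP = ipaddress.ip_address("10.1.1.1")


class Host:
    def __init__(self, ip, subnet):
        self.ip = ipaddress.ip_address(ip)
        self.subnet = ipaddress.ip_network(subnet)


def simulate(client, server, hairpin_snat):
    """Model one SYN / SYN-ACK exchange through the router's port forward.

    Returns (client_receives_reply, source_ip_seen_in_server_log).
    """
    # 1. The client resolved the public hostname and sends to 1.2.3.4.
    src, dst = client.ip, PUBLIC_IP
    # 2. The router's DNAT rule rewrites only the destination ...
    dst = server.ip
    # ... unless hairpin SNAT is enabled, which also replaces the source
    # with the router's own address (and that is what the web server logs).
    if hairpin_snat:
        src = ROUTER_LAN_IP
    logged_source = src
    # 3. The server's SYN-ACK goes back to whatever source address it saw.
    reply_src, reply_dst = server.ip, src
    # 4. Routing decision on the server: on-link destinations are delivered
    # directly, bypassing the router; anything else goes via the router.
    reaches_router = reply_dst == ROUTER_LAN_IP or reply_dst not in server.subnet
    if reaches_router:
        # The router reverses its NAT state: the reply now comes from 1.2.3.4.
        reply_src, reply_dst = PUBLIC_IP, client.ip
    # 5. The client only accepts a reply from the address it connected to;
    # a SYN-ACK arriving straight from 10.1.1.11 is dropped.
    client_receives_reply = reply_src == PUBLIC_IP and reply_dst == client.ip
    return client_receives_reply, str(logged_source)


if __name__ == "__main__":
    client = Host("10.1.1.100", "10.1.1.0/24")
    same_subnet = Host("10.1.1.11", "10.1.1.0/24")
    other_subnet = Host("10.1.2.11", "10.1.2.0/24")
    print("same subnet, no SNAT:  ", simulate(client, same_subnet, False))
    print("same subnet, SNAT:     ", simulate(client, same_subnet, True))
    print("server in 10.1.2.0/24: ", simulate(client, other_subnet, False))
```

The second tuple element shows why the SNAT workaround costs you the real client address in the web server logs, while the separate-subnet fix keeps it.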

Good question. We actually do everything we can to establish an encrypted direct connection only between your machines, since it’s not in our interest to pay for relaying your traffic. We have a distributed network of VPN controllers which orchestrate the discovery of your machines, and they only handle your traffic in the event that a direct path cannot be established. In that case we do label the connection as “relayed”. So in ~97% of cases you get a raw direct connection that is only really limited by your underlying network architecture.

On top of that we use a combination of C25519 elliptic curve encryption, salsa20, and poly1305 for your traffic and various identity generation procedures.

Our protocol is entirely open source and we welcome any security questions, suggestions or audits: https://github.com/zerotier/ZeroTierOne

@Grimeton that is precisely what I am trying to do with a Linksys WRT1900ACS, as the Vodafone B3000 has no such function (NAT reflection or loopback). Hopefully I will have an answer by this evening as to whether this has worked out, and will let you know.

The Voda routers are terribly locked down, so you’ve made a good choice by switching. Yours isn’t a complicated issue but it can be frustrating when it doesn’t do what you want :slight_smile:

@JasonBayton yep, I am playing around with the WRT1900ACS. I have shifted from OpenWRT -> LEDE 17.01.0-rc1 -> LEDE 17.01.0-rc2, but I still cannot get a decent WiFi signal out of this monster of a dual-band router. Actually tempted to try DD-WRT, but I am somewhat doubtful.