iPad Nextcloud app in UK seems to route login via the USA? (Android app is OK)

Hi, I have Nextcloud 23 running on a RaspPi4b, primarily as I'm de-Googling my services/apps/life! I'm using Nextcloud primarily for hosting my own calendar/contacts, which it is doing a stellar job at!
I have a domain/SSL cert and, for a bit of additional security, I have enabled geoblocking in my hardware firewall to allow ONLY inbound connections to 443 from the UK. (I can add additional countries if I'm going on holiday.) But I just want to prevent any inbound connections from a country I am not in.

Now all good here: on my desktop, if I VPN to any random country I can't get into Nextcloud, page timeout, but inside the UK it's fine. (Perfect!!!)

So on the web or Android app, all is fine, BUT with the iPad app it appears that it's secretly routing traffic through the USA. Is this Nextcloud's or Apple's doing?!
iPad on my wifi (in UK) cannot log in, it just times out (unless I add the USA!)

**On the iPad, if I VPN to the UK (ProtonVPN) then I can log in to Nextcloud OK
**Without the VPN, if I allow USA & UK inbound 443 in the hardware firewall… then the iPad works…

Just wondering if this is Apple's doing, or something Nextcloud deems necessary in their iPad app?
Why, with the iPad, do my credentials need to travel across the Atlantic to come back to my Pi in the UK?

I suppose that with a computer on your wifi, it is working? Is the IP address different when you access through your iPad?
Are you sure the problem is linked to the IP address and not something else?

For me the question is: if it was the Nextcloud app, why should it route through the US? And why shouldn't it when it is connected to a VPN? But that would be the same question for iOS: why should it pass traffic through the US? Did you install a system proxy or something?

Do you have IPv6 on your wifi network? Do you have it on the VPN? Perhaps iOS uses IPv6 by default and your other clients don't (for some other strange reason), and IPv6 is always considered to be US…

Not related to your case: I don't know how up to date these country lists are. In recent years, the remaining IPv4 blocks have been divided into smaller parts and handed out throughout the world. Don't expect your list to be perfectly up to date.

Hi, thanks for the reply…
Everything works fine for my Android device or Windows laptop when I'm on wifi, or even externally when out of my home on 4G, so DNS resolution/port forwarding is fine.

The country restriction is done in the firewall rules, and works just as I want it to.
E.g. to test on my PC or Android: if I VPN to random countries I cannot get to the forwarded port, which is what I'd expect; it only listens to the “UK”.

The iPad is pretty stock, no proxy or other tunnelling apps (I do have ProtonVPN but that's disabled apart from for testing).
No IPv6.

Apart from the iPad (on the same wifi): launching the Nextcloud app gets as far as the login screen, I enter credentials, then it just hangs and spins. Knowing Nextcloud/Apple are likely USA based, I added USA to my “Allow inbound” firewall rule, and the iPad now logs in fine. When doing a privacy report on the Apple app, it shows 2 domains, “nextcloud.mydomain.co.uk” & “https://push-notifications.nextcloud.com/”.

I can resolve and browse (outbound) to https://push-notifications.nextcloud.com/ and get “404 page not found”,
so either push-notifications is trying to get (inbound) to me and being blocked by the USA rule… or Apple are doing something in the background.

So currently I can either be more secure and not use the iPad for Nextcloud, or I allow USA inbound. (Or on the iPad, if I VPN to the UK with ProtonVPN, that seems to bypass whatever the Apple/Nextcloud app is blocking.)

I'm suspecting the iPad is just doing something sneaky, trying to talk with Apple or check in with Apple…

I understand geoblocking lists may not be 100% accurate, but I don't see the point in allowing the whole world to connect inbound to my device when I only need remote access to it from within the UK. The number of port scans and threat detections logged has dropped significantly!
Cheers

What kind of IP shows up when you go on whatismyip.com? Is it different on your iPad?
If you get a 404 error, you perhaps have a trace of this IP in your logs as well.

Hi, thanks. Yes, same WAN IP for all devices, but I have managed to track down the culprit!

I have multiple networks/VLANs (trusted devices/IoT devices/WFH devices/guests etc.), and as a test I put the iPad onto the trusted network and it worked; put back onto the guest network, it failed to connect again. After reviewing the rules I found it was something related to “Hairpin NAT”, and I just needed to add a rule allowing it on the guest network where the iPad is.
So it wasn't related to Apple or the Nextcloud apps!
Cheers!

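The root cause in the thread is the classic hairpin-NAT (NAT loopback) symptom: the client resolves the public hostname to the firewall's own WAN address, sends the packet to the outside interface, and the firewall only reflects it back in for VLANs where a loopback rule exists. Every other VLAN sees a silent timeout that looks exactly like a geoblock. The script below is an added example, not code from the thread or from Nextcloud; it separates the three things that got conflated (what DNS returns, whether the TCP handshake to 443 completes, and which path the client is on). The hostname is the one from the thread; the WAN and LAN addresses are documentation-range placeholders you would replace with your own.

```python
"""Tell hairpin-NAT failures apart from DNS and firewall problems.

Added example, not from the original thread. Run it once from the VLAN that
works and once from the VLAN that does not; the verdicts should differ only in
the hairpin line. HOSTNAME is the thread's name; WAN_IP/LAN_IP are constructed
placeholders (RFC 5737 / RFC 1918 addresses), not the poster's real values.
"""
import ipaddress
import socket
import sys

HOSTNAME = "nextcloud.mydomain.co.uk"   # from the thread
WAN_IP = "203.0.113.10"                 # placeholder: firewall's public address
LAN_IP = "192.168.10.5"                 # placeholder: the Pi's address on the LAN


def resolve_ipv4(hostname):
    """IPv4 addresses the local resolver returns for hostname (needs DNS)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def path_kind(resolved, wan_ip, lan_ip):
    """Which path a LAN client takes to reach the resolved address.

    direct   : DNS gives the server's LAN address (split-horizon DNS). Traffic
               never leaves the inside; only inter-VLAN rules apply.
    hairpin  : DNS gives the firewall's own WAN address. The client sends to
               the outside interface and the firewall must reflect it back in
               (hairpin NAT / NAT loopback), usually a per-VLAN setting.
    external : neither, e.g. a stale record or a typo in the zone.
    """
    addr = ipaddress.ip_address(resolved)
    if addr == ipaddress.ip_address(lan_ip):
        return "direct"
    if addr == ipaddress.ip_address(wan_ip):
        return "hairpin"
    return "external"


def tcp_probe(ip, port=443, timeout=3.0):
    """Attempt only the TCP handshake (no TLS, no HTTP) and name the outcome."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except socket.timeout:            # silently dropped: typical hairpin/firewall symptom
        return "timeout"
    except ConnectionRefusedError:    # host reached, port closed
        return "refused"
    except OSError as exc:            # no route, network unreachable, etc.
        return "error:%s" % (exc.errno,)


def diagnose(probe, kind):
    """Most likely cause, given the handshake outcome and the path kind."""
    if probe == "open":
        return "reachable"
    if kind == "external":
        return "DNS does not point at this site; fix the record before touching firewall rules"
    if probe == "refused":
        return "host reached, but nothing is listening on that port"
    if probe == "timeout" and kind == "hairpin":
        return "hairpin NAT (NAT loopback) is not enabled for this VLAN, or an inter-VLAN rule drops the reflected traffic"
    if probe == "timeout" and kind == "direct":
        return "an inter-VLAN firewall rule blocks this VLAN from the server"
    return "unclassified: " + probe


def check(hostname=HOSTNAME, wan_ip=WAN_IP, lan_ip=LAN_IP):
    """Live check: one (address, path kind, probe outcome, verdict) per A record."""
    results = []
    for ip in resolve_ipv4(hostname):
        kind = path_kind(ip, wan_ip, lan_ip)
        probe = tcp_probe(ip)
        results.append((ip, kind, probe, diagnose(probe, kind)))
    return results


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else HOSTNAME
    for ip, kind, probe, verdict in check(host):
        print(f"{host} -> {ip} [{kind}] tcp/443={probe}: {verdict}")
    # Probe the LAN address directly to prove the server itself is up; if this
    # is "open" while the hostname line is "timeout [hairpin]", the firewall's
    # loopback rule for this VLAN is the problem, not Nextcloud or the client.
    print(f"direct {LAN_IP} tcp/443={tcp_probe(LAN_IP)}")
```

A "timeout [hairpin]" on the guest VLAN beside "open" on the trusted VLAN is the pattern the poster hit. The other fix, instead of a per-VLAN loopback rule, is split-horizon DNS on the internal resolver so the hostname returns the Pi's LAN address and the path kind becomes "direct"; that also keeps the reflected traffic off the WAN interface, where the geoblock rule is evaluated.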