
    Cannot connect externally when server is connected to a VPN

    meltham
    #1
    2024-07-02, 09:09 PM
    Hi all, I am having a rather peculiar issue.

    I have a Jellyfin server running on my network at address x.x.x.13. I can access the webpage for it fine via this address when connected to the same local network. I have a port forward enabled so that I can access the server externally, and I can confirm that works.
    However, I also have a VPN installed on the server so that it accesses the internet with a touch of privacy. When I enable the VPN service, I can still access the Jellyfin webpage via x.x.x.13 when connected to the same local network, however I am no longer able to access it externally, despite the port forward still being in place and me still being able to access it via x.x.x.13 when on the same local network.

    Whether the server is connected to the VPN or not, the command 'netstat -tunlp' shows that Jellyfin is listening on the local address "0.0.0.0:8096 (TCP)", with the foreign address set to "0.0.0.0:*" - to my understanding that is saying that Jellyfin is listening on all instances, accepting connections from all addresses.

    Seeing as I can access the server locally no matter what, I see no reason for it to be inaccessible when it is connected to its VPN.

    I have tried forcing Jellyfin to use the x.x.x.13 address in the network settings page but that made no difference.

    Hopefully there are some ideas out there regarding this issue.

    Thank you
    TheDreadPirate
    #2
    2024-07-02, 09:17 PM
    Are you able to exclude Jellyfin from your VPN?
    Jellyfin 10.10.7 (Docker)
    Ubuntu 24.04.2 LTS w/HWE
    Intel i3 12100
    Intel Arc A380
    OS drive - SK Hynix P41 1TB
    Storage
        4x WD Red Pro 6TB CMR in RAIDZ1
    mildlyjelly
    #3
    2024-07-02, 11:03 PM
    When you enable a privacy VPN, it will enable firewall rules to block incoming traffic from other interfaces, with the exception of local network traffic to the router which is necessary for things like DHCP. But these rules can often be configured to allow other local network traffic as well (like what appears to be happening in your case).

    What I suspect is happening is that your VPN rules are seeing an external IP on the port forwarded traffic and blocking it.

    As TheDreadPirate mentioned, the easiest thing to do would likely be to exclude port 8096 from your privacy VPN.
    If that isn't an option, it might be possible to create a custom firewall rule to allow external traffic through 8096 (overriding the VPN's rule [this is what I do, but I'm on Linux]). Or you could create a reverse proxy elsewhere on your network to accept the port forwarded traffic, which your Jellyfin server would then see as internal traffic.
    meltham
    #4
    2024-07-04, 05:30 AM
    Thank you both for your assistance and explanations. I have managed to get around this using a reverse proxy on another device in the network, just like the way mildlyjelly suggested.

    mildlyjelly - how have you managed to create a custom firewall rule to override the VPN's rule? I am also running on Linux, and would be interested in seeing what you did there, as Jellyfin isn't the only thing I intend to host from the same device.

    Thanks again.
    mildlyjelly
    #5
    2024-07-04, 02:13 PM (This post was last modified: 2024-07-04, 02:15 PM by mildlyjelly. Edited 1 time in total.)
    The specifics will depend on how your VPN works and what distribution you are using. My VPN creates a new network device called "ext0" and creates firewall rules to restrict all traffic through other interfaces. It also creates an IP route to send all non local network traffic to "ext0".

    On Ubuntu, you can see your network interfaces using the command:
    Code:
    ip a

    I use iptables to control the firewall, but there are other tools that might be easier to use such as UFW (Uncomplicated Firewall).
    You can use this command to see your firewall rules:
    Code:
    iptables -vnL

    In my case, my input chain policy gets set to DROP all traffic, and rules are created to allow traffic to local machines and through "ext0".
    I am able to add new rules in front of the existing ones (they are checked from top to bottom) to accept port 8096 traffic from anywhere using a command similar to this one:
    Code:
    iptables -I INPUT 1 -i eth0 -p tcp --dport 8096 -j ACCEPT

    Similarly, I need to add a rule to allow traffic in the output chain using a command like this:
    Code:
    iptables -I OUTPUT 1 -o eth0 -p tcp --sport 8096 -j ACCEPT

    Depending on what you want to do and how your VPN configures the ip routes, you may need to add new rules here too. These are handled by the kernel and the only thing they do is decide which network interface to send traffic to.
    You can see your ip routes using this command:
    Code:
    ip route show

    In my case, I needed to add an IP route to route local traffic to eth0 instead of ext0, like this:
    Code:
    ip route add 192.168.1.0/24 via 192.168.1.1 dev eth0 onlink table 0

    https://www.digitalocean.com/community/t...wall-works
    https://www.digitalocean.com/community/t...d-commands
    https://www.baeldung.com/linux/route-tra...-interface
    meltham
    #6
    2024-07-05, 08:42 PM
    Thank you for this, I shall keep it noted. In my case, apparently I have no rules in iptables. The iptables -vnL command returns the INPUT, FORWARD and OUTPUT chains, but there are no rules listed under any of them. I did add these rules, however it didn't seem to change anything. Regarding the route for the local network, I have managed to insert that into my VPN config file so that it gets added when the VPN is activated (the route also exists without the VPN in ip route show), however that also didn't make a difference. If it is any help, the VPN is run on OpenVPN, and I use the openvpn CLI client to activate the connection - my config file is also a .ovpn file.

    Thank you for your help.
    mildlyjelly
    #7
    2024-07-10, 05:56 PM
    Unfortunately, without knowing the specifics of your system, I would not be able to give you anything more than some general direction and some reading resources. For example, the rules I provided are not specific to your system and would not work without being adjusted to the specifics of your system. The iptables rules, for example, can't do anything if your firewall is already wide open, which it sounds like is the case for you.

    That third link I gave you, Route Traffic for a Specific IP, does a pretty good job of explaining how ip routes work and how you would create one specific to your system. I can't promise this is the solution in your case, but I believe it is. More than likely you have multiple virtual interfaces (one of which is for the VPN) all communicating over a single physical interface (ethernet or wifi). All web traffic gets sent through one of these virtual interfaces. It is the ip routes table that determines which interface to send the traffic through based on the ip address of the traffic.

    What you want to do is create an ip route that will route traffic from the ip address of your external Jellyfin user to the virtual interface that is not used by your VPN.
    The command to create that rule should look like this:
    Code:
    ip route add [JELLYFIN_USER_IP] via [GATEWAY_IP] dev [THE_NON-VPN_DEVICE_NAME]
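
An added example, not part of any post in this thread: it shows why replies to port-forwarded clients leave through the VPN while LAN clients still work, and prints (without applying) source-based routing rules that cover every external client instead of one route per user. The route table is constructed, and the interface name tun0, the 192.168.1.x and 10.8.0.x addresses, the client 203.0.113.50 and table number 100 are all assumptions.

```sh
#!/bin/sh
# Constructed `ip route show` output for a server at 192.168.1.13 whose OpenVPN
# client installed redirect-gateway def1 routes (tun0 and all addresses assumed).
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.13'

# reply_dev ROUTES DEST_IP: print the device chosen by longest-prefix match
# for a packet sent to DEST_IP (IPv4, single table, metrics ignored).
reply_dev() {
    printf '%s\n' "$1" | awk -v ip="$2" '
    function ip2n(a,  p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    BEGIN { target = ip2n(ip); best = -1 }
    {
        if ($1 != "default" && $1 !~ /^[0-9]/) next   # skip blackhole, unreachable and similar entries
        dst = ($1 == "default") ? "0.0.0.0/0" : $1
        if (index(dst, "/") == 0) dst = dst "/32"
        split(dst, d, "/"); len = d[2] + 0
        size = 2 ^ (32 - len)                         # number of addresses in the prefix
        if (int(target / size) != int(ip2n(d[1]) / size)) next
        dev = ""
        for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
        if (len > best) { best = len; out = dev }
    }
    END { if (best >= 0) print out }'
}

# policy_fix SERVER_IP LAN_CIDR GATEWAY DEV [TABLE]: print (do not apply) rules
# that send every packet sourced from SERVER_IP through the LAN gateway.
policy_fix() {
    t=${5:-100}
    echo "ip route add $2 dev $4 table $t"
    echo "ip route add default via $3 dev $4 table $t"
    echo "ip rule add from $1 lookup $t"
}

# LAN client stays on eth0; the port-forwarded client is answered via tun0.
for ip in 192.168.1.20 203.0.113.50; do
    echo "reply to $ip leaves via $(reply_dev "$SAMPLE_ROUTES" "$ip")"
done
policy_fix 192.168.1.13 192.168.1.0/24 192.168.1.1 eth0
```

On a live system, `ip route get 203.0.113.50` answers the same question from the kernel's own tables.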