Forum / NoMachine for Mac / Can’t connect to Mac host when it’s connected to a VPN
Tagged: vpn
- This topic has 23 replies, 3 voices, and was last updated 2 years ago by Britgirl.
January 17, 2023 at 16:09 #42534 BriBri (Participant)
Can you try to connect using NoMachine to the server (with VPN enabled) using the public IP, not the whatever.xxx.net domain?
I’ve tried, and it doesn’t work. I can confirm that my hostname is correctly resolving to my network’s public IP address, though.
Can you, with VPN enabled, ping whatever.xxx.net?
Yes.
Are you connecting to the server via SSH using the domain with the VPN enabled? For example, ssh user@whatever.xxx.net?
No, this system is not set up to be accessible via SSH from the internet, though I can connect to it via SSH from another system on my local network while the VPN is enabled.
January 17, 2023 at 19:24 #42546 Tom (Participant)
I’m not sure if this is a NoMachine problem.
If you can, try one more time, but it would require opening an SSH port on your router for a while and redirecting it to this server.
If you do this, try connecting to that host via ssh with VPN turned on and off.
Disable port forwarding for SSH immediately after the tests.
“No, this system is not set up to be accessible via SSH from the internet, though I can connect to it via SSH from another system on my local network while the VPN is enabled”
This is not a test that can rule anything out; from what I understood, both computers are on the local network.
They are computer 1 and computer 2 in the last diagram I attached. Is that right?
Just to be sure, you run the VPN on computer 3 from the diagram?
Regards,
Tom
January 18, 2023 at 16:29 #42564 BriBri (Participant)
Ah, I missed that computer 3 in the diagram is labeled as being connected to the VPN. It is not. The only computer that connects to the VPN is computer 1.
Yes, computer 1 and 2 are on the same LAN, and I can connect from computer 2 to computer 1 using both SSH and NoMachine’s NX protocol, even when computer 1 is connected to the VPN.
I think this issue must have something to do with NoMachine specifically, perhaps the way NoMachine hosts its service on computer 1. This is because NoMachine is the only service that I cannot connect to from the internet (i.e. from computer 3) when computer 1 is connected to the VPN. All other services work properly, provided I have set up port forwarding correctly.
It doesn’t make sense to me, though, because presumably NoMachine is binding to address 0.0.0.0 so that clients can connect to it from any network interface. And I even used the “NXdListenAddress” setting to force it to bind to the local 192.168 LAN address. Furthermore, my router will forward outside connection attempts on port 4000 to computer 1’s LAN address specifically, meaning the VPN’s virtual network interface and its assigned IP on the VPN’s subnet should never be used. And yet for some reason I cannot connect when the VPN is connected.
Could there be something I need to change about my router configuration so that it forwards packets correctly? I have it set to forward both TCP and UDP packets. Perhaps there’s another port that needs to be opened up?
Or, could it be that there’s a handshake that happens at connection time, something like TUN/TAP, that is not binding to the same network interface as NoMachine’s NX service, and therefore the handshake fails when the VPN’s network interface and gateway are the system’s default?
Or, do I need to add a specific static route to computer 1’s routing table in order for NoMachine to work properly over a non-default network interface?
January 18, 2023 at 20:45 #42581 Tom (Participant)
Hi,
I made a copy of your environment in my lab.
My settings:
Public IP aaa.aaa.aaa.aaa
On the router I forward port 4000 to internal IP iii.iii.iii.iii (computer 1 IP) and port 4000.
From computer 1 I connect to the VPN.
With these VPN settings, I only send traffic through it to the network behind the VPN server.
My public address is aaa.aaa.aaa.aaa. I checked it on https://whatismyipaddress.com
From computer 3 I can connect to computer 1 by connecting to port 4000 and IP address aaa.aaa.aaa.aaa.
I change the VPN configuration so that all outgoing traffic goes through it.
My public IP address changes to bbb.bbb.bbb.bbb; I checked it on https://whatismyipaddress.com/
I try to connect from computer 3 to the IP address aaa.aaa.aaa.aaa and port 4000; the connection doesn’t work.
Therefore, I believe that the VPN configuration matters, and this is not related to a bug in NoMachine.
Regards,
Tom
January 19, 2023 at 15:33 #42585 BriBri (Participant)
Tom, thanks for taking the time to look into this and duplicate this situation in your lab.
If it’s an issue with the VPN configuration, then I need advice on how to fix it.
Remember, NoMachine is the only service that I cannot access on computer 1 when it is connected to the VPN. All other services on computer 1 are fully accessible from the internet with proper port forwarding, even when it’s connected to the VPN. This may not necessarily be a bug in NoMachine, but at the very least NoMachine is doing something differently from other services that prevents it from working when my system is connected to the VPN. It may also require a change to NoMachine’s configuration.
The issue must have something to do with how traffic is being routed.
Is there any way to force NoMachine to use a specific network interface for all of its network traffic? If I can configure it to always use the ethernet interface, then I think everything should start working.
Another possible issue: Does NoMachine make any outgoing connections to clients using the NX protocol on top of receiving an incoming connection? All incoming connections should happen over the local ethernet interface and not the VPN, as my router forwards to my system’s local IP address. However, if NoMachine also made a separate outgoing connection to the client as part of the NX protocol, then that would go through the VPN, and that could explain why the connection fails to work.
January 20, 2023 at 14:05 #42598 Britgirl (Keymaster)
Hi, we seem to be going round in circles a little bit with this topic. Here’s what we know so far:
On your Mac host with NX Server installed, you have a VPN client running to connect to a VPN server and route all outgoing traffic via this VPN server. In this scenario it’s normal that it’s impossible to connect from outside to that host. It’s impossible because in that case that host cannot answer to incoming traffic. Data cannot be sent anywhere except to the VPN server.
But, you said earlier that you can add exceptions to this VPN configuration so that data to some IPs can be sent directly to the Mac host, without going through VPN server. If that’s the case, then NX should work as well. But this is the problem and the reason for this topic 🙂
You say that all services can connect to this Mac server except for NX. But this doesn’t include SSH because in another post you mentioned that SSH connections are disabled. You say that SSH works, but you tested this whilst on the same LAN, which is not quite the same thing. Additionally, you can also connect with NoMachine to the Mac server when connecting from LAN.
In a test Tom requested, he asked you to temporarily enable SSH connections from outside. We want you to do this test again. Enable SSH connections on your Mac host, enable the VPN there as well, and from an external computer, open a terminal and run
ssh user@whatever.xxx.net
Can you connect? If not, then NoMachine won’t be able to connect either, our debug stops here, and you should check your VPN configuration carefully. If you can, then we need you to make a further test.
Install Enterprise Desktop evaluation on your Mac (it supports SSH connections), reboot etc. Enable debug logs by executing
$ sudo /etc/NX/nxserver --debug --enable all
from a terminal on the Mac server, restart the server in Server settings. Make sure the VPN is enabled. On the Player machine, enable the checkbox “Don’t delete logs on exit”. From outside the LAN, start a NoMachine SSH connection to your NoMachine Mac server. Can you connect? If not, we need logs of that session, from both Player and Server sides (so two sets of logs). To gather the server side logs run
$ sudo /etc/NX/nxserver --debug --collect
Send server and player logs to forum[at]nomachine[dot]com and we will check them.
If you can connect via SSH move on to the next test. With NoMachine, try connecting with NX protocol again. We will need both sets of logs of that failed session. So to sum up please try:
1) pure ssh connection from outside the LAN. If it doesn’t work, we can’t proceed. If it works, go to point 2)
2) NoMachine SSH connection from outside. If it doesn’t work, send us the logs. If it works, go to point 3)
3) NoMachine NX connection from outside. If it fails, send us the logs.
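The routing behaviour Tom reproduced in his lab and Britgirl describes above, as an added example (not NoMachine's or any forum member's code): a destination-only longest-prefix-match simulation of computer 1's routing table in split-tunnel mode, full-tunnel mode, and full-tunnel with a per-client exception route. The addresses are constructed RFC 5737/RFC 1918 values standing in for the thread's aaa/bbb/iii placeholders, and the interface names en0/utun0 are an assumption about a macOS host.

```python
import ipaddress

# Constructed addresses (RFC 5737 / RFC 1918) replace the thread's aaa/iii placeholders; interface names assume macOS.
LAN_IF, VPN_IF = "en0", "utun0"
LAN_GW = "192.168.1.1"   # home router, which port-forwards TCP/UDP 4000 to computer 1
VPN_GW = "10.8.0.1"      # VPN server end of the tunnel

# Split tunnel (Tom's first run): only the network behind the VPN server uses utun0.
ROUTES_SPLIT = [
    ("192.168.1.0/24", LAN_IF, None),    # directly connected LAN
    ("10.8.0.0/24", VPN_IF, VPN_GW),     # network behind the VPN server
    ("0.0.0.0/0", LAN_IF, LAN_GW),       # default via the home router
]
# Full tunnel (Tom's second run): the VPN client takes over the default route.
ROUTES_FULL = [
    ("192.168.1.0/24", LAN_IF, None),
    ("0.0.0.0/0", VPN_IF, VPN_GW),       # everything else leaves via the tunnel
]

def egress(routes, dst):
    """Destination-only longest-prefix match: (interface, gateway) for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]

def reply_is_symmetric(routes, client_ip):
    """The router forwards the client's SYN onto en0.  The SYN/ACK must leave on
    en0 as well; if it leaves via utun0 it reaches the client from the VPN's
    public address (bbb.bbb.bbb.bbb) instead of aaa.aaa.aaa.aaa and is dropped."""
    iface, _ = egress(routes, client_ip)
    return iface == LAN_IF

def with_exception(routes, client_ip):
    """Per-client host route via the home router: the kind of exception the
    thread mentions, keeping that one client's replies off the tunnel."""
    return [(f"{client_ip}/32", LAN_IF, LAN_GW)] + list(routes)

if __name__ == "__main__":
    remote, lan_peer = "203.0.113.7", "192.168.1.50"   # computer 3, computer 2
    for name, routes in [("split", ROUTES_SPLIT), ("full", ROUTES_FULL),
                         ("full+exception", with_exception(ROUTES_FULL, remote))]:
        print(f"{name:15} computer3={reply_is_symmetric(routes, remote)} "
              f"computer2={reply_is_symmetric(routes, lan_peer)}")
```

The LAN peer (computer 2) succeeds in every mode because the connected /24 route always wins, which matches the thread's observation that LAN-side NX and SSH keep working while the VPN is up.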
January 20, 2023 at 14:07 #42599 Britgirl (Keymaster)
On another note, you asked about NoMachine and how data travels between client and server. Please see our articles here for more about this:
Default ports used by NoMachine 4 or later – https://kb.nomachine.com/AR01L00770
NX and the use of UDP protocol – https://kb.nomachine.com/AR10T01174
January 20, 2023 at 19:05 #42611 BriBri (Participant)
Hello all,
Sorry for all of the back and forth and confusion this thread has caused. I just tried the test where I connect to my mac (i.e. system 1) from out of my local network while the VPN is connected, and that doesn’t work either. I could’ve sworn there was a point in time where it did work, but apparently no longer.
That at least gives me another avenue to pursue. If I can get that working then I will try to implement the same solution with NoMachine, and then report back as to how it works. Hopefully I’ll have a happy end to the story to tell!
January 23, 2023 at 10:22 #42642 Britgirl (Keymaster)
So, in other words, removing NoMachine from the picture, you cannot make a pure SSH connection to the Mac host from outside the network.
When you’ve got your networking set-up sorted, carry out the simple tests I suggested again and if you can’t connect with NoMachine in test 2 or 3 come back to us with the logs as requested.