iptables – OpenVPN – Accessing docker containers on the host machine

I’m having some issues accessing docker containers over my remote OpenVPN connection to my home Ubuntu Server 20.04 LTS.

My setup: I have a few docker containers (bridge mode) running on the same machine as the OpenVPN Access Server that I would like to access remotely without exposing access over the internet. I’ve successfully proved that the docker services can be accessed from outside the local network by temporarily exposing and forwarding those ports.

I am also able to successfully connect to other machines on the local subnet via the OpenVPN connection and access native services running on the OpenVPN host.

When attempting to access docker services running on the host machine, the request times out with no response.

My hunch is that the iptables rules on the host machine created by docker may be filtering out traffic from anything other than the local subnet (192.168.1.0/24 range), whereas VPN connections are assigned to a different subnet. This is the point where I get a bit out of my depth!

I’ve listed below the OpenVPN config file (hopefully removing anything sensitive!), the relevant docker IP table rules and the results of the tests I have run so far. Hope you can help!

Timeout when attempting to access docker services on the host:

curl -sv http://192.168.1.x:8002 1> /dev/null
*   Trying 192.168.1.x:8002...
* TCP_NODELAY set
* connect to 192.168.1.x port 8002 failed: Connection timed out
* Failed to connect to 192.168.1.x port 8002: Connection timed out
* Closing connection 0

Successful response connecting to a native service on the same host:

curl -sv http://{host IP}:{native service port} 1> /dev/null
*   Trying 192.168.1.x:xxxx...
* TCP_NODELAY set
* Connected to 192.168.1.x (192.168.1.x) port xxxx (#0)
> GET / HTTP/1.1
> Host: 192.168.1.x:xxxx
> User-Agent: curl/7.65.3
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Content-Length: 193
< Content-Type: text/html
< Connection: close
< Cache-Control: no-cache
< Date: Wed, 13 Jan 2021 01:39:12 GMT
<
{ (193 bytes data)
* Closing connection 0

Successful request to the docker service from the local subnet (no OpenVPN connection) :

curl -sv http://192.168.1.x:8002 1> /dev/null
*   Trying 192.168.1.x:8002...
* TCP_NODELAY set
* Connected to 192.168.1.x (192.168.1.x) port 8002 (#0)
> GET / HTTP/1.1
> Host: 192.168.1.x:8002
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
***
<
{ (6324 bytes data)
* Connection #0 to host 192.168.1.x left intact

OpenVPN Config:

# OpenVPN AS 1.1 configuration file

# enable AS Connect functionality
AS_CONNECT=true

# temporary directory
tmp_dir=~/tmp

lic.dir=**REMOVED**

# run_start retries
run_start_retry.give_up=60
run_start_retry.resample=10

# enable client gateway
sa.show_c2s_routes=true

# certificates database
certs_db=**REMOVED**

# user properties DB
user_prop_db=**REMOVED**

# configuration DB
config_db=sqlite:**REMOVED**

# configuration DB Local
config_db_local=sqlite:**REMOVED**

# cluster DB
cluster_db=sqlite:**REMOVED**

# notification DB
notification_db=sqlite:**REMOVED**

# log DB
log_db=sqlite:**REMOVED**

# wait this many seconds between failed retries
db_retry.interval=1

# how many retries to attempt before failing
db_retry.n_attempts=6

# bootstrap authentication via PAM -- allows
# admin to log into web UI before authentication
# system has been configured.  Configure PAM users
# allowed to access via the bootstrap auth mechanism.
boot_pam_service=openvpnas
boot_pam_users.0=openvpn
# boot_pam_users.1=
# boot_pam_users.2=
# boot_pam_users.3=
# boot_pam_users.4=

# System users that are allowed to access the server agent XML API.
# The user that the web server will run as should be in this list.
system_users_local.0=root
system_users_local.1=openvpn_as

# The user/group that the web server will run as
cs.user=openvpn_as
cs.group=openvpn_as

# socket directory
general.sock_dir=~/sock

# path to linux openvpn executable
# if undefined, find openvpn on the PATH
#general.openvpn_exe_path=

# source directory for OpenVPN Windows executable
# (Must have been built with MultiFileExtract)
sa.win_exe_dir=~/exe

# The company name will be shown in the UI
# sa.company_name=Access Server

# server agent socket
sa.sock=~/sock/sagent

# If enabled, automatically generate a client configuration
# when a client logs into the site and successfully authenticates
cs.auto_generate=true

# files for web server (PEM format)
cs.ca_bundle=~/web-ssl/ca.crt
cs.priv_key=~/web-ssl/server.key
cs.cert=~/web-ssl/server.crt

# web server will use three consecutive ports starting at this
# address, for use with the OpenVPN port share feature
cs.dynamic_port_base=870

# which service groups should be started during
# server agent initialization
sa.initial_run_groups.0=web_group
#sa.initial_run_groups.1=openvpn_group

# use this twisted reactor
sa.reactor=epoll

# The unit number of this particular AS configuration.
# Normally set to 0.  If you have multiple, independent AS instances
# running on the same machine, each should have a unique unit number.
sa.unit=0

# If true, open up web ports on the firewall using iptables
iptables.web=true

vpn.server.user=openvpn_as
vpn.server.group=openvpn_as

Relevant iptables Docker rules:

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             172.18.0.6           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Accessing Animal not belonging to User: 400, 401, 403, 404, other?

Consider animals being some REST resources. User has animals assigned to him.

The endpoint /api/animals/{animalId}/feed is used to feed a given animal by the authenticated user.

User should not be able to feed animals he does not own. What HTTP status code should be emitted in such a scenario?

400, 401, 403, 404, something else?


Also, should the situation where passing animalId that does not exist, e.g. 123456789 be distinguished from the situation where animalId does not belong to the logged in user?

I personally feel like I should return 404 in all cases.


This seems like a typical REST design situation, so I am wondering how experienced devs would solve it.

problem in accessing other locations

I am using Ubuntu 20.04 on a ThinkPad T460p. I have bookmarked Other Locations and renamed them according to their capacity. Whenever I restart the system and open Other Locations for the first time, an error message occurs and says "unable to find requested file please check the spelling".

network – My neighbor hacked all my devices (phones and wifi) and I need to know how to stop this & what all she is capable of accessing

I wanted to ask some experts what to do in this situation..

I moved into a duplex house 3 months ago. My neighbor connected to my house seemed to be innocent and nice. I live in Memphis, Tennessee and she is a data analyst for FedEx.

A couple days ago, I overheard through the wall that she had videos of me doing sexual acts. I realized that the only way she can get this is through a camera in my side of the house. Our sides are not connected with any entrances just a wall, so I assumed she broke in to place these spy cameras.

Right after I heard that, I went to buy new door knobs (I know I need added safety). When I came home, she had been inside my house. My front door did not have my chain lock done and my glass door in front of my main front door is always locked as well. My door I entered from is my side door, which is next to my long driveway. She had to see I pulled up and panicked and went out the front door to not get caught. I live in Memphis, I always triple check my locks before I leave.

I did a random code to see if anyone was in my phone and there was someone, but not her number. I am assuming this can be for a cloning device she had made or her work number. I went into my xfinity account and it did not log in with my email, so I logged in with my phone number. I did reset password and it resent to a wesleyin.edu account. Right after it was changed back to my email. This is the college she went to in Macon, Georgia.

I keep hearing her talk about it, but not able to record it. I went to the police…but no evidence to file anything. I got a new modem from xfinity but I am scared to set it up. I will go by AT&T today to see if they can see anything.

I believe she is in my wifi and all my devices ever connected, as well as cameras in my house (maybe in outlets).

What is she capable of?

What does it sound like she has done?

Side note – We have never had problems or been close in any way. I set the tone for open communication if there were ever any instances. She has never addressed anything with me. We had plans to hang out one day in the beginning, but I had gone through something traumatic that day (my bf almost getting killed in an attempted robbery at that house) so I canceled and she seemed understanding about it. Everyone is saying she is obsessive, and I am slowly beginning to think this is the case.

Please, please help me.

Nginx experiencing 502 gateway errors when accessing my site

Debian 10
Nginx

nginx error log
I’m experiencing 502 gateway errors when accessing my site from time to time.

Ubuntu 20.04, Nginx, P… | Read the rest of https://www.webhostingtalk.com/showthread.php?t=1833669&goto=newpost

Accessing my new Samsung 970 EVO NVMe M.2 drive

I recently installed a Samsung 970 EVO NVMe M.2 drive on my Gigabyte Z390 UD motherboard. My OS is Ubuntu 16.04.6. The drive is recognized by the BIOS and shows up (as nvme0n1) when I execute the lsblk command, but it has no mount point, and I can’t access it. I have spent too much time looking for an answer on the internet, but most proposed solutions don’t work. What can I do to correct this situation?

Which is faster using script properties or accessing google sheets

I have a google apps script web app that allows people to register for events. I want to speed up forming the events table I send when the app is accessed. Currently I read a google sheet (one read of all the data into an array), process it to form a table and return the web page.
When I am testing, it works fairly quickly the second time I call the app, but it’s slow the first time. Presumably this is a caching thing. The problem is that the app does not, relatively speaking, get used very often, so the first-time response is the one usually experienced by the users. This also means I cannot use the caching service to save the events data. However, it is fairly small, so I could save it as script properties.
My question is: how fast would this be compared to reading the array from the sheet? Does it have to go and get the data from storage, or is it read in when the script executes?
Given the low transaction rate I can use the lock service to make sure users don’t interact with each other.
If anyone has any detailed documentation or knowledge on how script properties work I would be very interested to know.

Thanks in advance

vpn – Using DAAS for accessing to banned websites

In my country, gambling websites are blocked. We, as a company, want to detect which payment systems bookmakers are using on gambling websites. So we want to access them, behave like a bookmaker, and get information about those kinds of websites.

We want to hide our info, like IP address, location etc. Of course we may use a Proxy or VPN; actually they are good solutions. But managers don’t trust these solutions; they are hesitant because these services may be logging info.

Apart from a VPN or Proxy, what can be used for accessing gambling websites? I would advise using Desktop As A Service (DAAS). My plan is:

  1. Connect to DAAS
  2. Set up a VPN or Proxy in DAAS (I assume that I will be admin in the DAAS)
  3. Access the gambling website

This looks like a good solution. But when researching on the internet, there is no advice about it. I mean no one says “connect to DAAS, go to the gambling site from there”.

What are other solutions?

If I posted this problem in the wrong place, I am sorry.

How to prevent Apple and Google from accessing Telegram messages

Telegram is completely blocked in my country (entire IP range and domain of telegram). However, telegram notifications are being displayed on my android phone and iPad. This implies that in addition to me and Telegram Company, third parties (Google and Apple) also have access to my messages. If I am right and this is the case, how can I prevent those third parties from accessing my messages even with the cost of not showing telegram notification?

radio firmware – Accessing the antenna of an Android system

I am asking a similar question to this one, "Tap off raw RF data from antenna", but would like further explanation.

First off, I’m an electrical engineer, so I have no experience with android systems besides the average phone user experience.

What I am trying to do is use a mobile device that can read RFID data at 2.4 GHz. This is as low-level as you can get, but I know we don’t have access to raw RF data. Is there a way I can collect the RFID data without needing any external peripherals?