How to access chat server with private IP over the internet?
Hello everybody,
This is a tough one for me, let me try to explain myself:
I have a chat server accessible through port 5222, which works great on my LAN, but I can't access it over the internet because my router doesn't have a public IP assigned to its external interface; it has a private IP assigned to it, just like its internal interface but in another network, so I can't make a port forward to any computer inside my LAN, including my server. The router doesn't even have the port forward option.
Ok now, I know I can use Hamachi, TeamViewer VPN, or any other VPN service out there, BUT that solution is not all that great, because I would have to use VPN software on tablets, phones, Macs, etc., virtually on every device I want to connect to my chat server...
So... I was wondering if there is some kind of VPN service, but with the ability to assign me a VPN IP, and also a public IP address assigned to my VPN, so I can then make a port forward?...
Something like this:
(LAN IP eth0 and VPN IP tun0) Chat Server --- Router --- INTERNET --- VPN Server (with VPN IP and PUBLIC IP [assigned to my VPN])
So now I can access my chat through a public IP, which port forwards to my server's VPN IP (tun0).
Am I crazy, or is this really possible?...
Do you have any other ideas? I'm open to more ideas...
You really do need port-forwarding on your public facing router. If it doesn't have that, then it's time to buy a new one that does.
You can then set up routing between the outside world and your chat server.
Now, if it were me, I would (as I have so often preached here ... ) set up an OpenVPN tunnel such that anyone who wishes to reach your chat server must first be passing through the tunnel. Authorized chat users bearing the crypto certificates that you issued to them can connect and chat away. No one else can see that anything even exists at this public IP-address: there are no "open ports."
Notice that I'm speaking of an OpenVPN server running on your local network, accessible to the outside but being the only service accessible to the outside. (And, hidden from view with tls-auth.) Wanna chat? First you gotta connect. Then you can see the (internal) IP-address of the chat server and connect to it using port 5222. No one can eavesdrop on your chats, nor "barge in."
Last edited by sundialsvcs; 12-16-2016 at 10:25 AM.
You really do need port-forwarding on your public facing router. If it doesn't have that, then it's time to buy a new one that does.
Not all that do allow port forwarding are on an ISP that has an accessible network. When using a mobile modem, you can easily go through 7 or 8 layers of private networks before getting to any external address. In such a case it's not possible to do anything about those additional layers, only the top layer and that's not enough.
As far as I know there are two ways around that situation, both relying on SSH.
One method would be to have an external machine and create a reverse tunnel to it. Then outside clients can connect via that reverse tunnel. It's a two-step connection but can be automated with keys and some lines in ssh_config.
Another method is to set the chat server up as an onion service over Tor. Set it to listen on localhost only, then set up a tor client to forward to that port with the HiddenService directive. Then you need to tunnel the client over Tor, but that can be set up fairly easily.
And, I guess, the third option that is being avoided here is shelling out for a VPS and hosting the chat server on the VPS. That would kind of be half of the first method proposed but without the privacy or control.
One method would be to have an external machine and create a reverse tunnel to it. Then outside clients can connect via that reverse tunnel. It's a two-step connection but can be automated with keys and some lines in ssh_config.
I like this option (number one)... can you elaborate a little bit more please?...
I like this option (number one)... can you elaborate a little bit more please?...
Thanks in advance...
It's not complicated, just hard to explain.
If you have a network with machines A, B, and C such that A is unreachable from outside but B is, then you 1) connect from A to B, building a reverse tunnel, and then 2) connect from C to B and then via the reverse tunnel to A.
So connecting from the inside to the outside, make a reverse tunnel:
Code:
ssh -R 9999:localhost:22 machineB.example.com
Leave that connection open (it can be automated with keys, see -N and -f for ssh as well as keys)
Then as long as that connection stays open, you can use B as a jump host (aka bastion) to reach A from C.
So on machine C connect to A via the reverse tunnel on B:
If that works, a shortcut can be made in C's ~/.ssh/config. Then the reverse tunnel from A to B can be automated using keys. MachineA and MachineB need OpenSSH server running, the latter needs to be accessible from anywhere.
Edit: if you have a very recent version of OpenSSH, the -J option is much easier to use for step 2.
Last edited by Turbocapitalist; 12-17-2016 at 09:23 AM.
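The reverse-tunnel procedure from the post above, written out as an added example (this is not code from the thread or from the poster). It produces the ssh command machine A runs to hold the tunnel to B open, the ~/.ssh/config stanza machine C uses to reach A through B with ProxyJump (the -J option mentioned in the edit), and a check that B only exposes the forwarded port on loopback. Host names, the user name "tunnel", the key path and port 9999 are placeholders; the ss output is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original thread. Host names, key path,
# user name and port numbers are placeholders.

TUNNEL_PORT=9999                    # port on B that leads back to A's sshd
BASTION="machineB.example.com"      # B: the host reachable from anywhere
KEY="$HOME/.ssh/tunnel_ed25519"     # assumed dedicated key for the tunnel

# Step 1, run on A: build the reverse tunnel and keep it open in the
# background (-N: no shell, -f: go to background, keys instead of passwords).
# ExitOnForwardFailure makes ssh exit if B already has the port bound, so a
# cron/supervisor retry loop does not sit on a dead tunnel; the ServerAlive
# options tear the session down when the mobile link silently drops.
reverse_tunnel_cmd() {
    printf 'ssh -N -f -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:localhost:22 tunnel@%s' \
        "$KEY" "$TUNNEL_PORT" "$BASTION"
}

# Step 2, ~/.ssh/config stanza for C: jump through B, then to the loopback
# port on B that the reverse tunnel maps to A. With this, "ssh machineA"
# from C lands on A.
jump_config() {
    cat <<EOF
Host bastion
    HostName $BASTION
    User tunnel
    IdentityFile $KEY

Host machineA
    HostName localhost
    Port $TUNNEL_PORT
    ProxyJump bastion
EOF
}

# Check on B: with sshd's default GatewayPorts=no, -R ports are bound to
# 127.0.0.1 / ::1 only. If the port shows up on 0.0.0.0, * or [::], B's public
# interface is exposing A's sshd to the whole internet, which defeats the
# point of the jump host. Argument 1 is the output of "ss -ltn", argument 2
# the tunnel port. Returns 0 when the port is listening on loopback only.
tunnel_bound_to_loopback_only() {
    ss_output="$1"
    port="$2"
    printf '%s\n' "$ss_output" | awk -v p="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            lport = a[n]
            addr = substr($4, 1, length($4) - length(lport) - 1)
            if (lport == p) {
                found = 1
                if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
            }
        }
        END { exit (found && !bad) ? 0 : 1 }'
}

# Constructed "ss -ltn" samples (not captured from a real machine).
SAFE_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:9999      0.0.0.0:*
LISTEN 0      128    [::1]:9999          [::]:*'

EXPOSED_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:9999        0.0.0.0:*'

# Usage: print the command for A and the config stanza for C, then run the
# loopback check against the two samples.
reverse_tunnel_cmd; echo
echo; jump_config
if tunnel_bound_to_loopback_only "$SAFE_SAMPLE" "$TUNNEL_PORT"; then
    echo "safe sample: port $TUNNEL_PORT bound to loopback only"
fi
if ! tunnel_bound_to_loopback_only "$EXPOSED_SAMPLE" "$TUNNEL_PORT"; then
    echo "exposed sample: port $TUNNEL_PORT reachable from outside B"
fi
```

On a real B, run the check as `tunnel_bound_to_loopback_only "$(ss -ltn)" 9999`; it fails both when the port is not bound at all (tunnel down) and when it is bound on a non-loopback address (GatewayPorts enabled on B's sshd), which are the two states worth alerting on.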