outline-server
Checking host firewall: OK but Client complains about ports
Hi,
I installed Outline Server on my VPS about a month ago and I fired up the manager, created a few keys, and shared them. Everything went well and was great.
A few days ago I opened the manager again, and to my surprise it wouldn't connect to the server. I tried re-installing the server and trying with a new apiUrl and certSha256, but I keep getting:
Your Outline Server was installed correctly, but we are not able to connect to it. Most likely this is because your server's firewall rules are blocking incoming connections. Please review them and make sure to allow incoming TCP connections on ports ranging from 1024 to 65535.
Meanwhile, re-installing the server passes the Checking host firewall, and it might help to note that my previously shared keys still work well, it's just I can't connect the manager to add new keys.
Manager version: 1.1.4
Installed using this script:
https://raw.githubusercontent.com/Jigsaw-Code/outline-server/master/src/server_manager/install_scripts/install_server.sh
By the way, I am using DigitalOcean droplets (but I used the advanced setup because I am using an already-setup VPS), and I checked the firewall settings in the panel and the external firewall is not enabled.
Edit: ufw is also disabled and here are my iptables rules:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports 1024:65535
ACCEPT tcp -- anywhere anywhere multiport dports 57615
ACCEPT tcp -- anywhere anywhere multiport dports 33757
ACCEPT udp -- anywhere anywhere multiport dports 33757
ACCEPT udp -- anywhere anywhere multiport dports 57615
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-ISOLATION all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
@mdibaiee Thanks for trying Outline. Apologies for the slow reply.
In your iptables output I see several input rules. I'm no ufw expert but if ufw were disabled I would expect to see fewer rules. Can you double-check that you ran?:
ufw disable
@trevj Hey, I think I mentioned it, but I have ufw disabled as well.
So
$ sudo ufw status
Status: inactive
@mdibaiee Yes but there's more rules in the INPUT table than I would expect, given ufw is disabled. Have you tried:
- in the Outline server manager, "forget" the server
- on your VPS, re-run the install script
- re-add your server to the Outline server manager, by pasting the output of the script
?
@trevj
- The Outline Manager has already forgotten my server, so when I open it up it asks me to set up the server and input the API credentials
- I have re-run the install script tens of times, using different methods:
  - Simply re-running on a past installation
  - Deleting all docker images and active containers and re-running the script
  - Clearing the iptable, deleting docker images and running the installation again
- Afterward, I would paste the new credentials, but still the same output, the install script reports firewall as being "OK" but the manager complains about something being wrong with it.
All the while, a client using a key generated using an old installation on the same server works fine (Android Outline Client)
Same issue. New server, can't connect. Another Outline Server (installed 4 months ago) works fine.
I'm having a similar problem. I accidentally deleted my server on google compute, tried to reinstall today using the command line tools. I found I had to install docker and add it to my user group manually before I ran the script. I opened the firewall ports as instructed, firewall check says "OK", but outline manager says "Your Outline Server was installed correctly, but we are not able to connect to it. " I rolled back to a previous version of the outline manager (downloaded 7/23) and it worked.
I'm having a similar issue, as well. I am currently running UFW, but I've tried with and without. I've done ufw allow 1024:65535/tcp and ufw allow 1024:65535/udp as well as disabling UFW and even going as far as just setting my iptables completely open and accepting on all ports.
I am able to telnet into the server management port, but I cannot connect to any other port used by any of my keys. This is running on a dedicated server (not VPS) through Online.net in the Netherlands with Ubuntu 18.04 installed.
If anyone has the firewall issue, just flush the rules sudo iptables -F and try again. Make sure docker restart or better server restart sudo reboot. In my case reinstalled the outline-server, deleting docker stop $(docker ps -aq) and docker rm $(docker ps -aq) and docker rmi $(docker images -q).
Flush rules: sudo iptables -F
List rules: sudo iptables -L
@7urkm3n Thank you, I just went through all of the commands you mentioned and it seems to have solved the issue, or maybe it's the new manager that's working.
Glad it helped. I was installing it last night on VPS and Dedicated servers, both had an issue with firewall. Just flushing the rules helped me more than overriding some rules. Later, you can update rules for other services also.
Your Outline Server was installed correctly, but we are not able to connect to it. Most likely this is because your server's firewall rules are blocking incoming connections. Please review them and make sure to allow incoming TCP connections on ports ranging from 1024 to 65535.
I'm facing the issue that I mentioned above, while I'm trying to set up the server using Outline Manager from the Google Cloud Platform.
So, please help me with this issue. And let me know what to do.
Thank You.
@sriram89194 Hi, I have this problem too. How did you solve the problem?
also have this issue on ubuntu
I tried reinstalling it, and then it worked
Had the same problem on Ubuntu. Output after the installation mentioned this:
Make sure to open the following ports on your firewall, router or cloud provider:
- Management port 111111, for TCP
- Access key port 222222, for TCP and UDP
Opened the missing ports via ufw
Commands & output
root@myserver:~# ufw allow proto tcp to any port 111111
Rule added
Rule added (v6)
root@myserver:~# ufw allow proto udp to any port 222222
Rule added
Rule added (v6)
root@myserver:~# ufw allow proto tcp to any port 222222
Rule added
Rule added (v6)
Check & expected result:
root@myserver:~# ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
111111/tcp ALLOW Anywhere
222222/udp ALLOW Anywhere
222222/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
111111/tcp (v6) ALLOW Anywhere (v6)
222222/udp (v6) ALLOW Anywhere (v6)
222222/tcp (v6) ALLOW Anywhere (v6)
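The check described in the comment above, as an added example that is not part of the thread or of the Outline project's code: it reads the management port from the installer's access-config line, compares the three required rules against `ufw status`, and prints only the `ufw allow` commands that are missing. The function names are hypothetical, the sample address and status text are constructed, and ports 9735 and 44885 reuse the values the installer prints elsewhere in this thread.

```shell
#!/bin/sh
# Added example, not Outline project code. Function names are hypothetical and
# the sample inputs are constructed.

# Management port from the installer's access-config line.
mgmt_port() {
  printf '%s\n' "$1" | sed -n 's#.*"apiUrl":"https://[^/"]*:\([0-9][0-9]*\)/.*#\1#p'
}

# True only for a usable port number (1-65535).
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# $1 = text of `ufw status`, $2 = management port, $3 = access key port.
# Prints one `ufw allow` command per required rule that is not yet present.
# Simplification: only exact single-port IPv4 "ALLOW ... Anywhere" rules are
# recognised; port ranges and source-restricted rules are ignored.
missing_rules() {
  if ! valid_port "$2" || ! valid_port "$3"; then
    echo "port out of range" >&2; return 2
  fi
  if printf '%s\n' "$1" | grep -q '^Status: inactive'; then
    echo "ufw is inactive, so it is not what blocks the ports" >&2; return 3
  fi
  for want in "$2/tcp" "$3/tcp" "$3/udp"; do
    port=${want%/*}; proto=${want#*/}
    # "9735/tcp ALLOW Anywhere" and a protocol-less "9735 ALLOW Anywhere" both count.
    if ! printf '%s\n' "$1" |
        grep -Eq "^${port}(/${proto})?[[:space:]]+ALLOW([[:space:]]+IN)?[[:space:]]+Anywhere[[:space:]]*\$"; then
      echo "ufw allow proto ${proto} to any port ${port}"
    fi
  done
}

# Constructed sample: access-config shape and `ufw status` layout as shown in the thread.
SAMPLE_CONFIG='{"apiUrl":"https://192.0.2.10:9735/EXAMPLE_PREFIX","certSha256":"EXAMPLE"}'
SAMPLE_STATUS='Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
9735/tcp                   ALLOW       Anywhere
44885/tcp                  ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

missing_rules "$SAMPLE_STATUS" "$(mgmt_port "$SAMPLE_CONFIG")" 44885
```

Exit status 3 means ufw is inactive, in which case the installer's own message points at the router or cloud provider instead; exit status 2 rejects port numbers outside 1-65535.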
Hi
Today I tried to install the Outline server on Xubuntu v22.04.1 that I installed on my VMWare Workstation v16.2.4. My VMWare network setting is set on Bridge.../Replicate items.
I used this tutorial page to install Docker first: Install Docker Engine on Ubuntu (From the official 'docker.com' site)
Then used this command to install the Outline server:
sudo bash -c "$(wget -qO- https://raw.githubusercontent.com/Jigsaw-Code/outline-server/master/src/server_manager/install_scripts/install_server.sh)"
But then I got the firewall ...................... BLOCKED message. For hours I searched for a solution. I used all combinations of these commands while executing the Outline server installation script again, over and over:
1st:
sudo ufw allow 44885
sudo ufw allow 9735/tcp
2nd:
sudo ufw allow 1024:65535/tcp
sudo ufw allow 1024:65535/udp
3rd: First, disable UFW:
sudo ufw disable
Then, enable it again:
sudo ufw enable
4th: Disabling firewall and restart and try again:
sudo ufw disable
None of the above tries solved my problem! Then I went and downloaded the latest Xubuntu v22.04.2-desktop-amd64, then installed it on the VM of VMware Workstation. Updated it completely. Installed Docker again (based on the above tutorial link). Left the firewall deactivated as it was. Then here are the results of my other commands:
Executing the Outline script:
root@XyZ:~# sudo bash -c "$(wget -qO- https://raw.githubusercontent.com/Jigsaw-Code/outline-server/master/src/server_manager/install_scripts/install_server.sh)"
> Verifying that Docker is installed .......... OK
> Verifying that Docker daemon is running ..... OK
> Setting PUBLIC_HOSTNAME to external IP ...... OK
> Creating persistent state dir ............... OK
> Generating secret key ....................... OK
> Generating TLS certificate .................. OK
> Generating SHA-256 certificate fingerprint .. OK
> Writing config .............................. OK
> Starting Shadowbox .......................... OK
> Starting Watchtower ......................... OK
> Waiting for Outline server to be healthy .... OK
> Creating first user ......................... OK
> Adding API URL to config .................... OK
> Checking host firewall ...................... BLOCKED
OK
CONGRATULATIONS! Your Outline server is up and running.
To manage your Outline server, please copy the following line (including curly
brackets) into Step 2 of the Outline Manager interface:
{"apiUrl":"https://xxx.xxx.xxx.xxx:9735/YyYyYyYyYY_ZzZzZzZzZ","certSha256":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}
You won’t be able to access it externally, despite your server being correctly
set up, because there's a firewall (in this machine, your router or cloud
provider) that is preventing incoming connections to ports 9735 and 44885.
Make sure to open the following ports on your firewall, router or cloud provider:
- Management port 9735, for TCP
- Access key port 44885, for TCP and UDP
And I get the same error message about the firewall on the new fresh Xubuntu again!!!😬🤦
Here is my firewall status:
root@XyZ:~# sudo ufw status
Status: inactive
Here is my iptables result:
root@XyZ:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
root@XyZ:~#
What am I missing over here!? ⁉️
Sorry! But do I have to post a new issue or will my earlier post be seen in the future!?
Thanks for opening a new issue #1357. Closing this one.