Exposing a port behind a carrier-grade NAT

Open codeinabox opened this issue 1 year ago • 6 comments

Am I able to use this tool to expose a port / service running behind a carrier-grade NAT?

For context, I am running Navidrome on my home server, however I am unable to use regular port forwarding due to my internet connection using CGNAT. So I've been trying to set up a Chisel server on Digital Ocean and a client on my home server, so that I can access Navidrome via Digital Ocean, but I am not having much luck.

codeinabox, Oct 06 '23 15:10

If CGNAT (aka double nat) is your problem, and only you need to access it, I’d give Tailscale a try

Otherwise chisel might be needed, and it will let you

Internet -> DO vm -> home server

You want to run a chisel server in DO, with reverse enabled

Then you want to connect to it from home server, with remote "R:8080:8080" (one port is the DO listening port, and the other is the home server target port, see docs)

jpillora, Oct 06 '23 20:10

Thank you for the quick reply! I've got the server running on Digital Ocean with this command chisel server --reverse -v --port 80, and the client running on my home server with client -v http://XXX.XXX.XXX.XXX R:4533:80 (I've redacted the IP address and my Navidrome server runs on port 4533). However, when I try accessing the server URL in my browser, it just displays "Not found".

Looking at the logs, everything seems fine, so I am not sure what I've missed:

2023/10/07 13:01:21 client: Connecting to ws://XXX.XXX.XXX.XXX:80
2023/10/07 13:01:21 client: Handshaking...
2023/10/07 13:01:21 client: Sending config
2023/10/07 13:01:21 client: Connected (Latency 5.334518ms)
2023/10/07 13:01:21 client: tun: SSH connected

2023/10/07 13:00:27 server: Reverse tunnelling enabled
2023/10/07 13:00:27 server: Fingerprint XXXXXXXX
2023/10/07 13:00:27 server: Listening on http://0.0.0.0:80
2023/10/07 13:01:21 server: session#1: Handshaking with XXX.XXX.XXX.XXX:41588...
2023/10/07 13:01:21 server: session#1: Verifying configuration
2023/10/07 13:01:21 server: session#1: tun: Created
2023/10/07 13:01:21 server: session#1: tun: proxy#R:4533=>80: Listening
2023/10/07 13:01:21 server: session#1: tun: SSH connected
2023/10/07 13:01:21 server: session#1: tun: Bound proxies

codeinabox, Oct 07 '23 13:10

Not found suggests it’s with this navidrome server

Maybe it’s doing a host header check?

Try again replacing it with nginx/python file server and see if it works

jpillora, Oct 08 '23 07:10

I tried running python3 -m http.server 8000 on my laptop, then spinning up a client using chisel client -v http://XXX.XXX.XXX.XXX R:8000:80, and when I visit http://XXX.XXX.XXX.XXX in a browser I still get "Not found"

codeinabox, Oct 08 '23 14:10

I do run chisel behind some pretty ugly CG-NAT (inside a network which even tends to break VPNs such as Wireguard, OpenVPN or IPSec based solutions). Chisel has done a good job at bridging over it. So in general, yes, chisel should work behind CG-NAT.

Servostar, Oct 18 '23 15:10

The message "not found" is not from navidrome, nor is it related to navidrome not being reachable. The returned request probably has a status code of 404 and is the default message sent by the chisel server. I think the problem is that you forward navidrome's port 4533 to the chisel server's port 80. That port 80 is already used for communicating with chisel clients and vice versa. Why there is no port-already-in-use error is mysterious to me, but forwarding navidrome from 4533 to a different port such as 8533 and exposing that port at the server publicly should work, since then you are actually reaching out to navidrome and not just the chisel server.

TL;DR

Try changing the port navidrome is reverse forwarded to:

chisel client -v http://xxx.xxx.xxx.xxx:80 R:4533:8533

Then try to reach navidrome at: http://xxx.xxx.xxx.xxx:8533

I would highly recommend hiding chisel (and navidrome's public http connection) behind a reverse proxy such as nginx or caddy, additionally adding TLS certificates for https. This would also allow you to reverse proxy any service through a single 443 port with TLS.

Servostar, Oct 18 '23 15:10
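As an added example (not from this thread or the chisel project), a small POSIX sh pre-flight check for the two-port reverse remote form used above. It assumes chisel's documented remote syntax, in which the first port of an R: remote is bound on the chisel server and the second is the target on the client's (home) side, as the server log line "proxy#R:4533=>80: Listening" in the thread also shows; the server port and Navidrome port values are illustrative.

```shell
#!/bin/sh
# Added example; not part of the chisel project or of this issue thread.
# Pre-flight check for a chisel reverse remote. Per chisel's documented form
#   R:<local-interface>:<local-port>:<remote-host>:<remote-port>/<protocol>
# "local" is the chisel SERVER side (the DO VM) and "remote" is the chisel
# CLIENT side (the home server), so R:8533:4533 makes the server listen on
# 8533 and forward to the home machine's port 4533. Only the two-port form
# used in this thread is handled; other shapes are rejected rather than guessed.
# Port numbers below are illustrative, not taken from the thread.

# reverse_plan SERVER_PORT SPEC
# Prints "listen=<server-port> target=<home-port>" and returns 0, or prints a
# diagnostic and returns non-zero when the spec cannot work as written.
reverse_plan() {
    server_port=$1
    case $2 in
        R:*) ;;
        *) echo "error: '$2' is not a reverse remote (no R: prefix)"; return 2 ;;
    esac
    spec=${2#R:}                 # strip the reverse marker
    spec=${spec%%/*}             # drop an optional /tcp or /udp suffix
    case $spec in
        *:*:*) echo "error: only R:<server-port>:<home-port> is handled, got '$2'"; return 2 ;;
        *:*) ;;
        *) echo "error: '$2' has no ':' separator"; return 2 ;;
    esac
    listen=${spec%%:*}
    target=${spec##*:}
    case ":$listen:$target:" in
        *[!0-9:]*|*::*) echo "error: both ports must be numeric in '$2'"; return 2 ;;
    esac
    if [ "$listen" -eq "$server_port" ]; then
        # The failure mode from the thread: chisel already owns this port for its
        # own HTTP/websocket endpoint, so a browser hitting it gets chisel's
        # 404 "Not found" instead of the forwarded service.
        echo "error: R:$listen:$target collides with the chisel server on port $server_port"
        return 1
    fi
    # 0.0.0.0 is chisel's default listen interface, so this port becomes public
    # on the DO VM; front it with a TLS reverse proxy as recommended above.
    echo "listen=$listen target=$target"
}

# Usage: first call is a working layout (chisel on 80, Navidrome on 4533,
# reachable at http://<do-vm>:8533); second call reproduces the collision.
reverse_plan 80 R:8533:4533
reverse_plan 80 R:80:4533 || echo "refused as expected"
```

Run against the original command from the thread, `reverse_plan 80 R:4533:80` reports listen=4533 target=80, i.e. the server was listening on 4533 and forwarding to home port 80, which is why port 80 in the browser only ever reached chisel itself.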