Astroberry and OpenVPN troubles


wuthton

I hope someone can help, I generally get these things working through perseverance rather than knowledge but the problem seems very specific to the Astroberry setup, the Google has failed me.

I have OpenVPN running and to all appearances working as it should on the Astroberry Pi. It's connected to my server and I can SSH into the Astroberry over the VPN but I'm unable to load the Astroberry desktop either through a browser or VNC (10.8.0.16). I'm assuming the configuration of Nginx needs tweaking but I'm out of my depth now.

astroberry@astroberry:~ $ route -n
Kernel IP routing table
Destination      Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0          10.8.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0          192.168.1.1     0.0.0.0         UG    202    0        0 eth0
0.0.0.0          192.168.1.1     0.0.0.0         UG    303    0        0 wlan0
10.8.0.0         0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0        10.8.0.1        128.0.0.0       UG    0      0        0 tun0
*VPN SERVER IP*  192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0      0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.1.0      0.0.0.0         255.255.255.0   U     303    0        0 wlan0

Many thanks in advance,

Edited by wuthton
Link to comment
Share on other sites

Just now, gilesco said:

From what system are you SSHing to the Astroberry?

Thanks for the reply, Secure Shell App for Chrome (Chromebook and Windows 10), I have putty but I haven't tried it as the former does the job from a browser window.

Link to comment
Share on other sites

Try with putty, but do this:

Add source port 80
Destination localhost:8080 and click Add

Then SSH into the astroberry, then just connect on your system to http://localhost:8080, and/or try http://localhost:8080/panels.html

It might get round any issues, and also possibly obviate the need to run OpenVPN at all.

By the way, your routing table looks fine, and I can't find anything that might cause a problem, the output of:

sudo iptables -L -n

On the Astroberry might give further details (e.g. if OpenVPN initiates a firewall ruleset on connecting).

Edited by gilesco
Link to comment
Share on other sites

3 minutes ago, gilesco said:

Try with putty, but do this:

Add source port 80
Destination localhost:8080 and click Add

Then SSH into the astroberry, then just connect on your system to http://localhost:8080, and/or try http://localhost:8080/panels.html

It might get round any issues, and also possibly obviate the need to run OpenVPN at all.

By the way, your routing table looks fine, and I can't find anything that might cause a problem, the output of:

sudo iptables -L -n

On the Astroberry might give further details (e.g. if OpenVPN initiates a firewall ruleset on connecting).

Many thanks for the suggestion but I'm hoping to swap out my Windows 10 obsy PC for a Raspberry Pi but to access it from outside my network I need to use a VPN. My home broadband is over the mobile network (CGNAT) so my home IP address is private, as I understand it. The obsy can be used completely remotely over a VPN.

I can SSH into the Pi without problems, the Astroberry Desktop is what's unavailable over the VPN.

astroberry@astroberry:~ $ sudo iptables -L -n
[sudo] password for astroberry: 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Thank you again for your input.

Link to comment
Share on other sites

So, let's get this right.

  • Your OpenVPN server sits on an external IP - this is on your home network or remotely somewhere?
  • Your OpenVPN client is the Astroberry - you are connecting this to the OpenVPN server?
  • Is the client that you can SSH into the Astroberry on your home network, or is it also remote and also running an OpenVPN client to the same OpenVPN server?
Link to comment
Share on other sites

I do notice you have both wlan0 and eth0 connected to what appears the same network, I would disable one of these interfaces - either use the ethernet (preferred), or use the wifi, but not both. The metric should take care of this, and OpenVPN is preferred, Ethernet is second then Wifi, but I would start something simple before adding complexity.

 

Link to comment
Share on other sites

5 minutes ago, gilesco said:

So, let's get this right.

  • Your OpenVPN server sits on an external IP - this is on your home network or remotely somewhere?
  • Your OpenVPN client is the Astroberry - you are connecting this to the OpenVPN server?
  • Is the client that you can SSH into the Astroberry on your home network, or is it also remote and also running an OpenVPN client to the same OpenVPN server?
  • Your OpenVPN server sits on an external IP - this is on your home network or remotely somewhere? - Remote Server (VPS)
  • Your OpenVPN client is the Astroberry - you are connecting this to the OpenVPN server? - Yes, exactly
  • Is the client that you can SSH into the Astroberry on your home network, or is it also remote and also running an OpenVPN client to the same OpenVPN server? - I can SSH both ways without trouble.

I'm reasonably certain my problem is with Nginx but I only have experience with Apache.

Link to comment
Share on other sites

Strange, you can ssh so that does indicate connectivity. I have a rather complicated home network, which allows me to access Astroberry from a remote subnet without any issues, so I don't think it is Nginx.

On your OpenVPN server can you try, in its config:

fragment 1200
mssfix 1200

And on the clients, put in:

mssfix 1200

Reasoning is ssh uses small push packets, VNC uses large bitmap packets, which might be being dropped by exceeding the MTU of your tunnel.

You will need to restart the OpenVPN server after this change.

Link to comment
Share on other sites
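
An added example (not from any poster in this thread): a Bash script that tests the MTU theory from the post above by sending don't-fragment pings of different sizes through the tunnel and binary-searching for the largest one that passes. It assumes Linux iputils `ping` and uses 10.8.0.1, the tun0 gateway from the routing table earlier in the thread; the function names and the file name `pmtu.sh` are this example's own.

```shell
#!/usr/bin/env bash
# Added example: find the largest IPv4 packet that crosses the tunnel unfragmented.
# Assumptions: Linux iputils ping; target is the tun0 gateway (10.8.0.1 in this thread).

# probe HOST SIZE -> exit 0 if an IPv4 packet of SIZE bytes passes with DF set.
# ICMP payload = SIZE - 28 (20-byte IP header + 8-byte ICMP header).
probe() {
    ping -M do -c 1 -W 2 -s "$(( $2 - 28 ))" "$1" >/dev/null 2>&1
}

# find_pmtu HOST [LOW] [HIGH] -> prints the largest passing packet size.
# Fails if even LOW does not pass (host down or ICMP filtered).
find_pmtu() {
    local host=$1 lo=${2:-576} hi=${3:-1500} mid
    probe "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# tcp_mss MTU -> largest TCP payload per packet (20-byte IP + 20-byte TCP header).
tcp_mss() { echo $(( $1 - 40 )); }

# report HOST IFACE_MTU -> one-line verdict comparing path MTU to interface MTU.
report() {
    local host=$1 iface_mtu=$2 pmtu
    if ! pmtu=$(find_pmtu "$host" 576 "$iface_mtu"); then
        echo "no reply from $host even at 576 bytes"
        return 1
    fi
    if [ "$pmtu" -lt "$iface_mtu" ]; then
        echo "path MTU $pmtu < interface MTU $iface_mtu: full-size packets are dropped, TCP MSS must be <= $(tcp_mss "$pmtu")"
    else
        echo "path MTU $pmtu matches interface MTU $iface_mtu: packet size is not the problem"
    fi
}

# Usage: bash pmtu.sh 10.8.0.1 [tun0 MTU, default 1500]
if [ $# -gt 0 ]; then report "$1" "${2:-1500}"; fi
```

Run it on the Astroberry with the tunnel up, e.g. `bash pmtu.sh 10.8.0.1`. If `fragment` is then tried, OpenVPN needs that directive on the server and on every client, because it changes the packet format.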

I just looked at the default nginx config for astroberry and it listens on all port 80, so it shouldn't matter at all from where you're connecting. There is some other problem.

Are you able to load the astroberry webpage? Is it just the desktop (VNC) bit which isn't working?

Link to comment
Share on other sites

9 minutes ago, gilesco said:

Strange, you can ssh so that does indicate connectivity. I have a rather complicated home network, which allows me to access Astroberry from a remote subnet without any issues, so I don't think it is Nginx.

On your OpenVPN server can you try, in its config:

fragment 1200
mssfix 1200

And on the clients, put in:

mssfix 1200

Reasoning is ssh uses small push packets, VNC uses large bitmap packets, which might be being dropped by exceeding the MTU of your tunnel.

You will need to restart the OpenVPN server after this change.

I think you may be onto something here, I've disconnected WIFI as suggested and it appears to be trying to connect. On a browser window after 30s or so I'm getting a blank grey page but no error and VNC is asking for a password but then hangs on "preparing desktop". I'll try the above and report back, I've got to do some proper work for an hour or two.

Link to comment
Share on other sites

13 minutes ago, randomic said:

I just looked at the default nginx config for astroberry and it listens on all port 80, so it shouldn't matter at all from where you're connecting. There is some other problem.

Are you able to load the astroberry webpage? Is it just the desktop (VNC) bit which isn't working?

To all appearance the Pi has connected to OpenVPN as it should but it will not render the Astroberry Desktop through either VNC or a browser.

Link to comment
Share on other sites

You do realise the OPENVPN will slow down any VNC connection (once it's working) due to encryption!

Assuming you have done something like this https://www.ovpn.com/en/guides/raspberry-pi-raspbian

1. I presume you have tested your Openvpn from outside your home network to a "non RPi" PC to make sure your router is allowing the port forwarding to be used.

2. Try using Realvnc (I noted you said it didn't work via VNC (which?) over the Openvpn link) - does that open the std RPI screen? If this works you can also start Chrome on the RPI and use the Astroberry Panels by using an address of 127.0.0.1. If this works then you do have a problem with the Web server or NOVNC and/or the ports. https://github.com/novnc/noVNC

If (2) fails then open an error report on Radek's GitHub page. https://github.com/rkaczorek/astroberry-server

Link to comment
Share on other sites

30 minutes ago, stash_old said:

You do realise the OPENVPN will slow down any VNC connection (once it's working) due to encryption!

Assuming you have done something like this https://www.ovpn.com/en/guides/raspberry-pi-raspbian

1. I presume you have tested your Openvpn from outside your home network to a "non RPi" PC to make sure your router is allowing the port forwarding to be used.

2. Try using Realvnc (I noted you said it didn't work via VNC (which?) over the Openvpn link) - does that open the std RPI screen? If this works you can also start Chrome on the RPI and use the Astroberry Panels by using an address of 127.0.0.1. If this works then you do have a problem with the Web server or NOVNC and/or the ports. https://github.com/novnc/noVNC

If (2) fails then open an error report on Radek's GitHub page. https://github.com/rkaczorek/astroberry-server

Yes, it will be slower, almost painfully slow, but if it is just to kick off the ekos scheduler while you are away from your observatory on your travels then it might be just about bearable. I have actually found xrdp to be much quicker and responsive than vnc, but it is another thing.

Link to comment
Share on other sites

2 hours ago, gilesco said:

Strange, you can ssh so that does indicate connectivity. I have a rather complicated home network, which allows me to access Astroberry from a remote subnet without any issues, so I don't think it is Nginx.

On your OpenVPN server can you try, in its config:

fragment 1200
mssfix 1200

And on the clients, put in:

mssfix 1200

Reasoning is ssh uses small push packets, VNC uses large bitmap packets, which might be being dropped by exceeding the MTU of your tunnel.

You will need to restart the OpenVPN server after this change.

Many thanks for the suggestion but this unfortunately broke data transmission to/from all clients. I do think you were on the right track though.

Link to comment
Share on other sites

2 hours ago, stash_old said:

You do realise the OPENVPN will slow down any VNC connection (once it's working) due to encryption!

Assuming you have done something like this https://www.ovpn.com/en/guides/raspberry-pi-raspbian

1. I presume you have tested your Openvpn from outside your home network to a "non RPi" PC to make sure your router is allowing the port forwarding to be used.

2. Try using Realvnc (I noted you said it didn't work via VNC (which?) over the Openvpn link) - does that open the std RPI screen? If this works you can also start Chrome on the RPI and use the Astroberry Panels by using an address of 127.0.0.1. If this works then you do have a problem with the Web server or NOVNC and/or the ports. https://github.com/novnc/noVNC

If (2) fails then open an error report on Radek's GitHub page. https://github.com/rkaczorek/astroberry-server

After reading this, the adage "If it ain't broke, don't fix it" is ringing in my ears, so I've thrown in the towel.

Windows 10 / OpenVPN / RDP just works and always has worked for my Obsy. Astroberry looks absolutely ideal for a travel setup I'm putting together, no VPN required.

Link to comment
Share on other sites

4 minutes ago, wuthton said:

Many thanks for the suggestion but this unfortunately broke data transmission to/from all clients. I do think you were on the right track though.

I think this is a case of experimentation with those kinds of settings, MTU and MSS, maximum path packet size. I'm 25 years a network engineer, now architect and this smells of that, especially when you elaborated on the path to where it hangs...

Link to comment
Share on other sites

1 minute ago, gilesco said:

I think this is a case of experimentation with those kinds of settings, MTU and MSS, maximum path packet size. I'm 25 years a network engineer, now architect and this smells of that, especially when you elaborated on the path to where it hangs...

Thank you very much for your input but I fear that even if I do get it working it will be inferior to my current system, (Win10/OpenVPN/RDP with SGP and PHD2) so I've thrown in the towel. 

Link to comment
Share on other sites

2 minutes ago, wuthton said:

Thank you very much for your input but I fear that even if I do get it working it will be inferior to my current system, (Win10/OpenVPN/RDP with SGP and PHD2) so I've thrown in the towel. 

Yes - unless you have a pressing issue such as power consumption, there is no reason to downgrade a x64_86 system to raspberry pi arm32 / arm64.

I am coming from the other direction, eventually looking at upgrading to something a bit more powerful, but I think ARM will reach parity with Intel architectures in the near future.

Link to comment
Share on other sites

15 hours ago, wuthton said:

After reading this, the adage "If it ain't broke, don't fix it" is ringing in my ears, so I've thrown in the towel.

Windows 10 / OpenVPN / RDP just works and always has worked for my Obsy. Astroberry looks absolutely ideal for a travel setup I'm putting together, no VPN required.

Fair enough - makes total sense to me - except for the last bit "Astroberry looks etc" - sorry but Astroberry works fine for any setup (travel, Obsys or remote Obsys) - you just had a problem with getting Openvpn working 😉.

The important thing is you can still do your Astro stuff the way you want to - when the skies clear LOL

Link to comment
Share on other sites

20 hours ago, wuthton said:

I think you may be onto something here, I've disconnected WIFI as suggested and it appears to be trying to connect. On a browser window after 30s or so I'm getting a blank grey page but no error and VNC is asking for a password but then hangs on "preparing desktop". I'll try the above and report back, I've got to do some proper work for an hour or two.

From the sounds of it I am too late to this conversation but I've had that happen when accessing through a weak wifi/slow connection.  I found having it connected to the home wifi via the internal adaptor, and the hotspot enabled on an external USB wifi adaptor worked well if you don't have a cabled connection. You get the benefit of performance when connected remotely via the hotspot (plus internet on your local machine going through it but slow) but also the benefits of it being on your lan/internet for updates etc which don't need such a fast or reliable connection. Cabled LAN if you can is still the best.

Link to comment
Share on other sites

  • 3 weeks later...
On 20/10/2020 at 19:12, gilesco said:

Yes - unless you have a pressing issue such as power consumption, there is no reason to downgrade a x64_86 system to raspberry pi arm32 / arm64.

I am coming from the other direction, eventually looking at upgrading to something a bit more powerful, but I think ARM will reach parity with Intel architectures in the near future.

 

On 21/10/2020 at 10:30, stash_old said:

Fair enough - makes total sense to me - except for the last bit "Astroberry looks etc" - sorry but Astroberry works fine for any setup (travel, Obsys or remote Obsys) - you just had a problem with getting Openvpn working 😉.

The important thing is you can still do your Astro stuff the way you want to - when the skies clear LOL

My resolve to drop it has faltered, I've had designs on using my obsy pc for something else and I've been hearing good things about Wireguard as a less complex alternative to OpenVPN so two birds, one stone.

Wireguard server

I used a 1gb VPS and this excellent install script https://github.com/angristan/wireguard-install and then allowed the randomly determined port through UFW. It could alternatively be served from a Rpi on a home network.

Wireguard Client

I used this guide to install the client on the Astroberry https://www.wundertech.net/how-to-connect-a-raspberry-pi-to-a-wireguard-vpn-server/ and the Wireguard Android app on a chromebook.

All in all it took about 20 minutes to get up and running, it works like a charm.

 

Edited by wuthton
Link to comment
Share on other sites
