Outline server pinging, but doesn't work

[sollosollo4]

Just yesterday, VPN server stopped working. Connection and control are fine. ReInstallation - hangs on Starting Shadowbox. The connection line is not present in access.txt /opt/outline.
my uninstall: I removed all docker containers, run docker builder prune command and rm -rf /opt/outline remove this folder.
After I stop docker-daemon by sudo systemctl stop docker.service
After I use manager helper command:
sudo bash -c "$(wget -qO- https://raw.githubusercontent.com/Jigsaw-Code/outline-apps/master/server_manager/install_scripts/install_server.sh)"
And hang up on Starting Shadowbox..........
Re run install command hang up on Verifying that Docker daemon is running ..... line
I don’t know which logs I can provide, tell me - I’ll do it.

[sollosollo4]

I was able to install outline server by running all commands as administrator. but it still just doesn't work. Internet disappears as soon as I connect to the Outline server

[sbruens]

Can you check your firewall and also check the firewall settings from your cloud provider.

[sollosollo4]

@sbruens
Debian GNU/Linux 11 (bullseye) Release: 11
At the time of the answer, ufw or another firewall are not installed on my VPS. There are no special settings on the cloud provider, everything is by default

[sbruens]

Many VPS providers block most inbound traffic by default to enhance security. This can sometimes be the source of these issues.

Some more troubleshooting steps:

1. Check iptables:

   • If you haven't already, install iptables: sudo apt install iptables (or the equivalent command for your Linux distribution).
   • Then, run sudo iptables -L to view the current firewall rules.

2. Check server logs:

   • Run docker logs shadowbox to view the server logs.
   • Look for any error messages or clues about what might be causing the problem.

3. Try another VPS (if possible):

   • Try running the installation on a different VPS to see if you get different results. This can help determine if the problem is specific to your current VPS environment.

[sollosollo4]

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (4 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (4 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

[sbruens]

Thanks. Are you able to establish a TCP connection at all? Try curl <IP> -v to see if a TCP connection can be established.

[sollosollo4]

Thanks. Are you able to establish a TCP connection at all? Try curl <IP> -v to see if a TCP connection can be established.

curl 142.251.39.110 -v

*   Trying 142.251.39.110:80...
* Connected to 142.251.39.110 (142.251.39.110) port 80 (#0)
> GET / HTTP/1.1
> Host: 142.251.39.110
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: http://www.google.com/
< Content-Type: text/html; charset=UTF-8
< Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-LCgLvFa2RDNSC6FnClFV6w' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< Date: Wed, 11 Sep 2024 11:55:41 GMT
< Expires: Fri, 11 Oct 2024 11:55:41 GMT
< Cache-Control: public, max-age=2592000
< Server: gws
< Content-Length: 219
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< 
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
* Connection #0 to host 142.251.39.110 left intact

[sbruens]

It looks like the IP is redirecting traffic to google.com. Are you serving a web server at this IP?

[sollosollo4]

No, I just ping'ed 142.251.39.110, this is google.com IP
I'm not using web server

[sbruens]

My apologies for the confusion; I meant establishing a connection from client->server, not from server->target.

So send a curl request from your client device to the ip:port that is in your key (you can find it after the @ sign). This will tell us if you are able to establish any TCP connection with your Outline server. It should look something like this:

$ curl 123.456.789.1:1111 -v
*   Trying 123.456.789.1:1111...                                                                      
* Connected to 123.456.789.1 (123.456.789.1) port 1111                                                
> GET / HTTP/1.1                                                                                       
> Host: 123.456.789.1:1111                                                                            
> User-Agent: curl/8.8.0                                                                               
> Accept: */*                                                                                          
>                                                                                                      
* Request completely sent off   

Note the "Connected to 123.456.789.1 (123.456.789.1) port 1111"

[sbruens]

Another way you could check is with netcat:

# TCP
nc -v -z -w 3 123.456.789.1 1111

# UDP
nc -v -u -z -w 3 123.456.789.1 1111

[thirstyone]

sorry for hijacking this thread (but it could at least be of use)
curl: (56) Recv failure: Connection reset by peer red@red-MacBookPro:~$ nc -v -z -w 3 142.251.39.110 1111 Connection to 142.251.39.110 1111 port [tcp/*] succeeded! red@red-MacBookPro:~$ nc -v -u -z -w 3 142.251.39.110 1111 Connection to 142.251.39.110 1111 port [udp/*] succeeded!
but:
`curl 142.251.39.110 -v

• Trying 142.251.39.110:80...
• Connected to 142.251.39.110 (142.251.39.110) port 80

GET / HTTP/1.1
Host: 142.251.39.110
User-Agent: curl/8.5.0
Accept: /

• Recv failure: Connection reset by peer
• Closing connection
  curl: (56) Recv failure: Connection reset by peerandnslookup ya.ru
  ;; Got bad packet: unexpected end of input
  23 bytes
  79 25 83 00 00 01 00 01 00 00 00 00 02 79 61 02 y%...........ya.
  72 75 00 00 01 00 01 ru.....
  or dig ya.ru
  ;; Warning: Message parser reports malformed message packet.
  ;; Truncated, retrying in TCP mode.
  ;; communications error to 8.8.8.8#53: connection reset
  ;; communications error to 8.8.8.8#53: connection reset
  ;; communications error to 8.8.8.8#53: connection reset

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> ya.ru
;; global options: +cmd
;; no servers could be reached
`
(i had to change 9.9.9.9 in /etc/resolv.conf to 8.8.8.8, and at least with my previous setup it resolved domain names, unlike the 9.9.9.9 server)
these are using the Russian cellular networks, right now I can't try it with other providers.