Can't Access WebGui from remote VPN site/other subnet

I’ve checked my routes, I’ve sniffed the packets all the way to the server, and I’ve opened all the incoming routes on the IP tables. I’m out of ideas. Can anyone please help?

From an external host start with

nmap -v your.Server.s.ip

and from the server

netstat -antp

netstat -antp

[[email protected] ~]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:5038                0.0.0.0:*                   LISTEN      2209/asterisk
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      1577/vsftpd
tcp        0      0 0.0.0.0:53                  0.0.0.0:*                   LISTEN      1529/dnsmasq
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1541/sshd
tcp        0      0 0.0.0.0:8088                0.0.0.0:*                   LISTEN      2209/asterisk
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1813/master
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1721/mysqld
tcp        0     64 192.168.0.96:22             192.168.0.97:52922          ESTABLISHED 10778/sshd
tcp        0      0 127.0.0.1:42727             127.0.0.1:5038              TIME_WAIT   -
tcp        0      0 127.0.0.1:5038              127.0.0.1:42571             ESTABLISHED 2209/asterisk
tcp        0      0 :::50000                    :::*                        LISTEN      1947/java
tcp        0      0 :::80                       :::*                        LISTEN      1823/httpd
tcp        0      0 :::50001                    :::*                        LISTEN      1947/java
tcp        0      0 :::81                       :::*                        LISTEN      1823/httpd
tcp        0      0 :::50002                    :::*                        LISTEN      1947/java
tcp        0      0 :::82                       :::*                        LISTEN      1823/httpd
tcp        0      0 :::50003                    :::*                        LISTEN      1947/java
tcp        0      0 :::84                       :::*                        LISTEN      1823/httpd
tcp        0      0 :::53                       :::*                        LISTEN      1529/dnsmasq
tcp        0      0 :::22                       :::*                        LISTEN      1541/sshd
tcp        0      0 :::88                       :::*                        LISTEN      1823/httpd
tcp        0      0 ::1:25                      :::*                        LISTEN      1813/master
tcp        0      0 :::96                       :::*                        LISTEN      1823/httpd
tcp        0      0 ::ffff:127.0.0.1:42571      ::ffff:127.0.0.1:5038       ESTABLISHED 1947/java

nmap -v your.Server.s.ip (external Remote VPN Site)

MacBook-Pro:~$ nmap -v 192.168.x.x

Starting Nmap 6.47 ( http://nmap.org ) at 2014-09-04 21:48 EDT
Initiating Ping Scan at 21:48
Scanning 192.168.x.x [2 ports]
Completed Ping Scan at 21:48, 3.00s elapsed (1 total hosts)
Nmap scan report for 192.168.x.x [host down]
Read data files from: /usr/local/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.06 seconds

MacBook-Pro:~$ nmap -v -Pn 192.168.x.x

Starting Nmap 6.47 ( http://nmap.org ) at 2014-09-04 21:49 EDT
Initiating Parallel DNS resolution of 1 host. at 21:49
Completed Parallel DNS resolution of 1 host. at 21:49, 0.04s elapsed
Initiating Connect Scan at 21:49
Scanning 192.168.x.x [1000 ports]
Connect Scan Timing: About 15.50% done; ETC: 21:52 (0:02:49 remaining)
Connect Scan Timing: About 30.50% done; ETC: 21:52 (0:02:19 remaining)
Connect Scan Timing: About 45.50% done; ETC: 21:52 (0:01:49 remaining)
Connect Scan Timing: About 60.50% done; ETC: 21:52 (0:01:19 remaining)
Connect Scan Timing: About 75.50% done; ETC: 21:52 (0:00:49 remaining)
Completed Connect Scan at 21:52, 201.51s elapsed (1000 total ports)
Nmap scan report for 192.168.x.x
Host is up.
All 1000 scanned ports on 192.168.x.x are filtered

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 201.61 seconds

map -v your.Server.s.ip (Internal Network)

C:\Users\userl>nmap -v 192.168.x.x

Starting Nmap 6.47 ( http://nmap.org ) at 2014-09-04 22:00 Eastern Daylight Time

Initiating ARP Ping Scan at 22:00
Scanning 192.168.0.96 [1 port]
Completed ARP Ping Scan at 22:00, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:00
Completed Parallel DNS resolution of 1 host. at 22:00, 0.00s elapsed
Initiating SYN Stealth Scan at 22:00
Scanning 192.168.0.96 [1000 ports]
Discovered open port 22/tcp on 192.168.0.96
Discovered open port 80/tcp on 192.168.0.96
Discovered open port 21/tcp on 192.168.0.96
Discovered open port 3306/tcp on 192.168.0.96
Discovered open port 53/tcp on 192.168.0.96
Discovered open port 8088/tcp on 192.168.0.96
Discovered open port 82/tcp on 192.168.0.96
Discovered open port 50000/tcp on 192.168.0.96
Discovered open port 81/tcp on 192.168.0.96
Discovered open port 50003/tcp on 192.168.0.96
Discovered open port 50002/tcp on 192.168.0.96
Discovered open port 50001/tcp on 192.168.0.96
Discovered open port 88/tcp on 192.168.0.96
Discovered open port 84/tcp on 192.168.0.96
Completed SYN Stealth Scan at 22:00, 0.33s elapsed (1000 total ports)
Nmap scan report for 192.168.0.96
Host is up (0.00024s latency).
Not shown: 986 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
81/tcp    open  hosts2-ns
82/tcp    open  xfer
84/tcp    open  ctf
88/tcp    open  kerberos-sec
3306/tcp  open  mysql
8088/tcp  open  radan-http
50000/tcp open  ibm-db2
50001/tcp open  unknown
50002/tcp open  iiimsf
50003/tcp open  unknown
MAC Address: FC:4D:D4:F3:D2:24 (Universal Global Scientific Industrial Co.)

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds
           Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.084KB)

Well at a guess you need to reconfigure your httpd/apache2 server port 80 (http) is listening but not visible from your far end.

/etc/services on the host should tell you what service is running on what ports, common web services will use 80 through 89 and you have some of those plus 8088 , investigate your httpd/apache2 config files for why port 80 is not apparent to your far end. My guess is that something changed, perhaps

might be it ?

I also notice M$ like services running on 192.168.0.96 in the 5000? land , is that so? and do you need them also? and are you sure that it won’t interfere with your normal asterisk voip traffic?

I access guis all day via VPN and through ssh tunnels. I often access guis through a VPN tunnel over ssh. My guess is you are simply missing a route

I agree with James, the OP mentioned

“VPN site/other subnet”

He does not need to add routes for his tunneled “VPN site” but he absolutely needs routes for his “other subnet”

1 Like

Dicko led you down a rabbit hole. Please list the remote subnets and send an output of the route command from Linux as root on FreePBX server.

I added the routes via the route command to the other subnets I needed to access the gui from, and well it worked! Thank you guys for the help. It never occurred to me about routing inside the PBX.