Troubleshooting Streisand inside Proxmox (KVM/QEMU)

Last Updated: 15th Aug 2015

Here are some of the hurdles I came across while setting up Streisand inside a Proxmox (KVM/QEMU) virtual machine that uses a private IP (NAT).

Different SSH Port

Edit the inventory file:

[streisand-host]
1.2.3.4 ansible_ssh_port=55321 ansible_ssh_user=root

Where 1.2.3.4 is the external IP.

Solution found at Github.

Redirecting IP using iptables and SSH host error

Although Streisand is meant to be run from the client's system, running it directly on the server can produce the following problem:

When Ansible runs inside the guest, the NATed VM cannot reach itself through the external IP even though the ports are forwarded, while from outside everything works as expected. The error:

# ssh 1.2.3.4 -p 55321
ssh: connect to host 1.2.3.4 port 55321: Connection refused

The fix:

iptables -t nat -A OUTPUT -d 1.2.3.4 -j DNAT --to-destination 10.10.10.201

Where 1.2.3.4 is the external IP and 10.10.10.201 is the local (NATed) IP. (explanation)

This makes 'ssh 1.2.3.4 -p 55321' work for Ansible inside the KVM guest.

Also, make sure you can log in without a password, or else the Streisand playbook won't run:

# ssh 1.2.3.4 -p 55321
Fatal: [1.2.3.4] => SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh
Fatal: no hosts matched or all hosts have already failed -- aborting

The fix:

# ssh-keygen
# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
# ssh 1.2.3.4 -p 55321 #testing password-less login
# ansible-playbook /root/streisand/playbooks/streisand.yml

Solution found at LinuxProblem.org.

Forward Ports in KVM (NATed)

Streisand generates the port list at ~/streisand/generated-docs/hostname-firewall-information.html (the file name starts with the server's hostname); for example:

  • L2TP/IPsec
      • UDP - 500
      • UDP - 1701
      • UDP - 4500
  • Nginx (Streisand Gateway)
      • TCP - 443
  • OpenSSH
      • TCP - 55321
  • OpenVPN
      • UDP - 53 to/from 10.8.0.1
      • TCP - 636
  • Shadowsocks
      • TCP - 8530
  • stunnel
      • TCP - 993
  • Tor
      • TCP - 8443 - Bridge
      • TCP - 54018 - obfs3 pluggable transport
      • TCP - 36652 - ScrambleSuit pluggable transport

You can use socat or iptables on the Proxmox host to forward the required ports to the Streisand VM:

### My Setup

  • vmbr0 is the default bridge created by Proxmox.
  • vmbr1 is the bridge we created; more at Proxmox With Bridged Networking (NATed).
  • Open /etc/network/interfaces and add the following under vmbr1:
    ## VM-201 - TCP 55321 - SSH
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 55321 -j DNAT --to-destination 10.10.10.201
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp -m tcp --dport 55321 -j DNAT --to-destination 10.10.10.201
    
    ## VM-201 - TCP 443  - NGINX
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443  -j DNAT --to-destination 10.10.10.201
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp -m tcp --dport 443  -j DNAT --to-destination 10.10.10.201
    
    ## VM-201 - TCP 8530 - Shadowsocks
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 8530 -j DNAT --to-destination 10.10.10.201
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp -m tcp --dport 8530 -j DNAT --to-destination 10.10.10.201
    
    ## VM-201 - TCP - 993 - stunnel
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 993  -j DNAT --to-destination 10.10.10.201
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp -m tcp --dport 993  -j DNAT --to-destination 10.10.10.201
    
    ## VM-201 - TCP - 8443 - Bridge
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.10.10.201
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.10.10.201
    
    ## VM-201 - TCP - 54018 - obfs3 pluggable transport
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 54018 -j DNAT --to-destination 10.10.10.201
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp -m tcp --dport 54018 -j DNAT --to-destination 10.10.10.201
    
    ## VM-201 - TCP - 36652 - ScrambleSuit pluggable transport
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 36652 -j DNAT --to-destination 10.10.10.201
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp -m tcp --dport 36652 -j DNAT --to-destination 10.10.10.201
    
    ## VM-201 - UDP - 500 | UDP - 1701 | UDP - 4500 - L2TP/IPsec
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p udp -m udp --dport 500  -j DNAT --to-destination 10.10.10.201
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p udp -m udp --dport 1701 -j DNAT --to-destination 10.10.10.201
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p udp -m udp --dport 4500 -j DNAT --to-destination 10.10.10.201
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp -m udp --dport 500  -j DNAT --to-destination 10.10.10.201
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp -m udp --dport 1701 -j DNAT --to-destination 10.10.10.201
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp -m udp --dport 4500 -j DNAT --to-destination 10.10.10.201
    
    ## VM-201 - TCP - 636 - OpenVPN
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 636 -j DNAT --to-destination 10.10.10.201
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp -m tcp --dport 636 -j DNAT --to-destination 10.10.10.201
    
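The post-up/post-down pairs above, generated from the firewall document's port list instead of typed by hand, as an added example that is not part of the original post. It assumes vmbr0 as the WAN bridge and 10.10.10.201 as the VM (as in the setup above), that net.ipv4.ip_forward is enabled and that the FORWARD chain accepts traffic to the VM.

```shell
# Added example, not from the original post: emit the post-up/post-down DNAT
# pairs for /etc/network/interfaces from the port list, so the rules on the
# Proxmox host match the Streisand firewall document exactly. Assumptions:
# WAN bridge vmbr0 and VM 10.10.10.201 (as above), net.ipv4.ip_forward=1 and a
# FORWARD chain that accepts traffic to the VM (PREROUTING DNAT alone forwards
# nothing if FORWARD drops).
VM_IP="10.10.10.201"
WAN_IF="vmbr0"

# Constructed "proto port label" list copied from the firewall document above.
# UDP 53 to/from 10.8.0.1 is tunnel-internal and deliberately not forwarded.
PORTS='tcp 55321 SSH
tcp 443 NGINX
tcp 8530 Shadowsocks
tcp 993 stunnel
tcp 8443 Tor-Bridge
tcp 54018 obfs3
tcp 36652 ScrambleSuit
udp 500 L2TP/IPsec
udp 1701 L2TP/IPsec
udp 4500 L2TP/IPsec
tcp 636 OpenVPN'

# dnat_rule ACTION PROTO PORT: one iptables command (-A adds, -D deletes)
dnat_rule() {
    printf 'iptables -t nat %s PREROUTING -i %s -p %s -m %s --dport %s -j DNAT --to-destination %s\n' \
        "$1" "$WAN_IF" "$2" "$2" "$3" "$VM_IP"
}

# gen_dnat_rules: a comment line plus a post-up/post-down pair per port
gen_dnat_rules() {
    printf '%s\n' "$PORTS" | while read -r proto port label; do
        [ -n "$proto" ] || continue
        printf '## VM-201 - %s - %s - %s\n' \
            "$(printf '%s' "$proto" | tr '[:lower:]' '[:upper:]')" "$port" "$label"
        printf 'post-up   %s\n' "$(dnat_rule -A "$proto" "$port")"
        printf 'post-down %s\n' "$(dnat_rule -D "$proto" "$port")"
        echo
    done
}

# rule_count: number of post-up lines, i.e. forwarded ports (11 here)
rule_count() { gen_dnat_rules | grep -c '^post-up'; }

# has_rule PROTO PORT: prints yes/no whether that port gets a forward rule
has_rule() {
    if gen_dnat_rules | grep -q -- "-p $1 -m $1 --dport $2 "; then echo yes; else echo no; fi
}
gen_dnat_rules
```

Redirect the output into the vmbr1 stanza of /etc/network/interfaces and run ifdown/ifup on vmbr1 to apply the rules; post-down removes them again, so re-running does not duplicate entries.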
