Hello,
I’ve installed Passbolt on a VPS Ubuntu 22.04 system. I wanted to add an extra security layer to my system, so I’ve configured WireGuard VPN. Let’s say my configuration looks like this:
Passbolt url: passbolt.domain.com
Wireguard private subnet: 192.168.97.0/24
Server private IP address: 192.168.97.1/24
DNS “A” record for passbolt domain points to 192.168.97.1
The browser application works as expected. When I'm not connected to the VPN, the browser cannot resolve the address (no surprise here). As soon as I connect to WireGuard, I can log in to Passbolt and manage my passwords.
I've installed the WireGuard client on my iOS device, added the configuration and connected to the VPN. I can open the browser and display the login page at passbolt.domain.com, proving that everything works properly.
The problem occurs while connecting a freshly installed Passbolt mobile client to the API. When I tap the "Connect to an existing account" button and start to scan the QR code, the "Server was not reachable!" dialog appears.
I can think of two reasons:
- The application "ignores" the VPN, but I don't know if this is even possible.
- The application is doing some operations via a proxy, and this proxy tries to reach my server "from the outside", which is of course impossible because this is a private network.
How can I resolve this issue?
Best Regards,
Aleksander
Just to be sure you have HTTPS enabled and have imported the cert to your phone, correct?
Thanks for your answer. The certificate I'm using is not self-signed. It was issued by a "widely recognizable" certificate authority.
Mobile application log:
Passbolt:
Device: iPhone iPhone
OS: 15.7.1
App: 1.13.0
[2023-04-05 10:21:37] Initializing the app…
[2023-04-05 10:21:37] …app initialization completed!
[2023-04-05 10:21:37] Verifying data integrity…
[2023-04-05 10:21:37] …data integrity verification finished
[2023-04-05 10:21:37] Fetching server configuration…
[2023-04-05 10:21:37] …server configuration fetching skipped!
[2023-04-05 10:21:38] [7A792A87-A04C-4D11-A5A7-F11E57B732C4] HTTP GET /lookup
[2023-04-05 10:21:38] [7A792A87-A04C-4D11-A5A7-F11E57B732C4] HTTP 200 /lookup
[2023-04-05 10:22:12] Beginning new account transfer…
[2023-04-05 10:22:13] Processing QR code payload…
[2023-04-05 10:22:13] …processing succeeded, continuing transfer…
[2023-04-05 10:22:13] [04E251D9-8504-4077-B7F2-5ED59709A169] HTTP POST /mobile/transfers/b069c1fd-ed2f-41a4-b97f-b2060dc45e0d/7ea12599-6e24-43ae-a0a5-43f989d4e851.json
[2023-04-05 10:22:24] [04E251D9-8504-4077-B7F2-5ED59709A169] HTTP request timed out
[2023-04-05 10:22:24] [04E251D9-8504-4077-B7F2-5ED59709A169] Network call failed.
[2023-04-05 10:22:24] HTTP request timed out
[2023-04-05 10:22:26] Processing QR code payload…
[2023-04-05 10:22:26] …processing succeeded, continuing transfer…
[2023-04-05 10:22:26] [82886692-4099-4DE9-A0BC-7447F4E8E7BB] HTTP POST /mobile/transfers/b069c1fd-ed2f-41a4-b97f-b2060dc45e0d/7ea12599-6e24-43ae-a0a5-43f989d4e851.json
I need to mention that I also tested a configuration in which the Passbolt application is hosted "publicly" (public IP), and in that case everything was working perfectly.
Do you see anything regarding this on the nginx or passbolt logs on the server?
Unfortunately not. In nginx I see a bunch of requests to the /mobile/transfers URL, but only with the GET method and only from the 192.168.97.11 IP, which is the private IP of my computer:
192.168.79.11 - - [05/Apr/2023:12:22:09 +0200] "GET /mobile/transfers/b069c1fd-ed2f-41a4-b97f-b2060dc45e0d.json?api-version=v2 HTTP/2.0" 200 729 "-" "Mozilla/5.0 (Windows NT 10.0; Win64;
192.168.79.11 - - [05/Apr/2023:12:22:10 +0200] "GET /mobile/transfers/b069c1fd-ed2f-41a4-b97f-b2060dc45e0d.json?api-version=v2 HTTP/2.0" 200 729 "-" "Mozilla/5.0 (Windows NT 10.0; Win64;
192.168.79.11 - - [05/Apr/2023:12:22:10 +0200] "GET /mobile/transfers/b069c1fd-ed2f-41a4-b97f-b2060dc45e0d.json?api-version=v2 HTTP/2.0" 200 729 "-" "Mozilla/5.0 (Windows NT 10.0; Win64;
192.168.79.11 - - [05/Apr/2023:12:22:10 +0200] "GET /mobile/transfers/b069c1fd-ed2f-41a4-b97f-b2060dc45e0d.json?api-version=v2 HTTP/2.0" 200 729 "-" "Mozilla/5.0 (Windows NT 10.0; Win64;
192.168.79.11 - - [05/Apr/2023:12:22:11 +0200] "GET /mobile/transfers/b069c1fd-ed2f-41a4-b97f-b2060dc45e0d.json?api-version=v2 HTTP/2.0" 200 729 "-" "Mozilla/5.0 (Windows NT 10.0; Win64;
My mobile private IP is 192.168.97.12, and this IP does not appear in access.log or error.log.
By the way, the log timestamps from the mobile application are two hours behind (apparently in UTC) and I'm in Europe/Warsaw (UTC+2).
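The triage done by hand in this post (which client IPs hit /mobile/transfers, with which method, and whether the phone's WireGuard address ever appears) can be scripted over the nginx access.log. This is an added example, not code from the thread or from Passbolt; the log lines are constructed to mirror the ones quoted above, and the peer IP 192.168.97.12 is taken from the post.

```python
import re
from collections import defaultdict

# nginx "combined" log format, the layout of the access.log excerpts in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the fields of one access.log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def transfer_requests(lines, prefix="/mobile/transfers/"):
    """Count hits under the account-transfer endpoint: {client_ip: {method: count}}."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(prefix):
            seen[rec["ip"]][rec["method"]] += 1
    return {ip: dict(methods) for ip, methods in seen.items()}

def missing_peers(lines, expected_peers, method="POST", prefix="/mobile/transfers/"):
    """Peers (e.g. the phone's WireGuard address) that never sent `method` to the transfer endpoint."""
    seen = transfer_requests(lines, prefix)
    return sorted(ip for ip in expected_peers if method not in seen.get(ip, {}))

# Constructed sample: the browser polling the transfer from 192.168.97.11, one unrelated
# POST from the phone (192.168.97.12), and no POST to /mobile/transfers from the phone.
SAMPLE_LOG = [
    '192.168.97.11 - - [05/Apr/2023:12:22:09 +0200] "GET /mobile/transfers/b069c1fd-ed2f-41a4-b97f-b2060dc45e0d.json?api-version=v2 HTTP/2.0" 200 729 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '192.168.97.11 - - [05/Apr/2023:12:22:10 +0200] "GET /mobile/transfers/b069c1fd-ed2f-41a4-b97f-b2060dc45e0d.json?api-version=v2 HTTP/2.0" 200 729 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '192.168.97.11 - - [05/Apr/2023:12:22:11 +0200] "GET /mobile/transfers/b069c1fd-ed2f-41a4-b97f-b2060dc45e0d.json?api-version=v2 HTTP/2.0" 200 729 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '192.168.97.12 - - [11/Apr/2023:22:52:51 +0200] "POST /auth/login.json HTTP/2.0" 200 265 "-" "restclient/154 CFNetwork/1335.0.3 Darwin/21.6.0"',
    'this line is not an nginx access log entry',
]

if __name__ == "__main__":
    print(transfer_requests(SAMPLE_LOG))
    print("peers with no POST to /mobile/transfers:", missing_peers(SAMPLE_LOG, {"192.168.97.12"}))
```

Running it against the real access.log (`missing_peers(open(path), {"192.168.97.12"})`) tells you at a glance whether the phone's tunnel address ever reached nginx at all, which separates a routing/DNS problem from an application-level one.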
Is this a typo or do you have the device in a different subnet? 97 vs 79
Sorry it is a typo, my private network address is 192.168.97.0/24.
Did you change the domain name of the app when you changed from it being publicly accessible to being internal only?
When you made it internal only, did you also take down the public resolution of the domain? Or did you just firewall it?
App → fullBaseUrl is set to https://passbolt.domain.com
My domain provider allows setting private addresses in its DNS, so the domain passbolt.domain.com (A record) points to the 192.168.97.1 address whether I'm connected to the VPN or not. The firewall is temporarily down.
As soon as I start to scan the QR code, the dialog below appears. I suspect that the mobile application tries to reach my server via an "outside" proxy, and for that proxy the address 192.168.97.1 is naturally not reachable. Is the iOS application open source?
When you configured wg, did you also include dns settings pointing to your provider that has the private address on record?
It is open source! You can find it here
I did not configure DNS for WireGuard. Without this setting, a machine connected to the VPN uses its own DNS settings. The fact that I can open the address passbolt.domain.com in the browser while connected to the VPN proves it.
We need someone else with an iPhone to test over wireguard.
Same problem with Android. Here is the log: Dropbox - passbolt-android-error.txt. I'm not the iOS developer, but I will try to browse the iOS app source code.
And again even though, in the android client, there are lines like:
20:43:26 ← 200 https://passbolt.domain.com/mobile/transfers/216be15a-a190-4d61-a287-6d8c06e03cc5/e624113f-57e2-4db5-aeb8-3b03aa629b4e.json (117ms, unknown-length body)
suggesting that the response from the server was successful, there are no corresponding lines in the nginx access log.
So it’s specifically wireguard and not vpn in general, either the setup of it or the app’s handling of it, which is the problem.
Can you post your wireguard setup params on both ends and replace the sensitive parts but so it still makes sense?
wg0.conf
[Interface]
Address = 192.168.97.1
SaveConfig = true
ListenPort = 41194
PrivateKey = SERVER_PRIVATE_KEY
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 192.168.97.0/24
client.conf
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 192.168.97.12
[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 192.168.97.0/24
Endpoint = XX.XX.XX.XXX:41194
PersistentKeepalive = 15
I also installed a bunch of applications which use the HTTP protocol, like Opera Mini, DuckDuckGo, etc., and all of them resolve the passbolt.domain.com address without any trouble while connected via the WG VPN.
I installed an application called REST - HTTP API Client and made a POST to https://passbolt.domain.com/auth/login.json. The response code was 200 and I could see the error message "There is no user associated with this key. No key id set", which is understandable because the request was empty.
On the server side I see corresponding entry in the nginx access log file:
192.168.97.12 - - [11/Apr/2023:22:52:51 +0200] "POST /auth/login.json HTTP/2.0" 200 265 "-" "restclient/154 CFNetwork/1335.0.3 Darwin/21.6.0"
It looks like the communication works in this case.
Have you set net.ipv4.ip_forward=1?
What address does Passbolt think it has? When you ping your Passbolt domain from your Ubuntu server, what IP address is it?
ip_forward is set to 1; however, it is not even necessary in this case because both WireGuard and Passbolt (nginx) are installed on the same machine, so no packets need to be forwarded.
When I ping passbolt.domain.com while on the server, I get the expected result, which is the private IP of the WG interface (192.168.97.1).
The one thing that seems odd to me is the shared IP address for Passbolt and also the WG server. I have never configured it like this, but instead would give the Passbolt IP address its own address in the same subnet, like 192.168.97.2.
If you change passbolt to its own ip address and change DNS accordingly, what happens then?
Maybe I didn't make myself clear. The WireGuard service and the nginx service are installed on the same machine. In this sense the IP address is shared, but the ports and even the protocols are different for both services. I'm not even sure if I can add another IP address to the WireGuard interface. I need to think about it.