From 48a52633a10003c12cc45cd1fecb165900b1c90a Mon Sep 17 00:00:00 2001 From: "apper.charles" Date: Mon, 22 Sep 2025 15:00:04 +0000 Subject: [PATCH] Add TroubleshootingCCTVCameraAccessviaTailscaleonEC2 Signed-off-by: apper.charles --- ...eshootingCCTVCameraAccessviaTailscaleonEC2 | 150 ++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100644 TroubleshootingCCTVCameraAccessviaTailscaleonEC2 diff --git a/TroubleshootingCCTVCameraAccessviaTailscaleonEC2 b/TroubleshootingCCTVCameraAccessviaTailscaleonEC2 new file mode 100644 index 0000000..55a652e --- /dev/null +++ b/TroubleshootingCCTVCameraAccessviaTailscaleonEC2 
@@ -0,0 +1,150 @@ +# Troubleshooting CCTV Camera Access via Tailscale on EC2 + +This document summarizes the steps taken to troubleshoot and attempt to resolve connectivity issues from an AWS EC2 instance (Ubuntu, private IP 10.0.1.138, VPC 10.0.0.0/16) to CCTV cameras on a remote network (192.168.8.0/24, e.g., 192.168.8.241). The goal was to connect the EC2 instance to Tailscale, enable routing to the remote subnet, and diagnose any VPC-related issues. + +## Problem Description + +- **Objective**: Access CCTV cameras (e.g., 192.168.8.241) from EC2 via Tailscale for HTTP (port 80) or RTSP (port 554). + +- **Initial Issue**: No route to 192.168.8.0/24 from EC2, resulting in errors like "Destination Host Unreachable," "No route to host," and "Destination address required." + +- **Constraints**: No access to the remote network’s Tailscale device (e.g., gl-mt3000, gl-mt6000-1) or admin console to fix subnet routing. + +- **Progress**: Eventually achieved ping success, indicating Layer 3 connectivity via Tailscale. + + +## Steps Taken + +### 1. Verified Tailscale Setup on EC2 + +- **Command**: + + ``` + tailscale status + ``` + +- **Output**: Showed peers (gl-mt3000, gl-mt6000-1, some offline), EC2 IP (100.105.150.53), and health warning: "Some peers are advertising routes but --accept-routes is false." + +- **Issue**: EC2 not accepting routes from remote peers; Tailscale later stopped. + +- **Attempted Fix**: + + ``` + sudo tailscale up --accept-routes + ``` + + - Failed due to non-default flags (--advertise-routes=192.168.8.0/24 from prior config). + + - Suggested: sudo tailscale down; sudo tailscale up --reset --accept-routes. + +- **Outcome**: Tailscale remained stopped; route 192.168.8.0/24 dev wg0 scope link was stale (non-functional). + + +### 2. 
Enabled IP Forwarding + +- **Command**: + + ``` + echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf + sudo sysctl -p + ``` + +- **Purpose**: Enable EC2 to forward traffic (needed if acting as a router, though not required here since EC2 is a client). + +- **Outcome**: Successfully enabled, but didn’t resolve routing since EC2 shouldn’t advertise 192.168.8.0/24. + + +### 3. Tested Basic Connectivity + +- **Commands**: + + ``` + ping -c 4 192.168.8.241 + telnet 192.168.8.241 80 + traceroute 192.168.8.241 + ``` + +- **Initial Output**: + + - Ping: "From 10.0.0.1 Destination Host Unreachable" (VPC gateway rejecting). + + - Telnet: "No route to host" or "Server lookup failure" (malformed syntax). + + - Traceroute: "Destination address required." + +- **Later Progress**: Ping succeeded (indicating Tailscale route fixed), but telnet failed (port 80 blocked or disabled). + +- **Issue**: Layer 3 worked, but TCP ports blocked (camera, remote firewall, or Tailscale ACLs). + + +### 4. Attempted Incorrect Subnet Advertising + +- **Command**: + + ``` + sudo tailscale up --advertise-routes=192.168.8.0/24 + ``` + +- **Issue**: EC2 (in VPC 10.0.0.0/16) can’t advertise remote subnet 192.168.8.0/24 (camera’s LAN); this should be done by a device on that LAN (e.g., gl-mt3000). + +- **Outcome**: Caused health warnings and invalid route (192.168.8.0/24 dev wg0 scope link); no connectivity. + + +### 5. Tried SSH Tunneling + +- **Command**: + + ``` + ssh -L 8080:192.168.8.241:80 ubuntu@34.243.156.239 + ``` + +- **Purpose**: Tunnel from a local machine (assumed on 192.168.8.0/24) to EC2, then access via lynx http://localhost:8080. + +- **Outcome**: Failed with "Permission denied (publickey)" due to missing SSH key. Also, no local machine access to 192.168.8.0/24. + + +### 6. Diagnosed VPC Issues + +- **Route Table Check**: + + - Command: ip route show + + - Output: Default via 10.0.1.1, local 10.0.1.0/24, stale 192.168.8.0/24 dev wg0. 
+ + - Conclusion: VPC routes fine for local traffic; 192.168.8.0/24 handled by Tailscale (not VPC). + +- **Security Groups/NACLs**: + + - Suggested: Check AWS Console for outbound TCP/80, 554, ICMP to 0.0.0.0/0 or 192.168.8.0/24. + + - Local firewall: sudo ufw status (no blocks reported). + + - Outcome: No clear VPC blocks identified; issue was Tailscale routing. + +- **Reachability Analyzer**: Suggested to test path from EC2 to 192.168.8.241:80 (not run). + +- **Other Checks**: Confirmed no IP overlap; source/dest check irrelevant (EC2 not forwarding). + + +## Final Steps to Resolve + +- **Restart Tailscale Correctly**: + + ``` + sudo tailscale down + sudo tailscale up --reset --accept-routes + tailscale status + ip route show | grep 192.168.8 + ``` + +- **Test Ping Access to CCTV Cameras IP**: + + ``` + ping -c 4 192.168.8.241 + ping -c 4 192.168.8.116 + ping -c 4 192.168.8.232 + ping -c 4 192.168.8.122 + ping -c 4 192.168.8.149 + ``` + +- **VPC Check**: In AWS Console, verify Security Groups/NACLs allow outbound TCP/80, 554 to 192.168.8.0/24. \ No newline at end of file
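Review bot: In "Final Steps to Resolve", the VPC check "verify Security Groups/NACLs allow outbound TCP/80, 554 to 192.168.8.0/24" cannot work as written, because the camera traffic never leaves the instance with a 192.168.8.x destination; it is encapsulated by Tailscale and egresses the VPC as WireGuard UDP (port 41641 by default) to the peer's public endpoint, or as HTTPS on TCP/443 to a DERP relay. Security groups and NACLs only see those outer packets, so the check should be rewritten to verify outbound UDP/41641 and TCP/443 to 0.0.0.0/0, and the same correction applies to the "Suggested: Check AWS Console for outbound TCP/80, 554, ICMP to 0.0.0.0/0 or 192.168.8.0/24" line in step 6. Two smaller points in the same hunk: in step 5, `ssh -L 8080:192.168.8.241:80 ubuntu@34.243.156.239` makes the EC2 host open the connection to the camera, which contradicts the stated purpose of tunnelling from a machine on 192.168.8.0/24 (that direction would need `-R`), and step 1's "route 192.168.8.0/24 dev wg0" is not on Tailscale's interface (tailscaled uses `tailscale0`), so the stale route should be traced to whatever wg-quick or manual WireGuard config created `wg0` and removed there. Finally, the document hard-codes the instance's public IP (34.243.156.239) and Tailscale IP (100.105.150.53); replace them with placeholders before committing.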