apper.charles/EC2toTailscale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
EC2toTailscale/TroubleshootingCCTVCameraAccessviaTailscaleonEC2.md

150 lines
5.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Troubleshooting CCTV Camera Access via Tailscale on EC2
This document summarizes the steps taken to troubleshoot and attempt to resolve connectivity issues from an AWS EC2 instance (Ubuntu, private IP 10.0.1.138, VPC 10.0.0.0/16) to CCTV cameras on a remote network (192.168.8.0/24, e.g., 192.168.8.241). The goal was to connect the EC2 instance to Tailscale, enable routing to the remote subnet, and diagnose any VPC-related issues.
## Problem Description
- **Objective**: Access CCTV cameras (e.g., 192.168.8.241) from EC2 via Tailscale for HTTP (port 80) or RTSP (port 554).
- **Initial Issue**: No route to 192.168.8.0/24 from EC2, resulting in errors like "Destination Host Unreachable," "No route to host," and "Destination address required."
- **Constraints**: No access to the remote networks Tailscale device (e.g., gl-mt3000, gl-mt6000-1) or admin console to fix subnet routing.
- **Progress**: Eventually achieved ping success, indicating Layer 3 connectivity via Tailscale.
## Steps Taken
### 1. Verified Tailscale Setup on EC2
- **Command**:
```
tailscale status
```
- **Output**: Showed peers (gl-mt3000, gl-mt6000-1, some offline), EC2 IP (100.105.150.53), and health warning: "Some peers are advertising routes but --accept-routes is false."
- **Issue**: EC2 not accepting routes from remote peers; Tailscale later stopped.
- **Attempted Fix**:
```
sudo tailscale up --accept-routes
```
- Failed due to non-default flags (--advertise-routes=192.168.8.0/24 from prior config).
- Suggested: sudo tailscale down; sudo tailscale up --reset --accept-routes.
- **Outcome**: Tailscale remained stopped; route 192.168.8.0/24 dev wg0 scope link was stale (non-functional).
### 2. Enabled IP Forwarding
- **Command**:
```
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
- **Purpose**: Enable EC2 to forward traffic (needed if acting as a router, though not required here since EC2 is a client).
- **Outcome**: Successfully enabled, but didnt resolve routing since EC2 shouldnt advertise 192.168.8.0/24.
### 3. Tested Basic Connectivity
- **Commands**:
```
ping -c 4 192.168.8.241
telnet 192.168.8.241 80
traceroute 192.168.8.241
```
- **Initial Output**:
- Ping: "From 10.0.0.1 Destination Host Unreachable" (VPC gateway rejecting).
- Telnet: "No route to host" or "Server lookup failure" (malformed syntax).
- Traceroute: "Destination address required."
- **Later Progress**: Ping succeeded (indicating Tailscale route fixed), but telnet failed (port 80 blocked or disabled).
- **Issue**: Layer 3 worked, but TCP ports blocked (camera, remote firewall, or Tailscale ACLs).
### 4. Attempted Incorrect Subnet Advertising
- **Command**:
```
sudo tailscale up --advertise-routes=192.168.8.0/24
```
- **Issue**: EC2 (in VPC 10.0.0.0/16) cant advertise remote subnet 192.168.8.0/24 (cameras LAN); this should be done by a device on that LAN (e.g., gl-mt3000).
- **Outcome**: Caused health warnings and invalid route (192.168.8.0/24 dev wg0 scope link); no connectivity.
### 5. Tried SSH Tunneling
- **Command**:
```
ssh -L 8080:192.168.8.241:80 ubuntu@34.243.156.239
```
- **Purpose**: Tunnel from a local machine (assumed on 192.168.8.0/24) to EC2, then access via lynx http://localhost:8080.
- **Outcome**: Failed with "Permission denied (publickey)" due to missing SSH key. Also, no local machine access to 192.168.8.0/24.
### 6. Diagnosed VPC Issues
- **Route Table Check**:
- Command: ip route show
- Output: Default via 10.0.1.1, local 10.0.1.0/24, stale 192.168.8.0/24 dev wg0.
- Conclusion: VPC routes fine for local traffic; 192.168.8.0/24 handled by Tailscale (not VPC).
- **Security Groups/NACLs**:
- Suggested: Check AWS Console for outbound TCP/80, 554, ICMP to 0.0.0.0/0 or 192.168.8.0/24.
- Local firewall: sudo ufw status (no blocks reported).
- Outcome: No clear VPC blocks identified; issue was Tailscale routing.
- **Reachability Analyzer**: Suggested to test path from EC2 to 192.168.8.241:80 (not run).
- **Other Checks**: Confirmed no IP overlap; source/dest check irrelevant (EC2 not forwarding).
## Final Steps to Resolve
- **Restart Tailscale Correctly**:
```
sudo tailscale down
sudo tailscale up --reset --accept-routes
tailscale status
ip route show | grep 192.168.8
```
- **Test Ping Access to CCTV Cameras IP**:
```
ping -c 4 192.168.8.241
ping -c 4 192.168.8.116
ping -c 4 192.168.8.232
ping -c 4 192.168.8.122
ping -c 4 192.168.8.149
```
- **VPC Check**: In AWS Console, verify Security Groups/NACLs allow outbound TCP/80, 554 to 192.168.8.0/24.
Reference in New Issue View Git Blame Copy Permalink