Scenario: You just ordered a new root server on Hetzner. You manage to connect to the server remotely, but you notice that your server doesn’t have internet access. You might want to download something or notice that some services aren’t working. Whatever the case might be, you’re now wondering “Why can’t I access the internet on my Hetzner root server?”, and that can be a deal breaker.
In this article, we are going to explain how to fix your outgoing connection on your root (or dedicated) server.
How I fixed the internet on my Hetzner root server
Use the right DNS servers
There is no wrong or right order to perform these steps, but we like to start by setting up the correct DNS servers on your server. You might have been tempted to set up your preferred DNS server (e.g. Google’s 188.8.131.52), but that might not work out as planned.
What I’m about to say isn’t documented by Hetzner but is only based on my recent experience. Do with that what you will.
It appears that Hetzner no longer allows you to use external DNS servers. Instead, they are prompting users to use their own DNS servers on root servers and dedicated servers. This might be a measure to prevent abuse from within their network, but this is speculation on my part.
The workaround is then, of course, to use the Hetzner DNS servers on your server. There are two methods to achieve this.
- Let Hetzner assign you an IP address and DNS servers
- Configure the DNS servers manually
The first option is by far the easiest. How you approach this depends on your OS. If you are setting up your own server(s), I’m sure you are familiar with the fundamentals of configuring your network settings. This is PowerUserGuides.com, after all. We’re smart! We know things!
If, for some reason, you prefer to set up the DNS servers manually (e.g. you are using them as forwarders in the Windows DNS service), then you can find their DNS server IP addresses in their documentation.
Configuring your Hetzner Firewall
The other step is configuring the Hetzner Firewall, which you can find in the Robot panel (https://robot.your-server.de).
If this firewall is disabled, you will not experience any problems with your outgoing internet connection. However, that also means your server is completely exposed on the internet. This might be a valid option for those who prefer to set up their firewall on the server itself, but in our experience it’s better to properly configure this firewall.
If your firewall is enabled, make sure to allow incoming traffic on the ports that you need for your server first. Your needs might vary depending on the type of server you are trying to set up.
Now comes the part that confused me for a long time. Hetzner states that their firewall only monitors incoming traffic. Doesn’t that mean that you don’t need a rule for outgoing traffic?
Yes, but also no. While you can’t set up a rule for outgoing traffic, you will need to add a rule for incoming traffic that covers the responses to requests coming from your server. Turns out, the Hetzner Firewall will also block this traffic unless you specifically allow it.
That means that, in order to fix our internet connection, we will need to add a rule to our firewall. In case you forgot how to get there on your Hetzner server, here are the steps:
- Login to https://robot.your-server.de
- Go to the “Servers” section
- Click on the server you want to work on
- Go to the “Firewall” tab
- Add a new rule
The new rule should look as follows (we’ve borrowed the name from a Hetzner template):
- Name: tcp established
- Source IP: (Leave blank)
- Destination IP: (Leave blank)
- Source port: (Leave blank)
- Destination Port: 32769-65535
- Protocol: TCP
- TCP Flags: ack
- Action: Accept
Don’t forget to save your new rule!
TIP: Haven’t set up any firewall rules yet? In that case, you can add the above rule by choosing and applying “SSH” in “Firewall Template”, which you will find above the rules. You can delete the other rules and configure your own.
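To see why replies need their own incoming rule, here is a small model of a stateless packet filter evaluating the rule above (an added example, not Hetzner's code and not part of the original article). The first-match logic, the discard default, the "every listed flag must be set" matching and the `ssh` comparison rule are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    dst_ports: range                  # destination ports on the server
    flags: frozenset = frozenset()    # TCP flags that must be set; empty = any
    action: str = "accept"

# The rule from the article (destination port 32769-65535, TCP, flag ack).
TCP_ESTABLISHED = Rule("tcp established", "tcp", range(32769, 65536),
                       frozenset({"ack"}))
# Constructed example of an ordinary incoming rule, for comparison.
SSH = Rule("ssh", "tcp", range(22, 23))

def verdict(rules, proto, dst_port, flags=(), default="discard"):
    """Stateless first-match evaluation of one incoming packet.

    Assumption: packets that match no rule are discarded."""
    pkt_flags = frozenset(flags)
    for rule in rules:
        if (rule.proto == proto and dst_port in rule.dst_ports
                and rule.flags <= pkt_flags):
            return rule.action
    return default

if __name__ == "__main__":
    # Constructed packets: (description, destination port, TCP flags)
    packets = [
        ("SYN-ACK reply to our outgoing connection", 45000, {"syn", "ack"}),
        ("data reply on that connection", 45000, {"ack", "psh"}),
        ("unsolicited SYN to a high port", 45000, {"syn"}),
        ("reply to a connection we opened from port 32768", 32768, {"ack"}),
        ("new SSH connection", 22, {"syn"}),
    ]
    for label, ruleset in (("SSH only", [SSH]),
                           ("SSH + tcp established", [SSH, TCP_ESTABLISHED])):
        print(label)
        for desc, port, flags in packets:
            print(f"  {verdict(ruleset, 'tcp', port, flags):8} {desc}")
```

Note the port 32768 case: Linux's default ephemeral range (`net.ipv4.ip_local_port_range`) is 32768-60999, so an outgoing connection that happens to use source port 32768 falls just outside the rule's range.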
If you make these two changes, your internet connection on your Hetzner root server will likely be fixed.