
[Bug]: Cannot get host network mode to work

Open tiguchi opened this issue 2 years ago • 5 comments

What happened?

My use case is a business VPN that gives access to several internal services (e.g. ticket planning, CI server etc.). Everything works OK so far, except for external client IP address forwarding. The company intranet services see all incoming requests come from the netmaker server's internal IP address, instead of the actual client IP addresses. This poses a bit of a problem with auditing user actions. At the moment it appears as if all requests came from the same client.

I updated the netmaker node's PostUp and PostDown settings in order to remove the iptables masquerade configuration (as suggested by @afeiszli on Discord). Unfortunately that does not resolve the problem.

The underlying problem appears to be a limitation in Docker's networking implementation. A very similar problem is outlined in the following Issue: https://github.com/Place1/wg-access-server/issues/26

Quote:

By default docker places containers (including wg-access-server) in its own network like 172.28.0.0/16 and then uses NAT and masquerading to route the traffic into the internal network.

The workaround would be to switch the container to network_mode: "host", since that would utilize wireguard on the host system, and update the iptables rules directly on the host.

Unfortunately I cannot make those configuration changes work right. It seems with version 0.14.5 a bunch of Docker compose templates were removed from the compose directory of this project. I tried to apply whatever made sense from the now deleted template file compose/docker-compose.hostnetwork.yml.

It only works partially:

  1. wireguard sets up the network on the host machine
  2. I see registered peers in sudo wg output, so I guess the netmaker (core) container is running and working
  3. The dashboard still loads but cannot load any data. Everything appears empty
  4. The nodes of the network cannot see each other

The issue I linked to above also mentions a problem with traefik, which also seems to be in use by netmaker. Traefik does not work in host network mode by default, and needs to be adjusted so it can proxy requests between Docker containers.

Those adjustment tweaks and "host mode" configuration steps are currently missing in the Netmaker documentation. I believe the missing piece is getting the traefik configuration right. Unfortunately that is a bit over my head at the moment, and some help and clarification would be greatly appreciated.

Version

v0.14.5

What OS are you using?

Linux

Relevant log output

No response

Contributing guidelines

  • [X] Yes, I did.

tiguchi avatar Jul 12 '22 01:07 tiguchi
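The masquerade behaviour described in this report can be checked on the host rather than inferred from the intranet logs. The script below is an added example, not netmaker's own code: it parses iptables-save style text and lists the nat POSTROUTING rules whose MASQUERADE or SNAT target rewrites the source address of packets from the VPN range, which is exactly what makes every request appear to come from the server. The sample table, the interface names and the 203.0.113.10 address are constructed; feed it the real output of `iptables-save -t nat` to check a deployment.

```python
"""Find nat-table rules that rewrite the source address of VPN client traffic.

Added example, not netmaker code. The constructed sample stands in for real
`iptables-save -t nat` output; interface names and 203.0.113.10 are made up.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: one Docker bridge rule plus two rules covering the
# 10.2.0.0/16 VPN range, as a WireGuard PostUp line might leave behind.
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A POSTROUTING -s 172.28.0.0/16 ! -o br-netmaker -j MASQUERADE
-A POSTROUTING -s 10.2.0.0/16 -o eth1 -j MASQUERADE
-A POSTROUTING -s 10.2.0.0/16 -o eth0 -j SNAT --to-source 203.0.113.10
-A DOCKER -i br-netmaker -j RETURN
COMMIT
"""

RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<body>.*) -j (?P<target>\S+)")


@dataclass(frozen=True)
class NatRule:
    chain: str
    source: Optional[str]     # value of -s, or None when the rule matches any source
    out_iface: Optional[str]  # value of -o, prefixed with "!" when negated
    target: str               # jump target, e.g. MASQUERADE, SNAT, RETURN


def parse_nat_rules(text: str) -> List[NatRule]:
    """Parse the -A lines of an iptables-save dump into NatRule records."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # table header, chain policies and COMMIT carry no rules
        body = m.group("body")
        src = re.search(r"(?<!! )-s (\S+)", body)  # skip negated "! -s" matches
        out = re.search(r"(! )?-o (\S+)", body)
        iface = None
        if out:
            iface = ("!" if out.group(1) else "") + out.group(2)
        rules.append(NatRule(
            chain=m.group("chain"),
            source=src.group(1) if src else None,
            out_iface=iface,
            target=m.group("target"),
        ))
    return rules


def source_rewriting_rules(rules: List[NatRule], vpn_cidr: str) -> List[NatRule]:
    """Return POSTROUTING rules that rewrite the source of packets from vpn_cidr.

    A rule without -s matches every source, so it is reported as well. Rules
    whose -s range does not overlap the VPN range cannot touch VPN clients and
    are skipped (the Docker bridge rule in the sample, for instance).
    """
    vpn = ipaddress.ip_network(vpn_cidr)
    hits = []
    for rule in rules:
        if rule.chain != "POSTROUTING" or rule.target not in ("MASQUERADE", "SNAT"):
            continue
        if rule.source is None or ipaddress.ip_network(rule.source, strict=False).overlaps(vpn):
            hits.append(rule)
    return hits


def describe(rules: List[NatRule]) -> List[str]:
    """One human-readable line per offending rule."""
    return [f"{r.target} for {r.source or 'any source'} out {r.out_iface or 'any interface'}"
            for r in rules]


if __name__ == "__main__":
    offenders = source_rewriting_rules(parse_nat_rules(SAMPLE_NAT_TABLE), "10.2.0.0/16")
    for line in describe(offenders):
        print(line)
```

Run against the sample it reports the eth1 MASQUERADE and the eth0 SNAT rule and ignores the Docker bridge rule. On a real host an empty result for the VPN range means the intranet side should already see client addresses, so a remaining "everything comes from the server" symptom points at Docker's own network (the quoted wg-access-server issue) rather than at the PostUp rules.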

I would recommend instead to deploy a separate netclient to the host machine and give it a different port: "netclient join -t (token) --port=51831". Then you can use this as the egress.

afeiszli avatar Jul 12 '22 11:07 afeiszli

I would recommend instead to deploy a separate netclient to the host machine and give it a different port: "netclient join -t (token) --port=51831". Then you can use this as the egress.

Thanks for the recommendation. That's definitely a much simpler setup than before. However, I'm still running into routing issues.

I applied the following changes:

  • Removed all intranet servers from wireguard Netmaker network
  • Set Netmaker server as ingress
  • Added a new egress netclient node on the same server that gives access to the internal network range of our cloud servers (10.138.0.0/16) via eth1
  • The Netmaker network IP range is 10.2.0.0/16, so it should not overlap
  • Created new external client that has updated AllowedIps setting with egress range

I applied those changes, but I still cannot ping any of those intranet servers from my workstation. I'm getting "destination host unreachable". I can ping those servers from the netmaker server, though.

tiguchi avatar Jul 12 '22 22:07 tiguchi
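The external client setup in the comment above depends on two things being right at once: the egress range must not overlap the Netmaker network, and the client's AllowedIPs must include the egress range or traffic for 10.138.0.0/16 never enters the tunnel at all. The following is an added example, not netclient's own code, that builds the AllowedIPs list with those checks and shows which destinations a client would send through the peer. The 10.2.0.0/16 and 10.138.0.0/16 ranges are the ones from this thread; the public key and endpoint are placeholders.

```python
"""Build a WireGuard client's AllowedIPs from a Netmaker network range plus
egress ranges, refusing overlaps, and show which destinations enter the tunnel.

Added example, not netclient code. Ranges are the ones from this thread; the
key, endpoint and port used when rendering are placeholders.
"""
import ipaddress
from typing import Iterable, List


def build_allowed_ips(network_cidr: str, egress_ranges: Iterable[str]) -> List[str]:
    """Return AllowedIPs entries: the VPN network first, then each egress range.

    Raises ValueError when an egress range overlaps the VPN network or another
    egress range, since overlapping AllowedIPs make the routing ambiguous.
    """
    accepted = [ipaddress.ip_network(network_cidr)]
    for cidr in egress_ranges:
        candidate = ipaddress.ip_network(cidr)
        for existing in accepted:
            if candidate.overlaps(existing):
                raise ValueError(f"{candidate} overlaps {existing}")
        accepted.append(candidate)
    return [str(n) for n in accepted]


def route_via_tunnel(destination: str, allowed_ips: Iterable[str]) -> bool:
    """True when WireGuard would hand traffic for `destination` to this peer.

    wg-quick installs a route for every AllowedIPs entry, so a destination
    outside all of them is routed normally and never reaches the egress node,
    whatever that node advertises on the server side.
    """
    addr = ipaddress.ip_address(destination)
    return any(addr in ipaddress.ip_network(cidr) for cidr in allowed_ips)


def render_peer_section(public_key: str, endpoint: str, allowed_ips: Iterable[str]) -> str:
    """Render the [Peer] block of a wg-quick client config for the server peer."""
    return "\n".join([
        "[Peer]",
        f"PublicKey = {public_key}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(allowed_ips)}",
        "PersistentKeepalive = 25",
    ])


if __name__ == "__main__":
    # Placeholder key and endpoint; replace with the values from the dashboard.
    allowed = build_allowed_ips("10.2.0.0/16", ["10.138.0.0/16"])
    print(render_peer_section("<server public key placeholder>", "vpn.example.com:51821", allowed))
    for dest in ("10.138.0.5", "10.2.0.1", "192.0.2.7"):
        print(dest, "-> tunnel" if route_via_tunnel(dest, allowed) else "-> local routing")
```

The AllowedIPs list only decides what the client pushes into the tunnel; whether the egress node then forwards it to eth1 is a separate question on the server side, which is why a client config can be correct and a ping can still fail.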

One more update. The problem still persists, but I found a workaround using the dashboard, which seems to be hinting at a bug in Netmaker.

When I edit the egress node and set "Allowed IPs" to 10.138.0.0/16, reconnect my workstation (external client), and try to ping then I do not get the "unreachable host" error. It just times out.

When I remove the "Allowed IPs" setting again, save, reconnect my workstation and try to ping again, then it works. I can even SSH into the server on the private network.

tiguchi avatar Jul 13 '22 00:07 tiguchi

I had a similar issue and was wondering whether deploying an additional netclient was a plausible solution. I'll try that.

On a side note, the existence of the docker-compose.hostnetwork.yml file is mentioned in the last version's documentation, but the file no longer exists (right?). If that is no longer supported / recommended, then it might be good to remove that from there. The documentation is outstanding, but I stumbled upon that specific inconsistency and was thrown off, just my luck haha.

alexbarcelo avatar Aug 13 '22 07:08 alexbarcelo