netmaker
[Bug]: External Client routing problems
What happened?
Hi, I tried experimenting with Netmaker but I had several issues, especially when trying to use it as a VPN server. I currently have two nodes (the third one is offline):
- i) the server acting as an ingress gateway,
- ii) a second node (behind CGNAT) set up as an egress gateway with 0.0.0.0/0 as the range with the public interface.
I then created multiple external clients (Android and Windows), and this configuration seemed to work on all of them (connecting and accessing the internet), except for these two problems:
1. Data not routed through egress gateway
I noted that the internet traffic of these clients was not going through the egress node, as the public IP of these clients was the IP of the ingress gateway, not the egress gateway.
2. No connection if the gateway range includes this particular subnet "32.0.0.0/3"
Then I wanted to exclude the ranges of my local network (10.0.0.0/8) from the egress gateway range so that I can have access to my LAN while still connected to the Netmaker server (still using Wireguard on my external clients). I used this tool to calculate the correct address blocks.
https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/
I obtained the following:
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1
I modified the egress gateway with that range, but then clients could not connect anymore. I initially thought that there may be a limit to the number of blocks / routes that I can enter, but after multiple attempts, I noted that the problem came only from the block "32.0.0.0/3", as these settings worked:
AllowedIPs = 0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2
and even this one which is far longer (0.0.0.0/0 excluding both 10.0.0.0/8 and 192.168.0.0/16)
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 64.0.0.0/2, 128.0.0.0/2, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3
I also confirmed that setting 32.0.0.0/3 as the only block in the egress gateway range prevents the clients from connecting.
This is what was in the WireGuard logs:
[TUN] [Netmaker] Sending handshake initiation to peer 1
[TUN] [Netmaker] Handshake for peer 1 did not complete after 5 seconds, retrying (try 2)
Version
v0.17.1
What OS are you using?
Linux, Windows, Unlisted
Relevant log output
No response
Contributing guidelines
- [X] Yes, I did.
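The AllowedIPs lists above were produced with an online calculator. As an added example (not part of this issue and not Netmaker's or WireGuard's own code), the following Python script regenerates the same "0.0.0.0/0 minus my LAN" block lists offline with the standard library's ipaddress module and checks that the result actually tiles the address space, so a list pasted into an egress range or a client config can be verified before use. The exclusion lists and the sample addresses are constructed for the example; for the two-exclusion case it emits the full complement, which includes 32.0.0.0/3 (the list in the report above omits that block by hand).

```python
import ipaddress

# Constructed inputs mirroring the issue: the whole internet except the LAN range(s).
LAN_ONLY = ["10.0.0.0/8"]
LAN_AND_RFC1918_C = ["10.0.0.0/8", "192.168.0.0/16"]


def allowed_ips_excluding(exclusions, base="0.0.0.0/0"):
    """Return the minimal, sorted list of CIDR blocks covering `base` minus
    every network in `exclusions` (the set a WireGuard AllowedIPs line needs
    to route "everything except these ranges" into the tunnel)."""
    remaining = [ipaddress.ip_network(base)]
    for excl in (ipaddress.ip_network(e) for e in exclusions):
        kept = []
        for net in remaining:
            if net.subnet_of(excl):
                continue                                    # block lies entirely inside the exclusion
            if excl.subnet_of(net):
                kept.extend(net.address_exclude(excl))      # split the block around the exclusion
            else:
                kept.append(net)                            # disjoint from the exclusion, keep as-is
        remaining = kept
    return sorted(remaining)


def to_allowed_ips(blocks):
    """Render the blocks as the comma-separated value WireGuard expects."""
    return ", ".join(str(b) for b in blocks)


def is_complete(blocks, exclusions, base="0.0.0.0/0"):
    """Sanity check: blocks plus exclusions collapse back to exactly `base`,
    and no block overlaps an excluded range (i.e. nothing leaks into the tunnel)."""
    base_net = ipaddress.ip_network(base)
    excl = [ipaddress.ip_network(e) for e in exclusions]
    collapsed = list(ipaddress.collapse_addresses(list(blocks) + excl))
    no_overlap = all(not b.overlaps(e) for b in blocks for e in excl)
    return collapsed == [base_net] and no_overlap


def is_routed(address, blocks):
    """True if traffic to `address` would be sent into the tunnel under these blocks."""
    ip = ipaddress.ip_address(address)
    return any(ip in b for b in blocks)


if __name__ == "__main__":
    for exclusions in (LAN_ONLY, LAN_AND_RFC1918_C):
        blocks = allowed_ips_excluding(exclusions)
        assert is_complete(blocks, exclusions)
        print(f"# 0.0.0.0/0 minus {exclusions}")
        print("AllowedIPs =", to_allowed_ips(blocks))
```

Running the script prints one AllowedIPs line per exclusion set; the single-exclusion line is identical to the one the calculator produced above. The is_complete check is the part worth keeping around: removing any one block from a generated list (as happened when 32.0.0.0/3 was dropped) makes it return False, which is a quick way to confirm that a range edit has left a hole in the routed space.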