
[Bug]: Overwriting wireguard configuration bypasses netmaker's egress configuration #1762

Closed
1 task done
marcbenedi opened this issue Nov 24, 2022 · 4 comments
Assignees
Labels
bug Something isn't working

Comments

@marcbenedi

marcbenedi commented Nov 24, 2022

Contact Details

marc@marcb.pro

What happened?

Summary

Modifying the external client configuration gives me access to the whole network.
It seems that it ignores the egress configuration of the netmaker node.

Configuration of the network

The egress node (netmaker-1) gives access to two nodes of the network: 192.168.1.206 and 192.168.1.151. netmaker-1 is also the ingress node of the network.

[image: screenshot of the network's egress configuration, not reproduced here]

The external client (nm-media) gets the following configuration (with line (1), not (2)).

```ini
[Interface]
Address = 10.109.93.1/32
PrivateKey = [Removed]
MTU = 1280
DNS = 192.168.1.206

[Peer]
PublicKey = [Removed]
(1) AllowedIPs = 10.109.93.0/24,192.168.1.206/32,192.168.1.151/32 -> Original configuration generated by Netmaker (same as egress configuration)
(2) AllowedIPs = 10.109.93.0/24,192.168.1.0/24 -> Manually modified configuration
Endpoint = [Removed]
PersistentKeepalive = 20
```

However, if I replace (1) with (2), the external client has access to the entire network.

Expected behaviour

The external client cannot access the entire network when (1) is replaced by (2). In other words, Netmaker's network configuration has higher priority than the external client configuration, which can be overwritten by the user.

Thank you for looking at this!

Best regards,
Marc.

Version

v0.16.0

What OS are you using?

Linux

Relevant log output

No response

Contributing guidelines

  • Yes, I did.
@marcbenedi marcbenedi added the bug Something isn't working label Nov 24, 2022
@limitlessent

I can confirm this happens as well. Any way to enforce the external client config generated by the server?

@afeiszli
Contributor

afeiszli commented Dec 5, 2022

The client is meant to have access to the whole network, so I don't think we can call this a bug. The Ingress gateway will forward any traffic from external clients to any address inside the netmaker network range.

@marcbenedi
Author

Thanks for your reply.

I see, then the egress configuration "ignores" what network gateway ranges are specified, as clients will have access to the whole network anyway?

@abhishek9686
Member

> Thanks for your reply.
>
> I see, then the egress configuration "ignores" what network gateway ranges are specified, as clients will have access to the whole network anyway?

The egress gateway doesn't ignore the CIDR that's added; if you have added only a /32 address then only that route will have an allowed NAT rule.
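The thread turns on two facts: the `AllowedIPs` line in the external client's file is under the user's control, so it cannot be relied on as an access control, and the server-side limit is whatever the gateway actually forwards and NATs for the egress ranges it was given. As an added example (not Netmaker's own code), the following script audits an external-client WireGuard file against the ranges the server intends to expose and reports any `AllowedIPs` entry that reaches beyond them. The config text is constructed from the issue with placeholder keys and endpoint, and the intended ranges are the network CIDR plus the two /32 egress ranges the reporter listed; all of these are assumptions for the demonstration.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: the external-client config from the issue with the
# manually widened AllowedIPs (variant (2)). Keys and endpoint are placeholders.
CLIENT_CONF = """\
[Interface]
Address = 10.109.93.1/32
PrivateKey = PLACEHOLDER_PRIVATE_KEY
MTU = 1280
DNS = 192.168.1.206

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 10.109.93.0/24,192.168.1.0/24
Endpoint = gateway.example.invalid:51821
PersistentKeepalive = 20
"""

# Ranges the server intends this client to reach: the network CIDR plus the
# egress ranges the gateway NATs (hypothetical, taken from the issue text).
INTENDED = ["10.109.93.0/24", "192.168.1.206/32", "192.168.1.151/32"]


def parse_wg_conf(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Minimal INI-style parser for wg-quick files.

    Returns {section_name: [ {key: value}, ... ]}; repeated [Peer]
    sections are kept as separate dicts. '#' starts a comment.
    """
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1], []).append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def allowed_ips(sections: Dict[str, List[Dict[str, str]]]) -> list:
    """Collect every AllowedIPs entry from every [Peer] as an ip_network."""
    nets = []
    for peer in sections.get("Peer", []):
        for item in peer.get("AllowedIPs", "").split(","):
            item = item.strip()
            if item:
                nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def excess_routes(client_nets: list, intended_cidrs: List[str]) -> List[str]:
    """Return client AllowedIPs entries not fully contained in any intended range.

    A client entry such as 192.168.1.0/24 is NOT a subnet of 192.168.1.206/32,
    so it is reported even though the /32 lies inside it.
    """
    intended = [ipaddress.ip_network(c) for c in intended_cidrs]
    excess = []
    for net in client_nets:
        covered = any(net.version == i.version and net.subnet_of(i) for i in intended)
        if not covered:
            excess.append(str(net))
    return excess


def audit(conf_text: str, intended_cidrs: List[str]) -> List[str]:
    """Parse a client config and report routes that exceed the intended ranges."""
    return excess_routes(allowed_ips(parse_wg_conf(conf_text)), intended_cidrs)


if __name__ == "__main__":
    for route in audit(CLIENT_CONF, INTENDED):
        print(f"client routes {route} beyond the egress ranges the server exposes")
```

The audit is a detection aid, not an enforcement mechanism: a user who edits the file can also skip running it. On the gateway side, a peer's `AllowedIPs` entry only governs which source addresses WireGuard accepts from that peer and which destinations it routes to the peer; it does not limit where the peer's forwarded packets may go, which is why the reachable set is decided by the gateway's forwarding and NAT rules, as the last reply says.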

Development

No branches or pull requests

6 participants