Cannot access Proxmox via Wireguard

Exio

Member
Mar 30, 2022
Good morning,

I have a problem which I detail here:

I have set up a point-to-point Wireguard tunnel but the only resource I cannot access from this tunnel is my Proxmox IP (192.168.1.116). The tunnel is well configured as well as its routing since I can access other resources such as HPE-iLO from the Wireguard tunnel.

I have tried to disable the Proxmox firewall with
Code:
pve-firewall stop
but it still won't let me access.

I have configured the Wireguard tunnel with OpenWRT, in case that helps.

I'm somewhat new to this so I would appreciate some help.
 
I might have a similar problem, so I describe it below:

2 sites with Proxmox VE. Site A runs a VM as Wireguard server, Site B works as the Wireguard client. It is intended that all machines from any site can be accessed from all machines of the other site.

This seems to work so far. From site B the Proxmox-GUI on site A is accessible, but NOT the other way round.

nmap from site A to VE IP on site B shows only port 22 to be open. No firewalls are active on site B (datacenter, VE).

An nginx-server on LXC site B is accessible from site A as intended.

So it seems there is something special about the VE server at site B that refuses http access via port 8006.

Anyone having an idea?
 
I have the same exact issue and setup as you have described. Did you have any luck?

My current workaround is to Remote Desktop to a VM on site B then access Site B's management UI that way. Everything else on the same management IP subnet is accessible from Site A. This is less than ideal.
 
Are you sure it's not a routing problem? Are you able to PING different IPs both ways?
In a default PVE installation, pveproxy listens on tcp/8006 on all interfaces, so that should not be the case.

To be honest, some diagram would be great here ;-)
 

Site A (York):
-Router 10.10.100.1 (OpenWRT)
-WG interface IP 10.10.120.1
-WG interface peer (for site b) allowed ips: 10.10.120.12/32, 10.10.125.0/2 0 + route allowed peers
-Proxmox Host 10.10.100.8
-Site A arbitrary machine 10.10.100.105
-vmbr0 bridged to wan
-vmbrSwitch configured with all vlans, including .100 - interfaced through openwrt

Site B (Union):
-Router 10.10.125.1 (OpenWRT)
-WG interface IP: 10.10.120.12
-WG Peer (Peer back to Site A) allowed ips: 0.0.0.0/0, ::/0 - route allowed ips
-Proxmox host 10.10.125.100
-VM on proxmox: 10.10.125.225
-vmbr0 bridged to ethernet going back to wan (Actually a TP Link Deco router - 51820 ports forwarded, UPnP disabled, SIP ALG disabled)
-vmbrYork - dumb switch attached openwrt

Static Routes (Site A - OpenWRT)
- 10.10.125.0/24 (Target) -> 10.10.125.12 (Gateway)

Static Routes (Site B - OpenWRT)
-10.10.100.0/24 (Target) -> 10.10.120.1 (Gateway)
Static Routes (Site B - TP Link)
-10.10.125.0 -> 192.168.68.58 (Openwrt Site B on tp link lan)

Routes (Site B - Proxmox Host) - I had to add a couple routes to get back to 10.10.100.1/24 subnet from proxmox host:
-10.10.100.0/24 via 10.10.125.1 dev vmbrYork
-10.10.125.0/24 via vmbrYork proto kernel scope link src 10.10.125.100
-192.168.68.0/24 dev vmbr0 proto kernel scope link src 192.168.68.222


Working:
-Site A devices can ping Site B peer IP
-Site A devices can ping Site B VM (10.10.125.225)
-Site A devices can access Site B router via 10.10.125.1
-Site B devices/VMS can access proxmox host management on 10.10.125.100 and ping it
-Site B (proxmox host and VMs) can access ALL devices back on Site A
-Site B proxmox host tcpdump -i vmbrYork SEES pings attempting to reach 10.10.125.100 as they hit openwrt, but fail to reach it itself

Not Working:
-Cannot ping 10.10.125.100 from Site A (Immediate icmp request time out)
-Cannot reach it in browser

-I've tried messing with firewall rules, but it should all be set to allow traffic here. Plus all the rest of Site A <-> Site B is working.
-Tried disabling rp filter on vmbrYork

The only thing I can think of is that the proxmox host on site b is incorrectly on the subnet? (although it works from machines on Site B)
I followed suggestions of chat bots for a little and started messing with MSS clamping and MTU, only before temporarily breaking the site-to-site VPN.

Site B /etc/network/interfaces
Code:
auto vmbr0
iface vmbr0 inet static
        address 192.168.68.222/24
        gateway 192.168.68.1
        bridge-ports enp1s0
        bridge-stp off
        bridge-fd 0

auto vmbrYork
iface vmbrYork inet static
        address 10.10.125.100/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up ip route add 10.10.100.0/24 via 10.10.125.1


Sorry to bring this post alive so much later. Thanks for any advice. I'd dump more information about the site B host, but I have to manually type the output because of how I am connected to that machine (console in a browser through an RDP through an RDP).
 
Hi,

I think this is a problem with asymmetric routing.
Please try with
Code:
tcpdump -ni any icmp and host 10.10.100.105
on ProxmoxB and run
Code:
ping 10.10.125.100
from 10.10.100.105. I may be wrong, but there should be an incoming packet on interface vmbrYork and an outgoing one on vmbr0.

The solution would be to configure source routing, something like this (from memory, so please double check it):
Code:
# create a named routing table (id 200) for replies sourced from the vmbrYork address
echo "200 custom" >> /etc/iproute2/rt_tables
# send packets sourced from that subnet to the new table (ip normalises 10.10.125.100/24 to 10.10.125.0/24)
ip rule add from 10.10.125.100/24 lookup custom
# in that table, route everything back through the Site B OpenWRT on vmbrYork
ip route add default via 10.10.125.1 dev vmbrYork table custom
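To make the asymmetric-routing hypothesis above concrete, here is an added Python model (not the thread's own code) of the kernel's rule-and-table lookup, loaded with the Site B host's routes and addresses from the posts; it shows the reply leaving on vmbr0 when the 10.10.100.0/24 route is absent from the main table, and on vmbrYork once the custom rule exists. The default gateway 192.168.68.1 on vmbr0 is taken from the posted interfaces file; rule priorities 200 and 32766 are assumptions.

```python
import ipaddress

# Constructed model of Linux policy routing (ip rule + routing tables), loaded
# with the Site B Proxmox host's addresses from this thread. Not the thread's
# own code: it only illustrates why a reply can pick the wrong bridge and how
# the "from <src> lookup custom" rule pins replies to vmbrYork.

class RouteTable:
    """Longest-prefix match over (prefix, dev, via); 'default' means 0.0.0.0/0."""
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network("0.0.0.0/0" if p == "default" else p),
                        dev, via) for p, dev, via in routes]

    def lookup(self, dst):
        dst, best = ipaddress.ip_address(dst), None
        for net, dev, via in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev, via)
        return None if best is None else {"dev": best[1], "via": best[2]}

def select_route(rules, tables, src, dst):
    """Walk rules in priority order; the first table holding a route wins.
    A rule is (priority, from-prefix or None, table). A host address with a
    mask such as 10.10.125.100/24 is normalised to its network, as ip rule does."""
    src = ipaddress.ip_address(src)
    for _, frm, table in sorted(rules, key=lambda r: r[0]):
        if frm is not None and src not in ipaddress.ip_network(frm, strict=False):
            continue
        hit = tables[table].lookup(dst)
        if hit is not None:
            return {"table": table, **hit}
    return None

# Main table as the poster listed it, plus the vmbr0 default gateway.
MAIN_ROUTES = [
    ("10.10.100.0/24", "vmbrYork", "10.10.125.1"),   # added by the post-up line
    ("10.10.125.0/24", "vmbrYork", None),
    ("192.168.68.0/24", "vmbr0", None),
    ("default", "vmbr0", "192.168.68.1"),
]
# The replier's fix: table 200 "custom" sends everything back via OpenWRT B.
CUSTOM = RouteTable([("default", "vmbrYork", "10.10.125.1")])
DEFAULT_RULES = [(32766, None, "main")]           # priority assumed (kernel default)
FIXED_RULES = [(200, "10.10.125.100/24", "custom")] + DEFAULT_RULES

def reply_egress(main_routes, rules):
    """Bridge the host uses to answer 10.10.100.105 from its vmbrYork address."""
    tables = {"main": RouteTable(main_routes), "custom": CUSTOM}
    return select_route(rules, tables, "10.10.125.100", "10.10.100.105")["dev"]
```

Dropping the first entry of MAIN_ROUTES reproduces the case where the post-up route never got installed; `ip route show` and `ip rule show` on the host are the real-world equivalents of the two tables and the rule list here.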
 

Holy Crap - I have an acceptable workaround working.

My original plan was only to Bridge Site A with Site B's proxmox network

But I just added the 192.168.68.1 to my allowed ips/static routes on Site A (this is the TP Link Router on Site B's lan)

Now I can access Site B Proxmox on its Site B Lan IP from Site A!
https://192.168.68.222:8006/#v1:0:18:4:::::::
 
Thanks for the suggestion and quick replies. All of this networking stuff is new to me in the last month.

I am not knowledgeable enough to know if I should have just done what I just did (routing to the Site B main router) from the beginning. Logically the step I just took routing to the 192 lan seems unnecessary as I already had everything else working on that 10.10.125.1/24 network - and I will still use that as my means of remote access for site B's vms

I would like to know why it wasn't working on 10.10.125.100, but I might take a break from breaking the site-to-site VPN after being at it for 8 hours. I'll circle back to these suggestions.

Mike
 
