Help with VPN access to PVE: SOLVED

jmanko16
Jun 29, 2024
I have a new UniFi router, and I set up a WireGuard server on it, which assigned the IP range 192.168.9.0/24. My Proxmox PVE host is on 10.5.1.10. When I connect to my VPN I can't access my Proxmox host. I have no issues accessing all other IP addresses in the 10.5.1.0/24 range (including VMs and LXCs running on my PVE host); I just can't access the PVE interface. I only have one NIC, and just one vmbr0 currently. I do not think this is a router issue, since I have no issues pinging everything else on the same subnet; it just seems that the Proxmox host may want my IP to come from the same subnet? This isn't an option, unfortunately, with the UniFi VPN servers.

I have been trying to figure out how to get access, which I thought might require editing /etc/network/interfaces? I appreciate any help. Thanks.
 
Hi,

You could try tcpdump -i vmbr0 host 192.168.9.X (replace X with your VPN client IP) and ping your host (10.5.1.10) from your VPN client to see if any traffic shows up. If packets arrive but no replies are sent back, it could be a host-side filtering issue (as is common with asymmetric routing). You can also try ip route get X.Y.Z.V on the host and on the client to see if you can spot anything.

A quick fix for this could be to try setting the rp_filter to loose mode:

Code:
sudo sysctl -w net.ipv4.conf.all.rp_filter=2
sudo sysctl -w net.ipv4.conf.vmbr0.rp_filter=2

if you want to make it permanent, edit /etc/sysctl.conf to contain:


Code:
net.ipv4.conf.all.rp_filter=2
net.ipv4.conf.vmbr0.rp_filter=2

If all of this does not fix your issue, it could also be firewall related.
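
The steps in the reply above, collected into one script as an added example (not from the original thread). It assumes it runs as root on the PVE host, that the bridge is vmbr0 and that a VPN client IP such as 192.168.9.2 is passed as the first argument; the client IP and bridge name are taken from the thread, everything else is an assumption. It also encodes a detail the reply leaves out: the kernel applies the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter to an interface, so setting only one of the two does not always give the mode you expect.

```sh
#!/bin/sh
# Added diagnostic helper for a PVE host that is unreachable from a VPN subnet.
# Not from the original thread. Assumes root on the PVE host (tcpdump, sysctl,
# pve-firewall); client IP and bridge name are taken from the thread.
set -eu

# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter) for an
# interface: all=1 with vmbr0=2 is loose, but all=1 with vmbr0=0 is still strict.
rp_effective() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

rp_name() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown($1)" ;;
    esac
}

# Succeeds when "ip route get <ip>" output sends replies out the given interface,
# i.e. the return path to the VPN client matches the interface packets arrive on.
route_uses_iface() {
    # $1 = output of "ip route get <ip>", $2 = interface name
    printf '%s\n' "$1" | grep -q " dev $2 "
}

check_host() {
    client="$1"; iface="$2"
    route="$(ip route get "$client")"
    echo "route to $client: $route"
    if route_uses_iface "$route" "$iface"; then
        echo "replies to $client leave via $iface (same path as arrival)"
    else
        echo "replies to $client leave via another interface: fix routing before touching rp_filter"
    fi
    all="$(sysctl -n net.ipv4.conf.all.rp_filter)"
    dev="$(sysctl -n "net.ipv4.conf.$iface.rp_filter")"
    echo "rp_filter effective on $iface: $(rp_name "$(rp_effective "$all" "$dev")") (all=$all, $iface=$dev)"
    echo "pve-firewall: $(pve-firewall status)"
    echo "capturing 4 ICMP packets to/from $client on $iface (ping the host from the client now):"
    timeout 15 tcpdump -ni "$iface" -c 4 "icmp and host $client" || true
}

# Only touch the live host when invoked with arguments, e.g.:
#   sh pve-vpn-diag.sh 192.168.9.2 vmbr0
if [ "$#" -gt 0 ]; then
    check_host "$1" "${2:-vmbr0}"
fi
```

If the capture shows echo requests arriving on vmbr0 with no replies while the route check says replies would leave via vmbr0, the host itself is dropping the traffic (firewall or rp_filter), not the router.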
 
I did "tcp dump -I vmbr0 host 192.168.9.x" and got back:

Code:
tcpdump: vmbr0: You don't have permission to capture on that device
((cannot open BPF device) /dev/bpf0: Permission denied)

This is all above my knowledge base, but obviously I don't have access. I can ping all other devices on the 10.5.1.0 subnet, so I don't think this is a router/firewall issue. From some research it seems like Proxmox wants the VPN server to be on the same subnet (and the UniFi Cloud Gateway puts the VPN server on the subnet that you defined, i.e. in this case 192.168.9.1 presumably).

What does ip route x.y.z.v mean?
And should I try the loose mode? Or does my error mean there is something else I need to do?

I can access the Proxmox host fine when I install a new WireGuard server on my Proxmox as an LXC. I am just trying to migrate away from this to have all my VPN devices together in UniFi, as it's so easy to manage and add family members.

TIA
 
Only if you have enabled the Proxmox-side firewall; then you need to add rules for incoming traffic from another subnet.
I have not turned on the firewall on Proxmox. I only questioned it because I saw a post from someone else with a UniFi WireGuard server who couldn't reach the Proxmox host.

I did change the network file to change the IP address when I got the UniFi Cloud Gateway Fiber, since it is a new subnet. Would there be settings to check in the network config to clarify this?
 
You really want to fix routing instead of disabling spoof protection.
Could you help me out with this? I think this is a bit over my head.
With regards to routing, my VPN subnet is accessible to everything on my Proxmox subnet, so my inter-subnet routing seems to be working fine on the router side.
I can't ping the Proxmox host only from the VPN subnet; I can from the local subnet. What else should I be looking for on the routing? Is there something on the Proxmox host I should be adjusting? I did change my Proxmox IP, so I am wondering whether, when I made that change, I didn't correctly change everything (I also don't know where all to look).
 
Does PVE have the UniFi router as its gateway?
good question. What would be the way to confirm this?

My /etc/network/interfaces shows the gateway as 10.5.1.1, which is the gateway from UniFi for this subnet. Is there somewhere else I would need to change it?
 
Posting the WireGuard configs (without keys) will help.
[Interface]
PrivateKey = #####
Address = 192.168.9.2/32
DNS = 192.168.9.1

[Peer]
PublicKey = #####
AllowedIPs = 192.168.9.1/32,192.168.9.2/32,0.0.0.0/0
Endpoint = my public ip:port
 
Can you at least ping your PVE host (10.5.1.10) ?

Phil
No. I can't ping the Proxmox PVE host, but I can ping my VMs and LXCs on the host, as well as all other devices on the host. I have a router rule to allow all traffic between the VPN and PVE host subnets, so that doesn't seem to be the issue. But I'm not sure why I can't ping it.

My Proxmox host, from the shell, is able to ping my device on the VPN as well.

I thought possibly my gateway was an issue, as it was set to 1.1.1.1, so I changed it to my 10.5.1.1, and no change.
 
Here's a typical client config for a split tunnel (target network 10.10.10.0/24):

Code:
[Interface]
PrivateKey =
Address = 172.30.200.10/32
DNS = 10.10.10.10, 10.10.10.11   # the target network's DNS servers in this example

[Peer]
PublicKey =
AllowedIPs = 172.30.200.0/24, 10.10.10.0/24   # only VPN and target subnets are routed through the tunnel
Endpoint = PublicIp:51194

Phil
 
In a not surprising turn of events, I went back to check and apparently my firewall was on. I don't remember ever enabling it on the host, but nonetheless it somehow was turned on (I did update to 9.0 recently). Of course it's all now working.

Dumb move on my part, but thank you all for the help.
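
An added example, not part of the thread, of the fix a practitioner would prefer to switching the Proxmox firewall off again. When the datacenter firewall is enabled, the host's default input policy drops traffic and the management ports are only accepted from the built-in `management` IPSet, which covers the local cluster network (10.5.1.0/24 here) but not the WireGuard range; that would explain why every other device on 10.5.1.0/24 answered while the host did not. The thread does not show the rules that were active, so treat that reading as an assumption. The file below keeps the firewall on and admits only the VPN range 192.168.9.0/24 (from the thread) to the web UI, SSH and ping; the IPSet name `vpn_clients` and the choice of ports are assumptions.

```ini
# /etc/pve/firewall/cluster.fw  (added example, not the poster's file)
[OPTIONS]
enable: 1

[IPSET vpn_clients] # WireGuard client range handed out by the UniFi gateway (from the thread)
192.168.9.0/24

[RULES]
# Web UI (8006), SSH (22) and ping from the VPN range only. The local
# 10.5.1.0/24 keeps its access through the built-in management IPSet.
IN ACCEPT -source +vpn_clients -p tcp -dport 8006 -log nolog
IN ACCEPT -source +vpn_clients -p tcp -dport 22 -log nolog
IN ACCEPT -source +vpn_clients -p icmp -log nolog
```

Run pve-firewall compile after editing to catch syntax errors and see the generated iptables chains, then pve-firewall status and a ping plus a browser connection to https://10.5.1.10:8006 from a VPN client. With this in place the rp_filter change suggested earlier is unnecessary, and spoof protection stays strict.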
 
Thank you! I have split- and full-tunnel profiles set up; I just uploaded one for review. But I found my dumb mistake with the Proxmox firewall! All fixed!