[bug] Wireguard cannot establish iptables rules #1149
Labels
enhancement
New feature or request
Comments
berendt
added a commit
to osism/ansible-collection-services
that referenced
this issue
Sep 25, 2024
Related to osism/issues#1149 Signed-off-by: Christian Berendt <[email protected]>
berendt
added a commit
to osism/ansible-collection-services
that referenced
this issue
Sep 25, 2024
Related to osism/issues#1149 Signed-off-by: Christian Berendt <[email protected]>
berendt
added
enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
OSISM release version
8.0.0
What's the problem?
The Wireguard role provided by OSISM cannot execute the “iptables” commands defined via the PostUp and PostDown directives because “iptables” is probably not part of the node image or the bootstrap installation process (anymore?).
In my specific case, the defined rules would also not help either, because the nodes of the SCS Hardware Landscape do not know a route to the IP addresses in the Wireguard VPN and so the predefined ACCEPT rule would not be enough, because the return direction of the packets to the Wireguard server could not be identified because of non existing routes on the nodes.
My suggestion would be to use “nft” to create the rules specifically for the VPN client IP instead of “iptables” and to use a SNAT/masequerading rule instead of an ACCEPT for every destination network.
(see also)
Using NAT would have the advantage that network clients using the Wireguard server of a node would have the same access options as clients initiating a connection directly on the node.
You also do not need routes on the nodes and you can have multiple VPN gateways with the same VPN Client ip ranges.
However, this method has the disadvantage that the VPN IPs are masked and therefore network-connections are less easy to assign to a VPN user.
References to existing reports
No response
Severity
low
Urgency
low
The text was updated successfully, but these errors were encountered: