Starting at https://discord.com/channels/825071750...
# netmaker
b
what were you doing at the time? can you paste logs?
m
Didn't realize it was here
Sorry
b
np
can you paste the output of wg show (remove private/public keys) or just
wg show all listen-port
and can you paste the output of netclient pull -vvv -n
journalctl -u netclient
m
Just a lot of checkins and a few peer updates. On startup I see a few iptables bad rule errors due to a rule missing, I assume it is because of the missing wg interfaces
Yep, it matches that interface
had a few timeouts but I assume it was during the time of a restart or a docker reload
b
how many networks on this node?
how many are working?
m
5
4
b
and you did the pull on the one that was not working?
m
yes
Hmm.... I see a note in here about a local port change
let me see what it is supposed to be
b
run journalctl -fu netclient in one terminal and run the pull command in another terminal ..... are there any errors in the journalctl output
m
Just one of these
b
I think you need to leave and rejoin that network
m
Looks like from the down interface
I am having the same issue on another network
on another node
I've manually started interfaces using wg-quick and I get address in use error
b
you should not manually start interfaces
m
I know, but this is for testing
netclient shows the same thing
b
where .... you have not shown me a log with the error from netclient yet... only the wg-quick command
m
The information I showed you was from netclient
b
the error is from wg-quick
m
but the output was from netclient
b
no, the output was from wg-quick
m
the output was from the execution of netclient
just netclient pull
all networks
b
i need more of the logs to know what was happening at the time and what listen ports are already in use and the network cidr of all wireguard networks
m
Okay, let's see..
Without dumping pages worth of content, netclient flags either one of these interfaces depending on when it comes up and manually does the same thing...
I'll pull the current configs.. sec..
That one will start by itself
This one will start by itself as well
However, if one is up, the other will show address in use
Sorry for the formatting, I'm viewing it through a web vnc
b
Will have to get back to you, busy with something
m
Okay, no worries. I need to get ready for work myself. I have to run for about 2 hours and I'll be back after 11:30 Pacific
b
Can you provide the network range and listen ports for all of your networks. i.e. net1 10.10.10.0/24 port 51820
m
Okay, it varies a little bit for each node as not all networks are on each node and I simply went with the next port in the range, so ports between all peers don't match.
However, I can give you this specific one for now.
b
Just want info for one node
m
It's in the screenshot 10.0.10.0/24 port 51823 and 10.0.15.0/24 port 51822
b
But you said 5 networks
m
Yes, but the rest work without issue. These two seem to conflict somehow
b
All the info is required
m
okay
Okay, that's the 4 on this node
gtg for now, be back at 11:30 PDT
Back
Actually, been here a while, was on the phone
b
np
m
See anything that screams "I'm Broken!"?
b
what I would like you to do is run systemctl stop netclient
m
Okay, I did that when I was testing the nodes manually using wg-quick
b
and then run ip link del for each wireguard interface
m
i was doing wg-quick down /etc/netclient/config/interface.config
b
and then run systemctl start netclient and show the output of journalctl -fu netclient
that works too
before you start netclient could you also paste the output of
ip a
m
okay
gimme a few minutes, I have a resource leak on this desktop somewhere. I need to clean up the registry real quick and reboot anyways, so I'll kill two birds with one stone.
b
k
m
Okay, got everything ready. I'm just dumping a txt log, sec..
I'll be around, just drop a message whenever you get a moment to look it over. No rush, if nothing else, I'll wipe the whole thing out and start over, it won't be the first time and it won't be the last.....lol
b
pretty sure there is a bug that is causing your issue ... should have a bugfix in next couple of days.
m
The port issue?
b
fix is being tested by QA right now
m
Cool, have another issue. I tried to reduce the subnet size for the networks from /24 to /28 and I get an error when trying to edit them from the dashboard.
b
hmmm. I will have to look at the code and get back to you
m
I'll look into the logs as well, but I need to trim the fat a bit. I have another node that's still running a netclient version that is a few releases old
It just never connected so I haven't been able to log in to it and update it. I think it was a certificate problem back when I exhausted letsencrypt's threshold.
b
cannot duplicate
m
Okay, I just updated everything. I have to jump on a call for now, but I'll be back in a bit to revisit it
I see a new update in docker
any changes to netclient?
b
yes, hotfix which should fix your issue
m
Okay, apt-get update didn't show any new versions
b
should be there 0.14.5-1
m
nevermind, just found it
b
ok, you had me concerned there for a sec
m
yay! seems to be working better now, I haven't tested each network between each node yet, but it seems all of the nodes are working at least, and what wasn't working before is now.
I updated docker and updated netclient and performed a netclient pull and everything came up after a few seconds.
I also updated traefik and mq
no issues there
traefik is now running 2.8 and mq is 2.0.14-openssl
still having issues reconfiguring subnets
dumping logs to a txt file now
b
the only time i have seen an error in the UI when updating the netmask of a network is when there are more nodes in the network than the netmask supports
m
I just created a new network and attempted to resize it and it worked fine
b
i have a network with 2 nodes ---- netmaker server and one other node and I can change the netmask to a /30
m
I have a network at /24 and 5 nodes and I tried to change it to /27 and got an error
Even trying to change it to /24 gives an error
b
what is network name .... if it was created awhile ago and has CAPS or a . (period) ... that could be the issue
m
Admin-VPN
b
you probably can't change anything with that network name
and there is no way to change the network name unless you directly modify the database
m
I see I just tried creating Test-VPN and got a validation error
b
we missed putting in a migration when we added the restrictions on network names
m
All of my networks are formatted the same way 😦
b
sorry bout that
uppercase names cause problems with dns
m
Hmm.... I have DNS disabled and I am managing it using PiHole
b
you can keep using them as is --- especially if you are not using DNS, but you will not be able to make any changes to the network
m
Can I rename them and make them compliant and then start working?
b
there is no way to rename them except by manually changing them in the database
m
if I do that, then will it break anything else?
netclient interface names, etc..?
b
actually, I am not sure
m
if altering the database will update everything across the deployment then I am fine with that, but I don't want to alter it and turn it into a dumpster fire as a result.
I'll have to update my firewall rules, but that's not the end of the world.
b
i have never tried it
uncharted territory
m
Second thought, can I simply reset the subnet via the database?
b
yes, but not sure what the side effects will be
if you change the subnet in the UI all the nodes get new IPs --- not sure how that would work with changing the database directly
m
Hmm....
I suppose I could just leave it as is..
I know that this isn't a critical flaw, but it does provide a higher level of security than current. I've used this feature from day one in my manual deployments, what is the overall consensus on this topic? Is it something being considered? https://github.com/gravitl/netmaker/issues/1231
b
doubt it will happen any time soon; my personal opinion only .... pre-shared keys are protection against potential quantum computer brute force attacks on recorded traffic. given there are no quantum computers available yet and even if they were, the threat vector is still only hypothetical
m
Okay, just figured it would be somewhat simple to implement and a lot of people use it already, it would be popular. Seems it could be handled the same way that the public key exchange is now.
b
it is more complicated than you think... a preshared key should only be used with two nodes. so you are going to have a huge number of keys to manage
that's probably not how most people use preshared keys (they probably just use the same preshared key for an entire network) but that is not the way they are supposed to be used
m
No, I agree. It is a p2p relationship
However, a simplified option would be the latter
However some people are already being critical over the existing private key generation for ext clients.
So......
Anyways, thanks for the help. Everything seems to be running smoothly now. There is peace in the world again, my parent's DNS is working and my mom stopped calling me every hour asking when the internet will be back up.....lol
Would be awesome if Pi-Hole and netmaker could be integrated
b
I have never experimented with Pi-Hole so I don't really have an opinion
m
I think what makes pihole most appealing is its blocklists, I have 34 million hosts blocked using it.
It's also very light on resources.
has a fully functional console with theming and more, based off of AdminLTE
I think that would be nice for the dashboard if it were ever to be changed.