Windows Server 2019 - all updates applied - netmak...
# client
b
Windows Server 2019 - all updates applied - netmaker server setup on VPS and working - logged in OK and created a network - then added keys - RDP into Windows 2019 server and download and install wireguard - all fine, then download netclient as per the link on the docs and it installs - when I try and run it from the Start menu - I get a message re OpenGL - as per the attached - any ideas?
b
Windows server does not have proper GUI drivers installed. An updated version of netclient is being worked on but is not ready yet. You can still run all the netclient commands (join, leave, daemon, disconnect, connect) from the command line.
b
Aah - thanks for that - I worked it out late last night as well.
I now have 3 devices set up and connected to a wireguard network using this - set up DNS entries and they can resolve them - I have changed the windows network type for each network to private and ensured they are not being blocked by the windows firewall - however whilst I can resolve each of the hosts by name - I cannot ping any of them from each other - where would I start troubleshooting this?
b
Check if the nodes have handshakes.
b
Through the console, do you mean? They are showing as healthy in there.
I am running 16.2 on both of them - they are both Windows 2019 server.
The other is my laptop which is running Windows 10 - just removed it all - restarted and about to go through and redo it to see if I can see what is going on.
b
Do `wg show` and check that tx and rx have positive numbers.
b
I also have Zerotier on these - could that conflict in some way (different network numbers)?
b
Not sure about Zerotier interfering, but unless it does some funky routing it shouldn't.
b
Yes, they show WG is alive and traffic has gone to the Netmaker VPS - the other connection to the other peer is there - but no packets transferred.
b
Unless the peers have handshakes no traffic is flowing.
Are the peers behind NAT?
b
Yep, they are both behind OPNsense firewalls that are performing NAT.
You can see the first peer is the VPS I have with the netmaker server on it.
The 2nd peer is the one I am trying to ping - I get the same from it on its side.
So they seem to communicate through the firewall OK to get to the server - is this affected differently for the peer to peer comms though?
b
Without a handshake, pings will not work.
Do the peers have the same endpoint IP and port that the server has for them?
b
I would assume so - the server was installed as per the docs on the website and gave no issues. I then performed a stock install of WG from the WG download site, then did a netclient install as per the link on the Netmaker server - and then used the cut and paste option on the netmaker server that was presented for each of the nodes.
b
Did you do a netclient join?
b
Yep - that was the command on the netmaker server that I used the cut and paste option to bring across to each machine after the installs were done.
b
Check the ports and endpoints; UDP hole punching may not be working properly because of the type of NAT involved.
b
OK - so is the UDP hole punching different for client to server (netmaker) than it is for client to client comms? So I would just open up the UDP ports that I have allowed at each firewall?
b
Does your ISP do NAT as well? If so, then you may have double NAT.
b
I was hoping that we would not have to open more ports - but will do so now for testing.
No, the ISP does not do NAT - these are dedicated corporate fibre links and they have dedicated IP addresses (and subnets).
b
If you are going to open ports you should turn off UDP hole punching, as the listen port will continually change with hole punching.
b
We are investigating this to see if we can move away from Zerotier into your ecosystem for all of our clients who currently have a lot of Zerotier nodes out there for WFH. We are trialling this for a new offsite backup solution that we need.
I will open the ports and report back - thanks for the help and advice.
OK, so I have done the following:
1) Allowed all traffic outbound from the hosts in question through the firewall
2) Turned off NAT hole punching in the network config on netmaker
3) Put an additional firewall rule to allow inbound UDP traffic from any port to 51821 through to 51830
4) Issued a netclient pull on both the hosts in question
Still no joy on a basic response to pings.
h
I also have a mixed network of Linux and Windows servers and clients. The Windows side is definitely less straightforward. The only suggestions I can offer in addition to what you've done already are 1) make sure to add your full netmaker network range to the Windows firewall, or multiple addresses if you need more control, and 2) reboot the Windows boxes, especially the servers, preferably all of them, before checking handshakes with `wg show`, especially with port number changes. My experience is fairly anecdotal and I can't say exactly why this works or what the issue is, but eventually I have been able to get things to settle, a process that often has to be repeated with each server upgrade.
b
@handsome-lifeguard-70799 Thanks for the hints, I will schedule reboots of the servers and see if that improves it. Must say in comparison to getting Zerotier up and running the whole wireguard thing is very disappointing when it is being touted as the future of VPN. Netmaker was a pretty good install - but they seem to be working with a bit of a pig of a system with wireguard!
b
@busy-answer-6280 wireguard works almost flawlessly on most OSes, with the notable exception of Windows.
b
@bored-island-21407 Drew - can you confirm the statement above where you said UDP hole punching will open random listen ports? Worst case, what I want to do is have 4 or 5 networks defined with multiple clients on each network (or some clients on multiple networks). How can I minimize the firewall footprint for this to work?
@bored-island-21407 Yeah, and that's the big problem - there are not many larger networks that do not have Windows involved somewhere - particularly if we are talking remote access with WFH etc.
b
With UDP hole punching on, each time the wireguard interface goes down and up, a random port will be chosen as the listening port.
IMHO the best solution for Windows networks is to install a Linux machine in the network and use it as an egress gateway to the Windows machines.
b
Hmm - whilst I could do that - for this trial project we were looking at a fast offsite backup solution - I cannot see going through a gateway is going to help with that performance - but I might try and reconfigure and do a test with that.
@handsome-lifeguard-70799 I have just done some reading around and it looks like there is also an issue with WG incrementing the network numbers each time it starts up - so the adapter continually gets moved from being private to public - have you experienced this at all?
I have witnessed it myself after doing the reboot of these machines and am trying some other things (one thing I read was to put a number (such as 1) on the end of the network name to stop it happening - not sure if netmaker will be happy with that - so will have to put aside some more testing time).
h
Ah, yes, definitely seeing that on the Wireguard network in Windows. Interesting, I will explore this later in the week.
b
I was not getting anywhere using WG in Windows - it's just not ready for primetime yet, I don't think. Rolled it all out and will try the project on top of Zerotier and see what the performance is like.