Details
-
Type: extRequest
-
Status: Closed
-
Priority: Major
-
Resolution: Done
-
Fix Version/s: 2021
-
Component/s: FIWARE-LAB-HELP
-
Labels:None
-
Sender Email:
-
HD-Node:Spain
Description
Hello Fiware Lab help.
We are setting up a VPN between our resources in Trento node and Spain node
using OpenVPN.
We have a OpenVPN server running on Spain node and a OpenVPN client on
Trento node connected to Spain server.
Everything works fine between client and server: they can ping each other
through VPN tunnel (interface TUN0).
When we want to ping machines between the two subnets the packets are
dropped as they leave the client/server connected through TUN0.
We have set up static routes consistent to the VPN:
Spain LAN --> Trento Lan use the OpenVPN Server on Spain lan as a gateway
Trento Lan --> Spain Lan use the OpenVPN Client on Trento lan as a gateway.
It seems that there is a firewall rule on nodes that blocks trafic coming
from a different private network than the one set up in the node itself. So
when we ping a machine on Spain from Trento LAN. the ping reaches the
SpainOPENVPN server and drops immediately after, probably because SPAIN
node firewall it sees trafic coming from our Trento LAN which has a
different network addres than our Spain LAN.
The same if we do the contrary.
A strong evidence that a node firewall rule could be the cause is found if
we use IP Masquerading on SpainOPENVPN Server on trafic coming from Trento
Lan, faking as if they come from SpainOPENVPN Server.
With masquerading they aren't dropped anymore on Spain, but they get lost
on the way back, when Trento see answers coming from Spain node, dropping
as they leave the Trento OPENVPN client.
Double masquerading (Spain and Trento OPENVPN tunnel endopints) isn't a
solution, cause it violates the Same Origin Policy and consequently the
answering packets are dropped cause they are seen as if they come from a
Man In The Middle (TRENTO01 ping request --> SPAIN Server Masquerading -->
SPAIN01 ping reply ---> SPAIN Server UNMasquerading – > Trento Client
MASQUERADING --> SOP policy on TRENTO01 --> drop.)
We are clueless.
Can you give us some insights to elaborate a workaround? Is it possible to
accept packets from a different private network on a node?
My FWLa account is:
luca.silvestri@ecogriddy.com <luca.silvestri@ecogriddy.com>
Many thanks,
–
Luca Silvestri - Founder & CEO @ Ecogriddy
_______________________________________________
Fiware-lab-help mailing list
Fiware-lab-help@lists.fi-ware.org
https://lists.fi-ware.org/listinfo/fiware-lab-help
[Created via e-mail received from: Luca Silvestri - Ecogriddy <luca.silvestri@ecogriddy.com>]
Dear Luca
We forwarded your issue to Trento & Spain node helpdesk teams in order to
provide help.
Kind regards
IWAVE team, on behalf of helpdesk team
_______________________________________________
Fiware-lab-help mailing list
Fiware-lab-help@lists.fi-ware.org
https://lists.fi-ware.org/listinfo/fiware-lab-help