netclient's People

Contributors

0xdcarns, abhishek9686, aceix, afeiszli, alphadose, dependabot[bot], gabrielseibel1, github-actions[bot], mattkasun, taladar, theguy951357, ugifarukh

netclient's Issues

[Bug]: Fatal: could not save netclient config failed to obtain lockfile

Contact Details

[email protected]

What happened?

Upgrade from 0.20.0 to 0.20.1 reports:
Fatal: could not save netclient config failed to obtain lockfile
the upgrade fails
the remove fails
the purge fails
basically it is all broken and stuck on 0.20.1

example log

apt purge netclient -f
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  netclient*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
(Reading database ... 24260 files and directories currently installed.)
Removing netclient (0.20.0-0) ...
[netclient] 2023-06-08 19:30:55 setting OS 
[netclient] 2023-06-08 19:30:55 setting version 
[netclient] 2023-06-08 19:30:55 setting netclient hostid 
[netclient] 2023-06-08 19:30:55 setting name 
[netclient] 2023-06-08 19:30:55 setting macAddress 
[netclient] 2023-06-08 19:30:55 setting wireguard keys 
[netclient] 2023-06-08 19:30:55 setting wireguard interface 
[netclient] 2023-06-08 19:30:55 setting listenport 
[netclient] 2023-06-08 19:30:55 setting proxyListenPort 
[netclient] 2023-06-08 19:30:55 setting MTU 
[netclient] 2023-06-08 19:30:55 setting traffic keys 
[netclient] Fatal: could not save netclient config failed to obtain lockfile 
dpkg: error processing package netclient (--remove):
 installed netclient package pre-removal script subprocess returned error exit status 2
dpkg: too many errors, stopping
Errors were encountered while processing:
 netclient
Processing was halted because there were too many errors.
E: Sub-process /usr/bin/dpkg returned an error code (1)

Version

v0.20.1

What OS are you using?

Linux

Relevant log output

No response

Contributing guidelines

  • Yes, I did.

Netclient v0.21.0 on Windows - False Egress Routes

The netclient does not correctly pass the external routes of the egress nodes on my network.

The problem is in the file wireguard_windows.go:

mask := net.IP(addr.Network.Mask)

slog.Info("adding route to interface", "route", fmt.Sprintf("%s -> %s", addr.IP.String(), addr.Network.String()))
cmd := fmt.Sprintf("route -p add %s MASK %v %s", addr.IP.String(), mask, addr.IP.String())
_, err := ncutils.RunCmd(cmd, false)
if err != nil {
    slog.Error("failed to apply", "egress range", addr.IP.String())
}

The command that is created above

route -p add %s MASK %v %s", addr.IP.String(), mask, addr.IP.String()

passes addr.IP.String(), which is the Windows netmaker interface address, twice.

It should be as follows:

route -p add %s MASK %v %s", addr.Network.String(), mask, addr.IP.String()

The wrong route that is produced is indeed written to the routing table of the Windows machine.
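Added example (Go, written for this page, not netclient's own code) that builds the Windows route command both ways so the difference is visible on a concrete address: with interface address 10.1.0.5 and egress range 10.1.5.0/24, the reported form routes 10.1.0.5 via itself, while the corrected form routes 10.1.5.0 via 10.1.0.5. The egressRoute struct stands in for the addr value in the snippet and is an assumption. The corrected form here uses the network address (Network.IP) as the destination together with MASK; the issue's proposed fix passes the CIDR string (Network.String()) instead. Both differ from the reported command in the same way: the destination is the egress range, not the interface address. routesEgressRange is the kind of check one would run on the string before handing it to ncutils.RunCmd.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// egressRoute stands in for the addr value the issue's snippet reads from:
// IP is the host's own address on the netmaker interface (the gateway the
// route should point at) and Network is the egress range to be routed.
// The struct is an assumption for this example, not netclient's type.
type egressRoute struct {
	IP      net.IP
	Network net.IPNet
}

// newEgressRoute builds an egressRoute from an interface address and an
// egress CIDR, e.g. ("10.1.0.5", "10.1.5.0/24").
func newEgressRoute(ifaceIP, egressCIDR string) (egressRoute, error) {
	ip := net.ParseIP(ifaceIP)
	if ip == nil {
		return egressRoute{}, fmt.Errorf("bad interface IP %q", ifaceIP)
	}
	_, network, err := net.ParseCIDR(egressCIDR)
	if err != nil {
		return egressRoute{}, err
	}
	return egressRoute{IP: ip, Network: *network}, nil
}

// reportedRouteCmd reproduces the command the issue quotes: the interface
// address is used both as destination and as gateway, so the egress range
// never appears in the route.
func reportedRouteCmd(r egressRoute) string {
	mask := net.IP(r.Network.Mask)
	return fmt.Sprintf("route -p add %s MASK %v %s", r.IP.String(), mask, r.IP.String())
}

// correctedRouteCmd routes the egress network itself via the interface
// address: destination is the network address, the prefix goes in MASK.
func correctedRouteCmd(r egressRoute) string {
	mask := net.IP(r.Network.Mask)
	return fmt.Sprintf("route -p add %s MASK %v %s", r.Network.IP.String(), mask, r.IP.String())
}

// routesEgressRange reports whether a generated command's destination is the
// egress network (rather than the host's own address) and its gateway is
// the interface address. Format: route -p add <dst> MASK <mask> <gw>.
func routesEgressRange(cmd string, r egressRoute) bool {
	f := strings.Fields(cmd)
	if len(f) != 7 || f[4] != "MASK" {
		return false
	}
	return f[3] == r.Network.IP.String() && f[6] == r.IP.String()
}

func main() {
	r, err := newEgressRoute("10.1.0.5", "10.1.5.0/24")
	if err != nil {
		panic(err)
	}
	fmt.Println("reported: ", reportedRouteCmd(r), routesEgressRange(reportedRouteCmd(r), r))
	fmt.Println("corrected:", correctedRouteCmd(r), routesEgressRange(correctedRouteCmd(r), r))
}
```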

running netclient as non-root

I want to run netclient as a normal user. If the netmaker server is compromised, the netclient should only be permitted to affect wireguard tunnels. This has several requirements:

  • For a quick start the calls to the wg command should be run through sudo. Sudo can be configured to allow the netclient user to run wg with any parameters.
  • Routes should not be allowed to be updated, since a compromised netmaker server could then redirect traffic from the clients to any network through a malicious intermediary. Assuming I'm not using Egress Gateways, netclient shouldn't need to update any routes, and "ip route" access should be disallowed. "ip addr" can be allowed (restricted to the specific subnet Netmaker controls).
  • /etc/hosts can be made group-writable by the netclient user initially, but I'd prefer an option to have all hosts changes be reviewed manually myself. A compromise of netmaker server could hijack connections to any domain by say adding the IP of a malicious server to /etc/hosts. Presenting a list of hosts copy-pastable from the Netmaker Server Web UI would work. Netmaker should invoke a user-provided callback script (command or HTTP URL) to notify of the need to change a hostname-IP mapping to allow methods other than "resolvectl" or /etc/hosts to be implemented by the user (for example integrating Netmaker management of WG networks into a configuration management system which may already manage /etc/hosts).

What else does netclient need root for?
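The three rules above amount to an allow-list that a sudo-invoked wrapper could enforce instead of granting the netclient user sudo on ip and wg directly. Added example (Go, written for this page, not netclient code): a policy type that permits wg with any arguments, refuses every ip route call, and permits ip addr add/del only for an address inside the Netmaker subnet on the WireGuard interface. The subnet 10.1.0.0/24, the interface name netmaker and the exact "ip addr add|del <cidr> dev <iface>" form it accepts are assumptions; one way to wire it up would be a sudoers entry for the wrapper binary, which then execs the real command only when allow returns true.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// policy is an assumed allow-list for a sudo-invoked wrapper. It encodes the
// three rules from the request above: wg with any arguments, no "ip route",
// "ip addr" only for addresses inside the Netmaker subnet. Not netclient code.
type policy struct {
	netmakerSubnet *net.IPNet
	wgInterface    string
}

func newPolicy(cidr, iface string) (*policy, error) {
	_, subnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	return &policy{netmakerSubnet: subnet, wgInterface: iface}, nil
}

// allow decides whether argv (program followed by its arguments) may run.
// It returns a reason so a denied call can be logged before exiting.
func (p *policy) allow(argv []string) (bool, string) {
	if len(argv) == 0 {
		return false, "empty command"
	}
	switch argv[0] {
	case "wg":
		return true, "wg permitted with any arguments"
	case "ip":
		return p.allowIP(argv[1:])
	default:
		return false, "program not in allow-list: " + argv[0]
	}
}

func (p *policy) allowIP(args []string) (bool, string) {
	if len(args) < 1 {
		return false, "ip without object"
	}
	switch args[0] {
	case "route":
		// A compromised server must not be able to steer the host's traffic.
		return false, "ip route is denied"
	case "addr", "address":
		// Only the exact form: ip addr (add|del) <cidr> dev <iface>
		if len(args) != 5 || (args[1] != "add" && args[1] != "del") || args[3] != "dev" {
			return false, "ip addr form not recognised: " + strings.Join(args, " ")
		}
		if args[4] != p.wgInterface {
			return false, "ip addr on interface other than " + p.wgInterface
		}
		ip, _, err := net.ParseCIDR(args[2])
		if err != nil {
			return false, "bad address: " + args[2]
		}
		if !p.netmakerSubnet.Contains(ip) {
			return false, fmt.Sprintf("%s outside Netmaker subnet %s", ip, p.netmakerSubnet)
		}
		return true, "ip addr within Netmaker subnet"
	default:
		return false, "ip object not permitted: " + args[0]
	}
}

func main() {
	p, err := newPolicy("10.1.0.0/24", "netmaker")
	if err != nil {
		panic(err)
	}
	// Constructed sample invocations a compromised or healthy server might trigger.
	for _, argv := range [][]string{
		{"wg", "set", "netmaker", "peer", "abc=", "allowed-ips", "10.1.0.2/32"},
		{"ip", "addr", "add", "10.1.0.7/24", "dev", "netmaker"},
		{"ip", "addr", "add", "192.168.1.7/24", "dev", "netmaker"},
		{"ip", "route", "add", "0.0.0.0/0", "dev", "netmaker"},
	} {
		ok, why := p.allow(argv)
		fmt.Printf("%-5v %s  (%s)\n", ok, strings.Join(argv, " "), why)
	}
}
```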

Missing dependencies in docker image causing netclient to conclude there is no iptables/firewall support

In #307 we found missing packages can cause netclient to conclude there is no iptables/firewall support

Initially, with versions v0.18.0/19.0, the error was triggered by the missing 'wg' binary, for which the package wireguard-tools is needed (it's used in the endpoint startup script on cleanup too).

With v0.20.0 adding the wireguard-tools package was not enough anymore. Now it seems the missing ip6tables package causes netclient to conclude there is no iptables/firewall support.

For now it seems to work with this workaround in the docker compose file

entrypoint: bash -c "apk add wireguard-tools ip6tables; /bin/bash netclient.sh"

So two requests here:

  • Add these packages in the docker image or remove the dependency if possible.
  • Make netclient more verbose about the reason it concludes there is no iptables/firewall support

32bit build vs Auto-upgrade

Please apply auto-build for 32bit netclient32.exe too!

Why?

  1. Because theoretically it would be easy to set up inside a bash here to auto-build

  2. It would not conflict with built in auto-upgrade .

    • Currently, if auto-upgrade happened, it would probably stop the Windows service,
    • install its own latest 64bit version,
    • which cannot start, because it's not for 32bit.
    • So basically it would kill itself, while locking us, the remote helpers, out of the system for good.
  3. Also non-Go programmers like us would not have to deal with this on our own.
    (I've just installed Go on my PC, tried E:\netclient-develop\go build and it has downloaded 500+ MB to my C:\...!!! drive into various hidden directories without asking me beforehand.)

I would like to donate if this problem gets resolved for good.
Thank you very much in advance!

Windows /etc/hosts DNS Aliasing Broken?

Previously, when I added a DNS entry on Netmaker, it would add it as a new hostname in the /etc/hosts file even if there was already a hostname mapped to that IP. This allowed for e.g. pairing with an Nginx reverse proxy to map various hostnames to services on the same server.

Sometime between 0.20.0 and 0.21.2, this appears to have changed. Now, adding a new DNS entry on Netmaker will replace any existing for that same IP.

brew can't uninstall 0.17.1 missing blank.sh

hey,

When I try to upgrade my packages with Homebrew it can't uninstall version 0.17.1.

$ brew uninstall netclient
==> Uninstalling Cask netclient
==> Running uninstall script /opt/homebrew/Caskroom/netclient/0.17.1/blank.sh
Error: uninstall script /opt/homebrew/Caskroom/netclient/0.17.1/blank.sh does not exist.

Version 0.18.6 crashed on Ubuntu 22.04

I am trying to install netclient on an Ubuntu 22.04 VPS; the command crashed with the following error:

root@linux:~# netclient version
[netclient] 2023-04-23 07:53:01 setting OS
[netclient] 2023-04-23 07:53:01 setting version
[netclient] 2023-04-23 07:53:01 setting netclient hostid
[netclient] 2023-04-23 07:53:01 setting name
[netclient] 2023-04-23 07:53:01 setting macAddress
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/gravitl/netclient/config.CheckConfig()
	/home/runner/work/netclient/netclient/config/config.go:472 +0x12bf
github.com/gravitl/netclient/config.InitConfig(0xc0000c8340?)
	/home/runner/work/netclient/netclient/config/config.go:423 +0x70
github.com/gravitl/netclient/cmd.initConfig()
	/home/runner/work/netclient/netclient/cmd/root.go:53 +0x4f
github.com/spf13/cobra.(*Command).preRun(...)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:970
github.com/spf13/cobra.(*Command).execute(0x10f90e0, {0x1137e00, 0x0, 0x0})
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:900 +0x563
github.com/spf13/cobra.(*Command).ExecuteC(0x10f8840)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x3bd
github.com/spf13/cobra.(*Command).Execute(...)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:992
github.com/gravitl/netclient/cmd.Execute()
	/home/runner/work/netclient/netclient/cmd/root.go:31 +0x25
main.main()
	/home/runner/work/netclient/netclient/main.go:27 +0x85

Host env and installed package version:

root@linux:~# dpkg -l | grep netclient
ii  netclient                       0.18.6-0                                               amd64        netclient daemon - a platform for modern, blazing fast wireguard virtual networks
root@linux:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.1 LTS"

Firewall blocks requests between networks

Netmaker and Netclient are v0.18.5.

I have a netmaker network 10.1.0.0/24 and two nodes: 10.1.0.1/24 (test1) and 10.1.0.2/24 (test2).
Both of the nodes are egress gateways with networks:

  • 10.1.0.1/24 (test1) is egress gw for 10.1.5.0/24 network
  • 10.1.0.2/24 (test2) is egress gw for 10.1.6.0/24 network

Netclient sets iptables rules for 10.1.0.1/24 (test1):

-A FORWARD -d 10.1.5.0/24 -i netmaker -m comment --comment NETMAKER -j netmakerfilter
-A netmakerfilter -s 10.1.0.2/32 -d 10.1.5.0/24 -j ACCEPT
-A netmakerfilter -j DROP
-A netmakerfilter -j RETURN

These rules reject all packets from the 10.1.6.0/24 network. For example, a packet from 10.1.6.10 to 10.1.5.10 is forbidden.

  1. How can I allow such packets between networks?
  2. How can I disable netclient firewall?
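To see why the packet is dropped, the posted rules can be evaluated offline. Added example (Go, written for this page, not netclient code): a minimal evaluator for the -A/-s/-d/-i/-j subset of iptables-save syntax used in the listing, walking FORWARD into netmakerfilter the way netfilter does (ACCEPT and DROP terminate, RETURN or running off the end goes back to the caller). Fed the four rules above it reports DROP for 10.1.6.10 -> 10.1.5.10, because only 10.1.0.2/32 is accepted before the unconditional DROP. The FORWARD chain policy is assumed to be ACCEPT since the post does not show it. The same evaluator confirms that an ACCEPT for 10.1.6.0/24 placed before the DROP would let the packet through; whether netclient can be made to emit such a rule is not something this page answers.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// rule holds the subset of iptables-save syntax the listing above uses.
type rule struct {
	src, dst *net.IPNet // nil means "any"
	inIface  string     // "" means "any"
	target   string
}

type packet struct {
	src, dst net.IP
	inIface  string
}

// parseRules reads "-A <chain> ..." lines into per-chain rule slices.
// Options it does not model, such as "-m comment --comment X", are skipped.
func parseRules(lines []string) (map[string][]rule, error) {
	chains := map[string][]rule{}
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 2 || f[0] != "-A" {
			continue
		}
		chain, r := f[1], rule{}
		for i := 2; i+1 < len(f); i += 2 {
			switch f[i] {
			case "-s", "-d":
				_, n, err := net.ParseCIDR(f[i+1])
				if err != nil {
					return nil, fmt.Errorf("%q: %w", line, err)
				}
				if f[i] == "-s" {
					r.src = n
				} else {
					r.dst = n
				}
			case "-i":
				r.inIface = f[i+1]
			case "-j":
				r.target = f[i+1]
			}
		}
		chains[chain] = append(chains[chain], r)
	}
	return chains, nil
}

func (r rule) matches(p packet) bool {
	return (r.src == nil || r.src.Contains(p.src)) &&
		(r.dst == nil || r.dst.Contains(p.dst)) &&
		(r.inIface == "" || r.inIface == p.inIface)
}

// verdict walks a chain: ACCEPT/DROP end evaluation, RETURN (or falling off
// the end) hands back to the caller, any other target is a user chain to
// jump into. "" means this chain reached no terminal verdict.
func verdict(chains map[string][]rule, chain string, p packet) string {
	for _, r := range chains[chain] {
		if !r.matches(p) {
			continue
		}
		switch r.target {
		case "ACCEPT", "DROP":
			return r.target
		case "RETURN":
			return ""
		default:
			if v := verdict(chains, r.target, p); v != "" {
				return v
			}
		}
	}
	return ""
}

// forwardVerdict applies the FORWARD chain and falls back to an assumed
// ACCEPT policy when no rule decides (the post does not show the policy).
func forwardVerdict(chains map[string][]rule, p packet) string {
	if v := verdict(chains, "FORWARD", p); v != "" {
		return v
	}
	return "ACCEPT (chain policy, assumed)"
}

// test1Rules are the rules exactly as posted for test1.
var test1Rules = []string{
	"-A FORWARD -d 10.1.5.0/24 -i netmaker -m comment --comment NETMAKER -j netmakerfilter",
	"-A netmakerfilter -s 10.1.0.2/32 -d 10.1.5.0/24 -j ACCEPT",
	"-A netmakerfilter -j DROP",
	"-A netmakerfilter -j RETURN",
}

func main() {
	chains, err := parseRules(test1Rules)
	if err != nil {
		panic(err)
	}
	p := packet{src: net.ParseIP("10.1.6.10"), dst: net.ParseIP("10.1.5.10"), inIface: "netmaker"}
	fmt.Println("10.1.6.10 -> 10.1.5.10 on netmaker:", forwardVerdict(chains, p))
}
```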

[BUG] Client v0.20.1 cannot update endpointip

Problem

The Endpoint IP for all clients were not automatically getting set and even trying to manually set them via UI wasn't working.


I recreated my entire AWS VPN bastion network using 0.20.1. My guess is based on the image above, there's an issue communicating with turn? I'm not familiar enough.

Workaround

Downgrade the client to 0.20.0 via install script and endpointip works great again.

Both netmaker and netmaker-ui can remain 0.20.1. So far haven't noticed any issues.

Expected Result

v0.20.1 works the same as v0.20.0 - endpointip is automatically updated and/or be manually updated via UI.

gravitl/netmaker#2378 - Original issue that I opened thinking the problem was over there.

connectivity is breaking after some time

client and server version 0.20.1 + 0.20.2 in a privileged k8s container with public ip

No connectivity at first, listen port 51800; then switching proxy off makes connectivity work. Logs:

net-k8s-development-noffice [netclient] 2023-06-20 06:17:45 [proxy.go-53] Close(): ------> Closing Proxy for  jqCTwmCLFKM64cT+lRZQN8AFehS/XyVWcTPT2KnQxxk=
net-k8s-development-noffice [netclient] 2023-06-20 06:17:45 [proxy_helper.go-46] toRemote(): error reading:  read udp 127.0.0.1:55295->127.0.0.1:51800: use of closed network connection
net-k8s-development-noffice [netclient] 2023-06-20 06:17:45 [proxy.go-53] Close(): ------> Closing Proxy for  49E1m0W1RZL1tIjdrXfHbrDfEOmFFr4uy5Fbi7sDUHg=
net-k8s-development-noffice [netclient] 2023-06-20 06:17:45 [proxy_helper.go-46] toRemote(): error reading:  read udp 127.0.0.1:40756->127.0.0.1:51800: use of closed network connection
net-k8s-development-noffice [netclient] 2023-06-20 06:17:45 [manager.go-351] processPayload(): --> processed peer update for proxy
net-k8s-development-noffice [netclient] 2023-06-20 06:17:46 [mqhandlers.go-304] handleEndpointDetection(): failed to check for endpoint on peer jqCTwmCLFKM64cT+lRZQN8AFehS/XyVWcTPT2KnQxxk= dial tcp 192.168.1.103:7547: i/o timeout
net-k8s-development-noffice [netclient] 2023-06-20 06:17:47 [mqhandlers.go-304] handleEndpointDetection(): failed to check for endpoint on peer IIKbQaL9RyKvyVjaNOtdmDeujkU6FI8mFGzX1Q0SV1w= dial tcp 10.1.0.189:51723: i/o timeout

after some seconds this log appears and connectivity is lost:

net-k8s-development-noffice [netclient] 2023-06-20 06:18:06 [mqpublish.go-240] UpdateHostSettings(): checkin with server(s)
net-k8s-development-noffice [netclient] 2023-06-20 06:18:06 [mqpublish.go-349] UpdateHostSettings(): publishing global host update for endpoint changes
net-k8s-development-noffice [netclient] 2023-06-20 06:18:06 [mqhandlers.go-119] HostPeerUpdate(): received peer update for host from:  netmaker-broker.development-noffice-alt.conceptboard.com
net-k8s-development-noffice [netclient] 2023-06-20 06:18:06 [peer.go-105] SetPeersEndpointToProxy(): Setting peers endpoints to proxy...
net-k8s-development-noffice [netclient] 2023-06-20 06:18:07 [mqhandlers.go-304] handleEndpointDetection(): failed to check for endpoint on peer 49E1m0W1RZL1tIjdrXfHbrDfEOmFFr4uy5Fbi7sDUHg= dial tcp 172.17.0.2:40700: i/o timeout
net-k8s-development-noffice [netclient] 2023-06-20 06:18:08 [manager.go-56] Start(): -------> PROXY-MANAGER: {Action:NO_PROXY InterfaceName: Server:netmaker-broker.development-noffice-alt.conceptboard.com Peers:[] PeerMap:map[49E1m0W1RZL1tIjdrXfHbrDfEO
net-k8s-development-noffice
net-k8s-development-noffice [netclient] 2023-06-20 06:18:08 [manager.go-351] processPayload(): --> processed peer update for proxy
net-k8s-development-noffice [netclient] 2023-06-20 06:18:08 [mqhandlers.go-304] handleEndpointDetection(): failed to check for endpoint on peer rsjgoBXAzsgT0lykatD268dw5giWZ1ADkZJvekrdrkU= dial tcp 10.1.0.2:51722: i/o timeout
net-k8s-development-noffice [netclient] 2023-06-20 06:18:09 [mqhandlers.go-304] handleEndpointDetection(): failed to check for endpoint on peer jqCTwmCLFKM64cT+lRZQN8AFehS/XyVWcTPT2KnQxxk= dial tcp 192.168.1.103:7547: i/o timeout
net-k8s-development-noffice [netclient] 2023-06-20 06:18:10 [mqhandlers.go-304] handleEndpointDetection(): failed to check for endpoint on peer IIKbQaL9RyKvyVjaNOtdmDeujkU6FI8mFGzX1Q0SV1w= dial tcp 10.1.0.189:51723: i/o timeout

Switching proxy back on brings connectivity back again until the "checkin with server" log appears.

join failed Post ... http: no Host in request URL

After upgrading netclient on macOS to 18.1 from 17.1 I cannot join a network anymore via the auth token process.

Note that the token is still valid, but only for test/dummy deployment of netmaker, so no harm can be done with it I think.

How does netclient decode the token? Can I debug this?

sudo netclient join -t eyJhcGljb25uc3RyaW5nIjoiYXBpLm5ldG1ha2VyLmVycGYuZGU6NDQzIiwibmV0d29yayI6InRlc3QiLCJrZXkiOiI4MDI0MDRiNDNhYTBjMTIwIn0=              
[netclient] 2023-04-03 19:01:07 join failed Post "https:///api/v1/host/register/eyJhcGljb25uc3RyaW5nIjoiYXBpLm5ldG1ha2VyLmVycGYuZGU6NDQzIiwibmV0d29yayI6InRlc3QiLCJrZXkiOiI4MDI0MDRiNDNhYTBjMTIwIn0=": http: no Host in request URL 
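The token in the post is base64 over a JSON object, so decoding it is the quickest way to answer the "how does netclient decode the token" question. Added example (Go, written for this page, not netclient's code): decodeToken tries the common base64 variants, unmarshals the JSON and lists the keys it finds, and registerURL shows how an empty server host becomes the "https:///api/v1/host/register/..." seen in the error (url.URL renders an empty Host as a third slash, and net/http then refuses the request with "http: no Host in request URL"). The tokenFields struct is written from the decoded payload of the posted token, which carries apiconnstring, network and key; nothing is claimed here about which field netclient 0.18.x reads the host from, only that whatever it reads was empty.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
)

// tokenFields lists the keys present in the posted token once decoded. The
// struct is written for this example from that payload, not taken from
// netclient; the full key set is also returned as a map so a token with a
// different layout is visible rather than silently dropped.
type tokenFields struct {
	APIConnString string `json:"apiconnstring"`
	Network       string `json:"network"`
	Key           string `json:"key"`
}

// decodeToken base64-decodes a token and parses the JSON inside. Standard
// and URL-safe alphabets, padded and unpadded, are all tried because tokens
// get copied through shells, chat clients and browsers.
func decodeToken(tok string) (tokenFields, map[string]interface{}, error) {
	var raw []byte
	var err error
	encodings := []*base64.Encoding{
		base64.StdEncoding, base64.URLEncoding, base64.RawStdEncoding, base64.RawURLEncoding,
	}
	for _, enc := range encodings {
		if raw, err = enc.DecodeString(tok); err == nil {
			break
		}
	}
	if err != nil {
		return tokenFields{}, nil, fmt.Errorf("token is not base64: %w", err)
	}
	var fields tokenFields
	if err := json.Unmarshal(raw, &fields); err != nil {
		return tokenFields{}, nil, fmt.Errorf("token payload is not JSON: %w", err)
	}
	all := map[string]interface{}{}
	_ = json.Unmarshal(raw, &all) // already known to be valid JSON
	return fields, all, nil
}

// registerURL builds the register URL for a given host. With host == "" the
// result is "https:///api/v1/host/register/<token>", the exact shape in the
// error message, which net/http rejects as having no Host.
func registerURL(host, tok string) string {
	u := url.URL{Scheme: "https", Host: host, Path: "/api/v1/host/register/" + tok}
	return u.String()
}

func main() {
	// Token as posted above (the poster describes it as belonging to a dummy deployment).
	const tok = "eyJhcGljb25uc3RyaW5nIjoiYXBpLm5ldG1ha2VyLmVycGYuZGU6NDQzIiwibmV0d29yayI6InRlc3QiLCJrZXkiOiI4MDI0MDRiNDNhYTBjMTIwIn0="
	fields, all, err := decodeToken(tok)
	if err != nil {
		panic(err)
	}
	fmt.Printf("apiconnstring=%q network=%q keys present=%d\n", fields.APIConnString, fields.Network, len(all))
	for k := range all {
		fmt.Println("key:", k)
	}
	fmt.Println("empty host:    ", registerURL("", "TOKEN"))
	fmt.Println("populated host:", registerURL(fields.APIConnString, "TOKEN"))
}
```

The payload carries no field that names a server on its own; apiconnstring is the only host-like value, which is why the result is worth comparing against whatever field the newer client expects.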

Modifying /etc/hosts causing issues

I am a NixOS user, and one of the changes NixOS makes is that /etc/hosts is symlinked from the nix store, which is read only.
The issue this causes is when using the DNS integration, since /etc/hosts can't be modified, nothing is populated into there.

I was also thinking this might cause other conflicts with other programs that might also try to modify /etc/hosts. Is there a way to work around this, or would that require integrating a different solution for dns resolution into netclient?

[Bug]: Netclient Daemon : WireGuard interfaces keep being enabled/disabled

Contact Details

No response

What happened?

In the current version of netclient it will constantly try to connect to the Broker. And if this fails it will restart the entire daemon, and as a consequence it will also disable and re-enable the WireGuard interfaces, which can cause a temporary outage.

Would it be possible to only disable/re-enable these interfaces when new changes need to be applied? Meaning:
If the daemon restarts, the WireGuard interfaces already exist and the config is correct, the daemon won't touch the WireGuard interfaces.

I would love to know if this could be implemented, this would help immensely in an environment where mqtt/WS-connections can be weird

Version

v0.16.3

What OS are you using?

Linux

Relevant log output

No response

Contributing guidelines

  • Yes, I did.

rpm scriptlet contains typo

rpm -qp --scripts netclient-0.17.0-0.x86_64.rpm
postinstall scriptlet (using /bin/sh):
systemctl preset netclient
systemctl daemon-reload
systemclt enable netclient
systemctl start netclient
preuninstall scriptlet (using /bin/sh):
if [ "$1" = 0 ]; then
    if [ -x /sbin/netclient ]; then
        /sbin/netclient uninstall
    fi
fi

the line systemclt enable netclient should read systemctl enable netclient

Unable to join network from OpenVZ on version 0.20.0

What Happened?
Trying to join a network or running a netclient command from an OpenVZ VPS yields the following error:

root@01-lim:~# sudo netclient version
[netclient] 2023-05-19 06:02:20 setting OS 
[netclient] 2023-05-19 06:02:20 setting version 
[netclient] 2023-05-19 06:02:20 setting netclient hostid 
[netclient] 2023-05-19 06:02:20 setting name 
[netclient] 2023-05-19 06:02:20 setting macAddress 
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/gravitl/netclient/config.CheckConfig()
        /home/mkasun/netclient/config/config.go:489 +0x10ff
github.com/gravitl/netclient/config.InitConfig(0xc0000d21a0?)
        /home/mkasun/netclient/config/config.go:437 +0x70
github.com/gravitl/netclient/cmd.initConfig()
        /home/mkasun/netclient/cmd/root.go:53 +0x4f
github.com/spf13/cobra.(*Command).preRun(...)
        /home/mkasun/go/pkg/mod/github.com/spf13/[email protected]/command.go:970
github.com/spf13/cobra.(*Command).execute(0x13de620, {0x141eee0, 0x0, 0x0})
        /home/mkasun/go/pkg/mod/github.com/spf13/[email protected]/command.go:900 +0x563
github.com/spf13/cobra.(*Command).ExecuteC(0x13ddd80)
        /home/mkasun/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x3bd
github.com/spf13/cobra.(*Command).Execute(...)
        /home/mkasun/go/pkg/mod/github.com/spf13/[email protected]/command.go:992
github.com/gravitl/netclient/cmd.Execute()
        /home/mkasun/netclient/cmd/root.go:31 +0x25
main.main()
        /home/mkasun/netclient/main.go:18 +0x4a

I suspect this issue is caused by the primary interface (venet0) not having a MAC Address.

root@01-lim:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/void 
    inet 127.0.0.1/32 scope host venet0
       valid_lft forever preferred_lft forever
    inet 10.X.X.X/32 brd 10.X.X.X scope global venet0:0
       valid_lft forever preferred_lft forever
    inet6 2001:X:X:X:X:X/128 scope global 
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1420 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 10.7.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fddd:X:X:X:X:X/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::X:X:X:X/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

failed to intialize firewall: firewall support not found

Testing netmaker 0.18.4, netclient version 0.18.4, on all Ubuntu hosts, most on 22.04.2 LTS with nftables active (iptables-nft). I have all these errors in the netclient docker version:

[netclient] 2023-03-30 10:16:30 Starting firewall...
[netclient] 2023-03-30 10:16:30 iptables is not supported, using nftables
[netclient] 2023-03-30 10:16:30 failed to intialize firewall: firewall support not found

and also this error:

[netclient] 2023-03-30 10:21:29 error adding route no such device

The netclient version is 0.18.4, Ubuntu 22.04.2 LTS and iptables v1.8.7 (nf_tables), nftables v1.0.2 (Lester Gooch). The errors show up only if I configure the egress option on the hosts to reach internal subnets. The routes seem to be correctly added to the rest of the allowed nodes, but I can ping only the IP of the node exposing the internal subnet. If I manually add an nft rule to masquerade the outgoing interface (like ens18) I can then ping all the internal hosts. If you need further info just let me know.

0.19 tries ip6tables even if ipv6 is disabled for the node

Hi,

0.19 tries ip6tables even when ipv6 is disabled for the node;

[netclient] 2023-05-10 15:10:57 Starting firewall...
[netclient] 2023-05-10 15:10:57 iptables is supported
[netclient] 2023-05-10 15:10:58 failed to intialize firewall: couldn't get ipv6 filter table chains, error: running [/sbin/ip6tables -t filter -S --wait]: exit status 3: modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.8 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

Not 100% sure, but I get the impression ipv4 iptables rules are therefore not set either.

Had to;

modprobe ip6table_raw ip6table_mangle ip6table_nat ip6table_filter nf_nat

on the host to get rid of the error.

Netclient keeps added routes after disconnecting

netclient v0.18.6 installed with service running and everything properly configured as far as I can see, however the Egress node routes published upon connection established do not get removed after disconnection.
This causes the machine to lose connectivity to the IP ranges published by the Egress node when the netclient is not connected.

unknown shorthand flag: 'n' in -n

After upgrading netclient on macOS to 18.1 from 17.1 I cannot join a network anymore via the basic auth process.

sudo netclient join -n test -u test-user -s api.netmaker.example.de
Error: unknown shorthand flag: 'n' in -n
Usage:
  netclient join [flags]

Flags:
  -h, --help           help for join
  -t, --token string   enrollment token for joining network

Global Flags:
  -v, --verbosity int   set logging verbosity 0-4

On Linux, allow specifying of routing table to which routes are added to allow policy routing

Currently we run into the issue that hosts connected to our VPN behind an egress gateway cannot contact any of the public IP addresses of other nodes without getting a timeout, because the request is routed publicly but the VPN node then responds via the Netmaker VPN, and of course that response arrives at the egress gateway via the wrong interface for that source address, triggering the reverse path filter in the Linux kernel.

To solve this I was experimenting with policy routing via the ip rule command, basically marking all incoming packets with fwmark values based on their interface, which are then copied to the responses via connection tracking. This part all works fine, but I then need the ability to only use the Netmaker routes if the packets contain a specific fwmark value (i.e. are responses to requests coming in via the VPN, or locally originated initial requests). ip rule only seems to allow this if the routes I want to avoid are in a separate routing table. I tried the suppress_ifgroup flag there, but that only seems to look up a route and then reject it if it has a relevant interface, not filter the table by interface as I had initially hoped.

I am sure there are other use cases for routes in a separate routing table as wg-quick also supports this via the Table= option.

0.18.7 Windows msi installer bug - desktop and menu start shortcuts to wrong file

I'm on Win10 x64 and just installed 0.18.7 from the .msi package. It created desktop and start menu icons that point to the wrong file,
netclient.exe. But in this release the file name that is installed is "netclient-windows-amd64.exe". So when I click on the icon Windows always asks to find the destination file.
I've attached screenshots.


On macOS netclient often does not call wg-quick down

I can't quite narrow it down to the exact circumstances, but with about half of our macOS users netclient does not take down the VPN interface on netclient disconnect -n <network name>

Is there any way to run netclient with more logging or details beyond the --vvvv option which doesn't show anything relevant?

Support IPv6 endpoint

I use v0.17.1 for both servers and clients and I tried to set the endpoint of node6 to a IPv6 address.

However, netclient (on another node) refused to join showing

[netclient] 2023-03-12 09:01:42 error installing:  error creating node 500 Internal Server Error {"Code":500,"Message":"address 2408:---:---:---:----:---:----:----:-----: too many colons in address"}

(The - symbol is used for privacy).

What can I do?

File based config

Is there a way to configure netclient via some configuration files? This would be useful for non-interactive environments.

Defunct project?

The Windows MSI installer is 404, the Powershell command to install tries to download a netclient.exe that is also 404.

Has this project been abandoned? Or has a decision just been made to stop supporting Windows clients?

Netclient on Windows 10 Failed to connect to network

Hi
Netclient problem

I'm using Netmaker v0.20.1
I installed netclient on windows and tried to add a network using the Enrollment Key instead I got the message Failed to Connect to Network.
I've tried installing netclient with a different version (v0.20.0) but still with the same problem.

Windows 10 Netclient joins (via relay) but cannot access remote LAN

Hi,
I have set up netclient on a Mac and a Windows PC. The Windows PC is on the same LAN as the server (main netclient). I can get LAN access to a server 6000 miles away from my Mac but not from the PC; also speed is quite slow and I'm not sure why. The Windows PC often shows a warning sign.
I have very little to go on: when my Mac just works, the PC really doesn't.

Netclient not setting routes on Windows

We use an Egress Gateway to connect to our office networks.
The netclient does not set the routes for the egress networks. The WireGuard tunnel comes up fine and the route for the VPN itself exists, but all routes for the egress networks are missing. Even when doing a netclient pull manually the routes are not set.
Also, when leaving a network the netmaker routes are not removed and stay in the persistent routes.

This worked fine until v0.20.3. Since v0.20.4 it does not work anymore. In the changelog for 0.20.4 it says
Precise Interface routes to improve multi-network functionality
So I guess this could be the source of the problem.

Version
v0.20.6

What OS are you using?
Windows 11 Pro

netclient SILENTLY LOSES additional information in /etc/hosts, eg: additional host names, comments and spacing

Problem:

netclient SILENTLY LOSES additional information in /etc/hosts, eg: additional host names, comments and spacing

Expected:

do not touch existing lines / no reconstruction. keep changes to your own section.

Impact:

potentially breaks other applications that rely on hosts file

Version

v0.17.1

Example:

127.0.1.1    host host.domain.com other.domain
127.0.1.1 node # comment

becomes:

127.0.1.1 host
127.0.1.1 node
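The expected behaviour (own a delimited section, never rewrite lines outside it) is straightforward to implement. Added example in Go (written for this page, not netclient's code): updateHosts replaces only the lines between two marker comments and copies everything else through unchanged, so the extra aliases, the comment and the spacing from the example above survive; a second run replaces the managed block rather than appending another one, and managedEntries reads the owned section back. Keeping several names per IP in one entry also covers the reverse-proxy case from the Windows DNS aliasing issue earlier on this page. The marker strings and the hostEntry type are assumptions for this example; the input in main is constructed from the two lines in the post plus a localhost line.

```go
package main

import (
	"fmt"
	"strings"
)

// Marker comments delimiting the only region this code is allowed to touch.
// The wording is an assumption for this example.
const (
	beginMarker = "# BEGIN netmaker-managed (example)"
	endMarker   = "# END netmaker-managed (example)"
)

// hostEntry is one managed mapping; Names keeps every alias for an IP so
// several hostnames can point at one address.
type hostEntry struct {
	IP    string
	Names []string
}

// updateHosts returns content with the managed section replaced by entries.
// Every line outside the markers (comments, extra aliases, spacing) is
// copied through byte-for-byte. If no section exists yet, one is appended.
func updateHosts(content string, entries []hostEntry) string {
	lines := strings.Split(content, "\n")
	var out []string
	inSection, found := false, false
	for _, line := range lines {
		switch {
		case strings.TrimSpace(line) == beginMarker:
			inSection, found = true, true
			out = append(out, renderSection(entries)...)
		case strings.TrimSpace(line) == endMarker:
			inSection = false
		case inSection:
			// previously managed lines are dropped; the section was regenerated above
		default:
			out = append(out, line)
		}
	}
	if !found {
		if len(out) > 0 && out[len(out)-1] != "" {
			out = append(out, "") // make sure the section starts on its own line
		}
		out = append(out, renderSection(entries)...)
		out = append(out, "") // terminate the file with a newline
	}
	return strings.Join(out, "\n")
}

func renderSection(entries []hostEntry) []string {
	sec := []string{beginMarker}
	for _, e := range entries {
		sec = append(sec, fmt.Sprintf("%s %s", e.IP, strings.Join(e.Names, " ")))
	}
	return append(sec, endMarker)
}

// managedEntries parses the current managed section back out, so a caller
// can diff what it owns without reading anything else.
func managedEntries(content string) []hostEntry {
	var entries []hostEntry
	in := false
	for _, line := range strings.Split(content, "\n") {
		t := strings.TrimSpace(line)
		switch {
		case t == beginMarker:
			in = true
		case t == endMarker:
			in = false
		case in && t != "" && !strings.HasPrefix(t, "#"):
			f := strings.Fields(t)
			entries = append(entries, hostEntry{IP: f[0], Names: f[1:]})
		}
	}
	return entries
}

func main() {
	// Constructed input: the two lines from the post plus a localhost line.
	original := "127.0.0.1 localhost\n127.0.1.1    host host.domain.com other.domain\n127.0.1.1 node # comment\n"
	updated := updateHosts(original, []hostEntry{{IP: "10.1.0.2", Names: []string{"test2.netmaker", "app.netmaker"}}})
	fmt.Print(updated)
	fmt.Printf("managed: %+v\n", managedEntries(updated))
}
```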

want to customize stun server

The default service address is not suitable for the local network environment. I hope to add definition parameters.

[Feature Request] Add a `--force` option to Netclient leave to let it continue if it can't connect to the Netmaker server.

This would be useful in situations where the client is no longer able to connect to the server because of Netmaker. For example, recently Netmaker assigned one of my clients an IP that also happened to be the IP that it uses for DNS (that was my fault), so it was unable to send DNS requests and connect to the server to disconnect itself from the network. I had to completely uninstall the client in order to get DNS functionality to return. If I had a --force option, to continue even if the server connection failed, I would not have had to reinstall it.

netclient v0.21.2 join network error

netclient join -n netmaker -u admin -s api.nm.138-2-8-191.nip.io

setting host fields
Continuing with user, admin.
Please input password:
[netclient] 2023-11-20 03:00:07 error connecting to api.nm.138-2-8-191.nip.io : read tcp 100.66.149.104:37544->138.2.8.191:443: read: connection reset by peer

[Bug]: Netmaker zombie mechanism randomly removes nodes

Contact Details

No response

What happened?

We have been using netmaker for a few weeks now with about 25 users and a couple of servers (overall about 40 nodes).

So far one node has disappeared twice and another once from the netmaker node list.

The access logs show that nobody called a delete route on those nodes and there is also no mention of their removal in the netmaker.service logs in journald.

Version

v0.17.1

What OS are you using?

Linux

Relevant log output

The UUID is the UUID of one of the nodes that disappeared according to older logs.


Mar 12 12:15:54 hostname-removed netmaker_0.17.0[3969]: [netmaker_0.17.0] 2023-03-12 12:15:54 adding  22f907d2-fce1-42b4-bf2e-d8443e7da0de  to zombie list
Mar 12 12:15:54 hostname-removed netmaker_0.17.0[3969]: [netmaker_0.17.0] 2023-03-12 12:15:54 adding 22f907d2-fce1-42b4-bf2e-d8443e7da0de to zombie quaratine list
Mar 13 09:37:37 hostname-removed netmaker_0.17.0[3969]: [netmaker_0.17.0] 2023-03-13 09:37:37  failed to get node info [22f907d2-fce1-42b4-bf2e-d8443e7da0de]: no result found
Mar 13 09:37:37 hostname-removed netmaker_0.17.0[3969]: [netmaker_0.17.0] 2023-03-13 09:37:37 processed request error: no result found
Mar 13 09:36:03 hostname-removed netmaker_0.17.0[3969]: [netmaker_0.17.0] 2023-03-13 09:36:03 mq-ping error getting node:  no result found
Mar 13 09:36:03 hostname-removed netmaker_0.17.0[3969]: [netmaker_0.17.0] 2023-03-13 09:36:03 error reading database  no result found


Contributing guidelines

- [X] Yes, I did.

NetClient failing to connect to broker (MQTT)

Hi, I am running a netclient using docker and I keep getting the same error. If I try connecting to the broker using this tool or a C# sample I am able to have a successful connection and I can subscribe and send messages.

{"time":"2023-09-02T20:30:50.669546749Z","level":"ERROR","source":"daemon.go 195}","msg":"unable to connect to broker","server":"","error":"status can only transition to connecting from disconnected"}
[netclient] 2023-09-02 20:31:50 could not connect to broker at wss://broker.netmaker.xxxxx.com 
[netclient] 2023-09-02 20:31:50 error publishing checkin connection timeout 

I am running NetMaker in docker:

version: "3.4"

services:
  netmaker:
    container_name: netmaker
    image: gravitl/netmaker:v0.20.6
    cap_add: 
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
    restart: always
    volumes:
      - dnsconfig:/root/config/dnsconfig
      - sqldata:/root/data
    environment:
      SERVER_NAME: "wss://broker.netmaker.xxxxx.com"
      SERVER_HOST: "xxx.xxx.xxx.xxx"
      SERVER_API_CONN_STRING: "api.netmaker.xxxxx.com:443"
      COREDNS_ADDR: "xxx.xxx.xxx.xxx"
      DNS_MODE: "on"
      SERVER_HTTP_HOST: "api.netmaker.xxxx.com"
      API_PORT: "8081"
      CLIENT_MODE: "on"
      RCE: "on"      
      MASTER_KEY: "xxxxx"
      CORS_ALLOWED_ORIGIN: "*"
      DISPLAY_KEYS: "on"
      DATABASE: "sqlite"
      NODE_ID: "netmaker-server-1"
      TELEMETRY: "off"      
      MQ_HOST: "xxx.xxx.xxx"
      MQ_PORT: "1883"
      HOST_NETWORK: "off"
      VERBOSITY: "4"
      MANAGE_IPTABLES: "on"
      PORT_FORWARD_SERVICES: "dns"
    ports:
      - "51821-51830:51821-51830/udp"
      - 4481:8081
  ......
  mq:
    container_name: mq
    image: eclipse-mosquitto:2.0.11-openssl
    depends_on:
      - netmaker
    restart: unless-stopped
    volumes:
      - ./mosquitto/data/:/mosquitto/data
      - ./mosquitto/logs/:/mosquitto/log
      - ./mosquitto/conf/:/mosquitto/config/
    ports:
      - "1883:1883"
      - "8883:8883"
      - "8885:8885"

This is the mosquitto config

per_listener_settings true

listener 8885 <--- Broker traffic is being rerouted to this port
allow_anonymous true
protocol websockets
require_certificate false
use_identity_as_username true

listener 8883
allow_anonymous false
require_certificate true
use_identity_as_username true
certfile /mosquitto/config/sslCert.cert
keyfile /mosquitto/config/privkey.pem

listener 1883 
allow_anonymous true

Netclient install checks for username "root", causing install to fail on QNAP NAS devices

The netclient install routine currently determines root privileges by checking for the string literal username "root". This causes the installation to fail on systems where the superuser is not named root, e.g. all QNAP NAS devices, where the root user is named "admin".

Sample output of an installation attempt on a QNAP TS1635AX:

[/share/CACHEDEV1_DATA/homes/admin] # whoami
admin
[/share/CACHEDEV1_DATA/homes/admin] # id
uid=0(admin) gid=0(administrators)
[/share/CACHEDEV1_DATA/homes/admin] # ./netclient install
2023/08/18 13:41:33 This program must be run with elevated privileges. Please re-run with sudo or as root.
[/share/CACHEDEV1_DATA/homes/admin] #

The code in question is here:

if user.Username != "root" {

Instead I would propose checking for userid 0 like so:

if user.Uid != "0" {
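An added example (not netclient's own code) of the proposed check: privilege is judged by uid 0 from Go's os/user rather than by the account name, so a uid-0 account called "admin" passes and an unprivileged account that happens to be named "root" does not. The function names requireRoot and isRootUser are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os/user"
)

// ErrNotElevated is returned when the calling process does not hold uid 0.
var ErrNotElevated = errors.New("this program must be run with elevated privileges; please re-run with sudo or as root")

// isRootUser reports whether u is the superuser, keyed on uid 0 instead of the
// username. On Unix-like systems os/user fills Uid with the numeric uid as a
// string; on Windows it is a SID, so this check is meant for Unix-like installs.
func isRootUser(u *user.User) bool {
	return u != nil && u.Uid == "0"
}

// requireRoot resolves the current user and applies the uid check, so an
// installer can refuse to proceed without elevated privileges.
func requireRoot() error {
	u, err := user.Current()
	if err != nil {
		return fmt.Errorf("could not determine current user: %w", err)
	}
	if !isRootUser(u) {
		return ErrNotElevated
	}
	return nil
}

func main() {
	if err := requireRoot(); err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("running with uid 0, continuing install")
}
```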

v0.20.3 windows uninstall bug

When uninstalling netclient from Windows I get the following error:

PS C:\Program Files (x86)\Netclient> .\netclient.exe uninstall
[netclient.exe] 2023-07-04 07:32:47 setting OS
[netclient.exe] 2023-07-04 07:32:47 setting version
[netclient.exe] 2023-07-04 07:32:47 setting netclient hostid
[netclient.exe] 2023-07-04 07:32:47 setting name
[netclient.exe] 2023-07-04 07:32:47 setting macAddress
[netclient.exe] 2023-07-04 07:32:47 setting wireguard keys
[netclient.exe] 2023-07-04 07:32:47 setting wireguard interface
[netclient.exe] 2023-07-04 07:32:47 setting listenport
[netclient.exe] 2023-07-04 07:32:47 setting proxyListenPort
[netclient.exe] 2023-07-04 07:32:47 setting MTU
[netclient.exe] 2023-07-04 07:32:47 setting traffic keys
[netclient.exe] 2023-07-04 07:32:47 migration to v0.18 started

removing netclient binary and supporting files
[netclient.exe] 2023-07-04 07:32:47 wrote the daemon config file to the Netclient directory
[netclient.exe] 2023-07-04 07:32:47 error running command: "C:\Program Files (x86)\Netclient\winsw.exe" "stop"
[netclient.exe] 2023-07-04 07:32:47 2023-07-04 07:32:47,738 FATAL - The specified service does not exist as an installed service.
[netclient.exe] 2023-07-04 07:32:47 error with stop of Windows Netclient daemon: exit status 1060 : 2023-07-04 07:32:47,738 FATAL - The specified service does not exist as an installed service.

remove C:\Program Files (x86)\Netclient\\netclient.exe: Access is denied.
remove C:\Program Files (x86)\Netclient\\netclient.exe: Access is denied.

This was run as administrator.
Could be the double \\ in the path?
