gravitl / netclient
License: Apache License 2.0
Upgrade from 0.20.0 to 0.20.1 reports:
Fatal: could not save netclient config failed to obtain lockfile
the upgrade fails
the remove fails
the purge fails
basically it is all broken and stuck on 0.20.1
example log
apt purge netclient -f
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
netclient*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
(Reading database ... 24260 files and directories currently installed.)
Removing netclient (0.20.0-0) ...
[netclient] 2023-06-08 19:30:55 setting OS
[netclient] 2023-06-08 19:30:55 setting version
[netclient] 2023-06-08 19:30:55 setting netclient hostid
[netclient] 2023-06-08 19:30:55 setting name
[netclient] 2023-06-08 19:30:55 setting macAddress
[netclient] 2023-06-08 19:30:55 setting wireguard keys
[netclient] 2023-06-08 19:30:55 setting wireguard interface
[netclient] 2023-06-08 19:30:55 setting listenport
[netclient] 2023-06-08 19:30:55 setting proxyListenPort
[netclient] 2023-06-08 19:30:55 setting MTU
[netclient] 2023-06-08 19:30:55 setting traffic keys
[netclient] Fatal: could not save netclient config failed to obtain lockfile
dpkg: error processing package netclient (--remove):
installed netclient package pre-removal script subprocess returned error exit status 2
dpkg: too many errors, stopping
Errors were encountered while processing:
netclient
Processing was halted because there were too many errors.
E: Sub-process /usr/bin/dpkg returned an error code (1)
v0.20.1
Linux
The netclient does not correctly pass the external routes of the egress nodes on my network.
The problem is on file wireguard_windows.go
mask := net.IP(addr.Network.Mask)
slog.Info("adding route to interface", "route", fmt.Sprintf("%s -> %s", addr.IP.String(), addr.Network.String()))
cmd := fmt.Sprintf("route -p add %s MASK %v %s", addr.IP.String(), mask, addr.IP.String())
_, err := ncutils.RunCmd(cmd, false)
if err != nil {
	slog.Error("failed to apply", "egress range", addr.IP.String())
}
The command that is created above
route -p add %s MASK %v %s", addr.IP.String(),mask,addr.IP.String()
Passes two times the addr.IP.String() that is the windows netmaker interface address
it should be like following
route -p add %s MASK %v %s", addr.Network.String(),mask,addr.IP.String()
The wrong route that is produced it is indeed passing to the routing table of the windows machine
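As an added illustration (example code, not netclient's own), the following Go program builds the Windows `route -p add` command from the egress network and the local interface address, next to a function that reproduces the construction quoted above. The corrected builder also refuses a destination that is not the base address of its mask, which is exactly the shape the doubled addr.IP.String() produces. The function names and the sample addresses 10.1.5.0/24 and 10.1.0.1 are constructed here; it uses the network's base address (IPNet.IP) as the destination because the MASK argument already carries the prefix length, which is a choice made for this example.

```go
package main

import (
	"fmt"
	"net"
)

// routeCmdAsReported reproduces the command construction quoted above from
// wireguard_windows.go: the interface address is used both as destination and
// as gateway, so the destination/mask pair is not a network address.
func routeCmdAsReported(network *net.IPNet, ifaceIP net.IP) string {
	mask := net.IP(network.Mask)
	return fmt.Sprintf("route -p add %s MASK %v %s", ifaceIP.String(), mask, ifaceIP.String())
}

// buildRouteAddCmd is the corrected construction (example code, not the
// project's): destination = egress network, gateway = local interface address.
// It refuses destinations that are not the base address of their mask, which
// is the shape the bug produced, so a bad route never reaches the OS.
func buildRouteAddCmd(network *net.IPNet, gateway net.IP) (string, error) {
	if network == nil || gateway == nil {
		return "", fmt.Errorf("destination network and gateway are required")
	}
	dst := network.IP.To4()
	gw := gateway.To4()
	if dst == nil || gw == nil || len(network.Mask) != net.IPv4len {
		return "", fmt.Errorf("only IPv4 egress ranges are handled here: %s via %s", network, gateway)
	}
	// A valid destination satisfies dst & mask == dst. For the reported bug the
	// "destination" was 10.1.0.1 with mask 255.255.255.0, which fails this test.
	if !dst.Mask(network.Mask).Equal(dst) {
		return "", fmt.Errorf("%s is not the base address of mask %s", dst, net.IP(network.Mask))
	}
	return fmt.Sprintf("route -p add %s MASK %s %s", dst, net.IP(network.Mask), gw), nil
}

func main() {
	// Constructed sample: egress range 10.1.5.0/24 reached through the local
	// netmaker interface address 10.1.0.1.
	_, egress, _ := net.ParseCIDR("10.1.5.0/24")
	iface := net.ParseIP("10.1.0.1")

	fmt.Println("reported :", routeCmdAsReported(egress, iface))
	if cmd, err := buildRouteAddCmd(egress, iface); err == nil {
		fmt.Println("corrected:", cmd)
	}
	// Feeding the interface address as the destination, as the bug does, is rejected.
	bad := &net.IPNet{IP: iface, Mask: egress.Mask}
	if _, err := buildRouteAddCmd(bad, iface); err != nil {
		fmt.Println("rejected :", err)
	}
}
```

The base-address check is the part worth keeping in any route-adding code path: it turns a silently wrong persistent route into an error in the log.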
I want to run netclient as a normal user. If the netmaker server is compromised, the netclient should only be permitted to affect wireguard tunnels. This has several requirements:
What else does netclient need root for?
In #307 we found missing packages can cause netclient to conclude there is no iptables/firewall support
Initially with versions v0.18.0/19.0 the error was triggered by the missing 'wg' binary for which package wireguard-tools is needed. (it's used in the endpoint startup script too on cleanup)
With v0.20.0 adding the wireguard-tools package was not enough anymore. Now it seems missing the ip6tables package causes netclient to conclude there is no iptables/firewall support.
For now it seems to work with this workaround in the docker compose file
entrypoint: bash -c "apk add wireguard-tools ip6tables; /bin/bash netclient.sh"
So two requests here:
Why?
Because theoretically it would be easy to set up inside a bash here to auto-build
It would not conflict with built in auto-upgrade .
Also non-go programmers, like us would not have to deal with this on our own.
(I've just installed GO on my PC, tried E:\netclient-develop\go build
and it has downloaded 500+ MB to my C:\...!!!
drive into various hidden directories without asking me ahead. )
I would like to donate if this problem gets resolved for good.
Thank you very much in advance!
Previously, when I added a DNS entry on Netmaker, it would add it as a new hostname in the /etc/hosts file even if there was already a hostname mapped to that IP. This allowed for e.g. pairing with an Nginx reverse proxy to map various hostnames to services on the same server.
Sometime between 0.20.0 and 0.21.2, this appears to have changed. Now, adding a new DNS entry on Netmaker will replace any existing for that same IP.
hey,
when i try to upgrade my packages with homebrew it can't uninstall version 0.17.1.
$ brew uninstall netclient
==> Uninstalling Cask netclient
==> Running uninstall script /opt/homebrew/Caskroom/netclient/0.17.1/blank.sh
Error: uninstall script /opt/homebrew/Caskroom/netclient/0.17.1/blank.sh does not exist.
I am trying to install netclient on a Ubuntu 22.04 VPS, the command crashed with the following error:
root@linux:~# netclient version
[netclient] 2023-04-23 07:53:01 setting OS
[netclient] 2023-04-23 07:53:01 setting version
[netclient] 2023-04-23 07:53:01 setting netclient hostid
[netclient] 2023-04-23 07:53:01 setting name
[netclient] 2023-04-23 07:53:01 setting macAddress
panic: runtime error: index out of range [0] with length 0
goroutine 1 [running]:
github.com/gravitl/netclient/config.CheckConfig()
/home/runner/work/netclient/netclient/config/config.go:472 +0x12bf
github.com/gravitl/netclient/config.InitConfig(0xc0000c8340?)
/home/runner/work/netclient/netclient/config/config.go:423 +0x70
github.com/gravitl/netclient/cmd.initConfig()
/home/runner/work/netclient/netclient/cmd/root.go:53 +0x4f
github.com/spf13/cobra.(*Command).preRun(...)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:970
github.com/spf13/cobra.(*Command).execute(0x10f90e0, {0x1137e00, 0x0, 0x0})
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:900 +0x563
github.com/spf13/cobra.(*Command).ExecuteC(0x10f8840)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x3bd
github.com/spf13/cobra.(*Command).Execute(...)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:992
github.com/gravitl/netclient/cmd.Execute()
/home/runner/work/netclient/netclient/cmd/root.go:31 +0x25
main.main()
/home/runner/work/netclient/netclient/main.go:27 +0x85
Host env and installed package version:
root@linux:~# dpkg -l | grep netclient
ii netclient 0.18.6-0 amd64 netclient daemon - a platform for modern, blazing fast wireguard virtual networks
root@linux:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.1 LTS"
Netmaker and Netclient are v0.18.5.
I have a netmaker network 10.1.0.0/24 and two nodes: 10.1.0.1/24 (test1) and 10.1.0.2/24 (test2).
Both of the nodes are egress gateways with networks:
Netclient sets iptables rules for 10.1.0.1/24 (test1):
-A FORWARD -d 10.1.5.0/24 -i netmaker -m comment --comment NETMAKER -j netmakerfilter
-A netmakerfilter -s 10.1.0.2/32 -d 10.1.5.0/24 -j ACCEPT
-A netmakerfilter -j DROP
-A netmakerfilter -j RETURN
These rules reject all packets from the 10.1.6.0/24 network. For example, a packet from 10.1.6.10 to 10.1.5.10 is forbidden.
The releases for v0.18.5 seem to have the FreeBSD version missing.
Problem
The Endpoint IP for all clients was not automatically getting set, and even trying to manually set it via the UI wasn't working.
I recreated my entire AWS VPN bastion network using 0.20.1. My guess, based on the image above, is that there's an issue communicating with turn? I'm not familiar enough.
Workaround
Downgrade the client to 0.20.0 via the install script and endpointip works great again.
Both netmaker and netmaker-ui can remain 0.20.1. So far I haven't noticed any issues.
Expected Result
v0.20.1 works the same as v0.20.0 - endpointip is automatically updated and/or be manually updated via UI.
gravitl/netmaker#2378 - Original issue that I opened thinking the problem was over there.
netclient version 0.20.1
the one downloaded and installed - not the brew install
osx 12.6.5
With each release a section "What's Fixed" is included on the release page.
In most cases I suppose something was fixed based on a reported issue.
Can I suggest to mention the issue numbers as a link for each item in that "What's Fixed" list?
Not sure if automating it is feasible, as mentioned here:
https://www.7pace.com/blog/how-to-link-github-issues-to-github-releases
But adding the issue numbers manually would already be very helpful
client and server version 0.20.1 + 0.20.2 in a privileged k8s container with public ip
no connectivity at first, listen port 51800; then switching proxy off makes connectivity work. Logs:
net-k8s-development-noffice [netclient] 2023-06-20 06:17:45 [proxy.go-53] Close(): ------> Closing Proxy for jqCTwmCLFKM64cT+lRZQN8AFehS/XyVWcTPT2KnQxxk=
net-k8s-development-noffice [netclient] 2023-06-20 06:17:45 [proxy_helper.go-46] toRemote(): error reading: read udp 127.0.0.1:55295->127.0.0.1:51800: use of closed network connection
net-k8s-development-noffice [netclient] 2023-06-20 06:17:45 [proxy.go-53] Close(): ------> Closing Proxy for 49E1m0W1RZL1tIjdrXfHbrDfEOmFFr4uy5Fbi7sDUHg=
net-k8s-development-noffice [netclient] 2023-06-20 06:17:45 [proxy_helper.go-46] toRemote(): error reading: read udp 127.0.0.1:40756->127.0.0.1:51800: use of closed network connection
net-k8s-development-noffice [netclient] 2023-06-20 06:17:45 [manager.go-351] processPayload(): --> processed peer update for proxy
net-k8s-development-noffice [netclient] 2023-06-20 06:17:46 [mqhandlers.go-304] handleEndpointDetection(): failed to check for endpoint on peer jqCTwmCLFKM64cT+lRZQN8AFehS/XyVWcTPT2KnQxxk= dial tcp 192.168.1.103:7547: i/o timeout
net-k8s-development-noffice [netclient] 2023-06-20 06:17:47 [mqhandlers.go-304] handleEndpointDetection(): failed to check for endpoint on peer IIKbQaL9RyKvyVjaNOtdmDeujkU6FI8mFGzX1Q0SV1w= dial tcp 10.1.0.189:51723: i/o timeout
after some seconds this log appears and connectivity is lost:
net-k8s-development-noffice [netclient] 2023-06-20 06:18:06 [mqpublish.go-240] UpdateHostSettings(): checkin with server(s)
net-k8s-development-noffice [netclient] 2023-06-20 06:18:06 [mqpublish.go-349] UpdateHostSettings(): publishing global host update for endpoint changes
net-k8s-development-noffice [netclient] 2023-06-20 06:18:06 [mqhandlers.go-119] HostPeerUpdate(): received peer update for host from: netmaker-broker.development-noffice-alt.conceptboard.com
net-k8s-development-noffice [netclient] 2023-06-20 06:18:06 [peer.go-105] SetPeersEndpointToProxy(): Setting peers endpoints to proxy...
net-k8s-development-noffice [netclient] 2023-06-20 06:18:07 [mqhandlers.go-304] handleEndpointDetection(): failed to check for endpoint on peer 49E1m0W1RZL1tIjdrXfHbrDfEOmFFr4uy5Fbi7sDUHg= dial tcp 172.17.0.2:40700: i/o timeout
net-k8s-development-noffice [netclient] 2023-06-20 06:18:08 [manager.go-56] Start(): -------> PROXY-MANAGER: {Action:NO_PROXY InterfaceName: Server:netmaker-broker.development-noffice-alt.conceptboard.com Peers:[] PeerMap:map[49E1m0W1RZL1tIjdrXfHbrDfEO
net-k8s-development-noffice [netclient] 2023-06-20 06:18:08 [manager.go-351] processPayload(): --> processed peer update for proxy
net-k8s-development-noffice [netclient] 2023-06-20 06:18:08 [mqhandlers.go-304] handleEndpointDetection(): failed to check for endpoint on peer rsjgoBXAzsgT0lykatD268dw5giWZ1ADkZJvekrdrkU= dial tcp 10.1.0.2:51722: i/o timeout
net-k8s-development-noffice [netclient] 2023-06-20 06:18:09 [mqhandlers.go-304] handleEndpointDetection(): failed to check for endpoint on peer jqCTwmCLFKM64cT+lRZQN8AFehS/XyVWcTPT2KnQxxk= dial tcp 192.168.1.103:7547: i/o timeout
net-k8s-development-noffice [netclient] 2023-06-20 06:18:10 [mqhandlers.go-304] handleEndpointDetection(): failed to check for endpoint on peer IIKbQaL9RyKvyVjaNOtdmDeujkU6FI8mFGzX1Q0SV1w= dial tcp 10.1.0.189:51723: i/o timeout
switching proxy back on brings connectivity back again until the "checkin with server" log appears.
The documentation states a localaddress flag can be provided when joining a network: https://docs.netmaker.io/advanced-client-install.html
The latest CLI (v0.20.6) doesn't seem to support this option anymore. Is it still possible to provide the local address when joining? If so, how?
After stopping netclient, I still see 2 netmaker entries
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N netmakerfilter
-A FORWARD -i netmaker -j netmakerfilter
v0.20.2 is the last one available on https://apt.netmaker.org
After upgrading netclient on macOS to 18.1 from 17.1 I cannot join a network anymore via the auth token process.
Note that the token is still valid, but only for test/dummy deployment of netmaker, so no harm can be done with it I think.
How does netclient decode the token? Can I debug this?
sudo netclient join -t eyJhcGljb25uc3RyaW5nIjoiYXBpLm5ldG1ha2VyLmVycGYuZGU6NDQzIiwibmV0d29yayI6InRlc3QiLCJrZXkiOiI4MDI0MDRiNDNhYTBjMTIwIn0=
[netclient] 2023-04-03 19:01:07 join failed Post "https:///api/v1/host/register/eyJhcGljb25uc3RyaW5nIjoiYXBpLm5ldG1ha2VyLmVycGYuZGU6NDQzIiwibmV0d29yayI6InRlc3QiLCJrZXkiOiI4MDI0MDRiNDNhYTBjMTIwIn0=": http: no Host in request URL
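The token quoted above is plain base64 of a small JSON object, so it can be decoded and inspected before anything is sent. The Go program below is an added example (not netclient's code) that does exactly that for a constructed token and then builds the register URL shape seen in the error, failing early when the host part is empty, which is the "no Host in request URL" condition. The struct, its JSON tag names and the helper names are assumptions made for this example; the host name and key in the sample are placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// enrollmentToken lists the fields that a base64-decoded token of the shape
// quoted above contains. The type and tag names are assumptions made for this
// example, not taken from netclient's source.
type enrollmentToken struct {
	APIConnString string `json:"apiconnstring"`
	Network       string `json:"network"`
	Key           string `json:"key"`
}

// decodeToken turns the base64 token back into its fields and reports which
// part is missing, so a join failure can be narrowed down before any request.
func decodeToken(tok string) (*enrollmentToken, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(tok))
	if err != nil {
		return nil, fmt.Errorf("token is not valid base64: %w", err)
	}
	var t enrollmentToken
	if err := json.Unmarshal(raw, &t); err != nil {
		return nil, fmt.Errorf("token payload is not a JSON object: %w", err)
	}
	if t.APIConnString == "" {
		return nil, fmt.Errorf("token carries no apiconnstring (a register URL built from it would have an empty host)")
	}
	if t.Network == "" || t.Key == "" {
		return nil, fmt.Errorf("token is missing network or key")
	}
	return &t, nil
}

// registerURL builds the host-register URL shape seen in the join error and
// fails when the host part is empty instead of letting the HTTP client
// discover it.
func registerURL(t *enrollmentToken, tok string) (string, error) {
	u := url.URL{Scheme: "https", Host: t.APIConnString, Path: "/api/v1/host/register/" + tok}
	if u.Host == "" {
		return "", fmt.Errorf("no host in %s", u.String())
	}
	return u.String(), nil
}

// encodeToken is the inverse, used here only to build constructed sample tokens.
func encodeToken(t enrollmentToken) string {
	b, _ := json.Marshal(t)
	return base64.StdEncoding.EncodeToString(b)
}

func main() {
	// Constructed sample token; the host name and key are placeholders.
	sample := encodeToken(enrollmentToken{APIConnString: "api.netmaker.example.test:443", Network: "test", Key: "placeholder-key"})
	t, err := decodeToken(sample)
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	fmt.Printf("api=%s network=%s\n", t.APIConnString, t.Network)
	u, _ := registerURL(t, sample)
	fmt.Println("register URL:", u)

	// A token with an empty apiconnstring is flagged before any request is made.
	_, err = decodeToken(encodeToken(enrollmentToken{Network: "test", Key: "placeholder-key"}))
	fmt.Println("empty host token:", err)
}
```

Decoding your own token this way shows whether the host is present in the token at all; if it is, as in the quoted case, the empty host in the URL comes from the client side rather than from the token contents.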
I am a NixOS user, and one of the changes NixOS makes is that /etc/hosts is symlinked from the nix store, which is read only.
The issue this causes is when using the DNS integration, since /etc/hosts can't be modified, nothing is populated into there.
I was also thinking this might cause other conflicts with other programs that might also try to modify /etc/hosts. Is there a way to work around this, or would that require integrating a different solution for dns resolution into netclient?
Hi,
I noticed netmaker and netmaker-ui v0.20.0 docker images are available.
But no netclient v0.20.0 docker image.
https://hub.docker.com/r/gravitl/netclient/tags?page=1&name=20
In the current version of netclient it will constantly try to connect to the Broker. And if this fails it will restart the entire daemon, and as a consequence it will also disable and re-enable the WireGuard interfaces, which can cause a temporary outage.
Would it be possible to only disable/re-enable these interfaces when new changes need to be applied? Meaning:
If the daemon restarts, the WireGuard interfaces already exist and the config is correct, the daemon won't touch the WireGuard interfaces.
I would love to know if this could be implemented, this would help immensely in an environment where mqtt/WS-connections can be weird
v0.16.3
Linux
rpm -qp --scripts netclient-0.17.0-0.x86_64.rpm
postinstall scriptlet (using /bin/sh):
systemctl preset netclient
systemctl daemon-reload
system**clt** enable netclient
systemctl start netclient
preuninstall scriptlet (using /bin/sh):
if [ "$1" = 0 ]; then
if [ -x /sbin/netclient ]; then
/sbin/netclient uninstall
fi
fi
the line systemclt enable netclient should read systemctl enable netclient
Version: 0.21.0
OS: Mac M1
Reproduce:
Netclient will be stuck with error from server (status code 500), cannot turn off the app, have to uninstall via CLI and reinstall everything again.
What Happened?
Trying to join a network or running a netclient command from an OpenVZ VPS yields the following error:
root@01-lim:~# sudo netclient version
[netclient] 2023-05-19 06:02:20 setting OS
[netclient] 2023-05-19 06:02:20 setting version
[netclient] 2023-05-19 06:02:20 setting netclient hostid
[netclient] 2023-05-19 06:02:20 setting name
[netclient] 2023-05-19 06:02:20 setting macAddress
panic: runtime error: index out of range [0] with length 0
goroutine 1 [running]:
github.com/gravitl/netclient/config.CheckConfig()
/home/mkasun/netclient/config/config.go:489 +0x10ff
github.com/gravitl/netclient/config.InitConfig(0xc0000d21a0?)
/home/mkasun/netclient/config/config.go:437 +0x70
github.com/gravitl/netclient/cmd.initConfig()
/home/mkasun/netclient/cmd/root.go:53 +0x4f
github.com/spf13/cobra.(*Command).preRun(...)
/home/mkasun/go/pkg/mod/github.com/spf13/[email protected]/command.go:970
github.com/spf13/cobra.(*Command).execute(0x13de620, {0x141eee0, 0x0, 0x0})
/home/mkasun/go/pkg/mod/github.com/spf13/[email protected]/command.go:900 +0x563
github.com/spf13/cobra.(*Command).ExecuteC(0x13ddd80)
/home/mkasun/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x3bd
github.com/spf13/cobra.(*Command).Execute(...)
/home/mkasun/go/pkg/mod/github.com/spf13/[email protected]/command.go:992
github.com/gravitl/netclient/cmd.Execute()
/home/mkasun/netclient/cmd/root.go:31 +0x25
main.main()
/home/mkasun/netclient/main.go:18 +0x4a
I suspect this issue is caused by the primary interface (venet0) not having a MAC Address.
root@01-lim:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/void
inet 127.0.0.1/32 scope host venet0
valid_lft forever preferred_lft forever
inet 10.X.X.X/32 brd 10.X.X.X scope global venet0:0
valid_lft forever preferred_lft forever
inet6 2001:X:X:X:X:X/128 scope global
valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1420 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 10.7.0.1/24 scope global wg0
valid_lft forever preferred_lft forever
inet6 fddd:X:X:X:X:X/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::X:X:X:X/64 scope link stable-privacy
valid_lft forever preferred_lft forever
testing netmaker 0.18.4, netclient ver 0.18.4, on all ubuntu hosts, most on 22.04.2 LTS with nftables active (iptables-nft). I've all these errors in the netclient docker version:
[netclient] 2023-03-30 10:16:30 Starting firewall...
[netclient] 2023-03-30 10:16:30 iptables is not supported, using nftables
[netclient] 2023-03-30 10:16:30 failed to intialize firewall: firewall support not found
and also this error:
[netclient] 2023-03-30 10:21:29 error adding route no such device
The netclient version is 0.18.4, Ubuntu 22.04.2 LTS and iptables v1.8.7 (nf_tables), nftables v1.0.2 (Lester Gooch). The errors show up only if I configure the egress option on the hosts to reach internal subnets. The routes seem to be correctly added to the rest of the allowed nodes, but I can ping only the IP of the node exposing the internal subnet. If I manually add an nft rule to masquerade the outgoing interface (like ens18) I can then ping all the internal hosts. If you need further info just let me know.
Hi,
0.19 tries ip6tables even when ipv6 is disabled for the node;
[netclient] 2023-05-10 15:10:57 Starting firewall...
[netclient] 2023-05-10 15:10:57 iptables is supported
[netclient] 2023-05-10 15:10:58 failed to intialize firewall: couldn't get ipv6 filter table chains, error: running [/sbin/ip6tables -t filter -S --wait]: exit status 3: modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.8 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
Not 100% sure, but I get the impression ipv4 iptables rules are therefore not set either.
Had to;
modprobe ip6table_raw ip6table_mangle ip6table_nat ip6table_filter nf_nat
on the host to get rid of the error.
Documented here: https://docs.netmaker.io/advanced-client-install.html#cli-reference
The version of netclient 0.20.2 from apt doesn't have those args available, nor is the config file used...
Any idea how to set up name and port?
Thanks
netclient v0.18.6 installed with service running and everything properly configured as far as I can see, however the Egress node routes published upon connection established do not get removed after disconnection.
This causes the machine to lose connectivity to the IP ranges published by the Egress node when the netclient is not connected.
After upgrading netclient on macOS to 18.1 from 17.1 I cannot join a network anymore via the basic auth process.
sudo netclient join -n test -u test-user -s api.netmaker.example.de
Error: unknown shorthand flag: 'n' in -n
Usage:
netclient join [flags]
Flags:
-h, --help help for join
-t, --token string enrollment token for joining network
Global Flags:
-v, --verbosity int set logging verbosity 0-4
Hello,
I followed these instructions but was not able to locate the package.
https://netmaker.readthedocs.io/en/master/netclient.html#installation
E: Unable to locate package netclient
Fresh install:
Distributor ID: Ubuntu
Description: Ubuntu 22.10
Release: 22.10
Codename: kinetic
Currently we run into the issue that hosts connected to our VPN behind an egress gateway cannot contact any of the public IP addresses of other nodes without getting a timeout, because the request is routed publicly but the VPN node then responds via the netmaker VPN, and of course that response arrives at the egress gateway via the wrong interface for that source address, triggering the reverse path filter in the Linux kernel.
To solve this I was experimenting with policy routing via the ip rule command, basically marking all incoming packets with fwmark values based on their interface, which are then copied to the responses via connection tracking. This part all works fine, but I then need the ability to only use the netmaker routes if the packets contain a specific fwmark value (i.e. are responses to requests coming in via the VPN, or locally originated initial requests). ip rule only seems to allow this if the routes I want to avoid are in a separate routing table. I tried the suppress_ifgroup flag there, but that only seems to look up a route and then reject it if it has a relevant interface, not filter the table by interface as I had initially hoped.
I am sure there are other use cases for routes in a separate routing table as wg-quick also supports this via the Table= option.
I'm at Win10 x64 and just installed 0.18.7 from .msi package. It created desktop and menu start icons that are pointing to the wrong file -
netclient.exe. But in this release the file name that is installed is "netclient-windows-amd64.exe". So when I click on the file Windows always asks to find the destination file.
I've attached screenshots.
I can't quite narrow it down to the exact circumstances but with about half of our macOS users netclient does not take down the VPN interface on netclient disconnect -n <network name>
Is there any way to run netclient with more logging or details beyond the --vvvv option which doesn't show anything relevant?
I use v0.17.1 for both servers and clients and I tried to set the endpoint of node6 to an IPv6 address.
However, netclient (on another node) refused to join, showing
[netclient] 2023-03-12 09:01:42 error installing: error creating node 500 Internal Server Error {"Code":500,"Message":"address 2408:---:---:---:----:---:----:----:-----: too many colons in address"}
(The - symbol is used for privacy).
What can I do?
Is there a way to configure netclient via some configuration files? This would be useful for non-interactive environments.
The Windows MSI installer is 404, the Powershell command to install tries to download a netclient.exe that is also 404.
Has this project been abandoned? Or has a decision just been made to stop supporting Windows clients?
Hi,
I have set up netclient on a Mac and a windows PC - the Windows PC is on the same LAN as the server (main netclient) I can get LAN access to a server 6000 miles away from my mac but not the PC - also speed is quite slow and not sure why - the windows PC often shows a warning sign -
I have very little to go on - when my mac just works the PC really doesn't
We use an Egress Gateway to connect to our Office Networks.
The netclient does not set the routes for the egress networks. The Wireguard tunnel comes up fine and the route for the VPN itself exists but all routes for the egress networks are missing. Even when doing a netclient pull manually the routes are not set.
Also, when leaving a network the netmaker routes are not removed and stay in the persistent routes.
This worked fine until v0.20.3. Since v0.20.4 it does not work anymore. In the changelog for 0.20.4 it says
Precise Interface routes to improve multi-network functionality
So I guess this could be the source of the problem
Version
v0.20.6
What OS are you using?
Windows 11 Pro
netclient SILENTLY LOSES additional information in /etc/hosts, eg: additional host names, comments and spacing
do not touch existing lines / no reconstruction. keep changes to your own section.
potentially breaks other applications that rely on hosts file
v0.17.1
127.0.1.1 host host.domain.com other.domain
127.0.1.1 node # comment
becomes:
127.0.1.1 host
127.0.1.1 node
The default service address is not suitable for the local network environment. I hope to add definition parameters.
netclient rewrites /etc/hosts
unnecessary when internal ordering of hosts changes
rewrite file only when meaningful change occurs
possible race condition risk / change monitoring / manual editing of hosts file
This would be useful in situations where the client is no longer able to connect to the server because of Netmaker. For example, recently Netmaker assigned one of my clients an IP that also happened to be the IP that it uses for DNS (that was my fault), so it was unable to send DNS requests and connect to the server to disconnect itself from the network. I had to completely uninstall the client in order to get DNS functionality to return. If I had a --force option, to continue even if the server connection failed, I would not have had to reinstall it.
setting host fields
Continuing with user, admin.
Please input password:
[netclient] 2023-11-20 03:00:07 error connecting to api.nm.138-2-8-191.nip.io : read tcp 100.66.149.104:37 544->138.2.8.191:443: read: connection reset by peer
We have been using netmaker for a few weeks now with about 25 users and a couple of servers (overall about 40 nodes).
So far one node has disappeared twice and another once from the netmaker node list.
The access logs show that nobody called a delete route on those nodes and there is also no mention of their removal in the netmaker.service logs in journald.
v0.17.1
Linux
The UUID is the UUID of one of the nodes that disappeared according to older logs.
Mar 12 12:15:54 hostname-removed netmaker_0.17.0[3969]: [netmaker_0.17.0] 2023-03-12 12:15:54 adding 22f907d2-fce1-42b4-bf2e-d8443e7da0de to zombie list
Mar 12 12:15:54 hostname-removed netmaker_0.17.0[3969]: [netmaker_0.17.0] 2023-03-12 12:15:54 adding 22f907d2-fce1-42b4-bf2e-d8443e7da0de to zombie quaratine list
Mar 13 09:37:37 hostname-removed netmaker_0.17.0[3969]: [netmaker_0.17.0] 2023-03-13 09:37:37 failed to get node info [22f907d2-fce1-42b4-bf2e-d8443e7da0de]: no result found
Mar 13 09:37:37 hostname-removed netmaker_0.17.0[3969]: [netmaker_0.17.0] 2023-03-13 09:37:37 processed request error: no result found
Mar 13 09:36:03 hostname-removed netmaker_0.17.0[3969]: [netmaker_0.17.0] 2023-03-13 09:36:03 mq-ping error getting node: no result found
Mar 13 09:36:03 hostname-removed netmaker_0.17.0[3969]: [netmaker_0.17.0] 2023-03-13 09:36:03 error reading database no result found
Hi, I am running a netclient using docker and I keep getting the same error. If I try connecting to the broker using this tool or a C# sample I am able to have a successful connection and I can subscribe and send messages.
{"time":"2023-09-02T20:30:50.669546749Z","level":"ERROR","source":"daemon.go 195}","msg":"unable to connect to broker","server":"","error":"status can only transition to connecting from disconnected"}
[netclient] 2023-09-02 20:31:50 could not connect to broker at wss://broker.netmaker.xxxxx.com
[netclient] 2023-09-02 20:31:50 error publishing checkin connection timeout
I am running NetMaker in docker:
version: "3.4"
services:
  netmaker:
    container_name: netmaker
    image: gravitl/netmaker:v0.20.6
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
    restart: always
    volumes:
      - dnsconfig:/root/config/dnsconfig
      - sqldata:/root/data
    environment:
      SERVER_NAME: "wss://broker.netmaker.xxxxx.com"
      SERVER_HOST: "xxx.xxx.xxx.xxx"
      SERVER_API_CONN_STRING: "api.netmaker.xxxxx.com:443"
      COREDNS_ADDR: "xxx.xxx.xxx.xxx"
      DNS_MODE: "on"
      SERVER_HTTP_HOST: "api.netmaker.xxxx.com"
      API_PORT: "8081"
      CLIENT_MODE: "on"
      RCE: "on"
      MASTER_KEY: "xxxxx"
      CORS_ALLOWED_ORIGIN: "*"
      DISPLAY_KEYS: "on"
      DATABASE: "sqlite"
      NODE_ID: "netmaker-server-1"
      TELEMETRY: "off"
      MQ_HOST: "xxx.xxx.xxx"
      MQ_PORT: "1883"
      HOST_NETWORK: "off"
      VERBOSITY: "4"
      MANAGE_IPTABLES: "on"
      PORT_FORWARD_SERVICES: "dns"
    ports:
      - "51821-51830:51821-51830/udp"
      - 4481:8081
  ......
  mq:
    container_name: mq
    image: eclipse-mosquitto:2.0.11-openssl
    depends_on:
      - netmaker
    restart: unless-stopped
    volumes:
      - ./mosquitto/data/:/mosquitto/data
      - ./mosquitto/logs/:/mosquitto/log
      - ./mosquitto/conf/:/mosquitto/config/
    ports:
      - "1883:1883"
      - "8883:8883"
      - "8885:8885"
This is the mosquitto config
per_listener_settings true
listener 8885 <--- Broker traffic is being rerouted to this port
allow_anonymous true
protocol websockets
require_certificate false
use_identity_as_username true
listener 8883
allow_anonymous false
require_certificate true
use_identity_as_username true
certfile /mosquitto/config/sslCert.cert
keyfile /mosquitto/config/privkey.pem
listener 1883
allow_anonymous true
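When a broker connection misbehaves it helps to see, per listener, what the broker actually requires of a client: which port speaks websockets, which one allows anonymous clients, and which one has a certificate and key at all. The Go program below is an added example (not mosquitto's parser and not part of the project) that reads a mosquitto.conf written with per_listener_settings true, attributes each key to the listener line above it and reports listeners that accept anonymous clients or have no TLS material configured. The sample configuration is a constructed copy of the one above with the arrow annotation turned into a comment; only the keys that appear on this page are interpreted.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Listener summarises the settings that decide who may connect to a port.
type Listener struct {
	Port               int
	Protocol           string // "mqtt" unless "protocol websockets" is set
	AllowAnonymous     bool
	RequireCertificate bool
	TLS                bool // certfile and keyfile both present on this listener
	certfile, keyfile  string
}

// parseListeners reads a mosquitto.conf written with per_listener_settings
// true: each "listener <port>" line opens a new section and the keys that
// follow apply to it until the next listener line. Keys before the first
// listener (such as per_listener_settings) are global and skipped here.
// Comments starting with "#" are stripped; this is a simplification made for
// the example, not mosquitto's own parsing rules.
func parseListeners(conf string) ([]Listener, error) {
	var ls []Listener
	for n, raw := range strings.Split(conf, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "#"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		key, val := f[0], ""
		if len(f) > 1 {
			val = f[1]
		}
		if key == "listener" {
			p, err := strconv.Atoi(val)
			if err != nil {
				return nil, fmt.Errorf("line %d: bad listener port %q", n+1, val)
			}
			ls = append(ls, Listener{Port: p, Protocol: "mqtt"})
			continue
		}
		if len(ls) == 0 {
			continue
		}
		cur := &ls[len(ls)-1]
		switch key {
		case "protocol":
			cur.Protocol = val
		case "allow_anonymous":
			cur.AllowAnonymous = val == "true"
		case "require_certificate":
			cur.RequireCertificate = val == "true"
		case "certfile":
			cur.certfile = val
		case "keyfile":
			cur.keyfile = val
		}
		cur.TLS = cur.certfile != "" && cur.keyfile != ""
	}
	return ls, nil
}

// findings lists listeners that accept unauthenticated clients or carry no
// certificate/key pair of their own.
func findings(ls []Listener) []string {
	var out []string
	for _, l := range ls {
		if l.AllowAnonymous {
			out = append(out, fmt.Sprintf("listener %d (%s): allow_anonymous true", l.Port, l.Protocol))
		}
		if !l.TLS {
			out = append(out, fmt.Sprintf("listener %d (%s): no certfile/keyfile on this listener", l.Port, l.Protocol))
		}
	}
	return out
}

// sampleConf is a constructed copy of the configuration quoted above.
const sampleConf = `per_listener_settings true

listener 8885   # broker traffic is rerouted to this port
allow_anonymous true
protocol websockets
require_certificate false
use_identity_as_username true

listener 8883
allow_anonymous false
require_certificate true
use_identity_as_username true
certfile /mosquitto/config/sslCert.cert
keyfile /mosquitto/config/privkey.pem

listener 1883
allow_anonymous true
`

func main() {
	ls, err := parseListeners(sampleConf)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, l := range ls {
		fmt.Printf("port=%d protocol=%s anonymous=%v require_certificate=%v tls=%v\n",
			l.Port, l.Protocol, l.AllowAnonymous, l.RequireCertificate, l.TLS)
	}
	for _, f := range findings(ls) {
		fmt.Println("finding:", f)
	}
}
```

A "no certfile/keyfile" finding means the listener itself is not doing TLS; when a reverse proxy terminates wss:// in front of it, that is expected, and the question becomes whether that proxy is the only path to the port.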
The netclient install routine currently determines root privileges by checking for a string literal username "root". This causes the installation to fail on systems where the superuser is not named root, e.g. all Qnap NAS devices, where the root user is named "admin".
Sample output of an installation attempt on a QNAP TS1635AX:
[/share/CACHEDEV1_DATA/homes/admin] # whoami
admin
[/share/CACHEDEV1_DATA/homes/admin] # id
uid=0(admin) gid=0(administrators)
[/share/CACHEDEV1_DATA/homes/admin] # ./netclient install
2023/08/18 13:41:33 This program must be run with elevated privileges. Please re-run with sudo or as root.
[/share/CACHEDEV1_DATA/homes/admin] #
The code in question is here: netclient/config/config_unix.go, line 18 in 8f6ea4d
Instead I would propose checking for userid 0 like so:
if user.Uid != "0" {
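To make the difference between the two checks concrete, here is an added Go example (not netclient's code) that puts the name-based check next to the uid-based one and feeds both the account from the QNAP output above (uid 0, named "admin"). It also shows the opposite misclassification: an ordinary account that merely happens to be called "root" passes the name check. The helper that combines the uid with the process's effective uid, so that running under sudo is recognised as well, is a suggestion made here for Unix-like systems; function names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/user"
)

// elevatedByName reproduces the check the report describes: only an account
// literally named "root" passes, so a uid-0 "admin" account is rejected.
func elevatedByName(username string) bool {
	return username == "root"
}

// elevatedByUID is the proposed replacement: the superuser is whoever has
// uid 0, whatever the account is called. os/user exposes Uid as a string.
func elevatedByUID(uid string) bool {
	return uid == "0"
}

// requireElevated accepts either a uid-0 account or a process whose effective
// uid is 0, so an unprivileged user running the installer under sudo passes
// too. Example helper for Unix-like systems, not netclient's own check.
func requireElevated(uid string, euid int) error {
	if euid == 0 || elevatedByUID(uid) {
		return nil
	}
	return errors.New("this program must be run with elevated privileges (uid 0)")
}

func main() {
	// Constructed sample matching the QNAP output above: uid 0, name "admin".
	fmt.Println("admin/uid 0 passes name check:", elevatedByName("admin"))
	fmt.Println("admin/uid 0 passes uid check: ", elevatedByUID("0"))

	// The account this process runs as.
	cur, err := user.Current()
	if err != nil {
		fmt.Println("cannot determine current user:", err)
		return
	}
	fmt.Printf("current user %q uid=%s euid=%d -> %v\n",
		cur.Username, cur.Uid, os.Geteuid(), requireElevated(cur.Uid, os.Geteuid()))
}
```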
When uninstalling netclient from windows get the following error;
PS C:\Program Files (x86)\Netclient> .\netclient.exe uninstall
[netclient.exe] 2023-07-04 07:32:47 setting OS
[netclient.exe] 2023-07-04 07:32:47 setting version
[netclient.exe] 2023-07-04 07:32:47 setting netclient hostid
[netclient.exe] 2023-07-04 07:32:47 setting name
[netclient.exe] 2023-07-04 07:32:47 setting macAddress
[netclient.exe] 2023-07-04 07:32:47 setting wireguard keys
[netclient.exe] 2023-07-04 07:32:47 setting wireguard interface
[netclient.exe] 2023-07-04 07:32:47 setting listenport
[netclient.exe] 2023-07-04 07:32:47 setting proxyListenPort
[netclient.exe] 2023-07-04 07:32:47 setting MTU
[netclient.exe] 2023-07-04 07:32:47 setting traffic keys
[netclient.exe] 2023-07-04 07:32:47 migration to v0.18 started
removing netclient binary and supporting files
[netclient.exe] 2023-07-04 07:32:47 wrote the daemon config file to the Netclient directory
[netclient.exe] 2023-07-04 07:32:47 error running command: "C:\Program Files (x86)\Netclient\winsw.exe" "stop"
[netclient.exe] 2023-07-04 07:32:47 2023-07-04 07:32:47,738 FATAL - The specified service does not exist as an installed service.
[netclient.exe] 2023-07-04 07:32:47 error with stop of Windows Netclient daemon: exit status 1060 : 2023-07-04 07:32:47,738 FATAL - The specified service does not exist as an installed service.
remove C:\Program Files (x86)\Netclient\\netclient.exe: Access is denied.
remove C:\Program Files (x86)\Netclient\\netclient.exe: Access is denied.
this was run as administrator.
Could be the double \\ in the path?