Score:-1

VPN Connectivity and Routing Problem - Local Server to Internet via Cloud Hosted Server - wget/apt Outbound Connections


I have a network/connectivity/routing problem associated with achieving public internet connectivity through a VPN tunnel to a cloud connected server hosting a VPN server/gateway. The Local Server is situated in a remote geography with restricted ISP options with no facility for inbound network connections [hence the need to use this architecture].

Local ISP                    ┌──────── wg1 10.8.90.1/24
10.8.0.2/24          network/internet            │   VPN network
        wg1│             xxxxxx           ┌──────┴─┐
         ┌─┴──┐         xx    xx  ────────┤ VPN gw │
         │    │        xx      xx    ens3 │        │
         │    ├─eno1  xx        xx        └────────┘
         │    │        xx      xx           Cloud
         │    │         xx    xx            Server
         └────┘          xxxxxx           [WG Server]
         Local
         Server
       [WG Client]

The Local Server hosts a number of data services that need to be accessed remotely. As configured, inbound connections to the Local Server work correctly. Likewise, responses from local services route correctly via the Cloud Server. Thus far, all good. What is unusual is that ‘wget’ and ‘apt update’ requests from the Local Server do not work when the VPN tunnel interface is up.

To be clear, the Wireguard Server/Client configurations have been checked correct. And the iptables SNAT/DNAT directions have also been checked correct. Both the Local Server and Cloud Server are running Ubuntu 22.04 and are fully up to date.

The guidance at https://ubuntu.com/server/docs/wireguard-vpn-defaultgw has been followed. And the netplan configuration has been checked.

With the Wireguard tunnel up, ping and traceroute tests from the Local Server route correctly as expected across the tunnel and out to the internet via the Cloud Server.

The problem appears to be specific to the Local Server Hardware/Software configuration. Tests with a similarly configured Multipass/Ubuntu client using similar connectivity work as expected, with ‘wget’ and ‘apt’ requests working correctly.

My current thoughts are that the problem may be one of: a specific ethernet hardware driver problem, a routing/netplan problem, or an MTU/fragmentation problem.

I’d welcome suggestions for further investigating and isolating this problem. Many thanks.

[ps. Of possible relevance, this problem also occurs when using an openvpn tunnel rather than a wireguard tunnel, hence my thought that it is a specific hardware/software issue related to the Local Server]
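One way to test the MTU/fragmentation hypothesis from the list above (ICMP passes, TCP transfers stall) is a DF-flagged ping sweep through the tunnel compared against the tunnel's expected MTU. This is an added diagnostic example, not code from the question or the linked repository; it assumes the tunnel interface is wg1, an IPv4 WireGuard underlay, and a reachable public test host (1.1.1.1 is a placeholder):

```shell
#!/bin/sh
# Added diagnostic example: isolate path-MTU problems through a WireGuard tunnel.
# Assumptions (not from the question): interface wg1, IPv4 outer transport.

# Expected tunnel MTU: outer IPv4 header (20) + UDP (8) + WireGuard data-message
# overhead (32) = 60 bytes below the underlay MTU, e.g. 1500 -> 1440.
wg_expected_mtu() {
    echo $(( $1 - 60 ))
}

# Largest ICMP echo payload that fits a given MTU: IP (20) + ICMP (8) headers.
icmp_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Real probe: one ping with DF set and the given payload size via an interface.
# It succeeds only if the whole path carried the packet without fragmentation.
df_ping_probe() {  # $1 = payload bytes, $2 = host, $3 = interface
    ping -c 1 -W 2 -M do -I "$3" -s "$1" "$2" >/dev/null 2>&1
}

# Binary-search the largest payload the probe accepts. The probe is passed as a
# function name so the search can be exercised with a stand-in probe offline.
find_max_payload() {  # $1 = probe fn, $2 = host, $3 = iface, $4 = lo, $5 = hi
    probe=$1; host=$2; iface=$3; lo=$4; hi=$5; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host" "$iface"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Network run: compare the MTU configured on the tunnel with the path MTU the
# sweep observes, and report whether an MSS clamp rule exists in mangle/FORWARD.
main() {
    iface=${1:-wg1}; host=${2:-1.1.1.1}
    link_mtu=$(cat /sys/class/net/"$iface"/mtu)
    max=$(icmp_payload_for_mtu "$link_mtu")
    payload=$(find_max_payload df_ping_probe "$host" "$iface" 0 "$max")
    echo "$iface link MTU: $link_mtu, largest DF payload: $payload, path MTU: $(( payload + 28 ))"
    iptables -t mangle -S FORWARD 2>/dev/null | grep -q TCPMSS \
        && echo "TCPMSS clamp rule present" || echo "no TCPMSS clamp rule in mangle FORWARD"
}

case "${1:-}" in run) main "$2" "$3" ;; esac
```

Run it as `sh mtu_probe.sh run wg1 1.1.1.1` on the Local Server with the tunnel up; a path MTU well below the link MTU, together with no MSS clamp rule, points at the fragmentation hypothesis rather than the driver or netplan ones.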

David: I am not seeing anything in this question that is related to this Ubuntu support site.

Martini: Sorry, David. I'm not sure what you mean. Am I posting my question in the wrong place? Thanks.
Score:0

Ok. It seems my question above shouldn't have been posted here as it is not exclusively about Ubuntu.

After further research, I found the root cause of the problem. While I had correctly used iptables DNAT/SNAT rules they weren't providing a complete solution.

There is an excellent GitHub repository at https://github.com/mochman/Bypass_CGNAT#readme discussing and providing a solution to the same problem I encountered.
