Connection Issues when not NODE_NETWORK is set #31

Open
schrodit opened this issue Apr 24, 2023 · 1 comment
Labels
kind/bug Bug lifecycle/stale Nobody worked on this for 6 months (will further age)


@schrodit

What happened:

When the VPN server has no NODE_NETWORK configured it will constantly reconnect.

Configuring a dummy value temporarily fixes the issue.

server (seed):

using openvpn_network=192.168.123.0/24
2023-04-17 10:39:28 WARNING: file '/srv/secrets/vpn-server/tls.key' is group or others accessible
2023-04-17 10:39:28 OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2023-04-17 10:39:28 library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
2023-04-17 10:39:28 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-04-17 10:39:28 TUN/TAP device tun0 opened
2023-04-17 10:39:28 /sbin/ip link set dev tun0 up mtu 1500
2023-04-17 10:39:28 /sbin/ip link set dev tun0 up
2023-04-17 10:39:28 /sbin/ip addr add dev tun0 192.168.123.1/24
2023-04-17 10:39:28 /firewall.sh on tun0 tun0 1500 1623 192.168.123.1 255.255.255.0 init
2023-04-17 10:39:28 Listening for incoming TCP connection on [AF_INET][undef]:1194
2023-04-17 10:39:28 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
2023-04-17 10:39:28 TCPv4_SERVER link remote: [AF_UNSPEC]
2023-04-17 10:39:28 Initialization Sequence Completed
2023-04-17 10:39:29 TCP connection established with [AF_INET]10.40.0.1:45364
2023-04-17 10:39:29 10.40.0.1:45364 Connection reset, restarting [0]
2023-04-17 10:39:37 TCP connection established with [AF_INET]10.40.0.1:47204

client (shoot)

[Mon Apr 17 09:43:46 UTC 2023]: using vpn-seed-server, dev tun0
[Mon Apr 17 09:43:46 UTC 2023]: openvpn --dev tun0 --remote api.fra.codesphere.internal.gardener.codesphere.com. --config openvpn.config
2023-04-17 09:43:46 OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2023-04-17 09:43:46 library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
2023-04-17 09:43:46 TCP/UDP: Preserving recently used remote address: [AF_INET]34.77.130.229:8132
2023-04-17 09:43:46 Attempting to establish TCP connection with [AF_INET]34.77.130.229:8132 [nonblock]
2023-04-17 09:43:46 TCP connection established with [AF_INET]34.77.130.229:8132
2023-04-17 09:43:48 TCP_CLIENT link local: (not bound)
2023-04-17 09:43:48 TCP_CLIENT link remote: [AF_INET]34.77.130.229:8132
2023-04-17 09:43:48 [vpn-seed-server] Peer Connection Initiated with [AF_INET]34.77.130.229:8132
2023-04-17 09:43:48 TUN/TAP device tun0 opened
2023-04-17 09:43:48 /sbin/ip link set dev tun0 up mtu 1500
2023-04-17 09:43:48 /sbin/ip link set dev tun0 up
2023-04-17 09:43:48 /sbin/ip addr add dev tun0 192.168.123.10/24
2023-04-17 09:43:48 Initialization Sequence Completed

What you expected to happen:

Some providers in Gardener, like Equinix, expect not to have a node network configured in order to work correctly.
So the VPN should also work without a required node network.

How to reproduce it (as minimally and precisely as possible):

Create a shoot without a node network defined in the networks config.

Environment:

  • Gardener 1.62.x
  • Extension Equinix
  • VPN: 0.15.0 (also tested with 0.14.0 and 0.13.0)

@schrodit schrodit added the kind/bug Bug label Apr 24, 2023
@schrodit schrodit changed the title from "Connection Issues when" to "Connection Issues when not NODE_NETWORK is set" Apr 24, 2023
@ScheererJ
Member

Hi Tim,

are you sure that you have actual connection issues without setting NODE_NETWORK? The local gardener development setup also does not set NODE_NETWORK and VPN is working fine there.

What you can see in the logs, though, are the readiness/liveness probes happening every 10 seconds (see https://github.com/gardener/gardener/blob/5eb88cb64bc5d503cacb7d66fc026ef85ecd4189/pkg/component/vpnseedserver/vpn_seed_server.go#L341-L354). The attempt to clean the logs from the probe requests seems to not work in all environments equally well.

Could you please confirm that you face actual connection issues, i.e. do you also see the connect requests in vpn-shoot? Otherwise, I would close this issue.

Best regards,
Johannes.

@gardener-robot gardener-robot added the lifecycle/stale Nobody worked on this for 6 months (will further age) label May 3, 2024
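
One way to check the question raised in the reply above, as an added example that is not part of the issue or of the project's code: it pairs each accepted TCP connection in the server log with the lines that follow for the same peer and separates connects that are reset before any `Peer Connection Initiated` line from sessions that completed the handshake. That a probe shows up as such a bare connect/reset pair is an assumption, and the sample log (addresses, timestamps, client name) is constructed.

```python
import re
from datetime import datetime

# Constructed sample in the format of the server log quoted in the issue;
# addresses, timestamps and the client name are invented for this example.
SAMPLE = """\
2023-04-17 10:39:29 TCP connection established with [AF_INET]10.40.0.1:45364
2023-04-17 10:39:29 10.40.0.1:45364 Connection reset, restarting [0]
2023-04-17 10:39:39 TCP connection established with [AF_INET]10.40.0.1:47204
2023-04-17 10:39:39 10.40.0.1:47204 Connection reset, restarting [0]
2023-04-17 10:39:41 TCP connection established with [AF_INET]10.40.0.7:51000
2023-04-17 10:39:43 10.40.0.7:51000 [example-client] Peer Connection Initiated with [AF_INET]10.40.0.7:51000
2023-04-17 10:41:02 10.40.0.7:51000 Connection reset, restarting [0]
2023-04-17 10:41:05 TCP connection established with [AF_INET]10.40.0.1:47990
"""

CONNECT = re.compile(r"^(\S+ \S+) TCP connection established with \[AF_INET\](\S+)$")
PEER_EVENT = re.compile(r"^\S+ \S+ (\d+(?:\.\d+){3}:\d+) (.*)$")

def parse_connections(log_text):
    """Return one record per accepted TCP connection, in log order."""
    records, latest = [], {}
    for line in log_text.splitlines():
        m = CONNECT.match(line.strip())
        if m:
            rec = {"peer": m.group(2), "handshake": False, "reset": False,
                   "at": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")}
            records.append(rec)
            latest[rec["peer"]] = rec  # a reused ip:port starts a new record
            continue
        m = PEER_EVENT.match(line.strip())
        if m and m.group(1) in latest:
            rec = latest[m.group(1)]
            rec["handshake"] |= "Peer Connection Initiated" in m.group(2)
            rec["reset"] |= "Connection reset" in m.group(2)
    return records

def kind(rec):
    """session: handshake done; probe-like: reset without handshake; open: neither yet."""
    if rec["handshake"]:
        return "session"
    return "probe-like" if rec["reset"] else "open"

def probe_intervals(records):
    """Seconds between consecutive probe-like connects; a steady value suggests a periodic checker."""
    times = [r["at"] for r in records if kind(r) == "probe-like"]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    recs = parse_connections(SAMPLE)
    for r in recs:
        print(r["at"], r["peer"], kind(r))
    print("probe-like intervals (s):", probe_intervals(recs))
```

Sessions that appear as `session` followed shortly by another `session` from the same client address would indicate real reconnects; a log containing only evenly spaced `probe-like` entries would not.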