[eduVPN-deploy] eduVPN v3 questions: multiple profile setup, Shibboleth impact on access to node-api.php, NAT using node IP

Louis Twomey louis.twomey at heanet.ie
Fri Sep 9 18:49:34 CEST 2022


Hi François,
I’ve been trying to create a new eduVPN v3 setup with 1x controller, and 2x nodes, using WireGuard only, on Debian 11.

I successfully created a single profile which resulted in my VPN connection landing on either of nodeA or nodeB seemingly chosen at random, as expected. So it appears that my basic setup is not fundamentally broken.

After that I tried to get a little creative but without success. Specifically, I tried to create two different profiles, one which would use nodeA only, and the other which would use nodeB only. As part of troubleshooting the issue I attempted two different approaches:

Approach 1:
---------------
Setup: In vpn-user-portal/config.php, profileA referenced nodeA only, and profileB referenced nodeB only. In /etc/vpn-server-node/config.php I referenced profileA on nodeA, and profileB on nodeB.

Outcome: Running vpn-maint-apply-changes on nodeA works, but running it on nodeB gets "ERROR: 500" and "error: wRangeFour for node '1' is not set".

I’m wondering if, within a profile the first node referenced is always designated as node 0, and the second node referenced is always node 1? If so, then in profileA my nodeA is designated node 0, but also in profileB my nodeB is designated node 0 - in that case, how would I define/name the key for nodeB in /etc/vpn-user-portal/keys on the controller since the file node.0.key is already used for nodeA?

Approach 2:
---------------
Setup: In vpn-user-portal/config.php, both profiles referenced nodeA and nodeB. As before, in /etc/vpn-server-node/config.php I referenced profileA on nodeA, and profileB on nodeB.

Outcome: Running vpn-maint-apply-changes on both nodeA and nodeB works. But when I connect from an eduVPN client, and choose profileA, my connection lands on nodeA sometimes and nodeB sometimes, so my definition of a single profile in /etc/vpn-server-node/config.php is not restricting that specific node to that specific profile.


I’d be grateful for any pointers to what I might be doing wrong here, as I certainly seem to be doing something (lots of things? :) ) wrong.


I also have a couple of other questions:

* Before I enabled Shibboleth on the controller, both nodes were able to successfully access https://CONTROLLER/vpn-user-portal/node-api.php. But after enabling Shibboleth that failed, so obviously vpn-maint-apply-changes now failed from both nodes. It seems that the "<Files node-api.php>" section in /etc/apache2/conf-enabled/vpn-user-portal.conf no longer works with Shibboleth in place.

As a quick hack I added a "<Location /vpn-user-portal/node-api.php>" section to /etc/apache2/sites-enabled/CONTROLLER.conf, explicitly permitting the node IP addresses, and vpn-maint-apply-changes works once more on both nodes.

Is it expected that enabling Shibboleth causes the "<Files node-api.php>" stanza to no longer work?


* For nodeA I’m using a pool of addresses in wRangeFour and wRangeSix and it works as expected. But on nodeB, which I plan to use for testing, I’d like to hide all clients behind the public IPv4/IPv6 address of the node itself and I haven’t figured out how to do that.

I tried to use nodeB’s single IPv4/IPv6 addresses as the "pools", but unsurprisingly the software generates an error for that config. Can you tell me how to set up this form of NAT (assuming that it’s even possible with WireGuard)?


Thanks a lot,
Louis Twomey
-------
Louis Twomey
Technical Architect
PGP key: C77D9256
HEAnet CLG, Ireland’s National Education and Research Network
1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland
+353 (0)1 6609040   louis.twomey at heanet.ie  www.heanet.ie
Registered in Ireland, No. 275301.  CRA No. 20036270
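For reference, an Apache stanza of the kind the message above describes for restricting node-api.php to the VPN nodes. This is an added illustration, not part of Louis's message and not the eduVPN project's shipped configuration. The node addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders, and it assumes Shibboleth was enabled with an AuthType shibboleth <Location> block that also covers /vpn-user-portal; Apache merges <Directory>, then <Files>, then <Location> sections, with later sections overriding earlier ones, which is why a <Location> block for the Shibboleth-protected path can override access rules set in a <Files node-api.php> section.

```apache
# Added illustration, not eduVPN's shipped configuration.
# Limit the node API endpoint to the VPN nodes' own addresses; the nodes
# authenticate with their node key, not with a browser SSO session.
# 192.0.2.10 and 192.0.2.11 are constructed placeholder node IPs.
<Location /vpn-user-portal/node-api.php>
    # Reset any AuthType shibboleth inherited from a broader <Location>
    # block so the nodes are not redirected to the IdP (assumed layout).
    AuthType None
    # Apache 2.4 authorization: only these source addresses may reach it.
    Require ip 192.0.2.10 192.0.2.11
</Location>
```

Because a <Location> for the exact path is merged after any shorter-path <Location> covering /vpn-user-portal, placing this stanza in the site configuration makes the node restriction win regardless of what the Shibboleth block set. After reloading Apache, a request from an address outside the list should return 403, and one from a listed node should reach the endpoint without an SSO redirect; checking both from the controller's access log is the quickest way to confirm the merge order behaves as expected.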