[eduVPN-deploy] eduVPN v3 questions: multiple profile setup, Shibboleth impact on access to node-api.php, NAT using node IP

François Kooman fkooman at deic.dk
Sat Sep 10 09:25:04 CEST 2022


On 09.09.22 18:49, Louis Twomey via eduVPN-deploy wrote:
> Hi François,

Hi Louis,

> I’ve been trying to create a new eduVPN v3 setup with 1x controller,
> and 2x nodes, using Wireguard only, on Debian 11.

Cool!

> I successfully created a single profile which resulted in my VPN
> connection landing on either of nodeA or nodeB seemingly chosen at
> random, as expected. So it appears that my basic setup is not
> fundamentally broken.

This is also what was (extensively) tested.

> After that I tried to get a little creative but without success.
> Specifically, I tried to create two different profiles, one which
> would use nodeA only, and the other which would use nodeB only. As
> part of troubleshooting the issue I attempted two different
> approaches:

This is actually supposed to work, but won't based on what you tried. 
There's a bug in the server which needs to be solved, but I am not (yet) 
100% sure how to do this in a nice way. Let me think about it.

I created an issue: https://todo.sr.ht/~eduvpn/server/90

> Approach 1:
> ---------------
> Setup: In vpn-user-portal/config.php, profileA referenced nodeA only,
> and profileB referenced nodeB only. In /etc/vpn-server-node/config.php
> I referenced profileA on nodeA, and profileB on nodeB.
> 
> Outcome: Running vpn-maint-apply-changes on nodeA works, but running
> it on nodeB gets “ERROR: 500” and “error: wRangeFour for node “1” is
> not set”.

This is the bug.

> I’m wondering if, within a profile the first node referenced is
> always designated as node 0, and the second node referenced is always
> node 1?

Yes.

> If so, then in profileA my nodeA is designated node 0, but
> also in profileB my nodeB is designated node 0 - in that case, how
> would I define/name the key for nodeB in /etc/vpn-user-portal/keys on
> the controller since the file node.0.key is already used for nodeA?

You can't, that's the bug.

> Approach 2:
> ---------------
> Setup: In vpn-user-portal/config.php, both profiles referenced nodeA
> and nodeB. As before, in /etc/vpn-server-node/config.php I referenced
> profileA on nodeA, and profileB on nodeB.
> 
> Outcome: Running vpn-maint-apply-changes on both nodeA and node B
> works. But when I connect from an eduVPN client, and choose profileA,
> my connection lands on nodeA sometimes and nodeB sometimes, so my
> definition of a single profile in /etc/vpn-server-node/config.php is
> not restricting that specific node to that specific profile.

Yes, this was a good idea, but won't work because indeed the client will 
sometimes end up on the wrong node.

> I’d be grateful for any pointers to what I might be doing wrong here,
> as I certainly seem to be doing something (lots of things? :) ) wrong.

There's (one) bug :-)

> * Before I enabled Shibboleth on the controller, both nodes were able
> to successfully access
> https://CONTROLLER/vpn-user-portal/node-api.php. But after enabling
> Shibboleth that failed, so obviously vpn-maint-apply-changes now
> failed from both nodes. It seems that the "<Files node-api.php>”
> section in /etc/apache2/conf-enabled/vpn-user-portal.conf no longer
> works with Shibboleth in place.
> 
> As a quick hack I added a "<Location /vpn-user-portal/node-api.php>”
> section to /etc/apache2/sites-enabled/CONTROLLER.conf, explicitly
> permitting the node IP addresses, and vpn-maint-apply-changes works
> once more on both nodes.

Yes, this should be added to the SHIBBOLETH_SP.md documentation file:

     https://github.com/eduvpn/documentation/blob/v3/SHIBBOLETH_SP.md#apache

I just did that; does this match what you did?

> Is it expected that enabling Shibboleth causes the "<Files
> node-api.php>” stanza to no longer work?

Yes, the documentation needed to be updated...

> * For nodeA I’m using a pool of addresses in wRangeFour and wRangeSix
> and it works as expected. But on nodeB, which I plan to use for
> testing, I’d like to hide all clients behind the public IPv4/IPv6
> address of the node itself and I haven’t figured out how to do that.

This is not a problem.

> I tried to use nodeB’s single IPv4/IPv6 addresses as the “pools", but
> unsurprisingly the software generates an error for that config. Can
> you tell me how to setup this form of NAT (assuming that it’s even
> possible with Wireguard)?

Yes, assign "private network" addresses to the VPN clients through 
wRangeFour, wRangeSix:

https://en.wikipedia.org/wiki/Private_network

Then you can enable NAT, which is the default already, see the 
documentation and the firewall templates:

https://github.com/eduvpn/documentation/blob/v3/FIREWALL.md
https://github.com/eduvpn/documentation/blob/v3/resources/firewall/node/iptables
https://github.com/eduvpn/documentation/blob/v3/resources/firewall/node/ip6tables

Thank you for your questions/bug report! Let me know if you have more 
questions or if my answers are not clear.

Regards,
François
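An added illustration of the Apache behaviour behind the node-api.php question (this is example configuration, not part of the original thread, the eduVPN documentation, or the project's own files). Apache merges configuration sections by type: all <Files> sections are applied before any <Location> section, and <Location> sections are applied in the order they appear. A Shibboleth <Location /vpn-user-portal> that requires a session therefore silently overrides a <Files node-api.php> exception, which matches what Louis observed. Carving the node API back out needs its own <Location>, placed after the broader one. The path is the one named in the thread; the node addresses are placeholders from the RFC 5737 documentation range, and the mod_shib directives are the standard ones rather than anything quoted from SHIBBOLETH_SP.md.

```apache
# Added example configuration (not the eduVPN project's own files).
# Shibboleth protects the whole portal. Because <Location> is merged after
# <Files>, this block also overrides a <Files node-api.php> exception defined
# elsewhere, so the nodes are rejected once Shibboleth is enabled.
<Location /vpn-user-portal>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session
</Location>

# Carve the node API back out. <Location> sections are merged in file order,
# so this block must come after the broader one to take precedence.
# No Shibboleth session is required here, but only the two VPN nodes may
# reach the endpoint. Addresses are placeholders for nodeA and nodeB.
<Location /vpn-user-portal/node-api.php>
    AuthType None
    ShibRequestSetting requireSession 0
    Require ip 192.0.2.10 192.0.2.11
</Location>
```

Keeping the second stanza next to the Shibboleth block in the same file makes the ordering dependency visible; splitting it into a different included file, as the "quick hack" did, works only as long as that file is included later. After a reload, a request from a node address should be served without a Shibboleth redirect, while a browser hitting the same path from elsewhere should be refused with 403.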
