rsync over ssh (+ wireguard)

  • cat /etc/*release*

    uname -a

    Code
    Linux odroidHC2 4.14.222-odroidxu4 #3 SMP PREEMPT Fri Oct 8 19:48:20 UTC 2021 armv7l GNU/Linux

    cat /etc/apt/sources.list

  • Guys ... can anyone tell me what this /:: in this message is about?

    Looks a bit like IPv6 :: ...

    Could it be there is something wrong that routes certain traffic from an IPv4 interface to an IPv6 interface, which then ends in nowhere?

    This confuses me a bit.

    Maybe the problem is related to IPv6 routing?

  • How can I do that?

    On your client device open a command line and type traceroute <target IP address or name>


    Example:

    If this does not work, you need to play around a bit with the -I and -T parameters.

    It is possible you need to install traceroute first, if you are on a Linux system.


    If your client is an Android phone, and you do not have such a nice command line, you can install one of many network analysis apps, which can also do traceroute from a more graphical interface.


    Traceroute tells you which path through the networks your data packets take. This way you can see whether your packet goes through the wireguard tunnel, or leaves from your phone into your phone network and times out because it simply is not routed into the tunnel.



    In addition to this, can you send the output of the following commands from your omv server:

    Code
    netstat -tulpen
    ifconfig -a


    Just to get a round picture of your environment. I am still confused about the :: in your error message.
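The check described above, as an added example that is not part of the thread: a small POSIX shell script that reads traceroute output and reports whether the first hop lies inside the WireGuard tunnel network or outside it. The tunnel prefix 10.13.13. and both traceroute outputs are my own constructed assumptions, not captures from the poster's setup.

```shell
#!/bin/sh
# Added example (not from the forum thread): classify a traceroute run by
# whether its first hop sits inside the WireGuard tunnel network.
# Assumption (mine): the tunnel network is 10.13.13.0/24.
TUNNEL_PREFIX="10.13.13."

# Constructed traceroute output for the working case: hop 1 is the WireGuard
# server's tunnel address, hop 2 the LAN target reached through it.
SAMPLE_VIA_TUNNEL='traceroute to 192.168.1.77 (192.168.1.77), 30 hops max, 60 byte packets
 1  10.13.13.1 (10.13.13.1)  41.2 ms  40.9 ms  41.5 ms
 2  192.168.1.77 (192.168.1.77)  42.0 ms  41.8 ms  42.3 ms'

# Constructed output for the failure case the thread describes: the packet
# leaves through the mobile carrier (a CGNAT-style hop) and then times out.
SAMPLE_VIA_CARRIER='traceroute to 192.168.1.77 (192.168.1.77), 30 hops max, 60 byte packets
 1  100.64.12.1 (100.64.12.1)  35.0 ms  34.7 ms  35.1 ms
 2  * * *
 3  * * *'

# first_hop OUTPUT -> prints the address of hop 1, or "*" if it timed out
first_hop() {
    printf '%s\n' "$1" | awk '$1 == 1 { print $2; exit }'
}

# path_via_tunnel OUTPUT -> exit 0 when hop 1 is inside the tunnel network
path_via_tunnel() {
    hop=$(first_hop "$1")
    case "$hop" in
        "$TUNNEL_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# diagnose OUTPUT -> "tunnel" or "outside-tunnel"
diagnose() {
    if path_via_tunnel "$1"; then
        echo tunnel
    else
        echo outside-tunnel
    fi
}

# Stand-alone use on a live client: diagnose "$(traceroute -n 192.168.1.77)"
diagnose "$SAMPLE_VIA_TUNNEL"
diagnose "$SAMPLE_VIA_CARRIER"
```

On a real client, feed the script `traceroute -n <target>` so the hop addresses are printed numerically; if the first hop is not the server's tunnel address, the phone is sending the packet out over its carrier network and the tunnel's allowed routes are the place to look.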

  • Linux odroidHC2 4.14.222-odroidxu4 #3 SMP PREEMPT Fri Oct 8

    I don't know if this will work straight away but you can try it.

    The method is for Raspberry but works on all Debian variants.


    First things first:

    DISCLAIMER:

    Do this at your own risk. I won't be held accountable for anything that goes wrong with your server.

    Consider yourself warned from this moment onwards.


    Clean your wireguard docker container and remove the folders you created from it.


    DO NOT DELETE /lib/modules FROM THE HOST!!!!!!

    Only delete the volume created for the config (in your case and according to your YML/stack it's /docker/wireguard/config)


    Then CAREFULLY follow the instructions from step 5 onwards from this guide (it's a bit old but works flawlessly)

    How to Set Up WireGuard on a Raspberry Pi (engineerworkshop.com)


    If you have an error with step 5, go to step 1 and follow everything from the top.

    Explanation:

    If your kernel has the wireguard modules included, all you need is to run step 5 sudo apt install wireguard.

    If your kernel doesn't have the wireguard modules, then you need to do the whole procedure to install the modules to your kernel.


    Good luck, ;)

  • ifconfig -a

  • netstat -tulpen - 1. part

  • netstat -tulpen - 2.part

  • I tried to figure out what path your connection tries to take.

    The error message says it tries to connect to 192.168.1.77:22 from :: port 38358.

    I do not see anything related to port 38358, so at least it is no conflict with any server you have running there.


    I am still building my docker skill. Does anyone here know how to check the linux bridge configuration for docker thoroughly? I need to read into this.


    My actual guess is that there is something wrong with the bridge configuration or iptables, and either the traffic gets routed to the wrong bridge (e.g. into a non-existent IPv6 network) or gets blocked by iptables.

    My guess is actually only based on the error message.


    I found the following article:

    https://docs.docker.com/network/bridge/


    which contains:



    As I mentioned I could use some support in digging into the linux bridge configuration.

  • Just gathering some information here to be used further. Can you please confirm if this is correct?


    by the way .... your container is running in a virtual network with the IP 10.13.13.2

    The docker engine itself uses 172.17.0.1

    And your system is 192.168.1.66


    Your listen port for wireguard is 51820 according to a previous post. From your netstat these two entries exist for this port.

    Code
    udp 0 0 0.0.0.0:51820 0.0.0.0:* 0 813603 18849/docker-proxy
    udp6 0 0 :::51820 :::* 0 814727 18857/docker-proxy


    So your wireguard container with the internal virtual IP hosts its service externally on the 172.17. network as well as the 192.168.1 network (correct?), and all IPv6 networks.


    Question for you darkopi ... Do you use IPv6 at all, or is it just active, but you do not really use it?


    Can you please run:

    Code
    docker network inspect bridge

    ...to give us more information about the bridge configuration of your docker environment.


    Edit:


    And please:

    Code
    docker network ls
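To make the reading of the netstat entries above repeatable, here is an added example that is not part of the thread: a POSIX shell script that parses `netstat -tulpen` output and lists, per port, which address families are bound on a wildcard address (0.0.0.0 or ::), i.e. reachable on every attached network. The two udp lines are the ones quoted in the post; the sshd lines, inode numbers and PIDs are constructed by me.

```shell
#!/bin/sh
# Added example (not from the forum thread): summarise netstat -tulpen output.
# Sample is constructed: the two docker-proxy lines come from the thread, the
# sshd lines and their inode/PID values are placeholders I made up.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12345      999/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      0          12346      999/sshd
udp        0      0 0.0.0.0:51820           0.0.0.0:*                           0          813603     18849/docker-proxy
udp6       0      0 :::51820                :::*                                0          814727     18857/docker-proxy'

# listeners NETSTAT_OUTPUT PORT -> one line "proto local-address program" per
# socket on PORT. Local address is column 4; the program is the last column
# (udp rows have no State column, so positional access from the left is unsafe
# for the right-hand columns, hence $NF).
listeners() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR > 1 {
            n = split($4, a, ":")
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            split($NF, p, "/")
            print $1, addr, p[2]
        }'
}

# wildcard_families NETSTAT_OUTPUT PORT -> address families whose socket on
# PORT is bound to every interface (0.0.0.0 or ::), space separated and sorted
wildcard_families() {
    listeners "$1" "$2" \
        | awk '$2 == "0.0.0.0" || $2 == "::" { print $1 }' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# programs_for_port NETSTAT_OUTPUT PORT -> distinct program names on PORT
programs_for_port() {
    listeners "$1" "$2" | awk '{ print $3 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone use on a live host: wildcard_families "$(netstat -tulpen)" 51820
echo "51820: $(wildcard_families "$SAMPLE_NETSTAT" 51820) via $(programs_for_port "$SAMPLE_NETSTAT" 51820)"
echo "22:    $(wildcard_families "$SAMPLE_NETSTAT" 22) via $(programs_for_port "$SAMPLE_NETSTAT" 22)"
```

A port that shows both `udp` and `udp6` bound to a wildcard address is what the quoted docker-proxy entries represent: the published port is accepted on the host's 172.17, 192.168.1 and IPv6 addresses alike, which is the point the post is making.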
  • docker network inspect bridge

  • Ok. Can you tell us a little bit more about your setup?

    You are trying to connect from an Android phone to the server 192.167.1.77 by ssh, by using a wireguard tunnel through 192.167.1.66.

    Wireguard is running in a docker network which is 10.13.13.2 and which is bridged to 172.17.0.1 on the same that has 192.168.1.66


    Where exactly do you get this error message when trying to ssh?

    Do you get this message from your android phone, when trying to ssh using some app?

    You can successfully establish the wireguard session but you cannot tunnel ssh through the connection to another server, right?

    Code
    Faild to connect to /192.168.1.77 (port 22) from /:: (port 38358) connect failed: ETIMEDOUT (Connection timed out)

    Which IP does your client have in this scenario? Also a local IP in the 192.168.1 network?


    Can you try to do a traceroute? (command: traceroute) to your server 192.168.1.66 ?


    The bridge looks ok. It binds to the 172 network. I want to find out where your ssh session fails, and find out about the exact traffic flow of incoming traffic through the container and the bridge to the 172 network. As your ssh target has a 192. address, but your docker bridge goes to a 172 address, maybe there is something blocking the ssh session from locally going from the 172 bridge network to the 192 outgoing interface.


    Edit:

    And please show us the output of

    Code
    docker network inspect host
    docker network inspect faa520e3e10a
  • And one thing more. If you do not use IPv6 at all, could you disable it?


    Disable IPv6 manually by creating /etc/sysctl.d/70-disable-ipv6.conf with the content: net.ipv6.conf.all.disable_ipv6 = 1. Activate it and reboot.

    Check with ifconfig -a if there are still IPv6 entries.
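The procedure above, as an added example that is not part of the thread: a POSIX shell script that writes the sysctl drop-in into a directory you choose (a temporary directory by default, so it does not touch the host), validates its contents, and counts the `inet6` entries left in an `ifconfig -a` dump. The two interface dumps are constructed by me, not taken from the poster's system.

```shell
#!/bin/sh
# Added example (not from the forum thread): create and validate the IPv6
# drop-in, then check an ifconfig dump for remaining IPv6 addresses.
# Assumption (mine): CONF_DIR defaults to a temp dir; on a real host you would
# set CONF_DIR=/etc/sysctl.d and run as root.
CONF_DIR="${CONF_DIR:-$(mktemp -d)}"
CONF_FILE="$CONF_DIR/70-disable-ipv6.conf"

# write_disable_ipv6_conf -> writes the single setting the post describes
write_disable_ipv6_conf() {
    printf '%s\n' 'net.ipv6.conf.all.disable_ipv6 = 1' > "$CONF_FILE"
}

# conf_disables_ipv6 -> exit 0 if the drop-in sets the key to 1
# (tolerates spaces around "=" and ignores comment lines)
conf_disables_ipv6() {
    [ -r "$CONF_FILE" ] || return 1
    awk -F'=' '
        /^[ \t]*#/ { next }
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == "net.ipv6.conf.all.disable_ipv6" && $2 == "1" { found = 1 }
        END { exit found ? 0 : 1 }' "$CONF_FILE"
}

# Constructed ifconfig -a output before the change: eth0 still has a
# link-local IPv6 address.
SAMPLE_BEFORE='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.66  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::1a2b:3c4d:5e6f:7a8b  prefixlen 64  scopeid 0x20<link>
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255'

# Constructed output after the setting took effect: no inet6 lines remain.
SAMPLE_AFTER='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.66  netmask 255.255.255.0  broadcast 192.168.1.255
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255'

# ipv6_entries OUTPUT -> number of inet6 lines in an ifconfig -a dump
ipv6_entries() {
    printf '%s\n' "$1" | grep -c '^[[:space:]]*inet6 ' || true
}

# Stand-alone run. On a real host, apply without reboot: sudo sysctl -p "$CONF_FILE"
write_disable_ipv6_conf
if conf_disables_ipv6; then echo "drop-in ok: $CONF_FILE"; fi
echo "inet6 entries before: $(ipv6_entries "$SAMPLE_BEFORE")"
echo "inet6 entries after:  $(ipv6_entries "$SAMPLE_AFTER")"
# Live check, as the post suggests: ipv6_entries "$(ifconfig -a)"
```

One caveat worth knowing: `net.ipv6.conf.all.disable_ipv6` applies to the interfaces that exist when it is set; interfaces created afterwards (docker bridges, veth pairs) inherit `net.ipv6.conf.default.disable_ipv6`, so set that key to 1 as well if you want newly created docker interfaces to stay IPv6-free.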

  • docker network inspect host

  • docker network inspect faa520e3e10a

    I am connecting from an Android with the ConnectBot app to the ip 192.167.1.77 by ssh, by using a wireguard tunnel through 192.167.1.66 where the wireguard server is.

    Phone is connected to mobile data and wireguard is enabled but I can access only the server ip.

    Wireguard docker is on the bridge network.


    docker network inspect bridge

  • Same problem with wireguard "outside docker".

    I cannot access LAN devices but only services on my NAS where wireguard is installed.

    :(
