
Comments (6)

teon commented on June 19, 2024

@almulalic could you share any details about the configuration so we could replicate/try to find what's wrong? If you don't want to post them here publicly you can email us at: [email protected].
We need:

  • name of the VPN
  • name of the device
  • first, last name & username of the user for which the device was configured
  • VPN server IP
  • port
  • VPN network address

Also can you go to the "core" logs and post them?

Based on that we will replicate and have the ability to fix.

from defguard.

almulalic commented on June 19, 2024

Sure, I can publish it here. I managed to get a video for this which I sent to support email.
Most of the questions are answered in the video, however I can't share the IP and port.

However I could share my deployment info:
deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: defguard
  namespace: infra
spec:
  replicas: 1
  selector:
    matchLabels:
      app: defguard
  template:
    metadata:
      labels:
        app: defguard
    spec:
      containers:
        - name: core
          image: ghcr.io/defguard/defguard:sha-db61513
          envFrom:
            - secretRef:
                name: defguard-secret
          ports:
            - containerPort: 8000
              protocol: TCP
            - containerPort: 50055
              protocol: TCP
          volumeMounts:
            - name: ssl-certs
              mountPath: /ssl
        - name: proxy
          image: ghcr.io/defguard/defguard-proxy:latest
          envFrom:
            - secretRef:
                name: defguard-secret
          ports:
            - containerPort: 8080
              protocol: TCP
            - containerPort: 50052
              protocol: TCP
          volumeMounts:
            - name: ssl-certs
              mountPath: /ssl
      volumes:
        - name: ssl-certs
          hostPath:
            path: /opt/defguard/ssl

---
apiVersion: v1
kind: Service
metadata:
  name: defguard-tcp
  namespace: infra
spec:
  selector:
    app: defguard
  ports:
    - name: defguard-grpc
      protocol: TCP
      port: 50055
      targetPort: 50055
    - name: defguard-proxy
      protocol: TCP
      port: 50052
      targetPort: 50052
    - name: defguard-main-ui
      protocol: TCP
      port: 8000
      targetPort: 8000
    - name: defguard-enroll-ui
      protocol: TCP
      port: 8080
      targetPort: 8080

---
apiVersion: v1
kind: Service
metadata:
  name: defguard-udp
  namespace: infra
spec:
  externalTrafficPolicy: Local
  type: NodePort
  selector:
    app: defguard
  ports:
    - protocol: UDP
      port: 50051
      targetPort: 50051
      name: wireguard-def

---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: defguard-grpc
  namespace: infra
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`grpc.defguard.X.cloud`)
      kind: Rule
      services:
        - name: defguard-tcp
          port: 50055

---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: defguard-main-ui
  namespace: infra
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`defguard.X.cloud`)
      kind: Rule
      services:
        - name: defguard-tcp
          port: 8000

---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: defguard-proxy
  namespace: infra
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`proxy.defguard.X.cloud`)
      kind: Rule
      services:
        - name: defguard-tcp
          port: 50052

---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: defguard-enroll-ui
  namespace: infra
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`enroll.defguard.X.cloud`)
      kind: Rule
      services:
        - name: defguard-tcp
          port: 8080

---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
  name: defguard-wireguard
  namespace: infra
spec:
  entryPoints:
    - wireguard-def
  routes:
    - services:
      - name: wireguard-defguard
        port: 50051
        weight: 9
        nativeLB: true

gateway

apiVersion: apps/v1
kind: Deployment
metadata:
  name: defguard-homeserver-gateway
  namespace: infra
spec:
  replicas: 1
  selector:
    matchLabels:
      app: defguard-homeserver-gateway
  template:
    metadata:
      labels:
        app: defguard-homeserver-gateway
    spec:
      containers:
        - name: gateway
          image: ghcr.io/defguard/gateway:latest
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
          ports:
            - containerPort: 50051
              protocol: UDP
          envFrom:
            - secretRef:
                name: defguard-homeserver-gateway-secret
          volumeMounts:
            - name: ssl-certs
              mountPath: /ssl
      dnsPolicy: "None"
      dnsConfig:
        nameservers:
          - 192.168.98.6
          - 8.8.8.8
      volumes:
        - name: ssl-certs
          hostPath:
            path: /opt/defguard/ssl

---
apiVersion: v1
kind: Service
metadata:
  name: defguard-homeserver-gateway
  namespace: infra
spec:
  externalTrafficPolicy: Local
  type: NodePort
  selector:
    app: defguard-homeserver-gateway
  ports:
    - protocol: UDP
      port: 50051
      targetPort: 50051
      name: wireguard-def

---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
  name: defguard-homeserver-gateway
  namespace: infra
spec:
  entryPoints:
    - wireguard-def
  routes:
    - services:
      - name: defguard-homeserver-gateway
        port: 50051
        weight: 9
        nativeLB: true

.env

# Database
DEFGUARD_DB_HOST=postgresql.data.svc.cluster.local
DEFGUARD_DB_PORT=5432
DEFGUARD_DB_USER=defguard
DEFGUARD_DB_PASSWORD=X
DEFGUARD_DB_NAME=defguard

# Core
DEFGUARD_LOG_LEVEL=DEBUG
DEFGUARD_AUTH_SECRET=X
DEFGUARD_YUBIBRIDGE_SECRET=X
DEFGUARD_GATEWAY_SECRET=X
DEFGUARD_SECRET_KEY=X
DEFGUARD_URL=https://defguard.X.cloud
DEFGUARD_WEBAUTHN_RP_ID=defguard.X.cloud
DEFGUARD_COOKIE_INSECURE=false
DEFGUARD_ENROLLMENT_URL=https://enroll.defguard.X.cloud
DEFGUARD_PROXY_URL=http://defguard-tcp.infra.svc.cluster.local:50052
DEFGUARD_DEFAULT_ADMIN_PASSWORD=X

# Proxy
DEFGUARD_PROXY_GRPC_PORT=50052
DEFGUARD_PROXY_HTTP_PORT=8080

gateway .env

DEFGUARD_GRPC_URL=http://defguard-tcp.infra.svc.cluster.local:50055
DEFGUARD_STATS_PERIOD=30
DEFGUARD_TOKEN=X
POSTUP=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
POSTDOWN=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE


teon commented on June 19, 2024

@almulalic from what I see you are not using official release images (sha-xxx). That may be the case.

Can you use 0.9.0 image tag (latest release)?


almulalic commented on June 19, 2024

Tried to migrate but got some SQL migration errors which are fine for now as I used this cluster for testing. I created a fresh new database with the :latest tag on core and the same issue still persists.

  1. Create a network
  2. Assign it to admin group
  3. Create a new user that doesn't have admin group
  4. Log in as the user, go to add device and go through the wizard
  5. Wizard will crash after the key setup
  6. (Optional) go back to his profile, same behaviour is present on Show configuration option
  7. Go back to admin account
  8. Add admin group to user
  9. Go back to user
  10. Show configuration should work now and the wizard for adding new devices should complete

Also the behaviour should be present when you visit https://domain.com/add-device and refresh the page.

The code is minified so I didn't get much info from digging through references in console, but the error is the same
Screenshot 2024-03-16 at 13 07 52


almulalic commented on June 19, 2024

Also, I tested out the scenario where there are 2 locations, one admin-only and the other public, and it seems that as long as there is one location that the user has access to, everything works.

My best guess would be that QR code generation is done under the assumption that there is at least one network/location, and then when 0 networks are returned it tries to find property networkId on nothing.
Screenshot 2024-03-16 at 13 08 45

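The failure mode guessed at in the comment above, as an added sketch that is not defguard's code and not part of the original thread: a group-filtered location list that comes back empty, read first without a guard and then with one. All names (`visibleLocations`, `allowedGroups`, `deviceConfigs`, the `status` values) and the sample data are assumptions made for illustration.

```javascript
// Added illustration: all names and data are hypothetical, not defguard's code.

// Constructed data: steps 1-2 of the reproduction (one location, admin group only).
const ADMIN_ONLY = [{ networkId: 1, name: "office", allowedGroups: ["admin"] }];
// Constructed data: the second scenario (one admin-only and one public location).
const MIXED = [
  ...ADMIN_ONLY,
  { networkId: 2, name: "guest", allowedGroups: [] },
];

// Assumption: an empty allowedGroups list means the location is public.
function visibleLocations(locations, userGroups) {
  return locations.filter(
    (loc) =>
      loc.allowedGroups.length === 0 ||
      loc.allowedGroups.some((group) => userGroups.includes(group))
  );
}

// Unguarded: takes the first visible location for granted.
function firstConfigUnguarded(locations, userGroups, deviceName) {
  const first = visibleLocations(locations, userGroups)[0];
  // Throws TypeError when the user can see no location (first is undefined).
  return { device: deviceName, networkId: first.networkId };
}

// Guarded: zero visible locations is an ordinary state with its own result.
function deviceConfigs(locations, userGroups, deviceName) {
  const visible = visibleLocations(locations, userGroups);
  if (visible.length === 0) {
    return { status: "no-locations", configs: [] };
  }
  const configs = visible.map((loc) => ({
    device: deviceName,
    networkId: loc.networkId,
    location: loc.name,
  }));
  return { status: "ok", configs };
}

// Helper for the demo: reports whether calling fn raises a TypeError.
function throwsTypeError(fn) {
  try {
    fn();
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}
```

The guarded form lets the wizard show a "no locations available" state for a user whose groups match nothing, instead of failing while it renders the configuration.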

teon commented on June 19, 2024

@j-chmielewski I've replicated this on our DEV:

  1. New account (not admin)
  2. Logged in to this account
  3. Added a new device
  4. Named the device -> NEXT

ERROR IN CONSOLE:

Screenshot 2024-03-19 at 10 56 22
