Several Locations and the One-line install script
Closed this issue · 1 comment
Describe the bug
Hi, I'm testing out defguard. I think I found a documentation issue. I set up an instance with the One-line install script and with one location it works fine. After adding another location and setting up another instance of the gateway in docker-compose.yml (by copying the existing gateway service, changing name and token) both gateways show connected.
But once I connect to one of the locations the other one stops working... I think this has to do with using networking: "host". It seems like defguard instructs the gateway to change wg0 for the connection. Observing `wg show`, I can see the port of the peer changes on wg0 when I connect with each location.
The IFACE setting on the gateway doesn't seem to have any effect, and both gateways use the same wg interface on the host.
That said, changing the gateway instances to use an internal network (not host) and forwarding the correct UDP ports fixes the issue and both locations work at the same time. Please note that this is not that straightforward, as the gateway needs to have a valid certificate on the defguard gRPC host. I did it like this:
```yaml
  gateway_remote:
    image: ghcr.io/defguard/gateway:${GATEWAY_IMAGE_TAG:-latest}
    restart: unless-stopped
    extra_hosts:
      # need valid certificate
      - "host.example.com:172.18.0.4"
    ports:
      - "50052:50052/udp"
    environment:
      DEFGUARD_GRPC_URL: https://host.example.com:50055
      DEFGUARD_GRPC_CA: /ssl/defguard-ca.pem
      DEFGUARD_STATS_PERIOD: 30
      DEFGUARD_TOKEN: "snip"
    volumes:
      - ${VOLUME_DIR:-./.volumes}/ssl:/ssl
    cap_add:
      - NET_ADMIN
```
To Reproduce
Steps to reproduce the behavior:
- Set up an instance with the One-line install
- Add location and follow the docker-compose instructions for adding a location (token and name)
- Connect to both locations.
- Observe that just one location works and that `wg show` just shows one interface wg0 with the UDP port defined in the last connected location.
Expected behavior
I assume this is just a documentation issue with using the One-Line install script. (As everything works fine if you don't use host networking.)
That said, is there a reason the IFACE configuration option on the gateway doesn't work? Without knowing the details, can't defguard just instruct the gateway to use another wg interface?
Version information
- Defguard Core version: latest docker image as of 2024-08-31
- Defguard Gateway version: latest docker image as of 2024-08-31
- Operating system and version running the gateway: Debian Bookworm clean VM with just docker.
- Firefox 129.0.2
@thoj you are right - there is a bug in the documentation - I have fixed it. You need to add:
```yaml
command: ["-i", "wg1"]
```
below the image to define a separate interface for the second gateway.
All is updated here: https://defguard.gitbook.io/defguard/tutorials/step-by-step-setting-up-a-vpn-server/adding-additional-vpn-locations
Thank you for pointing this out and for a very constructive and spot on deduction!
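For readers landing on this issue, here is what the fix looks like when both gateways stay on host networking, as the One-line install sets them up. This is an added example written for this page, not the project's own docker-compose.yml or the linked tutorial; the service names, the `host.example.com` gRPC address and the token values are placeholders, and `network_mode: host` is assumed to be the compose key behind the "host networking" the report describes. Each service pins its own WireGuard interface with the `-i` flag from the comment above, so the two locations no longer fight over wg0.

```yaml
# Added example (not from the issue or the defguard project): two gateway
# services on host networking, each bound to a distinct WireGuard interface.
# Tokens, hostnames and service names below are placeholders.
services:
  gateway_office:
    image: ghcr.io/defguard/gateway:${GATEWAY_IMAGE_TAG:-latest}
    restart: unless-stopped
    network_mode: host
    # first location keeps the default interface name explicitly
    command: ["-i", "wg0"]
    environment:
      DEFGUARD_GRPC_URL: https://host.example.com:50055   # placeholder
      DEFGUARD_GRPC_CA: /ssl/defguard-ca.pem
      DEFGUARD_STATS_PERIOD: 30
      DEFGUARD_TOKEN: "<token-issued-for-location-1>"       # placeholder
    volumes:
      - ${VOLUME_DIR:-./.volumes}/ssl:/ssl
    cap_add:
      - NET_ADMIN

  gateway_remote:
    image: ghcr.io/defguard/gateway:${GATEWAY_IMAGE_TAG:-latest}
    restart: unless-stopped
    network_mode: host
    # second location gets its own interface so it cannot rewrite wg0
    command: ["-i", "wg1"]
    environment:
      DEFGUARD_GRPC_URL: https://host.example.com:50055   # placeholder
      DEFGUARD_GRPC_CA: /ssl/defguard-ca.pem
      DEFGUARD_STATS_PERIOD: 30
      DEFGUARD_TOKEN: "<token-issued-for-location-2>"       # placeholder
    volumes:
      - ${VOLUME_DIR:-./.volumes}/ssl:/ssl
    cap_add:
      - NET_ADMIN
```

With host networking there is no `ports:` mapping: each gateway opens its location's UDP port directly on the host, so the two locations must be configured in defguard core with different ports (the report used 50052 for the second one). After `docker compose up -d`, `wg show interfaces` on the host should list both `wg0` and `wg1`, and `wg show wg1 listen-port` should stay fixed while a client connects to the first location; if only one interface appears, the `command` override was not picked up by that service.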