NHAS / wag

Simple Wireguard 2FA
BSD 3-Clause "New" or "Revised" License

Superfluous response.WriteHeader #130

Open Mariaab1 opened 2 months ago

Mariaab1 commented 2 months ago

Hello everyone,

I recently downloaded and installed version v8.0.0 Clustering using the provided binaries instead of building them from source.

After installation, I can see that the deny rules are reflected in the application's firewall state. I am able to register a user and successfully authenticate.

image image image

However, my issue is that the authenticated user can only access the VPN server, and not any other resources. Upon checking the logs, I found the following errors:

2024/09/25 11:27:17 http: superfluous response.WriteHeader call from github.com/NHAS/wag/internal/router.(*Challenger).WS (session_manager.go:157)
2024/09/25 11:27:21 websocket origin does not equal expected value: "http://172.16.101.1:445" != ""
2024/09/25 11:27:21 pablo_deny 172.16.101.212 failed to create websocket challenger: websocket: request origin not allowed by Upgrader.CheckOrigin
2024/09/25 11:27:21 http: superfluous response.WriteHeader call from github.com/NHAS/wag/internal/router.(*Challenger).WS (session_manager.go:157)
{"level":"info","ts":"2024-09-25T11:27:24.409979+0200","caller":"traceutil/trace.go:171","msg":"trace[755734487] put","detail":"{key:wag/node/229e0fb671e145bf/ping; req_size:65; response_revision:32151; }","duration":"249.360221ms","start":"2024-09-25T11:27:24.160602+0200","end":"2024-09-25T11:27:24.409962+0200","steps":["trace[755734487] 'process raft request' (duration: 249.278958ms)"],"step_count":1}
2024/09/25 11:27:25 websocket origin does not equal expected value: "http://172.16.101.1:445" != ""
2024/09/25 11:27:25 pablo_deny 172.16.101.212 failed to create websocket challenger: websocket: request origin not allowed by Upgrader.CheckOrigin
2024/09/25 11:27:25 http: superfluous response.WriteHeader call from github.com/NHAS/wag/internal/router.(*Challenger).WS (session_manager.go:157)

Could you help me with this error? Is it that I'm configuring it incorrectly, or could it be a bug?

Thanks in advance for your help!

NHAS commented 2 months ago

Howdy, that looks like you haven't sent the domain url properly.

It's checking the origin of the web socket verifier request (which effectively allows you to change networks and not have to re-mfa if your device responds within 6 seconds)

But it's not finding the challenge so it might be deauthenticating you.

Also, if you're installing wag from binaries have you enabled IP forwarding?

Can you also check that the user is shown as authenticated in the wag ui?
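The origin check described in the comment above, as an added example that is not part of the thread and is not wag's own code: a fail-closed comparison of the request's Origin header against a configured external address, using only the Go standard library. The function names and the `expected` parameter are hypothetical; the error wording mirrors the log lines quoted in the issue.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// normalize reduces an origin to lowercase scheme://host:port, filling in the
// default port so "http://a" and "http://a:80" compare equal.
func normalize(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Hostname() == "" {
		return "", fmt.Errorf("not an absolute origin: %q", raw)
	}
	scheme, port := strings.ToLower(u.Scheme), u.Port()
	if port == "" {
		port = map[string]string{"http": "80", "https": "443"}[scheme]
	}
	return scheme + "://" + strings.ToLower(u.Hostname()) + ":" + port, nil
}

// checkOrigin (hypothetical name) fails closed: if the expected address is
// unset or malformed, every request is rejected, including legitimate ones.
func checkOrigin(r *http.Request, expected string) error {
	origin := r.Header.Get("Origin")
	want, errWant := normalize(expected)
	got, errGot := normalize(origin)
	if errWant != nil || errGot != nil || got != want {
		return fmt.Errorf("websocket origin does not equal expected value: %q != %q", origin, expected)
	}
	return nil
}

// newUpgradeRequest builds a constructed request that carries only an Origin header.
func newUpgradeRequest(origin string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://placeholder.invalid/ws", nil)
	r.Header.Set("Origin", origin)
	return r
}

func main() {
	// Constructed inputs: the origin from the log, first with no expected
	// address configured, then with the matching address configured.
	for _, expected := range []string{"", "http://172.16.101.1:445"} {
		err := checkOrigin(newUpgradeRequest("http://172.16.101.1:445"), expected)
		fmt.Printf("expected=%q -> %v\n", expected, err)
	}
}
```

With an empty expected value the legitimate browser origin is refused, which matches the `"http://172.16.101.1:445" != ""` entries in the log.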

Mariaab1 commented 2 months ago

Hello! 🤠

Thank you for the quick response; you are right, I hadn't configured the following in the config.json

image

I’m not sure if this is what you were referring to, but after adding it, the WebSocket error has gone.

On the other hand, yes, the IP forwarding policy in iptables is set to accept:

image

Finally, yes, the user is authenticated and registered:

image image

Now, despite not showing any errors in the log, I still cannot access the local network:

Ping to the VPN server: image

Ping to a powered-on server in the local network: image

Thank you :)

NHAS commented 2 months ago

That screenshot doesn't show if the user is authenticated or not. Can you show me the debug firewall state?

Mariaab1 commented 2 months ago

Mmm sorry, I thought that if the registration was successful, it would also grant authorization. Are you referring to this?:

image

NHAS commented 2 months ago

Yes. That's showing it's not authorised. And also that it's trying to register your mfa for some reason.

I think you should probably reset the account mfa and try again.

Not sure what the problem is there

Mariaab1 commented 2 months ago

Well, I don't understand it 😭. I've reset the MFA key, but now I'm getting the same WebSocket error as before. And my colleague has successfully re-registered; now they appear as authorized:

image