gravitl / netmaker

Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
https://netmaker.io

[Bug]: two endpoints behind nat can not handshake #1501

Closed thanatos40 closed 5 months ago

thanatos40 commented 2 years ago

What happened?

I have three endpoints: one is a cloud server and the other two are PCs with UDP hole punching enabled, behind different NATs. All three are registered in Netmaker. The two endpoints behind NAT can successfully handshake with the cloud server, but cannot handshake with each other. My question is, can this scenario work? If so, what have I missed? Or do I have to make the cloud server a relay server so that these two can communicate with each other?

Version

v0.14.6

What OS are you using?

Linux, Windows

Relevant log output

No response

mattkasun commented 2 years ago

As long as the peers are behind a simple NAT, it should just work. Double NAT or CGNAT may require a relay for one or both peers.

thanatos40 commented 2 years ago

I used some tools to determine the two endpoints' NAT types and found out they weren't the same NAT type: one was port restricted cone and the other was symmetric. Since they weren't the same NAT type, I used netmaker-1 as a relay server, and they can now communicate with each other. But I ran into another problem: one of my PCs is an egress gateway. I couldn't ping the subnet, but the egress gateway could. Did I miss something?
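An added Python model, not from this thread or from Netmaker, of why the NAT pairing mattkasun and thanatos40 discuss matters: it simulates two WireGuard peers that learn each other's server-observed endpoint and punch toward it, including WireGuard's roaming to the source of the last authenticated packet, and reports whether a direct path forms or a relay is needed. All addresses and port numbers are constructed; the NAT kinds are the ones named above.

```python
from dataclasses import dataclass, field
from itertools import count

# Constructed NAT model in RFC 4787 terms: only a symmetric NAT picks a new
# external port per destination; the "cone" names describe the inbound filter.
# Symmetric uses port-dependent filtering, as in the classic STUN classes.
KINDS = {  # name as used in the thread -> (endpoint-dependent mapping, filtering)
    "full cone": (False, "none"),
    "restricted cone": (False, "address"),
    "port restricted cone": (False, "port"),
    "symmetric": (True, "port"),
}

@dataclass
class Nat:
    public_ip: str
    ep_dependent_mapping: bool
    filtering: str
    maps: dict = field(default_factory=dict)   # mapping key -> external port
    allowed: set = field(default_factory=set)  # (external port, destination) opened by outbound traffic
    ports: count = field(default_factory=lambda: count(40000))

    @classmethod
    def of(cls, kind, public_ip):
        return cls(public_ip, *KINDS[kind])

    def outbound(self, int_port, dst):
        """Translate an outbound packet; return the (ip, port) it appears to come from."""
        key = (int_port, dst) if self.ep_dependent_mapping else (int_port, None)
        ext = self.maps.setdefault(key, next(self.ports))
        self.allowed.add((ext, dst))
        return (self.public_ip, ext)

    def inbound(self, ext_port, src):
        """Would a packet from src to our ext_port pass the filter?"""
        if self.filtering == "none":
            return any(e == ext_port for e, _ in self.allowed)
        if self.filtering == "address":
            return any(e == ext_port and d[0] == src[0] for e, d in self.allowed)
        return (ext_port, src) in self.allowed

def can_hole_punch(kind_a, kind_b, port=51820):
    """Two WireGuard peers behind NATs, each told the other's server-observed endpoint."""
    server = ("203.0.113.1", 3478)  # constructed rendezvous (Netmaker server) address
    a, b = Nat.of(kind_a, "198.51.100.1"), Nat.of(kind_b, "198.51.100.2")
    a_seen, b_seen = a.outbound(port, server), b.outbound(port, server)  # server learns both
    a_out, b_out = a.outbound(port, b_seen), b.outbound(port, a_seen)     # both punch
    a_to_b, b_to_a = b.inbound(b_seen[1], a_out), a.inbound(a_seen[1], b_out)
    # WireGuard roams to the source of the last authenticated packet, so each side now
    # sends to the endpoint it actually heard from (if any) instead of the server-seen one.
    a_target = a_out if a_to_b else a_seen
    b_target = b_out if b_to_a else b_seen
    a_out, b_out = a.outbound(port, b_target), b.outbound(port, a_target)
    return b.inbound(b_target[1], a_out) and a.inbound(a_target[1], b_out)
```

A False result is the case where a relay (as used above with netmaker-1) is the only option; a symmetric NAT only pairs directly with a full cone or restricted cone peer in this model.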

varoudis commented 2 years ago

@thanatos40 can you advise on the tools and troubleshooting you did? I have a similar problem: two systems behind NAT won't handshake. One has port forwarding (via a pfSense firewall) and the other one is on an LTE router.

lexbritvin commented 2 years ago

I face a similar issue with UDP hole punching (v0.15.2). I'm behind CGNAT on both sides. But I noticed that Tailscale can actually establish a direct connection. Is there a way to troubleshoot it on Netmaker? I believe there is a way to fix this in Netmaker if Tailscale can make it work.

lexbritvin commented 2 years ago

I was able to resolve the issue in the following way:

  1. Go to Nodes
  2. Edit every node that's behind NAT
  3. Toggle Dynamic port to On (it was disabled in my case, for some reason).
  4. Save

That's it! I have a working connection behind CGNAT and a home router. My home router is set to NAT full cone.