mr-ransel / addon-nebula

Home Assistant addon for slackhq/nebula
MIT License

static_host_map key is not in our subnet, invalid #9

Open Cyberes opened 1 month ago

Cyberes commented 1 month ago

I have the following error:

-----------------------------------------------------------
 Add-on: Nebula
 HomeAssistant addon for slackhq/nebula
-----------------------------------------------------------
 Add-on version: dev
 You are running the latest version of this add-on.
 System: Home Assistant OS 12.4  (amd64 / qemux86-64)
 Home Assistant Core: 2024.7.3
 Home Assistant Supervisor: 2024.06.2
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
s6-rc: info: service base-addon-banner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service base-addon-log-level: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service base-addon-log-level successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/config.sh
[19:14:17] WARNING: Nebula add-on is not configured as certificate authority. You must generate and place certificates for this node and the CA in /ssl/nebula/nodes/home_assistant/home_assistant.(crt|key) and /ca/ca.crt
Generating a config.yaml
[19:14:18] NOTICE: Custom nebula config.yaml detected, ignoring generated nebula configuration!
Setting up IP Forwarding and iptables rules...
cont-init: info: /etc/cont-init.d/config.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun nebula (no readiness notification)
[19:14:18] INFO: Starting Nebula...
time="2024-07-20T19:14:18-06:00" level=info msg="Firewall rule added" firewallRule="map[caName: caSha: direction:outgoing endPort:0 groups:[] host:any ip: localIp: proto:0 startPort:0]"
time="2024-07-20T19:14:18-06:00" level=info msg="Firewall rule added" firewallRule="map[caName: caSha: direction:outgoing endPort:0 groups:[] host:any ip: localIp: proto:0 startPort:0]"
time="2024-07-20T19:14:18-06:00" level=info msg="Firewall rule added" firewallRule="map[caName: caSha: direction:outgoing endPort:0 groups:[] host:any ip: localIp: proto:0 startPort:0]"
time="2024-07-20T19:14:18-06:00" level=info msg="Firewall rule added" firewallRule="map[caName: caSha: direction:incoming endPort:0 groups:[] host:any ip: localIp: proto:0 startPort:0]"
time="2024-07-20T19:14:18-06:00" level=info msg="Firewall rule added" firewallRule="map[caName: caSha: direction:incoming endPort:0 groups:[] host:any ip: localIp: proto:0 startPort:0]"
time="2024-07-20T19:14:18-06:00" level=info msg="Firewall rule added" firewallRule="map[caName: caSha: direction:incoming endPort:0 groups:[] host:any ip: localIp: proto:1 startPort:0]"
time="2024-07-20T19:14:18-06:00" level=info msg="Firewall rule added" firewallRule="map[caName: caSha: direction:incoming endPort:0 groups:[] host:any ip: localIp: proto:0 startPort:0]"
time="2024-07-20T19:14:18-06:00" level=info msg="Firewall started" firewallHash=35609bb65c7b67a47b2a362eaeb28e808916ab3e77fbe437afbd2bdb3846eab3
time="2024-07-20T19:14:18-06:00" level=info msg="listen.read_buffer was set" size=20971520
time="2024-07-20T19:14:18-06:00" level=info msg="listen.write_buffer was set" size=20971520
time="2024-07-20T19:14:18-06:00" level=info msg="Main HostMap created" network=192.168.0.1/24 preferredRanges="[192.168.0.0/24 172.0.0.0/20 192.168.1.0/24]"
time="2024-07-20T19:14:18-06:00" level=info msg="punchy enabled"
time="2024-07-20T19:14:18-06:00" level=error msg="static_host_map key is not in our subnet, invalid" entry=1 network=192.168.0.1/24 vpnIp=172.0.0.2

My config is as follows:

hass_node_name: home_assistant
hass_is_lighthouse: false
hass_is_cert_authority: false
nebula_network_cidr: 172.0.0.0/20
hass_advertise_addrs:
  - 172.0.3.107:4242
node_list:
  - name: home_assistant
    overlay_ip: 172.0.3.107
other_lighthouses: []
cert_expiry_time: 26280h
preferred_route_cidrs:
  - 172.0.0.0/20
firewall:
  conntrack:
    default_timeout: 10m
    max_connections: 100000
    tcp_timeout: 12m
    udp_timeout: 3m
  inbound:
  - host: any
    port: any
    proto: icmp
  - host: any
    port: any
    proto: any
  outbound:
  - host: any
    port: any
    proto: any
lighthouse:
  am_lighthouse: false
  hosts:
  - 172.0.0.2
  - 172.0.0.3
  interval: 60
listen:
  batch: 128
  host: 0.0.0.0
  port: 0
  read_buffer: 10485760
  write_buffer: 10485760
logging:
  format: text
  level: info
pki:
  ca: ...
  cert: ...
  key: ...
preferred_ranges:
- 192.168.1.0/24
punchy:
  delay: 1s
  punch: true
  punch_back: true
  respond: true
relay:
  am_relay: false
  relays:
  - 172.0.0.2
  - 172.0.0.3
  use_relays: true
static_host_map:
  172.0.0.2:
  - ...:4242
  172.0.0.3:
  - ...:4242
tun:
  dev: nebula1
  disabled: false
  drop_local_broadcast: false
  drop_multicast: false
  routes: null
  tx_queue: 5000
  unsafe_routes: null

mr-ransel commented 1 month ago

Apologies, my email formatted poorly and I misunderstood; ignore my previous (now deleted) comment.

It looks like the issue is with the certificates you generated, as the log indicates the addon isn't generating your certs.

Specifically, when you generated your host certs, it sounds like you used the subnet 192.168.0.1/24 as your overlay network range, and nebula is balking because the config.yaml is using 172.0.0.2 as an overlay IP.

Cyberes commented 1 month ago

Thanks.

The addon shouldn't be generating anything and should only be connecting using the info defined in config.yaml.

mr-ransel commented 1 month ago

Yep, if you regenerate your home assistant nebula certs to use the correct overlay network and IPs you should be in good (or at least better) shape.
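The mismatch diagnosed in this thread can be caught before nebula is started: the `network=192.168.0.1/24` in the "Main HostMap created" log line is the overlay address baked into the host certificate, and every key of `static_host_map` has to fall inside that prefix. The script below is an added example, not part of this issue or of the addon's code. It reads the `details.ips` field as printed by `nebula-cert print -json` (assumed shape; the sample JSON is constructed from the values in the log above), walks the overlay IPs referenced in a parsed config (constructed from the config posted above, with placeholder underlay addresses), and reports every one outside the certificate's network. `lighthouse.hosts` and `relay.relays` are checked the same way because they are overlay addresses too; the `FIXED_CERT_JSON` constant models a certificate regenerated for the 172.0.0.0/20 range, as suggested in the reply.

```python
"""Check that every overlay IP a nebula config.yaml references lies inside the
network the host certificate was issued for.  Added example, not the addon's
own code; config is passed as an already-parsed dict."""
import ipaddress
import json

# Constructed sample in the shape of `nebula-cert print -json` (assumed shape):
# the cert from the issue carries 192.168.0.1/24, as logged by nebula.
SAMPLE_CERT_JSON = json.dumps({
    "details": {
        "name": "home_assistant",
        "ips": ["192.168.0.1/24"],
        "subnets": [],
        "groups": [],
        "isCa": False,
    },
    "fingerprint": "PLACEHOLDER_FINGERPRINT",
})

# Constructed sample of a certificate regenerated for the intended overlay
# range (172.0.0.0/20) with the node's overlay IP from the posted config.
FIXED_CERT_JSON = json.dumps({
    "details": {"name": "home_assistant", "ips": ["172.0.3.107/20"]},
    "fingerprint": "PLACEHOLDER_FINGERPRINT",
})

# Constructed sample: the overlay-related parts of the posted config.yaml,
# with placeholder underlay addresses (the originals were elided as "...").
SAMPLE_CONFIG = {
    "static_host_map": {
        "172.0.0.2": ["203.0.113.10:4242"],
        "172.0.0.3": ["203.0.113.11:4242"],
    },
    "lighthouse": {"am_lighthouse": False, "hosts": ["172.0.0.2", "172.0.0.3"]},
    "relay": {"am_relay": False, "relays": ["172.0.0.2", "172.0.0.3"], "use_relays": True},
}


def cert_network(cert_json: str) -> ipaddress.IPv4Network:
    """Return the overlay network the host certificate is bound to.

    The cert carries one address with a prefix (e.g. 192.168.0.1/24); the
    prefix is the overlay network nebula validates static_host_map against."""
    details = json.loads(cert_json)["details"]
    return ipaddress.ip_interface(details["ips"][0]).network


def overlay_addresses(config: dict) -> list:
    """Collect (location, ip) pairs for every overlay IP the config references."""
    found = []
    for key in config.get("static_host_map", {}):
        found.append(("static_host_map", key))
    for host in config.get("lighthouse", {}).get("hosts", []):
        found.append(("lighthouse.hosts", host))
    for relay in config.get("relay", {}).get("relays", []):
        found.append(("relay.relays", relay))
    return found


def find_mismatches(config: dict, cert_json: str) -> list:
    """Return one message per overlay IP that is outside the cert's network."""
    net = cert_network(cert_json)
    problems = []
    for where, ip in overlay_addresses(config):
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{where}: {ip} is not in certificate network {net}")
    return problems


if __name__ == "__main__":
    for label, cert in (("posted cert", SAMPLE_CERT_JSON), ("regenerated cert", FIXED_CERT_JSON)):
        print(f"== {label} ({cert_network(cert)})")
        for line in find_mismatches(SAMPLE_CONFIG, cert) or ["ok: all overlay IPs inside the certificate network"]:
            print("  " + line)
```

Run against the posted certificate every overlay IP is flagged, which is exactly the condition nebula refuses to start on; against the regenerated certificate the list is empty. In practice you would feed the script the real `nebula-cert print -json` output and a YAML-parsed `config.yaml` rather than the embedded samples.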