Unable to establish VPN: 10.1.1.2 not found in the routing table #29

Open
realbiz21 opened this issue Sep 9, 2022 · 7 comments

@realbiz21

I am using v0.16.1 on linux x86-64.

I am attempting to simulate two hosts behind NAT establishing a VPN connection.

I have two separate machines on the same LAN, but they are prohibited from talking to one another over the LAN. The machines only have internal 192.168.1.0/24 addresses.

I followed the tutorial exactly as written but when trying to ping host2 (edgevpn ip: 10.1.1.2) from host1 (edgevpn ip: 10.1.1.1), I get the error:

{"level":"DEBUG",
 "time":"[date]",
 "caller":"vpn/vpn.go:258",
 "message":"could not handle frame: '10.1.1.2' not found in the routing table\n"}

Invocation:

  • host1: sudo ./edgevpn --interface edgevpn0 --config config.yaml --log-level=DEBUG --address 10.1.1.1/30 --libp2p-log-level=INFO --transient-conn
  • host2: sudo ./edgevpn --interface edgevpn1 --config config.yaml --log-level=DEBUG --address 10.1.1.2/30 --libp2p-log-level=INFO --transient-conn

I have followed the sysctl -w net.core.rmem_max=2500000 step on both machines.

config.yaml was generated with edgevpn -g > config.yaml and is the same on both machines.

The DEBUG messages show that both machines Find Peers:

{"level":"DEBUG",
 "time":"[date]",
 "caller":"discovery/dht.go:229",
 "message":" Found peer: {12D3KooW....: [/ip4/147.189.X.Y/udp/4001/quic/p2p/12D3KooWE.../p2p-circuit ..."}

And even report Connected:

{"level":"DEBUG",
 "time":"[date]",
 "caller":"discovery/dht.go:229",
 "message":" Connected to: {12D3KooW....: [/ip4/147.189.X.Y/udp/4001/quic/p2p/12D3KooWE.../p2p-circuit ..."}

Yet edgevpn complains about the routing table when attempting to ping the other edgevpn IP address.

It works when both edgevpn0 and edgevpn1 are invoked on the same machine (and talk over localhost), but this does not simulate my intention: two hosts behind NAT.

edgevpn has many options whose purpose I don't know. Do I need to specify any of these?

@mudler (Owner) commented Sep 9, 2022

Hi, thanks for opening the issue!

That seems rather odd. Can you compare with edgevpn 0.15.3? https://github.com/mudler/edgevpn/releases/tag/v0.15.3

Did you try to let the VPN run for a while? After establishing a connection it may take a while to get them exchanging messages.

The other thing I can think of is the clock of the machines: do they have too much drift? In that case you might need to enlarge the default OTP key interval when generating the config file.

@realbiz21 (Author)

@mudler - same behavior with v0.15.3. The debug logs indicate the peers are connected, but there are still routing issues.

The time is accurate on both - they are NTP synced and within 1 second of each other.

I added the --api flag and I can see that on both WebUIs:

  • VPN Nodes is 1, showing only itself
  • Blockchain data only shows itself in the "machines" section
  • Under Peers, Nodes only shows itself, but the other Peer is listed in Peer Store

I have let it run for up to 15 minutes. Should it take longer than this when both machines are behind the NAT and have the same public IP address? I will let it run overnight.

@realbiz21 (Author) commented Sep 10, 2022

An overnight run of 12 hours with a concurrent ping 10.1.1.2 shell job showed 100% packet loss. The UI showed both machines discovered around 2k peers.

@mudler (Owner) commented Sep 11, 2022 via email

@realbiz21 (Author)

Back to edgevpn v0.16.3:

In the libp2p DEBUG logs, I saw that holepunch was failing:

DEBUG   p2p-holepunch   holepunch/svc.go:198    received hole punch request   {"peer": "12D3KooWQ...", "addrs": ["/ip4/[router public IP]/udp/45223/quic"]}
DEBUG   p2p-holepunch   holepunch/svc.go:256    starting hole punch   {"peer": "12D3KooWQ...", "addrs": ["/ip4/[router public IP]/udp/45223/quic"]}
DEBUG   p2p-holepunch   holepunch/util.go:64    hole punch attempt with peer failed   {"peer ID": "12D3KooWQ...", "error": "context deadline exceeded"}

Maybe hole punching doesn't work in this scenario, when both machines are on the same LAN without a direct connection. The hosts are obviously talking to one another through a relay.

I disabled holepunching, but it complains about transient connections:

WARN   net/identify   identify/peer_loop.go:93   failed to send Identify PUSH    {"peer": "12D3KooWQ...", "error": "failed to open push stream: transient connection to peer"}

The error occurs even though I supply --transient-conn or TRANSIENTCONN=1:

sudo ./edgevpn --holepunch=0 --transient-conn
sudo env TRANSIENTCONN=1 ./edgevpn --holepunch=0

Looking at the libp2p code, the error occurs if transient connections aren't allowed, but from what I can tell edgevpn is enabling transient connections in main.go.

Is edgevpn enabling transient connections in libp2p properly?

@mudler (Owner) commented Oct 11, 2022

@realbiz21 thanks for the deep dive. I'm going to check if there is anything smelly in the code about that, although we just enable the option and pass it to libp2p.

@chairwa commented Mar 14, 2023

On Windows 11 with v0.22.0, the problem still exists.

{"level":"DEBUG","time":"2023-03-14T17:40:37.860+0800","caller":"vpn/vpn.go:288","message":"could not handle frame: '239.255.255.250' not found in the routing table\n"}

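The two "not found in the routing table" lines in this thread are not the same condition, and the following Go example (added here, not edgevpn's own code) models the lookup that produces that message to make the difference visible. The RoutingTable type, the peer IDs, the subnet and the sample destinations are constructed for the example and are assumptions about how the lookup works, not edgevpn's real data structures. 239.255.255.250 is the SSDP multicast address and 224.0.0.251 is mDNS; neither is an address any mesh node announces, so a "not found" entry for them is expected noise. 10.1.1.2, by contrast, is a VPN address inside the subnet that the remote node should have announced; the WebUI observation earlier in the thread ("VPN Nodes is 1") says that announcement never arrived, which is the actual failure.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Verdict is what the forwarder does with an outbound frame.
type Verdict int

const (
	Forward       Verdict = iota // destination is a VPN peer we know about
	DropNoRoute                  // inside the VPN subnet, but no peer announced it
	DropMulticast                // multicast destination: never routable over the mesh
	DropOffSubnet                // not a VPN address at all
)

func (v Verdict) String() string {
	switch v {
	case Forward:
		return "forward"
	case DropNoRoute:
		return "drop: not found in the routing table"
	case DropMulticast:
		return "drop: multicast destination (expected noise)"
	default:
		return "drop: destination outside the VPN subnet"
	}
}

// RoutingTable is a hypothetical, simplified model of the table a mesh VPN
// derives from its ledger: VPN IP -> libp2p peer ID. This is an assumption
// made for the example, not edgevpn's real structure.
type RoutingTable map[netip.Addr]string

// ClassifyDestination mirrors the decision behind a
// "could not handle frame: '<ip>' not found in the routing table" log line.
func ClassifyDestination(rt RoutingTable, vpnNet netip.Prefix, dst netip.Addr) (Verdict, string) {
	if dst.IsMulticast() {
		return DropMulticast, ""
	}
	if !vpnNet.Contains(dst) {
		return DropOffSubnet, ""
	}
	if peer, ok := rt[dst]; ok {
		return Forward, peer
	}
	return DropNoRoute, ""
}

// IsExpectedNoise reports whether a "not found" log line for dst is just
// multicast chatter (SSDP, mDNS) rather than a real peering failure.
func IsExpectedNoise(dst netip.Addr) bool {
	return dst.IsMulticast()
}

func main() {
	vpnNet := netip.MustParsePrefix("10.1.1.0/30")
	// Constructed table: only the local node has announced itself, which is
	// the state the WebUI in the thread showed ("VPN Nodes is 1").
	rt := RoutingTable{netip.MustParseAddr("10.1.1.1"): "12D3KooW-local-peer-id"}
	for _, s := range []string{"10.1.1.2", "239.255.255.250", "192.168.1.50"} {
		v, peer := ClassifyDestination(rt, vpnNet, netip.MustParseAddr(s))
		fmt.Printf("%-16s -> %s %s\n", s, v, peer)
	}
	// Once the remote side's announcement lands in the ledger, the same
	// destination becomes routable; until then every ping to it is dropped.
	rt[netip.MustParseAddr("10.1.1.2")] = "12D3KooW-remote-peer-id"
	v, peer := ClassifyDestination(rt, vpnNet, netip.MustParseAddr("10.1.1.2"))
	fmt.Printf("%-16s -> %s %s\n", "10.1.1.2", v, peer)
}
```

When triaging logs like the ones above, filter out the multicast destinations first; what remains (a unicast VPN address of a node that is in the peer store but not in the routing table) points at the ledger exchange between the peers, not at the data plane.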