Wireguard TLS client not connecting
Hey, I'm trying to get my hetzner wireguard vps working with crowdsec.
I followed the TLS guide with cfssl from your website and that's working great in my local network so far. I made an unbound DNS overwrite to "security.localdomain" which includes my local crowdsec ip (192.168...) and the wireguard ip (10.0.0.3) in opnsense, installed all ecdsa521-certificates for the bouncer and agent. Worked more or less flawlessly except with my wireguard connected server.
I added the security.localdomain in the /etc/hosts file of the VPS and installed the ca-intermediate cert in /etc/ssl/certs IIRC and I'm able to ping the domain with correct WG IP address, but the lapi still refuses any connection. It worked without any TLS certficiates.
ping security.localdomain or ping 10.0.0.3 are all connecting and wg is up and running.
More information in the attached file.
Problem persists with disabled ufw. I also tried to allow port 8080 to 10.0.0.3 (crowdsec wg server ip) but no luck.
No idea what else I can try. I'm literally stuck with that problem for 2 days and rebuild the server twice.
Best regards, 79
TLS Authentication | CrowdSec
Overview
3 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command
/resolve or press the green resolve button below.Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
Hello, maybe I misunderstood you, but the issue is more wireguard/fw related than crowdsec ?
More or less - I found the solution in the config.yaml :
Before:
After:
The domain security.localdomain was bound to both IPs on which I could reach the crowdsec-machine ( 10.0.0.x for wireguard and 192.x.x.x for local addresses ).
nslookup also showed the correct IPs.
The listen_uri couldnt handle the .localdomain name and needed to listen on all interfaces instead.