I had create a new VPS instance in GCP successfully. Logged in via ssh and take root access. My commands to setting up a tun1 interface was successfull done:
ip tunnel del tun1
ip tunnel add tun1 mode gre remote xxx.xxx.xxx.xx local xx.xxx.xxx.xxx ttl 255
ip link set tun1 up
ip link set tun1 mtu 1360
ip addr add xxx.xxx.xxx.xx/32 dev lo
ip r add xxx.xxx.xxx.x/32 dev tun1
ip route add default via xxx.xxx.xxx.x dev tun1 table 200
ip rule add from xxx.xxx.xxx.xx table 200
If I check with lsmode | grep gre, I see
# lsmod | grep tun
tun 31740 0
ip_tunnel 25163 1 ip_gre
I try also:
# modprobe ip_tunnel
# modprobe gre
#
No results be displayed.
If everything is okay, I should be able to access my server with the external dedicated IP xxx.xxx.xxx.xx (it is a Cloud DNS system).
Push, could anybody out there help me ?
Unfortunately Google doesn't allow GRE traffic.
See here:
https://cloud.google.com/vpc/docs/firewalls#blockedtraffic
Always blocked traffic Google Cloud always blocks the traffic that is
described in the following table. Your firewall rules cannot be used
to allow any of this traffic.
Always blocked traffic Applies to GRE traffic All sources and
destinations, whether the source or destination is an internal IP
address or an external IP address.
This is now supported.
External IPv4 and IPv6 addresses only accept TCP, UDP, ICMP, IPIP, AH, ESP, SCTP, and GRE packets. Resources that use external IP addresses impose additional protocol restrictions:
Forwarding rules for protocol forwarding, external HTTP(S) Load Balancing, External SSL Proxy Load Balancing, External TCP Proxy Load Balancing, and Network Load Balancing only process the protocols and ports configured on the forwarding rule.
Cloud VPN gateways only accept VPN protocols.
Related
Taken from this article.
Any outbound connection from the App Service app, such as to a
back-end database, uses one of the outbound IP addresses as the origin
IP address.
Why can't it just use the inbound IP address, which I thought would be the IP address of the VM or whatever it is that is running the app service?
Does this mean if my app service calls an API, that API would receive a request with one of the outbound IP addresses as the value for X-Forwarded-For?
How does it know which IP address to use?
Why does it need multiple outbound IP addresses?
Why can't it just use the inbound IP address, which I thought would be the IP address of the VM or whatever it is that is running the app service?
The inbound IP is not a virtual machine, but a load balancer IP, otherwise, when you scale out, you would need to know multiple Inbound IP addresses and configure yourself a load balancer for the instances.
Does this mean if my app service calls an API, that API would receive a request with one of the outbound IP addresses as the value for X-Forwarded-For?
If you don't have any proxy or application gateway, then yes.
How does it know which IP address to use?
Every TCP and UDP packet contains a source port number and a
destination port number. Each of those packets is encapsulated in an
IP packet, whose IP header contains a source IP address and a
destination IP address.
https://en.wikipedia.org/wiki/Network_address_translation
Why does it need multiple outbound IP addresses?
Depending on your SLA uptime, you may need to host your application in multiple regions / availability zones. Which means, the datacenters won't have the same IP Addresses, reason why it has many outbound ip addresses.
There is an entire article on docs which talks about the different IP address when it comes to App Services: https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips
To get a single outbound IP address, you could, for example, use VNet-integration your App Service and then use NAT Gateway or Azure Firewall for egress.
Is it still impossible today in 2022 to perform traceroutes from a Linux VM in Azure ?
I've configured NSG so that ICMP and UDP traffic is allowed.
Ping VM without Public IP
VMs in Azure without a Public IP get to the Internet via a NAT address using an Azure load balancer managed by the fabric. Because the ICMP protocol is not permitted through the Azure load balancer, you will notice that you are unable to ping an Azure VM from the internet, and from within the Azure VM, you are unable to ping internet locations.
To test connectivity, we instead recommend that you do a port ping. While Ping.exe uses ICMP, other tools such as PsPing, Nmap, or Telnet allow you to test connectivity to a specific TCP port.
https://learn.microsoft.com/en-us/archive/blogs/mast/use-port-pings-instead-of-icmp-to-test-azure-vm-connectivity
Ping VM with Public IP
I do want to note there are some articles out on the Internet saying you CAN Ping an Azure VM and there is one thing these articles have in common but they don't really elaborate on it and it is this. You can ping a VM if it is assigned an Azure Public IP (pip). This is because when using a pip you are bypassing the Azure Load balancer for Internet connectivity.
You need to allow ICMP on the NSG and ensure the VM has no Host level firewalls blocking ICMP.
Tracert
Tracert over UDP will not be allowed in Azure but you can get around this by using a tool like NMap which can do the traceroute over TCP.
C:\Users\test>nmap -sS -p 80 -Pn --traceroute www.google.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-21 15:26 Coordinated Universal Time
Nmap scan report for www.google.com (172.253.122.147)
Host is up (0.0020s latency).
Other addresses for www.google.com (not scanned): 172.253.122.104 172.253.122.103 172.253.122.99 172.253.122.106 172.253.122.105
rDNS record for 172.253.122.147: bh-in-f147.1e100.net
PORT STATE SERVICE
80/tcp open http
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 ... 26
27 2.00 ms bh-in-f147.1e100.net (172.253.122.147)
Nmap done: 1 IP address (1 host up) scanned in 9.65 seconds
Please be sure that the PIP you assigned is
SKU: Standard
Routing preference: Internet
That made all the difference for tracert to work.
Setup
I am setting up an Azure VM (Standard E2as_v4 running Debian 10) to serve multiple services. I want to use a separate public IP address for each service. To test whether I can do this, I set up the following:
vm1
- nic1
- vnet1, subnet1
- ipconfig1: 10.0.1.1 <-> p.0.0.1
- nsg1
- allow: ssh (22)
- nic2
- vnet1, subnet2
- ipconfig2: 10.0.2.1 <-> p.0.0.2
- nsg2
- allow: http (80)
vnet1
- subnet1: 10.0.1.0/24
- subnet2: 10.0.2.0/24
- address space: [10.0.1.0/24, 10.0.2.0/24]
Where 10.x.x.x IPs are private and p.x.x.x IPs are public.
nic1 (network interface) and its accompanying nsg1 (network security group) were created automatically when I created the VM; otherwise they are symmetrical to nic2, nsg2 (except for nsg2 allowing HTTP rather than SSH). Also, both NICs register fine on the VM.
Problem
I can connect to SSH via the public IP on nic1 (p.0.0.1). However, I fail to connect to HTTP via the public IP on nic2 (p.0.0.2).
Things I've tried
Listening on 0.0.0.0. To check whether it is a problem with my server, I had my HTTP server listen on 0.0.0.0. Then I allowed HTTP on nsg1, and added a secondary IP configuration on nic1 with another public IP (static 10.0.1.101 <-> p.0.0.3). I added the static private IP address manually in the VM's configuration (/run/network/interfaces.d/eth0; possibly not the right file to edit but the IP was registered correctly). I was now able to connect via both public IPs associated with nic1 (p.0.0.1 and p.0.0.3) but still not via nic2 (p.0.0.2). This means I successfully set up two public IPs for two different services on the VM, but they share the same NIC.
Configuring a load-balancer. I also tried to achieve the same setup using a load balancer. In this case I created a load balancer with two backend pools - backend-pool1 for nic1 and backend-pool2 for nic2. I diverted SSH traffic to backend-pool1 and HTTP traffic to backend-pool2. The results were similar to the above (SSH connected successfully, HTTP failed unless I use backend-pool1 rather than backend-pool2). I also tried direct inbound NAT rules - with the same effect.
Check that communication via subnet works. Finally, I created a VM on subnet2. I can communicate with the service using the private IP (10.0.2.1) regardless of the NSG configuration (I tried a port which isn't allowed on the NSG and it passed). However, it doesn't work when I use the public IP (p.0.0.2).
Question
What am I missing? Is there a setting I am not considering? What is the reason for not being able to connect to my VM via a public IP address configured on an additional NIC?
Related questions
Configuring a secondary NIC in Azure with an Internet Gateway - the answer refers to creating a secondary public IP
Multiple public IPs to Azure VM - the answer refers to creating a load balancer
Notes: I can try to provide command lines to recreate the setup, if this is not enough information. The HTTP server I am running is:
sudo docker run -it --rm -p 10.0.2.1:80:80 nginx
And I replaced to listen on 0.0.0.0 for subsequent tests.
Here's the final topology I used for testing.
To allow the secondary interface (with a public IP) to access to or from the Internet, we don't need to create a load balancer. Instead, we can use iproute to maintain multiple routing tables. Read http://www.rjsystems.nl/en/2100-adv-routing.php and this SO answer for more details.
After my validation, you can add the following configurations and It was working on Linux (ubuntu 18.04) VM for me.
Activate Linux advanced routing on a Debian GNU/Linux system, install the iproute package:
apt-get install iproute
Configure two default routes
echo 2 cheapskate >> /etc/iproute2/rt_tables
Add the new default route to table cheapskate and then display it:
~# ip route add default via 10.0.2.1 dev eth1 table cheapskate
~# ip route show table cheapskate
default via 10.0.2.1 dev eth1
Add a rule for when a packet has a from pattern of 10.0.2.4 in which case the routing table cheapskate should be used with a priority level of 1000.
ip rule add from 10.0.2.4 lookup cheapskate prio 1000
The kernel searches the list of ip rules starting with the lowest priority number, processing each routing table until the packet has been routed successfully.
After all of this, you can check it with the following command, you will see the public IP address attached to the secondary interface.
curl --interface eth1 api.ipify.org?format=json -w "\n"
Please note you have enough permission to do all of the above steps.
I have Linux host with libvirt/kvm virtualization, VMs needs the "real" static IP addresses, so I decided to setup bridged network. I make br0 on the host and in the VMs properties I set source device: Host device vnet0(Bridge 'br0').
For example, my br0 have ip 192.168.1.1 and one of the VM have 192.168.1.5
Everything works pretty well, but then I connect to the virtual machine, the client address detects as 192.168.1.1. Also, all the HTTP requests comes from 192.168.1.1.
Q: Is it my mistake, some sort of misconfiguration? How can VM get the real IPs of the clients?
Let me try to answer based on what i infer from your question:
Since you want to assign routable IP addresses to the VMs,
Option 1: Add the host physical ethernet interface to the vswitch (aka vswitch uplink). Further, for all the VM ethernet interface, assign IP address in the same subnet in which the physical ethernet interface's IP belongs. Alternatively, if DHCP server is running in the same broadcast domain (subnet), the VMs would get the IP from the DHCP server if the interfaces are configured to get IP via DHCP
Option 2: Create the vswitch and assign X.Y.Z.1 IP to the vswitch (br0). Also enable IP forwarding in the host. Now you can assign IPs from the same subnet to the VM ethernet interfaces. Alternatively, you can run DHCP (e.g. DNSmasq) on br0 and assign IPs to the VM interfaces
Is it my mistake, some sort of misconfiguration? How can VM get the real IPs of the clients?
If you are connecting from the host on which your vms are running, then they are getting the real IP address. Your host shares a network (192.168.1.0/24 or similar, apparently) with the virtual machines. When you connect to your virtual machines from your host, the source address if 192.168.1.1.
If you are connecting from elsewhere on your network, you would need to provide us with more details of your configuration.
I am trying to access a linux system which is connected to OpenVPN connection.
In my case the global Ip for VPN connection using tun1 interface is x.x.x.x. The global Ip when not connected to VPN and using only ethernet using eth0 interface is y.y.y.y.
I am routing all the traffic to the VPN NIC(tun1 in my case). I want to use the y.y.y.y IP to SSH in to my computer when it is connected to the VPN. I have port forwarded in my router to local IP and it is working correctly when not connected to the VPN.
I have tried adding the following in the routing table,
route add -host "dynamicdnssite.com" gw 192.168.0.1 dev eth0
dynamicdnssite.com- redirects to my global IP y.y.y.y
192.168.0.1 - Local Ip of my router
But it is not working as it routes only the outgoing connection and I want to route the incoming connection on certain port.
I found this myself. You have to be connected to the same VPN which you are accessing and connect with the ethernet's global IP(y.y.y.y in my case).