🐛 BUG: "Refusing to handshake with myself" when configuring self as unsafe_routes via #1157

Open
johnmaguire opened this issue Jun 5, 2024 · 0 comments

Collaborator

johnmaguire commented Jun 5, 2024

What version of nebula are you using? (nebula -version)

1.9.2

What operating system are you using?

Linux

Describe the Bug

While debugging an issue on Nebula OSS I saw confusing behavior where a host reported "Handshake message sent" with a vpnIp field equal to its own IP address. This was followed by "Refusing to handshake with myself."

On Linux, when attempting to connect to your own IP address, it will typically send traffic over the loopback interface. Therefore it's unexpected that we would see Nebula try to handshake with its own IP address. It seems that this can occur when a host configures itself as a via for an unsafe_routes entry.

I think this is probably always a misconfiguration - maybe we should spit out an error if we detect the host's own IP address in a via at startup / reload time?

Logs from affected hosts

Jun 05 11:09:16 i-wanna-be-a-mac nebula[67753]: time="2024-06-05T11:09:16-07:00" level=info msg="Firewall rule added" firewallRule="map[caName: caSha: direction:incoming endPort:8080 groups:[benn] host: ip: localIp:10.2.0.0/24 proto:6 startPort:8080]"
...
Jun 05 11:09:16 i-wanna-be-a-mac nebula[67753]: time="2024-06-05T11:09:16-07:00" level=info msg="Nebula interface is active" boringcrypto=false build=1.9.2 interface=nebula1 network=100.2.0.2/24 udpAddr="0.0.0.0:4242"
Jun 05 11:09:16 i-wanna-be-a-mac nebula[67753]: time="2024-06-05T11:09:16-07:00" level=info msg="Added route" route="10.2.0.0/24 metric: 100"
...
Jun 05 11:09:16 i-wanna-be-a-mac nebula[67753]: time="2024-06-05T11:09:16-07:00" level=info msg="Handshake message sent" handshake="map[stage:1 style:ix_psk0]" initiatorIndex=1681038003 localIndex=1681038003 remoteIndex=0 udpAddrs="[135.180.109.31:4242]" vpnIp=100.2.0.2
Jun 05 11:09:16 i-wanna-be-a-mac nebula[67753]: time="2024-06-05T11:09:16-07:00" level=error msg="Refusing to handshake with myself" certName=server fingerprint=3788d2880810f6681d07a354c43a58f1d9b59fb6be9a74151c81a47a9c640004 handshake="map[stage:1 style:ix_psk0]" issuer=90226e53fe26e8dee76bdd04797b83a38260fce1ef8488c4532fa676e9920fc6 udpAddr="10.2.0.1:4242" vpnIp=100.2.0.2

Config files from affected hosts

n/a
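The startup / reload check proposed in the issue could look like the following. This is an added example, not code from Nebula or from the issue author. `UnsafeRoute` and `SelfViaRoutes` are hypothetical names, and the `via` values are assumed because the issue includes no config; only the `100.2.0.2/24` address and the `10.2.0.0/24` route come from the logs.

```go
package main

import (
	"fmt"
	"net/netip"
)

// UnsafeRoute holds one tun.unsafe_routes entry (hypothetical type, not Nebula's).
type UnsafeRoute struct {
	Route string // destination CIDR
	Via   string // overlay IP of the host that should carry the traffic
}

// SelfViaRoutes returns the indexes of entries whose via is this host's own
// overlay address. ownCIDR is the address as logged in network=, e.g. "100.2.0.2/24".
func SelfViaRoutes(ownCIDR string, routes []UnsafeRoute) ([]int, error) {
	own, err := netip.ParsePrefix(ownCIDR)
	if err != nil {
		return nil, fmt.Errorf("own address %q: %w", ownCIDR, err)
	}
	self := own.Addr().Unmap() // compare IPv4 and IPv4-mapped IPv6 as equal
	var bad []int
	for i, r := range routes {
		if _, err := netip.ParsePrefix(r.Route); err != nil {
			return nil, fmt.Errorf("unsafe_routes[%d].route %q: %w", i, r.Route, err)
		}
		via, err := netip.ParseAddr(r.Via)
		if err != nil {
			return nil, fmt.Errorf("unsafe_routes[%d].via %q: %w", i, r.Via, err)
		}
		if via.Unmap() == self {
			bad = append(bad, i)
		}
	}
	return bad, nil
}

func main() {
	// Constructed sample: the first entry reproduces the suspected misconfiguration.
	routes := []UnsafeRoute{
		{Route: "10.2.0.0/24", Via: "100.2.0.2"},
		{Route: "10.3.0.0/24", Via: "100.2.0.3"},
	}
	bad, err := SelfViaRoutes("100.2.0.2/24", routes)
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	for _, i := range bad {
		fmt.Printf("unsafe_routes[%d]: via %s is this host's own address\n", i, routes[i].Via)
	}
}
```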
