Error: can't reach relay node (using wireguard)

Hi @Alexd1985

I am migrating the pool to a bare metal setup with local block producer and relay (other relay off-site)

wireguard is set correctly (they can ping back and forth and both sync cardano-node), however the relay is not recognized on the port specified in certificate (6001).

The url-based relay points to public IP, which is set as endpoint. I have allowed the UDP port and the cert port using ufw, and even though they sync, Adapools and PoolVet won’t recognize the setup.

There is a static assignment for both internal IPs and port forwarding rules on modem for the UDP port, as well as the Cardano TCP ports registered in pool certificate.

Am I missing something to route 6001/tcp to the relay? They are open in modem and locally with ufw

References:

Check here if the port is accesible from extern

Cheers,

Relay port seems closed, even though there is a port forwarding rule allowing that tcp port and
also ufw rules allowing the udp port and necessary tcp on each node.

Wireguard is setup correctly, they are synced, and my endpoint is set to public ip. I can see both nodes in Grafana, as well.

Thanks @Alexd1985

because you are on local network, but check the PF settings, can be something wrong there… how did u set it?

The tunnel should look like this:

external — udp port — relay ---- bp

On Port Forwarding I created a rule for (udpport - sameudpport) to only expose the network through that wg udp port.

I understand the node communication is under LAN, and opened necessary ports with ufw, just in case. They communicate well and bp depends on relay as it should.

My doubt is how to port forward the tcp 6001 so that it goes thru the tunnel. I just tried to open the port by adding the required TCP, no forwarding though. Can the TCP be routed thru the UDP port?

try to deactivate the FW on relays to see if this way it’s working, if not then the only problem should be the PF settings

for PF the rule should be like this

all coming traffic on port x → should be forwarded to tunnel IP port y

I wish I can help you but I am not using wireguard…

Hi. Why you need wireguard?

Hi @os11k

I am trying to set up a local bp and relay with Armada Alliance best security practices, so that the bp can communicate only locally with relay1, and the network be exposed only through this tunnel.

wg is setup correctly, nodes sync, bp depends on relay data, and I can see the Grafana dashboard correctly, with relay and bp showing actual kes rotation.

I guess @Alexd1985 is right, it must be an issue with the FW and PF in the router. I haven’t figured out the right set of rules yet.

check this topic, perhaps it will help you

https://forum.mikrotik.com/viewtopic.php?t=184261

Thank you @Alexd1985

Try to remove wireguard and check if you can access your relay in that case. That would help isolate a problem - is it related to wireguard or not.

That is a good idea for debugging that part.

I was checking port activity using the ufw gui called gufw (other wg users suggest tcpdump for that as well)

It must be the ufw firewall blocking ports or wireguard not forwarding, as you mention.

Thank you @os11k. I’ll post the solution when I find it.

I found the solution, needed to add PostUp and PostDown rules in server and in remotes (I was missing these rules on my relay)

On wg0.conf in BP (enp3s0)

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE

On wg0.conf for relay (eno1)

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE;

Thanks for helping me debug this @Alexd1985 and @os11k
I’ll be glad to help anyone having problems with wireguard.