Secure connection to the server via ipmi

Nico052020
Hello,
I'm coming back to you about my project.
I configured everything on each side (PC1 and PC2).
I set up the forwarding on PC1.
So I think a link has been created, however, I can't see the IPMI admin interface or the router interface

My configuration:
PC2 (outside) :
[Interface]
PrivateKey = jjj
Address = 10.0.0.2/24

[Peer]
PublicKey = ggg
AllowedIPs = 10.0.0.1/24, 192.168.0.40/24
Endpoint = xx.xx.xx.xx:10000


PC1 (inside local network) :
[Interface]
PrivateKey = oooo
Address = 10.0.0.1/24
ListenPort = 10000


[Peer]
PublicKey = zzz
AllowedIPs = 10.0.0.2/24

Modem:
Transfer UDP: external port 10000 => 192.168.0.30 internal port 10000

Then I see packets being sent and received from the PC in the local network :
[image: 1675544561426.png]


Do you have any idea what is blocking it?

Regards

Whattteva
Then I see packets being sent and received from the PC in the local network :
Let's go back and review it. Can PC2 communicate with PC1? Can PC1 communicate with router? Can PC2 communicate with router?

NugentS
No, AFAIK none of the IPMI implementations contain a VPN server--that's something you'd set up elsewhere, ideally on your router. Another possible way to do it (which would also handle TLS termination) would be a reverse proxy with strong authentication mechanisms.
Cloudflare Tunnel would / should work. You can then secure the connection by email address or similar.

Nico052020
Hello,
Let's go back and review it. Can PC2 communicate with PC1? Can PC1 communicate with router? Can PC2 communicate with router?
I am sure of one thing:
A connection has been established between PC1 and PC2.
Why?:
1] In the wireguard configuration file of PC1 (inside local network), I did not indicate an Endpoint parameter. When the connection is established, as you can see on the image of my post #41, it returns the IP (internet) address of my smartphone (I use my smartphone as a modem on PC2).
2] On both sides (on PC1 and PC2), the wireguard interface shows that there are packets sent and received.

Now I don't know how to give you more technical details.

When I put the IP address of my router 192.168.0.1, or the IP address of the IPMI of my NAS, 192.168.0.40 in the address bar of my browser, it returns me the classic error "sorry, impossible to access this page" (ERR_CONNECTION_TIMED_OUT)

Whattteva
Hello,

I am sure of one thing:
A connection has been established between PC1 and PC2.
Why?:
1] In the wireguard configuration file of PC1 (inside local network), I did not indicate an Endpoint parameter. When the connection is established, as you can see on the image of my post #41, it returns the IP (internet) address of my smartphone (I use my smartphone as a modem on PC2).
2] On both sides (on PC1 and PC2), the wireguard interface shows that there are packets sent and received.

Now I don't know how to give you more technical details.

When I put the IP address of my router 192.168.0.1, or the IP address of the IPMI of my NAS, 192.168.0.40 in the address bar of my browser, it returns me the classic error "sorry, impossible to access this page" (ERR_CONNECTION_TIMED_OUT)
I think what is happening is your network does not know where to route the VPN traffic to. Try adding a static route on your router to 10.0.0.0/24 with the gateway set to the IP address of PC1 (192.168.0.x)

Nico052020
I have some good news
I managed to get access to my IPMI administration page (192.168.1.40). However, I can't get access to the router administration page (192.168.0.1)
I have set up a static route. I admit I went in blind because I didn't quite understand what I should put in the available fields.
I have 3 fields titled:
Destination IP / Subnet mask / Gateway (192.168.0.*)
I tested several combinations, here are the ones that worked:
10.0.0.0 255.255.255.0 192.168.0.0
10.0.0.1 255.255.255.255 192.168.0.30 (ip pc1 inside local network)
10.0.0.2 255.255.255.255 192.168.0.30
10.0.0.2 255.255.255.255 192.168.0.1
10.0.0.0 255.255.255.255 192.168.0.0
10.0.0.0 0.0.0.0 192.168.0.0

After these tests, I could not understand to whom the subnet mask was applied (destination ip or gateway ?)
Do you know why I can access my ipmi and not my router, it's weird?

Whattteva
I have some good news
I managed to get access to my IPMI administration page (192.168.1.40). However, I can't get access to the router administration page (192.168.0.1)
I have set up a static route. I admit I went in blind because I didn't quite understand what I should put in the available fields.
I have 3 fields titled:
Destination IP / Subnet mask / Gateway (192.168.0.*)
I tested several combinations, here are the ones that worked:
10.0.0.0 255.255.255.0 192.168.0.0
10.0.0.1 255.255.255.255 192.168.0.30 (ip pc1 inside local network)
10.0.0.2 255.255.255.255 192.168.0.30
10.0.0.2 255.255.255.255 192.168.0.1
10.0.0.0 255.255.255.255 192.168.0.0
10.0.0.0 0.0.0.0 192.168.0.0

After these tests, I could not understand to whom the subnet mask was applied (destination ip or gateway ?)
Do you know why I can access my ipmi and not my router, it's weird?
You should only need 1 static route.
10.0.0.0 subnet mask 255.255.255.0 gateway 192.168.0.30

I have a question though. Is your IPMI connected to a separate router? Cause it's on a different network (192.168.1.0/24).

Nico052020
Hello,
I have a question though. Is your IPMI connected to a separate router? Cause it's on a different network (192.168.1.0/24).
No, sorry, this is a mistake. It's 192.168.0.40

You should only need 1 static route.
Yes,
What I meant was that each line works independently of the others. I tested each case one by one.
That's why I didn't quite understand on which the mask is applied.

Whattteva
I have some good news
I managed to get access to my IPMI administration page (192.168.1.40). However, I can't get access to the router administration page (192.168.0.1)
I have set up a static route. I admit I went in blind because I didn't quite understand what I should put in the available fields.
I have 3 fields titled:
Destination IP / Subnet mask / Gateway (192.168.0.*)
I tested several combinations, here are the ones that worked:
10.0.0.0 255.255.255.0 192.168.0.0
10.0.0.1 255.255.255.255 192.168.0.30 (ip pc1 inside local network)
10.0.0.2 255.255.255.255 192.168.0.30
10.0.0.2 255.255.255.255 192.168.0.1
10.0.0.0 255.255.255.255 192.168.0.0
10.0.0.0 0.0.0.0 192.168.0.0

After these tests, I could not understand to whom the subnet mask was applied (destination ip or gateway ?)
Do you know why I can access my ipmi and not my router, it's weird?
Honestly, I'm not even sure how you can even access the IPMI because none of those routes are correct, except for the second and third one, but none of those lead to your IPMI.

What I meant was that each line works independently of the others. I tested each case one by one.
That's why I didn't quite understand on which the mask is applied.

10.0.0.0 255.255.255.0 192.168.0.0
This one is not necessary and really kinda' pointless. It's telling it to route 10.0.0.0/24 to 192.168.0.0 network. But 192.168.0.0 isn't a host, it's a network number.

10.0.0.1 255.255.255.255 192.168.0.30 (ip pc1 inside local network)
This one is a good route, but really too narrow and can be written better. Basically, this tells it to route traffic going to 10.0.0.1/32 (just 1 host) to 192.168.0.30.

10.0.0.2 255.255.255.255 192.168.0.30
This is similar to above, but instead of 10.0.0.1 host, it's traffic going to 10.0.0.2 host. In other words, 10.0.0.2/32 to 192.168.0.30. Both these routes can be just replaced with a single 10.0.0.0 255.255.255.0 192.168.0.30. This is just too restrictive and every time you add a new host to the VPN, you'd have to add similar routes to this for every individual host and it's just going to be tedious.

10.0.0.2 255.255.255.255 192.168.0.1
This is a wrong route. It's telling it to route 10.0.0.2/32 (just one host) to 192.168.0.1.... but 192.168.0.1 is just the router itself, so this doesn't really make sense. Delete this one.

10.0.0.0 255.255.255.255 192.168.0.0
This one also doesn't make sense. It's routing 10.0.0.0/32 which makes no sense cause you're just routing 1 host of 10.0.0.0, which doesn't exist because you have a 10.0.0.0/24 network so 10.0.0.0 is not a host, but the network number. It's also routing to 192.168.0.0, which again, is not a host but a network number. This is similar to your first one, but just a much more restricted route. Either way, neither makes sense, delete them.

10.0.0.0 0.0.0.0 192.168.0.0
Not even quite sure what this will do. Probably route the whole 10.0.0.0/8 to 192.168.0.0. Again, 192.168.0.0 isn't a host and that subnet is way way too wide.

TL;DR, just use 10.0.0.0 255.255.255.0 192.168.0.30 and that's all you need. All the other ones are too funky and may mess up your network communication further down the line.
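To make the "which field does the mask apply to" question concrete, here is an added Python example (not code from the thread) that evaluates the six tested entries and the recommended one the way a router does: the mask is applied to the destination field only, and the most specific matching prefix wins. The LAN, router, PC1 and VPN values are the thread's own, constructed inline.

```python
import ipaddress

# Thread values (constructed here, not a real deployment): LAN, router and VPN subnet.
LAN = ipaddress.ip_network("192.168.0.0/24")
ROUTER = ipaddress.ip_address("192.168.0.1")
VPN = ipaddress.ip_network("10.0.0.0/24")

# The six Destination / Mask / Gateway entries tried in the thread, and the recommended one.
TESTED_ROUTES = [
    ("10.0.0.0", "255.255.255.0", "192.168.0.0"),
    ("10.0.0.1", "255.255.255.255", "192.168.0.30"),
    ("10.0.0.2", "255.255.255.255", "192.168.0.30"),
    ("10.0.0.2", "255.255.255.255", "192.168.0.1"),
    ("10.0.0.0", "255.255.255.255", "192.168.0.0"),
    ("10.0.0.0", "0.0.0.0", "192.168.0.0"),
]
RECOMMENDED = ("10.0.0.0", "255.255.255.0", "192.168.0.30")

def route_prefix(dest, mask):
    """The mask applies to the destination field only: dest AND mask is the
    prefix the entry matches. The gateway is never masked."""
    return ipaddress.ip_network(f"{dest}/{mask}", strict=False)

def matches(route, dst):
    """True if this single entry covers packets addressed to dst."""
    return ipaddress.ip_address(dst) in route_prefix(route[0], route[1])

def lookup(routes, dst):
    """Longest-prefix match: (prefix, gateway) of the most specific entry
    covering dst, or None when no entry matches."""
    best = None
    for dest, mask, gw in routes:
        net = route_prefix(dest, mask)
        if matches((dest, mask, gw), dst) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best

def audit(route):
    """Findings for one entry; an empty list means it is sound for this LAN."""
    net, gw, findings = route_prefix(route[0], route[1]), ipaddress.ip_address(route[2]), []
    if net.prefixlen == 0:
        findings.append("mask 0.0.0.0 matches every destination: a default route")
    if net.prefixlen == 32 and net.network_address == VPN.network_address:
        findings.append("destination is the VPN network number, not a host")
    elif net.prefixlen == 32:
        findings.append("covers a single VPN host; route the whole VPN subnet")
    if gw == LAN.network_address:
        findings.append("gateway is the LAN network number, not a host")
    elif gw == ROUTER:
        findings.append("gateway is the router itself, so the route goes nowhere")
    return findings
```

Running `audit` over each entry reproduces the objections above, and `matches` shows why a 0.0.0.0 mask catches every destination rather than just 10.0.0.0.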

Nico052020
Hello and thank you for your feedback.
Yes, in fact I did some bastardized tests, because I didn't understand the static route pattern and I was looking for similarities to try to understand.
As you could see, I could not get anything out of my tests for my understanding.
You say that some of my tests should not even have worked. Maybe some parameters were left in memory somewhere, while I had changed those same parameters for the next test. Yet, I disabled/enabled Wireguard on both sides every time.
The important thing today is that I have access to my IPMI. Thanks a lot.
Do you have any idea why I can't access the router's administration interface?
I looked in the router settings, but, nothing seemed strange.

Whattteva
Hello and thank you for your feedback.
Yes, in fact I did some bastardized tests, because I didn't understand the static route pattern and I was looking for similarities to try to understand.
As you could see, I could not get anything out of my tests for my understanding.
You say that some of my tests should not even have worked. Maybe some parameters were left in memory somewhere, while I had changed those same parameters for the next test. Yet, I disabled/enabled Wireguard on both sides every time.
The important thing today is that I have access to my IPMI. Thanks a lot.
Do you have any idea why I can't access the router's administration interface?
I looked in the router settings, but, nothing seemed strange.
Can you ping the router from PC2 and vice-versa?
Oh wait, I think I may know why. Your router web server (admin page) may only take connections from the local LAN (192.168.0.0/24) and will refuse anything outside of that range (i.e. 10.0.0.0/24).
If this is the case, I'd reckon that you'd still be able to ping it, just not access the admin page.