Gateway WireGuard Configuration Local Check

LOCAL CHECK OF WIREGUARD CONFIGURATION

During the Operators AMA 2 weeks ago I demoed how to set up a Gateway properly to route WG. This flow is also described in the step-by-step guide shared here: You're invited to talk on Matrix

Many operators followed this flow and got their nodes up to date - nym-node version 1.1.6 with all setup needed. It’s seen and appreciated.

Problem

However, in this week's AMA I shared the known problem where Nym Harbourmaster shows fewer than 20 well-configured Gateways at a time. Testing this behaviour over multiple snapshots, we found out that:

  • No Gateway is listed as well configured (including fully routing WG) continuously
  • Most of the Gateways are listed as well configured every now and then

This means that the problem is not in the operators' setup but in the way Harbourmaster runs the measurement.

Solution

While we are working on getting this fixed, we found out that there is an easy way to check your Gateway configuration locally, using the WG network probe.

How to Guide

Note: If you need any support, ask in the Operators Matrix channel.

The WG network probe is based on the Nym Gateway probe and therefore the compilation and usage are very similar. Start by installing Go and Rust on your system and then follow these steps:

  1. Clone the repository:
     git clone https://github.com/nymtech/nym-vpn-client.git
  2. Navigate into the repo and switch to the wg_probe branch:
     cd nym-vpn-client
     git checkout wg_probe
  3. Build the WireGuard client:
     make build-wireguard
  4. Compile nym-gateway-probe:
     make build-nym-vpn-core
  5. Navigate to the release directory:
     cd nym-vpn-core/target/release
  6. Run the probe, substituting <GATEWAY_ID> with your Gateway Identity Key:
     ./nym-gateway-probe --gateway <GATEWAY_ID> --no-log

As you can see, the Gateway I presented during the demo shows all red Xs on Harbourmaster, but I just confirmed, using this diagnostic tool, that it works perfectly fine:

{
  "gateway": "2w5RduXRqxKgHt1wtp4qGA4AfXaBj8TuUj1LvcPe2Ea1",
  "outcome": {
    "as_entry": {
      "can_connect": true,
      "can_route": true
    },
    "as_exit": {
      "can_connect": true,
      "can_route_ip_v4": true,
      "can_route_ip_external_v4": true,
      "can_route_ip_v6": true,
      "can_route_ip_external_v6": true
    },
    "wg": {
      "can_register": true,
      "can_handshake": true
    }
  }
}

Bonus Gift

If you made it all the way here, you are probably aware of what's coming to you…

Congratulations, you just installed the NymVPN CLI as a bonus! Do you want to test it right away? Just ping any of the mentors in the chat, show your positive output of the test above and they will send you your CLI credential straight away, without needing to sign up!

Enjoy the end of the holidays, if you have any; more good news is coming soon.

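Reading the probe output by eye works for one Gateway, but the same JSON can be interpreted automatically. The following is an added example for this post (not code from the original post or from the nym-vpn-client repository): it assumes the probe's stdout is exactly the JSON document shown above (a gateway id plus an "outcome" object with as_entry, as_exit and wg sections), lists every check that is not true, treats a null or missing section as a test that never started, and reports separately whether the WireGuard part (register + handshake) passed. The three sample documents are constructed for the example.

```python
"""Interpret the JSON printed by nym-gateway-probe.

Added example, not part of the original post or of any Nym project.
Assumes the probe's stdout is the JSON document shown in the post.
"""
import json
import sys

# Per-section checks that must all be true for a fully routing Gateway,
# taken from the probe output shown in the post.
EXPECTED = {
    "as_entry": ("can_connect", "can_route"),
    "as_exit": (
        "can_connect",
        "can_route_ip_v4",
        "can_route_ip_external_v4",
        "can_route_ip_v6",
        "can_route_ip_external_v6",
    ),
    "wg": ("can_register", "can_handshake"),
}


def evaluate_probe(raw_json: str) -> dict:
    """Summarise one probe run.

    Returns the gateway id, an overall status ("ok", "failing" or
    "not_started"), the failed checks as "section.check" strings, the
    sections that came back null or absent (the test never started), and
    a wg_ok flag that is true only when register and handshake both passed.
    """
    doc = json.loads(raw_json)
    outcome = doc.get("outcome") or {}
    failed = []
    not_started = []
    for section, checks in EXPECTED.items():
        result = outcome.get(section)
        if not isinstance(result, dict):  # null or missing section
            not_started.append(section)
            continue
        for check in checks:
            if result.get(check) is not True:
                failed.append(f"{section}.{check}")
    if not_started:
        status = "not_started"
    elif failed:
        status = "failing"
    else:
        status = "ok"
    wg_ok = "wg" not in not_started and not any(f.startswith("wg.") for f in failed)
    return {
        "gateway": doc.get("gateway"),
        "status": status,
        "failed": failed,
        "not_started": not_started,
        "wg_ok": wg_ok,
    }


# Constructed samples: the all-green output from the post, a run where the
# WireGuard handshake fails, and a run whose wg section came back null.
SAMPLE_OK = json.dumps({
    "gateway": "2w5RduXRqxKgHt1wtp4qGA4AfXaBj8TuUj1LvcPe2Ea1",
    "outcome": {
        "as_entry": {"can_connect": True, "can_route": True},
        "as_exit": {
            "can_connect": True,
            "can_route_ip_v4": True,
            "can_route_ip_external_v4": True,
            "can_route_ip_v6": True,
            "can_route_ip_external_v6": True,
        },
        "wg": {"can_register": True, "can_handshake": True},
    },
})

_doc = json.loads(SAMPLE_OK)
_doc["gateway"] = "CONSTRUCTED-GATEWAY-ID"  # placeholder, not a real identity key
_doc["outcome"]["wg"]["can_handshake"] = False
SAMPLE_HANDSHAKE_FAIL = json.dumps(_doc)

_doc = json.loads(SAMPLE_OK)
_doc["gateway"] = "CONSTRUCTED-GATEWAY-ID"
_doc["outcome"]["wg"] = None
SAMPLE_WG_NULL = json.dumps(_doc)


if __name__ == "__main__":
    # Pipe the probe output in; exit non-zero unless every check passed.
    summary = evaluate_probe(sys.stdin.read())
    print(json.dumps(summary, indent=2))
    sys.exit(0 if summary["status"] == "ok" else 1)
```

Usage (assuming `--no-log` leaves only the JSON on stdout): `./nym-gateway-probe --gateway <GATEWAY_ID> --no-log | python3 probe_check.py`. The non-zero exit status makes the check usable from a cron job or a monitoring script, so a Gateway that stops handshaking is noticed before Harbourmaster reflects it.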

WIREGUARD GATEWAY UPDATE

Happy Wednesday operators. We are proud to see that a majority of you upgraded to the newest version and a solid number of operators configured their Gateways correctly for WireGuard routing. Nym Harbourmaster has been fixed and it shows a more or less correct number of Gateways. There are still quite a few of you missing. Meanwhile we are polishing the next release, which contains many improvements; please make sure to configure your nym-node to get to the top tier ( :peanuts:) in Harbourmaster.

Steps to check

  1. Check that you run the latest release - 2024.9-topdeck - nym-node v1.1.6

  2. Follow this detailed guide thoroughly to confirm that:

     • your UFW firewall rules are updated and active
     • network_tunnel_manager.sh applied the WG IP tables
     • your node service file is updated with the flag --wireguard-enabled true
     • network_tunnel_manager.sh tests positive on IPv4 when run with the option ./network_tunnel_manager.sh joke_through_wg_tunnel (IPv6 is not implemented for WG just yet)

  3. Make sure to bond with an IPv4 address and not with a hostname/domain. This issue needs to be fixed on our side, but for now bonding with an IPv4 address does the job

  4. In case you have a reverse proxy or WSS configuration, make sure the hostname field in your config.toml is written correctly (without https://); in case you don't have such a setup, this field must be empty

  5. In case everything above is working as it should and you still don't see your Gateway listed in the top routing tier on Harbourmaster ( :peanuts:), please test your node locally, following this guide to install nym-gateway-probe

     • the probe installation also contains nym-vpn-cli, which is an even more reliable routing test, as you can choose your gateways manually and see if you can route through them

  6. In case of trouble with the previous steps and configuration, or if you run a node which confirms all of the above but still wouldn't route, please share your questions and feedback in the Operators Matrix Channel

Gateways with Problems

Here is a list of Gateways which struggle to complete WG handshake. The ones commented with a domain name are nodes bonded with hostname instead of IP, please change your bonding settings to IPv4 for the time being.

"5Ao1J38frnU9Rx5YVeF5BWExcnDTcW8etNe9W2sRASXD"
"5P8MmJTdmoS4rhV8VHArABkyPE3M9RMrZsiX3qYkJ6u" #gateway7.tupinymquim.com
"5M5fS3VV1vfNba2HSeDYgtA1cD91tRej5A48StBHYtEA"
"5DniVTMsnyHBEhhsd51Tojnv6XLmxgnTaaEgNYu7pdMP"
"5ZKjibWCCwrydJy2btSa4uYjg2XFeXvVsWM92obEGrSY"
"63ctaex57EvjJZu92jT2ve2ULgmjVYAQph83qNjMpFDZ"
"6DBkGmo67bze3QfubPy555gSyUnpZF9J8Th4EfDZwTnQ"
"6T2ZH531Nn4xPh3rhNyDUPHwovgwnWLn2aKi6BSv4quD"
"7VJQ4FGRmLESkmjTeTpF6o3VFLVZ5xe9CoJSR38bZawQ"
"72SCrUZ3u81QrryUVL65pr8jWfQC3LpC3CyQgqLgJnrQ"
"7HBvFP97s1nsDdE41w5YZdVsqLp4WUaAtmY9FtTc1xso"
"7JQw4HJrcxMgGDM1vfRixFWyVJvGgkCNcjMhQEv46V8e" #gateway11.tupinymquim.com
"AY4uHZFYVxwT6NiEXGLmdp9mxVZpW33ViUUqPgzWcF59"
"9xJM74FwwHhEKKJHihD21QSZnHM2QBRMoFx9Wst6qNBS"
"9PG6vqoVniK7bWD7esueje9pD3P3iU3Md1T8FAuNQipW"
"BEA48WgjLb3h3NnVXKfWw3GZ1H1Kv38SVHwKPMnsQmDs" #mendeleev.hiddeninternauts.com
"BAtj3hwFMC5PsxdCXXqvy3asAEKCpVRX9pMuvufvhDAL" #nym04.avril14th.org
"BW1Aia6qDBL53jYQfjo97T4EDHafzECNNTLECkS9ra9q"
"C2XfR5MJL2dNMHzEJMrwRRAS983k32CyjQHCHLWrQi1s"
"CHaxTLDqQ42M5vwErRABmhiwW9i4vxfUayhjaM92ytRv"
"DB4kV1APyA1xjnft9FjGAHbtrXY44A5NHNQhEuroVD3s" #gateway9.tupinymquim.com
"Cb4h4UdvyuWuRkYvJC9BwZ5AhLwvFjyDYtzm2dh8HFkJ" #gateway1.tupinymquim.com
"DAmZukNn2u3WgsHPsJxKo99QY87NAmkDqUr9LHAUXMUY" #nym02.avril14th.org
"EZCHsCs1VPr7vLmhM8xpWG2XtSv7dxpUNztSEqXCsRpY"
"DgD7K1RHn7kMPC3ibg6HkJFkDqaFstxpEFHgronRdCqj" #gateway4.tupinymquim.com
"FGQXnYX5JFEA71ZUUNU2JkrLYpbjraYthQvnTgVKvXVX" #gateway8.tupinymquim.com
"FfcgJCn449xscyJ6tWeFKFfLw1wbbxW7RE19giNzaBYj"
"GwPzj3VXALYZJKjbEaveL8CD9wp4eDU4DXxUjMTRxFn6"
"H7rDKAXAjJjtkJAgz3paB95zUowH5pHVMBQBdxrx6Yzg"
"HMbxs892i1thjXtPhtz9TGU41ghZCiyC8HhYWkQZs4Cn"
"qj3GgGYgGZZ3HkFrtD1GU9UJ5oNXME9eD2xtmPLqYYw" #gateway12.tupinymquim.com
"Hs463Wh5LtWZUNyAmt4trcCbNVsuUhry1wpEXpVnAAfn" #gateway3.tupinymquim.com

Issues & Bugs

  • Compiling binaries from source does not include WG compilation by default. This is being worked on and will soon be merged into the default build command; meanwhile please use:
     cargo build --release --features=wireguard
  • If the WG probing result (on Harbourmaster or when running the probe) returns null, it means that the test never started and your node cannot connect in the first place. Check your ports, IPv4 binding and hostname, or follow these steps if your node is blacklisted.

See you all on next OPERATORS AMA - Tuesday, September 10th, 14:00 UTC


Thx @serinko. Our Gateway problems were due to an incorrect configuration of the ufw firewall: we opened the WireGuard port 51822 in tcp instead of udp. Be careful with this :slight_smile:


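Three of the checklist items in the update above (active UFW rules, the --wireguard-enabled true flag in the service file, and the hostname field in config.toml) can be verified locally from text you already have on the box, and the reply just above shows the most common UFW slip: opening port 51822 for TCP instead of UDP. The following is an added example for this thread, not code from the original posts or from any Nym project. It assumes you paste in the output of `ufw status`, the nym-node systemd unit and config.toml; the sample texts are constructed for the example and only follow the usual ufw, systemd and TOML layouts, so adjust the regular expressions if your output differs. It does not cover bonding with an IPv4 address, which is a setting on the bonding side rather than in local files.

```python
"""Local sanity checks for the WireGuard Gateway checklist.

Added example, not part of any Nym project. Inputs are plain text
captured from `ufw status`, the nym-node service file and config.toml.
"""
import re

WG_PORT = 51822  # WireGuard port named in the reply about the TCP/UDP mix-up


def check_ufw(status_output: str) -> list:
    """ufw must be active and allow WG_PORT over UDP; a TCP-only rule does not help."""
    findings = []
    if not re.search(r"^Status:\s*active", status_output, re.M):
        findings.append("ufw is not active")
    has_udp = re.search(rf"^{WG_PORT}/udp\b.*\bALLOW\b", status_output, re.M)
    has_tcp = re.search(rf"^{WG_PORT}/tcp\b.*\bALLOW\b", status_output, re.M)
    if not has_udp:
        if has_tcp:
            findings.append(f"{WG_PORT} is allowed for TCP only; WireGuard needs {WG_PORT}/udp")
        else:
            findings.append(f"no ALLOW rule for {WG_PORT}/udp")
    return findings


def check_service(unit_text: str) -> list:
    """The nym-node ExecStart line must carry --wireguard-enabled true."""
    joined = unit_text.replace("\\\n", " ")  # fold backslash line continuations
    exec_start = re.search(r"^ExecStart=(.*)$", joined, re.M)
    if not exec_start:
        return ["no ExecStart= line found in the service file"]
    if not re.search(r"--wireguard-enabled\s+true\b", exec_start.group(1)):
        return ["ExecStart is missing '--wireguard-enabled true'"]
    return []


def check_hostname(config_toml: str, has_reverse_proxy: bool) -> list:
    """hostname is a bare host name (no https://) with a reverse proxy/WSS, otherwise empty."""
    match = re.search(r'^\s*hostname\s*=\s*"([^"]*)"', config_toml, re.M)
    if not match:
        return ["no hostname field found in config.toml"]
    hostname = match.group(1).strip()
    if has_reverse_proxy:
        if not hostname:
            return ["reverse proxy/WSS in use but hostname is empty"]
        if "://" in hostname:
            return ["hostname must not contain a scheme such as https://"]
    elif hostname:
        return ["no reverse proxy/WSS, so hostname must be empty"]
    return []


def run_checks(ufw_output: str, unit_text: str, config_toml: str, has_reverse_proxy: bool) -> dict:
    """Run all three checks; every value is an empty list when the node passes."""
    return {
        "ufw": check_ufw(ufw_output),
        "service": check_service(unit_text),
        "hostname": check_hostname(config_toml, has_reverse_proxy),
    }


# Constructed samples (layouts assumed, not captured from a real node).
UFW_TCP_ONLY = """Status: active

To                         Action      From
--                         ------      ----
51822/tcp                  ALLOW       Anywhere
"""
UFW_OK = UFW_TCP_ONLY.replace("51822/tcp", "51822/udp")

UNIT_OK = """[Service]
ExecStart=/root/nym-node run --mode exit-gateway \\
  --wireguard-enabled true
"""
UNIT_MISSING = UNIT_OK.replace("--wireguard-enabled true", "")

CONFIG_PROXY_BAD = 'hostname = "https://gw.example.invalid"\n'
CONFIG_PLAIN_OK = 'hostname = ""\n'


if __name__ == "__main__":
    for name, findings in run_checks(UFW_TCP_ONLY, UNIT_MISSING, CONFIG_PROXY_BAD, True).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Each function returns a list of findings rather than raising, so the three checks can be run together and every problem reported in one pass; an empty list everywhere is the state the checklist asks for before you move on to the probe.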

These kinds of small details go unnoticed when we do things quickly, :yum: Thanks.