Once enrolled, all communications between nodes and Lighthouse are tunneled over Lighthouse VPN. Lighthouse is the VPN server, listening on the OpenVPN service port – UDP 1194 by default. For node-initiated northbound enrollment, Lighthouse listens on the enrollment API service port – TCP 443 by default.
To test that these ports are correctly configured and, for example, allowed through an external firewall, you can test access from the Opengear appliance you wish to enroll as a node.
In the following commands, replace external.address.of.lighthouse with the externally published address of Lighthouse, and 443 and 1194 with the externally published enrollment API and Lighthouse VPN ports, respectively.
1. Log in to the Opengear appliance CLI as root or an admin-group user
2. To test the API service is accessible, create a dummy connection with:
curl -k https://external.address.of.lighthouse:443/api/v3.0/nodes
If successful, you will see JSON formatted output, similar to:
{"error":[{"level":1,"type":4,"text":"Not Found","code":28}]}
3. To test the Lighthouse VPN service is accessible, create a dummy connection with:
echo -e '\x38\x01\x00\x00\x00\x00\x00\x00\x00' | nc -w1 -u external.address.of.lighthouse 1194 | hd
If successful, you will see one or more encoded responses, similar to:
000000: 51eb3140 0f826ab8 0000008b 00000000 @1.Q.j........
00000e: 51eb3140 0f826ab8 0000008b 00000000 @1.Q.j........
00001c: 51eb3140 0f826ab8 0000008b 00000000 @1.Q.j........
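The two checks above can also be scripted so the result is machine-checkable rather than eyeballed. The following is an added example, not part of the Opengear article or of Lighthouse itself: it builds the same kind of OpenVPN packet the echo|nc command sends (a P_CONTROL_HARD_RESET_CLIENT_V2 with key id 0, an 8-byte session id, an empty ack array and message packet id 0), decodes the opcode, key id and session id of any reply, and treats the enrollment API as reachable only when the body is the JSON error envelope shown in step 2, not merely when the TCP connection succeeds. The host name external.address.of.lighthouse is the article's placeholder; the sample reply bytes in the comments are constructed from the article's hexdump (whose dump tool prints 4-byte little-endian groups, so the first byte on the wire is 0x40).

```python
"""Added example (not Opengear's code): Lighthouse port reachability probes.
Usage: python lighthouse_probe.py external.address.of.lighthouse [api_port] [vpn_port]
"""
import json
import os
import socket
import ssl
import struct
import sys
import urllib.error
import urllib.request
from typing import Optional

# OpenVPN control-channel opcodes (upper 5 bits of the first byte; low 3 bits = key id)
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8


def build_openvpn_probe(session_id: bytes = b"") -> bytes:
    """Build the client hard-reset packet the article's echo|nc test sends:
    opcode 7, key id 0, 8-byte session id, empty ack array, packet id 0."""
    if not session_id:
        session_id = os.urandom(8)  # a fresh random id per probe, as a real client would use
    if len(session_id) != 8:
        raise ValueError("session id must be exactly 8 bytes")
    opcode_byte = (P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | 0  # key id 0
    return bytes([opcode_byte]) + session_id + b"\x00" + struct.pack(">I", 0)


def parse_openvpn_header(reply: bytes) -> dict:
    """Decode opcode, key id and session id from the start of an OpenVPN reply.
    For the article's sample reply (constructed here from its hexdump):
    bytes.fromhex("4031eb51b86a820f8b0000000000") -> opcode 8 (server hard reset v2)."""
    if len(reply) < 9:
        raise ValueError("reply too short for an OpenVPN control header")
    opcode = reply[0] >> 3
    return {
        "opcode": opcode,
        "key_id": reply[0] & 0x07,
        "session_id": reply[1:9].hex(),
        "is_server_reset": opcode == P_CONTROL_HARD_RESET_SERVER_V2,
    }


def api_answered(body: bytes) -> bool:
    """True when the body is the Lighthouse API's JSON error envelope, i.e. the
    request reached the API service itself (the article's 'Not Found' reply counts)."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return isinstance(doc, dict) and isinstance(doc.get("error"), list)


def probe_enrollment_api(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Equivalent of `curl -k https://host:port/api/v3.0/nodes`. Certificate
    verification is disabled on purpose: like curl -k, this only checks that the
    port is open and the API service answers; it is not an identity check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = "https://%s:%d/api/v3.0/nodes" % (host, port)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:  # a 404 still carries the JSON envelope
        body = exc.read()
    except (urllib.error.URLError, OSError):
        return False
    return api_answered(body)


def probe_openvpn(host: str, port: int = 1194, timeout: float = 1.0) -> Optional[dict]:
    """Equivalent of the article's echo|nc test: send one client hard-reset over
    UDP and return the parsed header of the first reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_openvpn_probe(), (host, port))
        try:
            reply, _ = sock.recvfrom(2048)
        except socket.timeout:
            return None
    return parse_openvpn_header(reply)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "external.address.of.lighthouse"
    api_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    vpn_port = int(sys.argv[3]) if len(sys.argv) > 3 else 1194
    print("enrollment API answered:", probe_enrollment_api(target, api_port))
    print("Lighthouse VPN reply:", probe_openvpn(target, vpn_port))
```

A reply whose opcode decodes to 8 (P_CONTROL_HARD_RESET_SERVER_V2) is the same evidence the article's hexdump gives: the OpenVPN service received the probe and answered. A timeout is weaker evidence than a reply: an OpenVPN server configured with tls-auth or tls-crypt silently drops unauthenticated hard-reset packets, so if that is ever enabled, confirm with the tcpdump check on Lighthouse rather than concluding the port is blocked.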
While running these tests, you may also test that Lighthouse is receiving the packets from the Opengear appliance:
1. Log in to the Lighthouse CLI as root or a Lighthouse Administrator
2. Run this command:
tcpdump -ntl -i net1 tcp port 443 or udp port 1194 and host source.address.of.appliance
... replacing 443 with the enrollment API service port, 1194 with the Lighthouse VPN port, and source.address.of.appliance with the address of the appliance.
Note that if the appliance is accessing Lighthouse from behind a firewall or masquerading gateway (SNAT), the source address may be different from the appliance's interface IP.