Once enrolled, all communication between a node and Lighthouse is tunneled over the Lighthouse VPN. Lighthouse is the VPN server and listens on the OpenVPN service port – UDP 1194 by default. For node-initiated (northbound) enrollment, Lighthouse also listens on the enrollment API service port – TCP 443 by default.
To check that these ports are correctly configured and, for example, allowed through an external firewall, you can test access from the Opengear appliance you intend to enroll as a node.
In the following commands, replace 1.2.3.4 with the externally published address of Lighthouse, and 443 and 1194 with the externally published enrollment API and Lighthouse VPN ports, respectively.
1. Log in to the Opengear appliance CLI as root or as a user in the admin group, and set these variables to your Lighthouse address, enrollment API port and VPN port:
LIGHTHOUSE_ADDRESS=1.2.3.4
API_PORT=443
VPN_PORT=1194
2. To test that the enrollment API service is reachable, make an unauthenticated request with the following command (-k skips TLS certificate verification, which is acceptable for a reachability test only):
curl -k https://${LIGHTHOUSE_ADDRESS}:${API_PORT}/api/v3.0/nodes
If successful, you will see JSON-formatted output similar to the following. The Not Found error is expected: it is generated by the Lighthouse API itself, so it proves the TCP connection and TLS handshake reached Lighthouse. A timeout, a connection refused, or a non-JSON reply (for example an HTML page from a proxy or captive portal) means the port is not reaching Lighthouse.
{"error":[{"level":1,"type":4,"text":"Not Found","code":28}]}
3. To test that the Lighthouse VPN service is reachable, send a single OpenVPN client hard-reset packet (opcode byte 0x38) and dump whatever comes back:
bash -c "exec 3<>/dev/udp/${LIGHTHOUSE_ADDRESS}/${VPN_PORT}; echo -e '\x38\x01\x00\x00\x00\x00\x00\x00\x00' >&3; od -xc <&3"
If successful, you will see one or more binary replies, similar to the dump below. Each reply is the OpenVPN server's hard-reset response, whose first byte is 0x40 (shown as @ on the character line); the server retransmits it because the probe never acknowledges it. Note that od -x prints 16-bit words, so on a little-endian host the byte pairs appear swapped (f740 rather than 40f7). If nothing comes back the command blocks waiting on the socket; press Ctrl-C to stop it.
0000000 f740 98fd 4e9a ce96 004b 0000 0000 f740
@ 367 375 230 232 N 226 316 K \0 \0 \0 \0 \0 @ 367
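The same three checks, as an added example script that is not from the Opengear article or from Lighthouse itself. It keeps the article's placeholder address and ports (overridable from the environment), assumes bash with curl, od, tr and a timeout command on the appliance, and decodes the OpenVPN reply instead of leaving the od dump to be read by eye: the top five bits of the first byte are the opcode, 7 for the client hard reset sent by the probe and 8 for the server hard reset a live Lighthouse answers with. The function names are my own.

```bash
#!/bin/bash
# Added example: wraps the article's reachability checks in functions that
# return pass/fail. Not Opengear or Lighthouse code; names are assumptions.
# Address and ports are the article's placeholders; override via environment.

LIGHTHOUSE_ADDRESS="${LIGHTHOUSE_ADDRESS:-1.2.3.4}"
API_PORT="${API_PORT:-443}"
VPN_PORT="${VPN_PORT:-1194}"

# The enrollment API answers an unauthenticated GET of /api/v3.0/nodes with a
# JSON error document such as {"error":[{...,"text":"Not Found",...}]}.
# Return 0 only for a body of that shape, so a proxy, captive portal or wrong
# host replying with HTML (or nothing at all) is reported as a failure.
api_reply_is_lighthouse_json() {
    printf '%s' "$1" | grep -q '^{"error":\[{.*"text":"[^"]*".*}\]}$'
}

# OpenVPN opcode from a packet's first byte, given as two hex digits: the
# opcode is the top 5 bits, the key id the low 3 bits.
# 7 = P_CONTROL_HARD_RESET_CLIENT_V2 (0x38, the probe the article sends)
# 8 = P_CONTROL_HARD_RESET_SERVER_V2 (0x40, the reply a live server sends)
openvpn_opcode() {
    echo $(( 0x$1 >> 3 ))
}

# Decode a reply given as a hex string with no spaces. Without tls-auth a
# HARD_RESET_SERVER_V2 is: opcode/key_id (1 byte), server session id (8),
# ack array length (1), packet id (4) = 14 bytes = 28 hex digits. The server
# retransmits it because the probe never ACKs, which is why the article's od
# dump shows the same bytes repeating.
# Prints "hard_reset_server <session id>" and returns 0, else returns 1.
decode_openvpn_reply() {
    hex=$1
    [ "${#hex}" -ge 28 ] || return 1
    first=$(printf '%s' "$hex" | cut -c1-2)
    [ "$(openvpn_opcode "$first")" -eq 8 ] || return 1
    echo "hard_reset_server $(printf '%s' "$hex" | cut -c3-18)"
}

# Live check of the enrollment API port. -k skips certificate verification,
# acceptable here only because this is a reachability test.
check_api() {
    body=$(curl -sk --max-time 5 \
        "https://${LIGHTHOUSE_ADDRESS}:${API_PORT}/api/v3.0/nodes") || return 1
    api_reply_is_lighthouse_json "$body"
}

# Live check of the VPN port: the article's probe, but read only the first
# 14 bytes of the reply and give up after 5 seconds instead of blocking.
check_vpn() {
    reply=$(timeout 5 bash -c "exec 3<>/dev/udp/${LIGHTHOUSE_ADDRESS}/${VPN_PORT};
        echo -e '\x38\x01\x00\x00\x00\x00\x00\x00\x00' >&3;
        od -An -tx1 -N14 <&3" 2>/dev/null | tr -d ' \n')
    decode_openvpn_reply "$reply"
}

# Run the live checks only when invoked as "script.sh run", so the decoding
# helpers above can be sourced and exercised offline.
if [ "$1" = run ]; then
    check_api && echo "API TCP/${API_PORT}: reachable" || echo "API TCP/${API_PORT}: FAILED"
    check_vpn && echo "VPN UDP/${VPN_PORT}: reachable" || echo "VPN UDP/${VPN_PORT}: FAILED"
fi
```

Run it on the appliance with `LIGHTHOUSE_ADDRESS=... ./check.sh run`; a successful VPN check also prints the server session id it decoded, which is handy to match against a tcpdump capture on the Lighthouse side.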
While running these tests, you can also confirm on Lighthouse that the packets from the Opengear appliance are arriving:
1. Log in to the Lighthouse CLI as root or as a Lighthouse Administrator.
2. Run this command:
tcpdump -ntl -i net1 'host source.address.of.appliance and (tcp port 443 or udp port 1194)'
... replacing 443 and 1194 with the enrollment API and Lighthouse VPN service ports, and source.address.of.appliance with the address of the appliance. The parentheses matter: in tcpdump filter syntax "and" binds more tightly than "or", so a filter written as tcp port 443 or udp port 1194 and host X would match TCP 443 traffic from every host, not just the appliance.
Note that if the appliance reaches Lighthouse from behind a firewall or masquerading gateway (SNAT), the source address Lighthouse sees is the gateway's public address, not the appliance's interface IP, and that is the address to use in the filter.