
Conflicts in network addresses across locations are not detected (bug/enhancement) #614

Open
dbutti opened this issue Apr 8, 2024 · 0 comments
Labels
bug Something isn't working

Comments

dbutti commented Apr 8, 2024

Describe the bug
If two or more VPN locations use the same IP network address, a conflict arises if the corresponding tunnels are connected simultaneously.

To Reproduce
Steps to reproduce the behavior:

  1. Create two VPN locations
  2. Assign (unique) gateway IP addresses but on the same network
  3. Connect a Defguard client to both locations at the same time (nothing stops you from doing so)
  4. In the best case only 1 tunnel will work. Conflicts may also arise in the assignment of IP addresses to the clients

Expected behavior/enhancement
Defguard considers every VPN location as a completely independent realm, where no coordination in the assignment of IP addresses is attempted, and under the silent assumption that locations using the same VPN IP netmask are not to be connected to simultaneously. This can be a valid use case, but the situation where several VPN locations share the same VPN IP network is valid (and very useful), too.

For instance, I frequently use Wireguard to set up a pattern manually where:

  • VPN servers (gateways) at different locations use IP addresses from the same network
  • clients define a single Wireguard interface, with all the gateways as peers on this single interface. The "allowedIPs" field is used to define static routing

In this way, the client can access several parts of a distributed infrastructure by using a single wireguard interface, which simplifies management and reduces the number of addresses/networks to handle.

This use case could be easily supported by Defguard if:

  • we would detect when the same VPN IP network is entered for different locations
  • we would then allow an option to "group" those locations together and treat them as a single tunnel connecting every client to different endpoints.
  • the client would then have an option to connect to the whole "location group" with a single action (bringing up a single wireguard interface), entering MFA information only once, and so on.

I hope my description is clear enough; please feel free to contact me in case additional information is needed (also on matrix: @dbutti:matrix.neaweb.ch)

Version information

  • Defguard Core version: v0.10.0
  • Defguard Gateway version: v0.10.0
@dbutti dbutti added the bug Something isn't working label Apr 8, 2024
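The checks the issue asks for (detect locations entered with the same or overlapping VPN network, group them, and then treat a group as one WireGuard interface with several peers whose AllowedIPs carry the static routes) can be prototyped independently of Defguard. The block below is an added example, not code from the Defguard project or from the issue author; the location table, gateway addresses and routed prefixes are constructed sample data. It also adds a check the issue implies but does not state: on a single WireGuard interface every destination prefix may be claimed by only one peer's AllowedIPs, so a location group is only viable if the peers' AllowedIPs are disjoint.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed sample data: location name -> (VPN network, gateway address in it).
# "office-a" and "office-b" deliberately share one network; "dc" is a supernet of it.
LOCATIONS = {
    "office-a": ("10.8.0.0/24", "10.8.0.1"),
    "office-b": ("10.8.0.0/24", "10.8.0.2"),
    "lab":      ("10.9.0.0/24", "10.9.0.1"),
    "dc":       ("10.8.0.0/16", "10.8.1.1"),
}

# Constructed: prefixes reachable behind each gateway; they become that peer's AllowedIPs.
ROUTES = {
    "office-a": ["192.168.10.0/24"],
    "office-b": ["192.168.20.0/24"],
}


def find_conflicts(locations):
    """Return sorted pairs of locations whose VPN networks overlap (identical or nested).

    Overlap, not just equality, is what matters: connecting to a /24 and to the /16
    that contains it at the same time produces the same routing clash.
    """
    nets = {name: ipaddress.ip_network(net) for name, (net, _gw) in locations.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def group_by_network(locations):
    """Group locations that were entered with exactly the same VPN network.

    These are the candidates for the 'location group' proposed in the issue;
    locations with merely overlapping (nested) networks are reported by
    find_conflicts() but are not grouped, since they cannot share one address plan.
    """
    groups = defaultdict(list)
    for name, (net, _gw) in locations.items():
        groups[str(ipaddress.ip_network(net))].append(name)
    return {net: sorted(names) for net, names in groups.items() if len(names) > 1}


def check_gateways(locations):
    """Every gateway must lie inside its own network and be unique across locations."""
    problems, seen = [], {}
    for name, (net, gw) in locations.items():
        network, gateway = ipaddress.ip_network(net), ipaddress.ip_address(gw)
        if gateway not in network:
            problems.append(f"{name}: gateway {gw} is outside {net}")
        if gw in seen:
            problems.append(f"{name}: gateway {gw} already used by {seen[gw]}")
        seen.setdefault(gw, name)
    return problems


def plan_allowed_ips(locations, group, routes):
    """Build each peer's AllowedIPs for one location group: gateway /32 plus routed prefixes.

    Raises ValueError if two peers would claim overlapping prefixes, because a single
    WireGuard interface routes each destination to at most one peer.
    """
    plan, claimed = {}, []
    for name in group:
        _net, gw = locations[name]
        prefixes = [ipaddress.ip_network(f"{gw}/32")]
        prefixes += [ipaddress.ip_network(r) for r in routes.get(name, [])]
        for prefix in prefixes:
            for other, taken in claimed:
                if other != name and prefix.overlaps(taken):
                    raise ValueError(
                        f"{name}: AllowedIPs {prefix} overlaps {taken} of peer {other}")
            claimed.append((name, prefix))
        plan[name] = [str(p) for p in prefixes]
    return plan


if __name__ == "__main__":
    print("overlapping networks:", find_conflicts(LOCATIONS))
    print("gateway problems:", check_gateways(LOCATIONS))
    for net, members in group_by_network(LOCATIONS).items():
        print(f"location group on {net}: {members}")
        for peer, allowed in plan_allowed_ips(LOCATIONS, members, ROUTES).items():
            print(f"  [Peer] {peer}  AllowedIPs = {', '.join(allowed)}")
```

Run as a script it flags the three overlapping pairs (including the nested `dc`/`office-*` case a plain equality check would miss), forms the single group `office-a`/`office-b`, and prints the per-peer AllowedIPs that would go into the one client interface; feeding it two routes that overlap makes `plan_allowed_ips` refuse the group instead of silently producing an interface where one peer shadows the other.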