NoMachine for Windows forum: Unable to connect over WireGuard tunnel
Tagged: wireguard
This topic has 6 replies, 4 voices, and was last updated 3 years, 6 months ago by gabriel_chamon.

July 1, 2021 at 16:51 (#34276) gabriel_chamon, Participant
I have recently set up a NoMachine server behind a network protected by a WireGuard VPN.
When I connect using the WireGuard client for Windows, I can access all internal web pages and servers (using PuTTY, for instance). The tunnel itself is, therefore, working properly on Windows. However, when I try to establish a connection using NoMachine with the server’s internal IP, it hangs and fails with a timeout message.
On Linux I can connect using the NoMachine client without any issues using the private IP over WireGuard.
All traffic to the NoMachine server coming from the VPN server is allowed.
Tried disabling UPnP, but that didn’t help.
Any advice on how to debug?
July 2, 2021 at 13:12 (#34302) fisherman, Moderator

Please enable debug. I understood that the server host is Windows. The easiest way to enable logs on Windows is to run CMD as Administrator and then execute
"C:\Program Files (x86)\NoMachine\bin\nxserver" --debug --enable all
Then please restart the NoMachine server and reproduce the problem.
"C:\Program Files (x86)\NoMachine\bin\nxserver" --restart
and after reproducing the error please send us the created zip archive to forum[at]nomachine[dot]com and then disable debug.
"C:\Program Files (x86)\NoMachine\bin\nxserver" --debug --disable all
More information about enabling debug and collecting logs can be found here: Collect server side logs automatically
July 2, 2021 at 16:58 (#34310) gabriel_chamon, Participant

The NoMachine server is running on Ubuntu. Sorry, I missed that info. However, there are no logs on the server. The connection from Windows never reaches the server. However, if I initiate a connection from Linux, everything works as expected. The problem is that the NoMachine client on Windows is ignoring the WireGuard tunnel.
July 14, 2021 at 13:01 (#34449) Carin, Participant

Hi gabriel_chamon,
We tested WireGuard in our labs on Linux and Windows machines and everything worked.
Can you provide us with additional information about your network configuration? Thanks!
July 14, 2021 at 14:41 (#34450) gabriel_chamon, Participant

My infrastructure consists of two AWS EC2 instances, one running NoMachine Server on Ubuntu and one running a WireGuard VPN server on Amazon Linux 2, plus a client running NoMachine Client on Windows.
If we use internal IPs from the CIDR block 172.31.0.0/16, connections go through the WireGuard tunnel. Other IPs go over the public internet.
In a nutshell, the connection should go like this:
(NoMachine Client on Windows) |–[WireGuard Tunnel]–> (WireGuard VPN Server) |–[Forward packets]–> (NoMachine Server on Ubuntu).
However, the Windows client times out when trying to connect over the VPN tunnel. Everything else that is behind the VPN connection works. For instance, we have a documentation service that is accessible only internally, and the web page opens just fine. SSH connections are also only accessible through the tunnel, and they work fine using PuTTY. The only service that times out is the Windows client.
The workaround we applied is to open ports 4000 and 4011-4099 to the internet. This way we can connect to the NoMachine server using its public IP just fine.
This makes me believe that somehow, even though we set up the connection in the NoMachine client using the private IP, it tries to connect to the server over the internet, ignoring the VPN tunnel.
Is there a way to specify the interface or device in the NoMachine client so that we force the connection to go through the tunnel?
July 20, 2021 at 08:38 (#34517) Tom, Participant

Hi, I have set up two machines on AWS. The first is Amazon Linux 2 with WireGuard installed, the second is Amazon Linux 2 with the MATE desktop and NoMachine installed. From my home computer with Windows, I am able to connect via WireGuard to VM number two using NoMachine, on a local IP. I suspect the problem is that port 4000 in the security groups is not open for the second VM.
It must be open at least for the IP of the VM with WireGuard, or for the entire VPC.
It’s not a good idea to open port 4000 for everyone, but you can do it while testing.
Then remember to turn it off. Greetings, Tom

July 21, 2021 at 08:06 (#34526) gabriel_chamon, Participant

Thanks @Tom,
I rechecked all my configs, reapplied the old configuration (I use Terraform with git, so I can track the whole change history), and using the internal IP I can now connect.
My guess is that something must have changed in the new server version, as I tested first with the external IP and the server prompted for an update. Or I was in a weird state and things just fixed themselves somehow.
Anyway, it seems I can connect through the WireGuard tunnel now.
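Tom's diagnosis above comes down to an AWS security-group rule: the NoMachine instance must admit TCP 4000 from the WireGuard gateway (or the VPC), and the "open 4000 to the internet" workaround from earlier in the thread should not be left in place. Since the original poster manages this in Terraform, here is that rule set as an added example; it is not configuration from the thread or from NoMachine. Assumed: the variable and resource names, that the WireGuard gateway has its own security group referenced below, that WireGuard listens on its usual default UDP port 51820, and the VPC CIDR 172.31.0.0/16 taken from the thread. The UDP range 4011-4099 is copied from the poster's workaround and is only relevant if clients negotiate UDP media transport.

```hcl
# Added example, not code from the thread. Restricts NoMachine's ports to the
# WireGuard gateway instead of the whole internet. Variable names, the gateway
# security group, and the 51820 listen port are assumptions.

variable "vpc_id" {
  description = "VPC holding both EC2 instances (assumed)"
  type        = string
}

variable "wireguard_listen_port" {
  description = "UDP port WireGuard listens on; 51820 is the common default (assumed)"
  type        = number
  default     = 51820
}

# Gateway security group: the only thing the internet may reach is WireGuard.
resource "aws_security_group" "wireguard" {
  name        = "wireguard-gateway"
  description = "WireGuard endpoint reachable from the internet"
  vpc_id      = var.vpc_id

  ingress {
    description = "WireGuard handshake and data from roaming clients"
    from_port   = var.wireguard_listen_port
    to_port     = var.wireguard_listen_port
    protocol    = "udp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Outbound left open so the gateway can forward decrypted traffic into the
  # VPC and still fetch its own updates; tighten if your policy requires it.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# NoMachine security group: NX ports only from the gateway.
resource "aws_security_group" "nomachine" {
  name        = "nomachine-server"
  description = "NoMachine reachable only through the WireGuard gateway"
  vpc_id      = var.vpc_id

  # TCP 4000 is the NX service port. Sourcing the rule from the gateway's
  # security group rather than its private IP survives instance replacement.
  ingress {
    description     = "NoMachine NX from the WireGuard gateway"
    from_port       = 4000
    to_port         = 4000
    protocol        = "tcp"
    security_groups = [aws_security_group.wireguard.id]
  }

  # UDP range the thread's workaround opened alongside 4000; gateway-only too.
  ingress {
    description     = "NoMachine UDP media from the WireGuard gateway"
    from_port       = 4011
    to_port         = 4099
    protocol        = "udp"
    security_groups = [aws_security_group.wireguard.id]
  }

  # The thread's temporary workaround, kept here only for contrast. Do not
  # ship it: it exposes the NX login to every address on the internet.
  # ingress {
  #   from_port   = 4000
  #   to_port     = 4000
  #   protocol    = "tcp"
  #   cidr_blocks = ["0.0.0.0/0"]
  # }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Attach `aws_security_group.nomachine` to the NoMachine instance and `aws_security_group.wireguard` to the gateway, then `terraform plan` should show the 0.0.0.0/0 rule on port 4000 being removed. If you prefer Tom's "entire VPC" variant, replace `security_groups` with `cidr_blocks = ["172.31.0.0/16"]`. Two things the thread's topology implies but does not state: an EC2 instance that forwards packets for other hosts needs `source_dest_check = false` on its `aws_instance` resource, and the NoMachine host must either have a route back to the WireGuard client subnet via the gateway or the gateway must NAT the tunnel traffic; if neither is true, the SYN arrives but the SYN-ACK has nowhere to go, which presents as exactly the client-side timeout described here.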