Unable to connect over Wireguard tunnel

    #34276
    gabriel_chamon
    Participant

    I have recently setup a NoMachine server behind a network protected by Wireguard VPN.

    When I connect using the Wireguard client for Windows, I can access all internal web pages and servers (using putty, for instance). The tunnel itself is, therefore, working properly on Windows. However, when I try to establish a connection using NoMachine with the server’s internal IP, it hangs and fails with a timeout message.

    On Linux I can connect using NoMachine client without any issues using the private IP over Wireguard.

    All traffic to the NoMachine server coming from the VPN server is allowed.

    Tried disabling UPnP, but that didn’t help.

    Any advice on how to debug?

    #34302
    fisherman
    Moderator

    Please enable debug. I understood that the server host is Windows. The easiest way to enable logs on Windows is to run CMD as Administrator and then execute
    "C:\Program Files (x86)\NoMachine\bin\nxserver" --debug --enable all

    Then please restart NoMachine server and reproduce problem.
    "C:\Program Files (x86)\NoMachine\bin\nxserver" --restart

    and after reproducing the error please send us the created zip archive to forum[at]nomachine[dot]com and then disable debug.

    "C:\Program Files (x86)\NoMachine\bin\nxserver" --debug --disable all

    More information about enabling debug and collecting logs can be found here: Collect server side logs automatically

    #34310
    gabriel_chamon
    Participant

    The NoMachine server is running on Ubuntu. Sorry, I missed that info. However, there are no logs on the server. The connection from Windows never reaches the server. However, if I initiate a connection from a Linux machine everything works as expected. The problem is that the NoMachine client on Windows is ignoring the Wireguard tunnel.

    #34449
    Carin
    Participant

    Hi gabriel_chamon,

    we tested Wireguard in our labs on Linux and Windows machines and everything worked.

    Can you provide us with additional information about your network configuration? Thanks!

    #34450
    gabriel_chamon
    Participant

    My infrastructure comprises 2 AWS EC2 instances, an instance running NoMachine Server on Ubuntu and an instance running a Wireguard VPN Server on Amazon Linux 2, plus a client running NoMachine Client on Windows.

    If we use internal IPs from the CIDR block 172.31.0.0/16, connections go through the Wireguard tunnel. Other IPs go over the public internet.

    In a nutshell, the connection should go like this:

    (NoMachine Client on Windows) |–[Wireguard Tunnel]–> (Wireguard VPN Server) |–[Forward Packages]–> (NoMachine Server on Ubuntu).

    However, the Windows Client times out when trying to connect over the VPN tunnel. Everything else that is behind the VPN connection works. For instance, we have a documentation service that is accessible only internally and the web page opens just fine. SSH connections are also only accessible through the Tunnel, which work fine using PuTTY. The only service that times out is the Windows client.

    The workaround we applied is to open ports 4000 and 4011-4099 to the internet. This way we can connect to the NoMachine server using its public IP just fine.

    This makes me believe that somehow, even though we setup the connection on NoMachine client using the private IP, it tries to connect to the server over the internet, ignoring the VPN tunnel.

    Is there a way to specify the interface or device in the NoMachine client so that we force the connection to go through the tunnel?

    #34517
    Tom
    Participant

    Hi, I have set up two machines on AWS. First Amazon Linux 2 with WireGuard installed, second Amazon Linux 2 with Mate desktop and NoMachine installed. From my home computer with Windows, I am able to connect via WireGuard to VM number two using NoMachine, on a local IP. I suspect the problem is that port 4000 in security groups is not open for second VM.
    It must be open at least for the IP of the VM with WireGuard, or for the entire VPC.
    It’s not a good idea to open port 4000 for everyone, but you can do it while testing.
    Then remember to turn it off. Greetings, Tom
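
Tom's security-group point and the earlier "open 4000 and 4011-4099 to the internet" workaround, expressed as a Terraform fragment (an added example, not from the thread or from NoMachine): the NoMachine host's group admits NX traffic only from the WireGuard server, not from the whole internet. The variable and resource names and the 10.8.0.0/24 tunnel subnet are assumptions; the ports are the ones the thread mentions.

```hcl
# Added example, not from the thread. Names, variables and the tunnel CIDR are
# assumptions; the ports (TCP 4000, 4011-4099) are the ones the thread opened.
variable "vpc_id" { type = string }          # VPC holding both instances (assumed)
variable "wireguard_sg_id" { type = string } # SG of the WireGuard server instance (assumed)
variable "wireguard_tunnel_cidr" {           # tunnel subnet (constructed value): the source
  type    = string                           # address seen when the WireGuard server
  default = "10.8.0.0/24"                    # forwards packets without NAT
}
resource "aws_security_group" "nomachine" {
  name        = "nomachine-server"
  description = "NoMachine reachable only through the WireGuard server"
  vpc_id      = var.vpc_id
}
# Weak setting (the thread's workaround): cidr_blocks = ["0.0.0.0/0"] on port 4000.
# Hardened: accept NX only from the WireGuard server's security group (NAT case)
# or from the tunnel subnet (no-NAT case), and only on the NoMachine ports.
locals {
  nx_ports = { nx = [4000, 4000], nx_range = [4011, 4099] }
}
resource "aws_security_group_rule" "nx_from_wireguard_sg" {
  for_each                 = local.nx_ports
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = each.value[0]
  to_port                  = each.value[1]
  security_group_id        = aws_security_group.nomachine.id
  source_security_group_id = var.wireguard_sg_id
}

resource "aws_security_group_rule" "nx_from_tunnel" {
  for_each          = local.nx_ports
  type              = "ingress"
  protocol          = "tcp"
  from_port         = each.value[0]
  to_port           = each.value[1]
  security_group_id = aws_security_group.nomachine.id
  cidr_blocks       = [var.wireguard_tunnel_cidr]
}

# Terraform drops AWS's default allow-all egress. Security groups are stateful, so
# NX replies still flow; this rule only lets the host reach package/update servers.
resource "aws_security_group_rule" "egress_all" {
  type              = "egress"
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  security_group_id = aws_security_group.nomachine.id
  cidr_blocks       = ["0.0.0.0/0"]
}
```

Which of the two ingress rules actually matches depends on whether the WireGuard server masquerades forwarded packets; check the source address on the NoMachine host (for example with tcpdump on port 4000) and keep only the rule you need.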

    #34526
    gabriel_chamon
    Participant

    Thanks @Tom,

    I rechecked all my configs, reapplied the old configuration (I use terraform with git, so I can track all the change history) and using the internal IP I can now connect.

    My guess is that something must have changed in the new server version, as I tested first with the external IP and the server prompted for an update. Or I was in a weird state and things just fixed themselves somehow.

    Anyway, it seems I can connect through the WireGuard tunnel now.
