Seeking assistance setting up traefik with wireguard server
from mike_wooskey@lemmy.d.thewooskeys.com to selfhosted@lemmy.world on 28 Apr 20:50
https://lemmy.d.thewooskeys.com/post/149699

I’m hoping someone can help me figure out what I’m doing wrong.

I have a VM on my local network that has Traefik, 2 apps (whoami and myapp), and wireguard in server mode (let’s call this VM “server”). I have another VM on the same network with Traefik and wireguard in client mode (let’s call this VM “client”).

But when I browse to http://myapp.mydomain.com I get “Internal Server Error”, yet nothing appears in the docker logs for any app (neither traefik container, neither wireguard container, nor the myapp container).

Any suggestions/assistance would be appreciated!

#selfhosted


mike_wooskey@lemmy.d.thewooskeys.com on 28 Apr 22:16 next collapse

I should add that I’m running Traefik 2.11.2 and wireguard from the Linuxserver image lscr.io/linuxserver/wireguard version v1.0.20210914-ls22.

mike_wooskey@lemmy.d.thewooskeys.com on 05 May 20:17 collapse

@deergon@lemmy.world, @shasta@lemm.ee, and @lemmyvore@feddit.nl,

Thanks for your help. My main issue ended up being that I was trying to use Let’s Encrypt’s staging mode, but since staging certs are self-signed, Traefik was not accepting the requests. Also, I had to switch Traefik’s logging level to Info instead of Error to see that.

Lem453@lemmy.ca on 29 Apr 04:31 next collapse

This seems like an issue where the wireguard is not using the correct DNS server. Does the wireguard DNS setting point to the router?

A diagram might help me to see what is going on more clearly.

mike_wooskey@lemmy.d.thewooskeys.com on 29 Apr 11:37 collapse

Thanks for helping, @Lem453@lemmy.ca.

Both wireguard containers are using my router for DNS, and my router points myapp.mydomain.com and whoami.mydomain.com to “client”.


lemmyvore@feddit.nl on 29 Apr 08:27 next collapse

You’ll have to give more details. Where are you browsing from? How is the tunnel between the VMs relevant? Are the VMs’ IPs routed on the LAN? Is myapp.mydomain.com defined in a DNS server, and if so which? Is it the DNS server on the LAN or a public DNS? Do both VM and the machine you’re browsing from resolve that address to the same IP, and is that IP reachable from the browser machine?

mike_wooskey@lemmy.d.thewooskeys.com on 29 Apr 11:45 collapse

Thanks for helping, @lemmyvore@feddit.nl.

I’m browsing from my laptop on the same network as Proxmox: 192.168.1.0/24

The tunnel is relevant in that my ultimate goal will be to have “client” in the cloud so I can access my apps from the world while having all traffic into my house be through a VPN.

The VM’s IPs are 192.168.1.50 (“server”) and 192.168.1.51 (“client”). They can see everything on their subnet and everything on their subnet can see them.

Everything is using my router for DNS, and my router points myapp.mydomain.com and whoami.mydomain.com to “client”. And by “everything” I mean all computers on the subnet and all containers in this project.

Both VMs and my laptop resolve myapp.mydomain.com and whoami.mydomain.com to 192.168.1.51, which is “client”, and can ping it.

lemmyvore@feddit.nl on 29 Apr 12:02 collapse

Is the browser also using the LAN router for DNS? Some browsers are set to use DoT or DoH for DNS, which would mean they’d bypass your router DNS.

Do you also get “Internal Server Error” if you make the request with curl on the CLI on the laptop?

How did you check that mydomain is being resolved correctly on the laptop?

What do you get with curl from the other VM, or from the router, or from the host machine of the VM?

mike_wooskey@lemmy.d.thewooskeys.com on 29 Apr 15:17 collapse

Thanks so much for helping me troubleshoot this, @lemmyvore@feddit.nl!

Is the browser also using the LAN router for DNS? Some browsers are set to use DoT or DoH for DNS, which would mean they’d bypass your router DNS.

My browser was using DoH, but I turned it off and still have the same issue.

Do you also get “Internal Server Error” if you make the request with curl on the CLI on the laptop?

Yes, running curl -L -k --header 'Host: whoami.mydomain.com' 192.168.1.51 on the laptop results in “Internal Server Error”.

How did you check that mydomain is being resolved correctly on the laptop?

ping whoami.mydomain.com hits 192.168.1.51.

What do you get with curl from the other VM, or from the router, or from the host machine of the VM?

From the router:

$ curl -L -k --header 'Host: whoami.mydomain.com' 192.168.1.51
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0-
100    17  100    17    0     0   8200      0 --:--:-- --:--:-- --:--:-- 17000

100    21  100    21    0     0    649      0 --:--:-- --:--:-- --:--:--   649
Internal Server Error

From the wireguard client container on the “client” VM:

curl -L -k --header 'Host: whoami.mydomain.com' 192.168.1.51
Internal Server Error

From the traefik container on the “client” VM:

$ curl -L -k --header 'Host: whoami.mydomain.com' 192.168.1.51
Internal Server Error

From the “client” VM itself:

# curl -L -k --header 'Host: whoami.mydomain.com' 192.168.1.51
Internal Server Error

From the wireguard container on the “server” VM:

# curl -L -k --header 'Host: whoami.mydomain.com' 192.168.1.51
Internal Server Error

From the traefik container on the “server” VM (This is interesting. Why can’t I ping from this traefik installation but I can from the other? But even though it won’t ping, it did resolve to the correct IP):

$ ping whoami.mydomain.com
PING whoami.mydomain.com (192.168.1.51): 56 data bytes
ping: permission denied (are you root?)

From the “server” VM itself:

# curl -L -k --header 'Host: whoami.mydomain.com' 192.168.1.51
Internal Server Error

mike_wooskey@lemmy.d.thewooskeys.com on 29 Apr 15:20 collapse

Also, just to make sure the app is indeed running, I curled it from its own container (I’m using myapp here instead of whoami, because whoami doesn’t have a shell):

$ curl -L -k --header 'Host: myapp.mydomain.com' localhost:8080

I can’t seem to display html tags in this comment, but the results are the html tags for the web page for the app - so the app is up and running

Decronym@lemmy.decronym.xyz on 29 Apr 11:55 next collapse

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters   More Letters
DNS             Domain Name Service/System
HTTP            Hypertext Transfer Protocol, the Web
IP              Internet Protocol
VPN             Virtual Private Network

4 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.

[Thread #723 for this sub, first seen 29th Apr 2024, 11:55]

deergon@lemmy.world on 29 Apr 16:12 next collapse

Just a few thoughts:

  • Did you enable access logs in Traefik as well as setting global log level to debug? This usually gives a lot more info about what’s going on
  • Are the containers using the same docker network or host network, so they can reach each other?

mike_wooskey@lemmy.d.thewooskeys.com on 29 Apr 16:35 collapse

Thanks for helping, @deergon@lemmy.world.

Both traefik containers (on the “server” and “client” VMs) and the wireguard server container were built with TRAEFIK_NETWORK_MODE=host. The VMs can ping each other and the Wireguard containers can ping each other.

Both traefik containers were built with TRAEFIK_LOG_LEVEL=warn but I changed them both to TRAEFIK_LOG_LEVEL=info just now. There’s a tad more info in the logs, but nothing that seems pertinent.

deergon@lemmy.world on 29 Apr 21:22 collapse

How about the Traefik access logs (separate from the main log), do they reveal anything?

mike_wooskey@lemmy.d.thewooskeys.com on 30 Apr 00:26 collapse

From traefik’s access.log:

{"ClientAddr":"192.168.1.17:45930","ClientHost":"192.168.1.17","ClientPort":"45930","ClientUsername":"-","DownstreamContentSize":21,"DownstreamStatus":500,"Duration":13526669,"OriginContentSize":21,"OriginDuration":13462593,"OriginStatus":500,"Overhead":64076,"RequestAddr":"whoami.mydomain.com","RequestContentSize":0,"RequestCount":16032,"RequestHost":"whoami.mydomain.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"websecure-whoami-vpn@file","ServiceAddr":"10.13.16.1","ServiceName":"whoami-vpn@file","ServiceURL":{"Scheme":"https","Opaque":"","User":null,"Host":"10.13.16.1","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2024-04-30T00:21:51.533176765Z","StartUTC":"2024-04-30T00:21:51.533176765Z","TLSCipher":"TLS_CHACHA20_POLY1305_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2024-04-30T00:21:51Z"}
{"ClientAddr":"192.168.1.17:45930","ClientHost":"192.168.1.17","ClientPort":"45930","ClientUsername":"-","DownstreamContentSize":21,"DownstreamStatus":500,"Duration":13754666,"OriginContentSize":21,"OriginDuration":13696179,"OriginStatus":500,"Overhead":58487,"RequestAddr":"whoami.mydomain.com","RequestContentSize":0,"RequestCount":16033,"RequestHost":"whoami.mydomain.com","RequestMethod":"GET","RequestPath":"/favicon.ico","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"websecure-whoami-vpn@file","ServiceAddr":"10.13.16.1","ServiceName":"whoami-vpn@file","ServiceURL":{"Scheme":"https","Opaque":"","User":null,"Host":"10.13.16.1","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2024-04-30T00:21:51.74274202Z","StartUTC":"2024-04-30T00:21:51.74274202Z","TLSCipher":"TLS_CHACHA20_POLY1305_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2024-04-30T00:21:51Z"}

All I can tell from this is that there is a DownstreamStatus of 500. I don’t know what that means.

deergon@lemmy.world on 30 Apr 13:37 collapse

Have you tried accessing your service url from inside the Traefik container? E.g. wget 10.13.16.1? Also you seem to be accessing the service url with https, which usually requires insecureSkipVerify=true. Otherwise you might get http-500 error downstream.
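To make the hint above concrete, here is an added example of a Traefik v2 file-provider dynamic configuration for this setup; it is not the poster’s config. The router, service and backend address (10.13.16.1) are taken from the access log entries posted earlier; the CA file path and the assumption that the backend certificate is issued for whoami.mydomain.com are placeholders. It shows the defensible fix (trust the issuing CA via a serversTransport) with insecureSkipVerify left as a commented last resort.

```yaml
# Traefik v2 dynamic configuration (file provider). Added example, not the
# original poster's configuration. Router/service names and the backend IP
# come from the access.log lines shown above; paths and cert subject are assumed.
http:
  routers:
    websecure-whoami-vpn:
      rule: "Host(`whoami.mydomain.com`)"
      entryPoints:
        - websecure
      service: whoami-vpn
      tls: {}

  services:
    whoami-vpn:
      loadBalancer:
        # Without an explicit transport, Traefik verifies the backend's TLS
        # certificate against the system CA store; a Let's Encrypt *staging*
        # certificate is not trusted there, so the dial fails and the client
        # sees "Internal Server Error" (OriginStatus 500 in access.log).
        serversTransport: vpn-backend
        servers:
          - url: "https://10.13.16.1"

  serversTransports:
    vpn-backend:
      # Preferred: trust only the CA that issued the backend certificate.
      # Placeholder path; point it at the staging root CA PEM you actually use.
      rootCAs:
        - /etc/traefik/certs/staging-root-ca.pem
      # The backend is dialled by IP, so hostname verification needs the name
      # the certificate was issued for (assumed here to be whoami.mydomain.com).
      serverName: whoami.mydomain.com
      # Last resort: skip certificate verification entirely. Only defensible
      # because the hop to 10.13.16.1 already runs inside the WireGuard tunnel.
      # insecureSkipVerify: true
```

With the log level at info or debug, a failed backend handshake shows up in the main Traefik log as an x509 verification error, which is the message that was missing at the warn/error level.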

shasta@lemm.ee on 29 Apr 18:16 collapse

500 errors typically log a stack trace in the server logs. Have you checked there? That would give more indication of where to start debugging.

mike_wooskey@lemmy.d.thewooskeys.com on 30 Apr 00:28 collapse

By “server log”, do you mean traefik’s log? If so, this is the only thing I could find (and I don’t know what it means): lemmy.d.thewooskeys.com/comment/514711

shasta@lemm.ee on 30 Apr 01:48 collapse

No. Traefik says the 500 error came from downstream. So that means either wireguard or myapp. Check the logs for those.