
🐛 BUG: "Refusing to handshake with myself" when configuring self as unsafe_routes via #1157

@johnmaguire

Description

What version of nebula are you using? (nebula -version)

1.9.2

What operating system are you using?

Linux

Describe the Bug

While debugging an issue on Nebula OSS I saw confusing behavior where a host reported "Handshake message sent" with a vpnIp field equal to its own IP address. This was followed by "Refusing to handshake with myself."

On Linux, when attempting to connect to your own IP address, it will typically send traffic over the loopback interface. Therefore it's unexpected that we would see Nebula try to handshake with its own IP address. It seems that this can occur when a host configures itself as a via for an unsafe_routes entry.

I think this is probably always a misconfiguration - maybe we should spit out an error if we detect the host's own IP address in a via at startup / reload time?

Logs from affected hosts

Jun 05 11:09:16 i-wanna-be-a-mac nebula[67753]: time="2024-06-05T11:09:16-07:00" level=info msg="Firewall rule added" firewallRule="map[caName: caSha: direction:incoming endPort:8080 groups:[benn] host: ip: localIp:10.2.0.0/24 proto:6 startPort:8080]"
...
Jun 05 11:09:16 i-wanna-be-a-mac nebula[67753]: time="2024-06-05T11:09:16-07:00" level=info msg="Nebula interface is active" boringcrypto=false build=1.9.2 interface=nebula1 network=100.2.0.2/24 udpAddr="0.0.0.0:4242"
Jun 05 11:09:16 i-wanna-be-a-mac nebula[67753]: time="2024-06-05T11:09:16-07:00" level=info msg="Added route" route="10.2.0.0/24 metric: 100"
...
Jun 05 11:09:16 i-wanna-be-a-mac nebula[67753]: time="2024-06-05T11:09:16-07:00" level=info msg="Handshake message sent" handshake="map[stage:1 style:ix_psk0]" initiatorIndex=1681038003 localIndex=1681038003 remoteIndex=0 udpAddrs="[135.180.109.31:4242]" vpnIp=100.2.0.2
Jun 05 11:09:16 i-wanna-be-a-mac nebula[67753]: time="2024-06-05T11:09:16-07:00" level=error msg="Refusing to handshake with myself" certName=server fingerprint=3788d2880810f6681d07a354c43a58f1d9b59fb6be9a74151c81a47a9c640004 handshake="map[stage:1 style:ix_psk0]" issuer=90226e53fe26e8dee76bdd04797b83a38260fce1ef8488c4532fa676e9920fc6 udpAddr="10.2.0.1:4242" vpnIp=100.2.0.2

Config files from affected hosts

n/a
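The startup check proposed above, as an added example that is not part of the issue or of Nebula's own code: given the host's tun network (the network value logged on the "Nebula interface is active" line, 100.2.0.2/24 here) and its unsafe_routes entries, flag any entry whose via is the host's own VPN IP, which is the configuration that produces the "Refusing to handshake with myself" log. The config is not included in the report, so the via value 100.2.0.2 in the sample is an assumption; the UnsafeRoute and SelfViaError types and the extra "via outside the Nebula network" sanity check are this example's own, not Nebula's.

```go
package main

import (
	"fmt"
	"net/netip"
)

// UnsafeRoute holds the two fields of an unsafe_routes entry that matter for
// this check. Added example type, not Nebula's config struct.
type UnsafeRoute struct {
	Route string // destination CIDR, e.g. "10.2.0.0/24"
	Via   string // Nebula VPN IP of the host that forwards traffic for Route
}

// SelfViaError reports an unsafe_routes entry whose via is this host's own
// VPN IP. Hypothetical error type introduced for this example.
type SelfViaError struct {
	Route string
	Via   string
}

func (e SelfViaError) Error() string {
	return fmt.Sprintf("unsafe_routes entry %s: via %s is this host's own VPN IP "+
		"(routing through ourselves leads to a handshake with myself)", e.Route, e.Via)
}

// CheckUnsafeRoutes validates unsafe_routes entries against the host's own VPN
// address. localNet is the tun network, e.g. "100.2.0.2/24"; the host address is
// the address part of that prefix. All problems are collected rather than
// stopping at the first, so an operator sees every bad entry at once.
func CheckUnsafeRoutes(localNet string, routes []UnsafeRoute) []error {
	local, err := netip.ParsePrefix(localNet)
	if err != nil {
		return []error{fmt.Errorf("invalid local network %q: %w", localNet, err)}
	}
	self := local.Addr()

	var errs []error
	for _, r := range routes {
		if _, err := netip.ParsePrefix(r.Route); err != nil {
			errs = append(errs, fmt.Errorf("unsafe_routes entry %q: bad route: %w", r.Route, err))
			continue
		}
		via, err := netip.ParseAddr(r.Via)
		if err != nil {
			errs = append(errs, fmt.Errorf("unsafe_routes entry %s: bad via %q: %w", r.Route, r.Via, err))
			continue
		}
		// The case from the report: the via is our own address.
		if via == self {
			errs = append(errs, SelfViaError{Route: r.Route, Via: r.Via})
			continue
		}
		// Added sanity check (an assumption of this example): a via that is not a
		// Nebula address can never be handshaken with either.
		if !local.Contains(via) {
			errs = append(errs, fmt.Errorf("unsafe_routes entry %s: via %s is not in the Nebula network %s",
				r.Route, r.Via, local.Masked()))
		}
	}
	return errs
}

func main() {
	// Constructed configuration reproducing the report: host 100.2.0.2/24 lists
	// itself as the via for 10.2.0.0/24 (the via value is assumed; the issue does
	// not include the config). The second entry points at another host and is fine.
	routes := []UnsafeRoute{
		{Route: "10.2.0.0/24", Via: "100.2.0.2"}, // misconfigured: self
		{Route: "10.3.0.0/24", Via: "100.2.0.1"}, // valid: another Nebula host
	}
	for _, err := range CheckUnsafeRoutes("100.2.0.2/24", routes) {
		fmt.Println("config error:", err)
	}
}
```

Run at startup and again on config reload, before routes are installed, so the misconfiguration is rejected with a clear message instead of surfacing later as a confusing handshake log line.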
