Hi all,
I am new to Firezone and attempting to install and configure it as a proof-of-concept system. I am looking to move a few systems from OpenVPN (OpenVPN Access Server) to WireGuard with Firezone as the management system. I am having problems and only get 502 Bad Gateway from the clients. I have attempted to access the system via the local IP (as stated in the documentation) but no luck on that front either.
The environment it is running in is a NAT private subnet, 192.168.0.0/24. The Docker server dedicated to Firezone is running Ubuntu Server 20.04 LTS in a Proxmox VM (1 core, 2 GB RAM, 16 GB disk), Docker 24.0.5, at IP 192.168.0.36. The network is supported by Nginx Proxy Manager running on a different Docker server at 192.168.0.250.
I have set the environment variables as follows for testing (the whole 192.168.0.0 subnet):
PHOENIX_EXTERNAL_TRUSTED_PROXIES=["192.168.0.0/24"]
PHOENIX_PRIVATE_CLIENTS=["192.168.0.0/24"]
SECURE_COOKIES=false
Browsers pointing at the server get 502 Bad Gateway errors from its private network or routed from the public web. When attempting to connect from a browser to the Firezone server I get “Secure Connection Failed” “An error occurred during a connection to 192.168.0.36. Peer reports it experienced an internal error. Error code: SSL_ERROR_INTERNAL_ERROR_ALERT”
When using curl from the local network (server running NPS) to the Firezone IP:
root@dlf-docker:/# curl -v https://192.168.0.36
* Trying 192.168.0.36:443...
* TCP_NODELAY set
* Connected to 192.168.0.36 (192.168.0.36) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
When using curl from the local network (server running NPS) to the Firezone URL:
root@dlf-docker:/# curl -v https://fzeh01.XXXXXXX.com /
* Trying 108.173.66.19:443...
* TCP_NODELAY set
* Connected to fzeh01.XXXXXXX.com (108.173.66.19) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=fzeh01.XXXXXXX.com
* start date: Aug 28 07:01:44 2023 GMT
* expire date: Nov 26 07:01:43 2023 GMT
* subjectAltName: host "fzeh01.XXXXXXX.com " matched cert's "fzeh01.XXXXXXX.com "
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5648f1f24300)
> GET / HTTP/2
> Host: fzeh01.XXXXXXX.com
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 502
< server: openresty
< date: Tue, 29 Aug 2023 23:45:37 GMT
< content-type: text/html
< content-length: 154
<
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>openresty</center>
</body>
</html>
* Connection #0 to host fzeh01.XXXXXXX.com left intact
Thanks in advance for the help.
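An added triage helper, not part of the original post or of Firezone, that reads curl -v transcripts like the two above (embedded here as constructed, abridged excerpts) and reports which hop failed: a TLS alert from the peer means the listener at 192.168.0.36 refused the handshake before any HTTP request was sent, while a completed handshake followed by a 502 means the reverse proxy was reached fine and failed on its upstream side.

```python
import re

# Constructed excerpts modelled on the two curl -v transcripts in the post
# above (abridged; the redacted hostname is kept as the post shows it).
DIRECT_TO_BACKEND = """\
* Connected to 192.168.0.36 (192.168.0.36) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
"""
VIA_REVERSE_PROXY = """\
* Connected to fzeh01.XXXXXXX.com (108.173.66.19) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* SSL certificate verify ok.
> GET / HTTP/2
< HTTP/2 502
< server: openresty
"""

def triage(transcript: str) -> dict:
    """Work out at which hop and stage a curl -v run failed."""
    f = re.M | re.I
    peer = re.search(r"^\* Connected to (\S+) \(\S+\) port (\d+)", transcript, f)
    alert = re.search(r"^\* TLSv\S+ \(IN\), TLS alert, (.+?) \(\d+\)", transcript, f)
    status = re.search(r"^< HTTP/\S+ (\d{3})", transcript, f)
    server = re.search(r"^< server: (.+?)\s*$", transcript, f)
    r = {
        "peer": f"{peer.group(1)}:{peer.group(2)}" if peer else None,
        "tls_alert": alert.group(1) if alert else None,
        "tls_ok": "SSL connection using" in transcript,
        "http_status": int(status.group(1)) if status else None,
        "server": server.group(1) if server else None,
    }
    if r["tls_alert"]:
        # Peer refused the handshake itself: no HTTP was sent, its TLS config is at fault.
        r["stage"] = "tls_handshake"
        r["hint"] = (f"{r['peer']} sent a '{r['tls_alert']}' alert during the "
                     "handshake; inspect that listener's certificate/key and TLS setup")
    elif r["http_status"] == 502:
        # TLS to the proxy worked; 502 means the proxy could not get a valid upstream reply.
        r["stage"] = "http"
        r["hint"] = (f"{r['server'] or 'proxy'} answered 502: client-side TLS is fine, "
                     "the proxy failed on the hop to its upstream (the Firezone host)")
    else:
        r["stage"] = "http" if r["http_status"] else "unknown"
        r["hint"] = f"HTTP {r['http_status']}" if r["http_status"] else "incomplete transcript"
    return r
```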