Newt/Olm Connection Issues #19

Closed
opened 2025-11-19 07:04:16 -06:00 by GiteaMirror · 1 comment

Originally created by @tullisar on GitHub (Oct 14, 2025).

Describe the Bug

I'm having trouble with connectivity between some of my newt/olm clients, and have exhausted the troubleshooting covered in the docs. I'm not sure if my setup is supported or if I'm doing something else wrong. I have both Newt and Olm running on the same host in Docker containers. Newt is configured to run with --native, and both of the services are running with network_mode = "host". I can see both WG interfaces on the host machine. However, in some cases I can't ping newt sites from an olm client where there is also a newt instance running on the same machine because of IP routing issues that I'm not sure how to solve. My goal was to be able to use olm/newt in this way to be able to connect my host running a particular monitoring service to a remote agent service running on another host.

Example:

Host 1
    Newt IP - 100.90.128.2
    Olm IP - 100.90.128.0
Host 2
    Newt IP - 100.90.128.4
    Olm IP - 100.90.128.6
Host 3
    Newt IP - 100.90.128.1

The sites and clients all show as connected in Pangolin. Each site is configured to allow the respective clients access (and the newt clients are themselves configured to accept clients). However, connection from one host's Olm client to another site seems to depend on how the host routes things. For instance, I can ping 100.90.128.1 from Host 1, but not from Host 2. When pinging from Host 2, I get a destination host unreachable error (since it seems like the ping originates from 100.90.128.4 rather than 100.90.128.6).

Ping from Host 2 -> Host 1

```
$ ping 100.90.128.1
PING 100.90.128.1 (100.90.128.1) 56(84) bytes of data.
From 100.90.128.4 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
```

Olm logs on Host 2

```
olm-1  | 2025-10-14T22:44:00.962945100Z DEBUG: 2025/10/14 15:44:00 Attempting to send monitor packet to 100.90.128.1:54181
olm-1  | 2025-10-14T22:44:00.962962500Z INFO: 2025/10/14 15:44:00 Error sending packet: write udp 100.90.128.4:40769->100.90.128.1:54181: write: required key not available
```

I can confirm that sysctl net.ipv4.ip_forward reports it is enabled. I'm not sure if NAT masquerading is properly enabled though. I ran the command in the guide but noticed that my hosts all use nf_tables under the hood, so when I list the POSTROUTING chain with iptables I see this error:

```
$ sudo iptables -L POSTROUTING
iptables v1.8.7 (nf_tables): chain `POSTROUTING' in table `filter' is incompatible, use 'nft' tool.
```

Is what I'm trying to do possible with Olm/Newt right now?

Environment

  • OS Type & Version: 22.04.5 LTS
  • Pangolin Version: 1.10.3
  • Gerbil Version: 1.2.1
  • Traefik Version: 3.5.3
  • Newt Version: 1.5.2
  • Olm Version: 1.1.4

To Reproduce

  1. Configure Olm/Newt on same host both in host networking mode for multiple sites.
  2. Attempt to ping another site from one client.
  3. Depending on how the ping is routed, it will either fail or work.

Expected Behavior

Reliably connect from an Olm client on a host also running Newt.


@tullisar commented on GitHub (Oct 14, 2025):

The more I think about this, it probably isn't possible - it seems like a source routing issue. I imagine supporting something like this would be better done by allowing Newt sites to be configured to allow connections to other sites with restrictions.
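
As an added example (not part of the original issue, and not code from the Olm or Newt projects), this Python snippet triages Olm log lines in the format quoted above and reports which local tunnel address the kernel chose as the UDP source for each failed send. The address-to-service mapping is taken from the issue's Host 2 entries; the names `triage` and `LOCAL_TUNNEL_ADDRS` and the third sample line are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Host 2 tunnel addresses, taken from the example table in the issue.
LOCAL_TUNNEL_ADDRS = {
    ip_address("100.90.128.4"): "newt",
    ip_address("100.90.128.6"): "olm",
}

# Matches the Go net.OpError text as it appears in the quoted Olm log lines.
SEND_ERR = re.compile(
    r"write udp (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+): "
    r"write: (?P<err>.+)$"
)

def triage(lines, expected="olm"):
    """Return one finding per failed send, naming the owner of the source address."""
    findings = []
    for line in lines:
        m = SEND_ERR.search(line.strip())
        if not m:
            continue  # not a send error (e.g. the DEBUG "Attempting to send" line)
        src = ip_address(m["src"])
        owner = LOCAL_TUNNEL_ADDRS.get(src, "unknown")
        findings.append({
            "src": str(src),
            "dst": m["dst"],
            "source_owner": owner,
            # True when the packet left with another service's tunnel address.
            "wrong_source": owner != expected,
            # ENOKEY: the WireGuard interface the packet was routed to has no
            # peer whose AllowedIPs cover the destination.
            "no_wg_peer_for_dst": m["err"].lower() == "required key not available",
        })
    return findings

SAMPLE = [
    # The first two lines are copied from the issue.
    "olm-1  | 2025-10-14T22:44:00.962945100Z DEBUG: 2025/10/14 15:44:00 Attempting to send monitor packet to 100.90.128.1:54181",
    "olm-1  | 2025-10-14T22:44:00.962962500Z INFO: 2025/10/14 15:44:00 Error sending packet: write udp 100.90.128.4:40769->100.90.128.1:54181: write: required key not available",
    # Constructed line: the same failure, but sourced from the Olm address.
    "olm-1  | 2025-10-14T22:44:05.000000000Z INFO: 2025/10/14 15:44:05 Error sending packet: write udp 100.90.128.6:40770->100.90.128.1:54181: write: required key not available",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with `wrong_source` set means the host's route lookup selected the Newt interface for traffic Olm originated, which matches the `From 100.90.128.4` line in the ping output.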


Reference: github-starred/olm#19