michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
63799a7655f42ba97e7da30f68292d277ad82f9a
michaelschiemer/docs/deployment/WIREGUARD-DNS-FIX-IMPLEMENTED.md
Michael Schiemer 3ed2685e74 feat: add comprehensive framework features and deployment improvements 
Major additions:
- Storage abstraction layer with filesystem and in-memory implementations
- Gitea API integration with MCP tools for repository management
- Console dialog mode with interactive command execution
- WireGuard VPN DNS fix implementation and documentation
- HTTP client streaming response support
- Router generic result type
- Parameter type validator for framework core

Framework enhancements:
- Console command registry improvements
- Console dialog components
- Method signature analyzer updates
- Route mapper refinements
- MCP server and tool mapper updates
- Queue job chain and dependency commands
- Discovery tokenizer improvements

Infrastructure:
- Deployment architecture documentation
- Ansible playbook updates for WireGuard client regeneration
- Production environment configuration updates
- Docker Compose local configuration updates
- Remove obsolete docker-compose.yml (replaced by environment-specific configs)

Documentation:
- PERMISSIONS.md for access control guidelines
- WireGuard DNS fix implementation details
- Console dialog mode usage guide
- Deployment architecture overview

Testing:
- Multi-purpose attribute tests
- Gitea Actions integration tests (typed and untyped)
2025-11-04 20:39:48 +01:00

284 lines
7.1 KiB
Markdown
Raw Blame History

# WireGuard DNS Fix - Implementation Status
**Status**: ✅ Phase 1 COMPLETED - DNS Configuration Added
**Datum**: 2025-01-29
**Implementiert**: DNS-Konfiguration in Ansible Variables
## Was wurde geändert?
### 1. Ansible Group Variables Update
**Datei**: `deployment/ansible/group_vars/production.yml`
**Änderung**:
```yaml
# WireGuard DNS Configuration
# DNS server for VPN clients (points to VPN server IP)
# This ensures internal services are resolved to VPN IPs
wireguard_dns_servers:
- "{{ wireguard_server_ip_default }}"
```
**Effekt**:
- Template `wireguard-client.conf.j2` wird jetzt `DNS = 10.8.0.1` in Client-Configs generieren
- Die `{% if wireguard_dns_servers | length > 0 %}` Bedingung im Template wird jetzt TRUE
- Alle neu generierten Client-Configs enthalten DNS-Konfiguration
## Wie funktioniert es?
### Template Logic (bereits vorhanden)
```jinja2
{% if wireguard_dns_servers | length > 0 %}
# DNS servers provided via Ansible (optional)
DNS = {{ wireguard_dns_servers | join(', ') }}
{% endif %}
```
### Generated Client Config (nach Regenerierung)
```ini
[Interface]
PrivateKey = <client_private_key>
Address = 10.8.0.7/24
DNS = 10.8.0.1 # ← JETZT ENTHALTEN!
[Peer]
PublicKey = <server_public_key>
Endpoint = michaelschiemer.de:51820
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25
```
## Erwartetes Verhalten
### DNS Resolution (Windows Client)
```powershell
# Nach Import der neuen Config:
Get-DnsClientServerAddress | Where-Object {$_.InterfaceAlias -like "*WireGuard*"}
# Expected Output:
InterfaceAlias : WireGuard Tunnel wg0
ServerAddresses : {10.8.0.1} # ← VPN DNS Server
```
### Service Resolution
```powershell
Resolve-DnsName grafana.michaelschiemer.de
# Expected Output:
Name Type TTL Section IPAddress
---- ---- --- ------- ---------
grafana.michaelschiemer.de A 300 Answer 10.8.0.1 # ← VPN IP statt Public IP!
```
### HTTP Traffic Routing
```bash
# Traefik Access Log (Server-Side):
# VORHER (ohne DNS):
89.246.96.244 - - [Date] "GET /grafana HTTP/2.0" 404
↑ Public IP (FALSCH)
# NACHHER (mit DNS):
10.8.0.5 - - [Date] "GET /grafana HTTP/2.0" 200
↑ VPN IP (KORREKT)
```
## Nächste Schritte (PENDING)
### Phase 2: Client Config Regenerierung
**Für Windows Client "mikepc"**:
```bash
cd ~/dev/michaelschiemer/deployment/ansible
ansible-playbook -i inventory/production.yml \
playbooks/regenerate-wireguard-client.yml \
-e "client_name=mikepc" \
-e "client_ip=10.8.0.5"
```
**Output**:
- Backup: `mikepc.conf.backup-<timestamp>`
- Neue Config: `deployment/ansible/wireguard-clients/mikepc.conf`
- QR Code: `deployment/ansible/wireguard-clients/mikepc.png`
### Phase 3: Docker Container Test (OPTIONAL)
Teste VPN-Funktionalität in isolierter Umgebung:
```bash
ansible-playbook -i inventory/production.yml \
playbooks/test-wireguard-docker-container.yml \
-e "client_name=mikepc"
```
**Verifizierung**:
```bash
# Ping Test
docker exec wireguard-test-mikepc ping -c 4 10.8.0.1
# DNS Test
docker exec wireguard-test-mikepc nslookup grafana.michaelschiemer.de 10.8.0.1
# HTTP Test
docker exec wireguard-test-mikepc curl -v https://grafana.michaelschiemer.de
```
### Phase 4: Windows Client Import
1. **WireGuard Application öffnen**
2. **Tunnel "wg0" deaktivieren** (falls aktiv)
3. **Tunnel "wg0" löschen** (alte Config entfernen)
4. **Neue Config importieren**:
- "Add Tunnel" → "Import from file"
- Datei: `deployment/ansible/wireguard-clients/mikepc.conf`
5. **Tunnel "wg0" aktivieren**
### Phase 5: Verification (Windows)
**DNS Check**:
```powershell
Get-DnsClientServerAddress | Where-Object {$_.InterfaceAlias -like "*WireGuard*"}
# Expected: ServerAddresses = {10.8.0.1}
Resolve-DnsName grafana.michaelschiemer.de
# Expected: IPAddress = 10.8.0.1
```
**Browser Test**:
```
https://grafana.michaelschiemer.de
Expected: Grafana Dashboard OHNE 404 Error
```
**Server-Side Verification**:
```bash
# Traefik Access Log
ssh deploy@michaelschiemer.de
docker logs traefik --tail 50 | grep grafana
# Expected:
# 10.8.0.5 - - [Date] "GET /grafana HTTP/2.0" 200
# ↑ VPN IP statt Public IP!
```
## Troubleshooting
### Problem: DNS Still Not Working
**Check 1: Verify Config Contains DNS Line**
```powershell
Get-Content "C:\Path\To\mikepc.conf" | Select-String -Pattern "DNS"
# Expected:
DNS = 10.8.0.1
```
**Check 2: Verify Windows Uses VPN DNS**
```powershell
Get-DnsClientServerAddress | Format-Table InterfaceAlias, ServerAddresses
# WireGuard Interface should show 10.8.0.1
```
**Check 3: Flush DNS Cache**
```powershell
ipconfig /flushdns
Clear-DnsClientCache
```
### Problem: VPN Connects But Still Uses Public IP
**Check 1: Verify Routes**
```powershell
Get-NetRoute | Where-Object {$_.DestinationPrefix -eq "10.8.0.0/24"}
# Should exist with WireGuard interface
```
**Check 2: Test DNS Resolution**
```powershell
Resolve-DnsName grafana.michaelschiemer.de -Server 10.8.0.1
# Direct query to VPN DNS should work
```
### Problem: Cannot Reach grafana.michaelschiemer.de
**Check 1: CoreDNS on Server**
```bash
ssh deploy@michaelschiemer.de
docker ps | grep coredns
docker logs coredns
```
**Check 2: Traefik Configuration**
```bash
docker logs traefik | grep grafana
# Check for middleware configuration
```
## Rollback Plan
Falls Probleme auftreten:
### Rollback Client Config
```bash
# Restore backup on server
ssh deploy@michaelschiemer.de
cd /etc/wireguard/clients
cp mikepc.conf.backup-<timestamp> mikepc.conf
# Re-import on Windows
```
### Rollback Ansible Variables
```bash
git diff deployment/ansible/group_vars/production.yml
git checkout deployment/ansible/group_vars/production.yml
```
## Success Criteria
**DNS Configuration Added**: Ansible variables updated
**Client Config Regenerated**: PENDING
**Windows Client Import**: PENDING
**DNS Resolution Working**: PENDING
**HTTP/HTTPS via VPN**: PENDING
**Traefik Shows VPN IP**: PENDING
## Alternative Options (If DNS Fix Fails)
### Option B: Full Tunnel VPN
```yaml
# AllowedIPs = 0.0.0.0/0 statt 10.8.0.0/24
# Routes ALL traffic through VPN
```
### Option C: Alternative VPN Software
- OpenVPN (bewährt, stabil)
- Tailscale (managed, einfach)
- ZeroTier (mesh network)
## Referenzen
- **Implementation Plan**: `WIREGUARD-IMPLEMENTATION-PLAN.md`
- **Original Analysis**: `WIREGUARD-WINDOWS-ROUTING-FINAL-ANALYSIS.md`
- **DNS Solution**: `WIREGUARD-WINDOWS-DNS-FIX.md`
- **Template**: `deployment/ansible/templates/wireguard-client.conf.j2`
- **Variables**: `deployment/ansible/group_vars/production.yml`
## Notes
**Warum DNS-Konfiguration fehlt**:
- Template hatte bereits Unterstützung via `{% if wireguard_dns_servers | length > 0 %}`
- Variable `wireguard_dns_servers` fehlte in group_vars
- Jetzt gesetzt auf `["{{ wireguard_server_ip_default }}"]``["10.8.0.1"]`
**Erwarteter Effekt**:
- Alle neuen Client-Configs enthalten `DNS = 10.8.0.1`
- Windows nutzt VPN-DNS für Namensauflösung
- Interne Services (grafana.michaelschiemer.de) werden zu VPN-IP (10.8.0.1) aufgelöst
- HTTP/HTTPS Traffic geht über VPN statt Public Interface
**Nächster kritischer Schritt**:
Client Config für "mikepc" regenerieren und auf Windows importieren
Reference in New Issue View Git Blame Copy Permalink