write wg exit policy testing steps
This commit is contained in:
@@ -0,0 +1,39 @@
|
||||
import { Tabs } from 'nextra/components';
|
||||
import { Steps } from 'nextra/components';
|
||||
|
||||
import ExitPolicyTestServer from 'components/operators/snippets/wg-exit-policy-testing-from-server.mdx';
|
||||
import ExitPolicyTestOutside from 'components/operators/snippets/wg-exit-policy-testing-from-outside.mdx';
|
||||
|
||||
**For all routing configuration we provide one tool [`network-tunnel-manager.sh` (NTM)](https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/wireguard-exit-policy/wireguard-exit-policy-manager.sh). This tool manages WireGuard tests all configurations, including WireGuard exit policy as well.**
|
||||
|
||||
|
||||
You can use NTM to validate the application of the IP tables routes on your `nym-node` by checking it from the server side as well as from the outside.
|
||||
|
||||
<div>
|
||||
<Tabs items={[
|
||||
<strong>From the server</strong>,
|
||||
<strong>From the outside - using NymVPN</strong>
|
||||
]} defaultIndex={0}>
|
||||
<Tabs.Tab><ExitPolicyTestServer /></Tabs.Tab>
|
||||
<Tabs.Tab><ExitPolicyTestOutside /></Tabs.Tab>
|
||||
</Tabs>
|
||||
</div>
|
||||
|
||||
|
||||
If all works , your node has successfully implemented WireGuard exit policy with the same routing permissions like [Nym exit policy](https://nymtech.net/.wellknown/network-requester/exit-policy.txt) used on 5-hop (Mixnet) for TCP routing.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+22
-2
@@ -1,9 +1,29 @@
|
||||
import { Steps } from 'nextra/components';
|
||||
|
||||
Here are a few ways you can ensre your WireGuard exit policy is working correctly from the outside.
|
||||
|
||||
<Steps>
|
||||
|
||||
###### 1. Using NymVPN
|
||||
|
||||
- Connect to NymVPN and use your node as an Exit Gateway in dVPN (2-hop) mode
|
||||
|
||||
- While connected to NymVPN, navigate to [`portquiz.net:12345`](http://portquiz.net:12345) and see if you can load the page
|
||||
|
||||
- It shouldn't load, but if you navigate to some of the accepted ports, like[`portquiz.net:443`](http://portquiz.net:443) it should all work
|
||||
|
||||
###### 2. Test it from your local terminal
|
||||
|
||||
- Install these dependencies on your local machine:
|
||||
```shell
|
||||
sudo apt install tcpdump
|
||||
|
||||
sudo tcpdump -i nymwg -n
|
||||
```
|
||||
- Connect to [NymVPN](https://nym.com) and select your node as an Exit Gateway (after running the exit policy [manager script](#wireguard-exit-policy-configuration))
|
||||
- Connect to [NymVPN](https://nym.com) and select your node as an Exit Gateway
|
||||
|
||||
- Run the `tcpdump` command before registering
|
||||
- Have the output of the `echo $BLOCKED_IP` from your node and try to go into your browser or a registered client and try to connect - It will not resolve.
|
||||
|
||||
- Have the output of the `echo $BLOCKED_IP` from your node and try to go into your browser or a registered client and try to connect - It should not resolve
|
||||
|
||||
</ Steps>
|
||||
+31
-3
@@ -1,11 +1,39 @@
|
||||
Run this command to define variable `BLOCKED_IP` and try to `ping` it:
|
||||
import { Steps } from 'nextra/components';
|
||||
import { AccordionTemplate } from 'components/accordion-template.tsx';
|
||||
import ExitPolicyTestOutput from 'components/operators/snippets/wg-exit-policy-test-output.mdx';
|
||||
|
||||
|
||||
<Steps>
|
||||
|
||||
###### 1. Make sure to have the latest NTM:
|
||||
```sh
|
||||
curl -L https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/nym-node-setup/network-tunnel-manager.sh -o network-tunnel-manager.sh && \
|
||||
chmod +x network-tunnel-manager.sh && \
|
||||
./network-tunnel-manager.sh --help
|
||||
```
|
||||
|
||||
###### 2. Run tests with NTM
|
||||
```sh
|
||||
./network-tunnel-manager.sh exit_policy_test_connectivity
|
||||
./network-tunnel-manager.sh exit_policy_tests
|
||||
```
|
||||
|
||||
- The output should look like this:
|
||||
<AccordionTemplate name="Cosole output">
|
||||
<ExitPolicyTestOutput />
|
||||
</ AccordionTemplate>
|
||||
|
||||
###### 3. Optionally you can do some manual sanity checks
|
||||
- Run this command to define variable `BLOCKED_IP` and try to `ping` it:
|
||||
```shell
|
||||
BLOCKED_IP=$(grep "ExitPolicy reject" /etc/nym/exit-policy.txt | head -1 | sed -E 's/ExitPolicy reject ([^:]+):.*/\1/' | sed 's/\/.*$//')
|
||||
|
||||
ping -c 3 $BLOCKED_IP
|
||||
```
|
||||
You should see `100% packet loss` as an outcome.
|
||||
- You should see `100% packet loss` as an outcome.
|
||||
```shell
|
||||
telnet $BLOCKED_IP 80
|
||||
```
|
||||
You should see `telnet: Unable to connect to remote host: Connection timed out`.
|
||||
- You should see `telnet: Unable to connect to remote host: Connection timed out`.
|
||||
|
||||
</ Steps>
|
||||
Reference in New Issue
Block a user