I am online, but can't access the resource

# Versions
$ sudo twingate --version
Twingate 2023.250.97595 | 0.149.1
$ uname -a
Linux hostname 6.1.61 #1-NixOS SMP PREEMPT_DYNAMIC Thu Nov  2 08:35:33 UTC 2023 x86_64 GNU/Linux

# Twingate is online
$ sudo twingate status
online

# Resource is visible in the resources list
$ sudo twingate resources -l | grep "\[dev\]RDS"
'[dev]RDS'

# I have no other VPN running
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 4e:40:7d:db:7b:18 brd ff:ff:ff:ff:ff:ff permaddr dc:41:a9:fb:d4:6b
    inet 192.168.88.214/24 brd 192.168.88.255 scope global dynamic noprefixroute wlan0
       valid_lft 570sec preferred_lft 495sec
    inet6 fe80::4c40:7dff:fedb:7b18/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::d84e:7a08:93b1:ee85/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:3c:98:7f:ce brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
8: sdwan0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 100.96.0.2/32 scope global noprefixroute sdwan0
       valid_lft forever preferred_lft forever
    inet6 fe80::8b24:5035:36d9:e199/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
  • I have no access to the resource (every TCP connection to the address fails with TIMEOUT; however, ICMP ECHO works correctly)
  • My device is not visible in activities
  • My colleague has access to the resource, and his device is visible in the activities list
  • dig-ing the address on my laptop and on my colleague's laptop shows different answers

How do I solve this problem? I’ve tried restarting, unplugging and plugging back in, and every other possible trivial solution.

When you dig the resource, are you still getting back a CGNAT IP (100.x.x.x), even if it is different from your colleague's?

; <<>> DiG 9.18.19 <<>> REDACTED
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23936
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
; REDACTED IN A

;; ANSWER SECTION:
REDACTED 3600 IN CNAME OTHER_REDACTED
OTHER_REDACTED 60 IN A 100.0.7.59
OTHER_REDACTED 60 IN A 100.0.9.232

;; Query time: 759 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Dec 05 20:30:57 +04 2023
;; MSG SIZE  rcvd: 209

The response you’re getting back indicates that Twingate is not actively intercepting the lookup request, as that IP is the public IP for that particular hostname/resource.

I am unsure which user account is yours in the tenant so I can’t confirm security group assignments and such, but are you certain you have appropriate/equivalent access to the resource in question?

Can you DM me the full output of twingate resources?

How do I DM here? I know how to do this in other discourse forums, but I can’t find the button in this one

Might just be easier to email me - arthur (at) twingate.com

From a private conversation it turned out that Twingate sets up a local DNS server which overrides all other DNS configurations, basically intercepting all DNS queries. This solution was never intended for setups where a local DNS server is used, since twingated tries to listen on port 53, and this is not configurable.

I’ve disabled the local DNS server and Twingate was able to set itself up properly. However, I do not consider this a solution, since:

  1. I need this local resolver, since I am not using only Twingate. I connect to multiple VPNs from time to time, and this is a requirement of my job, so I don’t want to change my DNS configuration every time I connect to a different VPN.

  2. I do not feel comfortable when a closed-source program collects and reports all of my DNS queries.

  3. I think there can be a better solution where I could just use my local DNS server to redirect resource-specific queries to twingated, just on a different port. But it is not configurable.

Solution

Twingate has DNS servers available in its IP range. I’ve configured my local DNS server to forward requests there and it solved the problem.

These are the servers:

nameserver[0] : 100.95.0.251
nameserver[1] : 100.95.0.252
nameserver[2] : 100.95.0.253
nameserver[3] : 100.95.0.254
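An added check (not from the thread or from Twingate) for the diagnostic used above and for verifying the forwarding fix: an answer that Twingate's resolver intercepted lands in the CGNAT block 100.64.0.0/10 (RFC 6598), whereas 100.0.7.59 from the dig output only starts with "100." and is an ordinary public address. The script classifies dig-style A records; the sample lines are constructed from the answers and the sdwan0 address shown earlier, and the name `tg.example.internal` is a placeholder.

```shell
#!/bin/sh
# Classify dig A-record answers as CGNAT (100.64.0.0/10) or public.
# A "100.x.x.x" heuristic is too loose: only 100.64.0.0 - 100.127.255.255
# is the shared address space Twingate hands out for intercepted names.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cgnat ADDR -> exit status 0 if ADDR is inside 100.64.0.0/10, else 1
in_cgnat() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int 100.64.0.0)
    mask=$(( 1023 << 22 ))          # /10 netmask, 0xFFC00000
    [ $(( addr & mask )) -eq "$net" ]
}

# classify_answers: reads dig ANSWER SECTION lines on stdin and prints
# "<ip> cgnat" or "<ip> public" for every A record, skipping CNAMEs etc.
classify_answers() {
    while read -r name ttl class type rdata; do
        [ "$type" = "A" ] || continue
        if in_cgnat "$rdata"; then
            echo "$rdata cgnat"
        else
            echo "$rdata public"
        fi
    done
}

# Constructed sample: the two A records from the dig output in the thread,
# plus the address the sdwan0 interface holds in the ip a listing.
SAMPLE='OTHER_REDACTED 60 IN A 100.0.7.59
OTHER_REDACTED 60 IN A 100.0.9.232
tg.example.internal 60 IN A 100.96.0.2'

# Pipe real output in with: dig +noall +answer RESOURCE | classify_answers
printf '%s\n' "$SAMPLE" | classify_answers
```

After the local resolver forwards the resource zone to 100.95.0.251-254, the resource's A answer should classify as cgnat; if it still comes back public, the query is bypassing twingated.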