Manage devices at remote site over VPN

Any tips or tricks to get a local controller to manage switches and APs at a remote site over a VPN (not using Route10) ?

When you set up the controller, you were provided 2 DDNS hostnames; one beginning with “local.”

Provided the subnet for the IP that the hostname beginning with “local.” is reachable over the VPN tunnel (and TCP port 443 isn’t blocked in the process), you should be able to provide that hostname to Alta devices and they’ll communicate over the tunnel.

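The pre-flight checks discussed in this thread (the "local." DDNS hostname must resolve to an address inside the subnet carried by the tunnel, TCP 443 must be reachable, and the controller's /api/status should answer {"ok":true}) gathered into one script. This is an added example, not Alta's code: the hostname and the VPN subnet are placeholders, and the "try with and without the local. prefix" loop follows the advice given later in the thread.

```python
# Added pre-flight check for reaching a local Alta controller over a VPN.
# Not Alta's code. Hostname and subnet below are placeholders/constructed.
import ipaddress
import json
import socket
import ssl
import urllib.request


def resolves_into_tunnel(host, vpn_subnet, resolver=socket.gethostbyname):
    """Resolve host and report whether the address lies inside the subnet
    that is routed over the VPN (the condition given in the thread)."""
    addr = resolver(host)
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(vpn_subnet, strict=False)
    return inside, addr


def tcp_443_open(addr, timeout=3.0):
    """Plain TCP connect to port 443; a firewall drop shows up as a timeout,
    a missing route or listener as an immediate error."""
    try:
        with socket.create_connection((addr, 443), timeout=timeout):
            return True
    except OSError:
        return False


def status_ok(body):
    """The controller's /api/status returns {"ok":true} when healthy."""
    try:
        return json.loads(body).get("ok") is True
    except (ValueError, AttributeError):
        return False


def fetch_status(host, timeout=5.0):
    """GET https://<host>/api/status with certificate verification left on,
    so a cert/hostname problem is visible instead of silently ignored."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(f"https://{host}/api/status", timeout=timeout, context=ctx) as r:
        return r.read()


if __name__ == "__main__":
    base = "EXAMPLE.ddns.manage.alta.inc"      # placeholder for the real DDNS name
    vpn_subnet = "192.168.10.0/24"              # constructed: remote site subnet
    for host in ("local." + base, base):        # try with and without the prefix
        inside, addr = resolves_into_tunnel(host, vpn_subnet)
        print(f"{host} -> {addr} inside tunnel subnet: {inside}")
        print("  tcp/443 reachable:", tcp_443_open(addr))
        print("  /api/status ok:", status_ok(fetch_status(host)))
```

If DNS, the subnet check and TCP 443 all pass but the HTTPS fetch stalls or truncates, that points at the tunnel's MTU rather than at reachability.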

I would expect it to be that simple but it has not been my experience so far. I enter the local. address in the AP however it never connects to the on-prem controller at the remote site. All traffic is allowed and DNS resolves correctly, however it never connects and has to be factory reset to re-join the cloud controller.

From that side of the link, can you access the controller with the hostname that starts with “local.” from a computer?

From the AP I can ping the local. address and hit the controller’s page with wget

Did you use http://local. or https://local.?

https

Can you DM me the link that you’re pasting into the device? Emphasis on DM for security purposes.

That URL is good, that’s really weird given you’re able to curl the URL from the AP. What VPN protocol is in use? Maybe it’s MTU related or something like that.

The VPN tunnel is running wireguard via two Firewalla devices in a site-to-site configuration

Rapidly running out of ideas. What are the 2 subnets in play at both sides?

Subnets are different and non-overlapping /24’s on each side

Well, in that case, it’s time to call in the big guns. @Alta-Jeff do you have any insights that might explain why an Alta device won’t talk to a local controller over a VPN tunnel despite being accessible by all accounts, specifically WireGuard S2S (non-Alta if it matters)?

I’d have to look at device and controller logs, to know what’s going on, but the first thing I would do is ssh to the device and see if you can hit https://local…ddns.manage.alta.inc/api/status (with and without the local prefix).

root@<removed>:~# wget https://local.<removed>.ddns.manage.alta.inc/api/status
Downloading 'https://local.<removed>.ddns.manage.alta.inc/api/status'
Connecting to 192.168.<removed>:443
Writing to 'status'
status               100% |*******************************|    11   0:00:00 ETA
Download completed (11 bytes)

root@<removed>:~# vi status
{"ok":true}

Looks like you’re able to reach via local, at least. Can you try this on the AP/switch/router:

  1. /etc/init.d/rc stop
  2. echo https://.ddns.manage.alta.inc >/cfg/domain.txt (yes, without the local; rc will automatically detect whether the local prefix is necessary)
  3. rm /cfg/rcapi.txt
  4. /etc/init.d/rc start

The AP/switch/router should then be able to be controlled by that controller.

Performed those steps on the AP. Now the device is showing ‘disconnected’ on the Cloud Controller and is not showing up as a device to add on the Local Controller.

Browsing to its IP shows this message:

Can you share the controller logs by running journalctl on the controller as root? Would be best in a DM, if possible (or gdrive link, etc.)