Accessing multiple machines from one network

Hi all,
I have a problem figuring out my problem. So I have multiple machines inside a VMware ESXi host, and I want to access them from another computer outside of my network. I'm using MikroTik (just for extra information). If I set the worker in one of my machines, call it machine A, using the public address of my MikroTik, how can I access my other machine, for example machine B (using the same public address)? Is there any idea how to solve this?

What you would want to do is have a worker sitting in your VMware environment that registers with a control plane where you can access both the control plane and that worker’s proxy port (9202 by default) from outside the virtual environment. Then you can register the target VMs with their vNet addresses inside the ESXi environment and the worker proxies the connections for you. Then set tags in the worker config and use those tags to create a worker filter for the targets so only that worker (or other workers you set up similarly) will be used to connect to those targets.

If you’re using HCP Boundary, the control plane and a set of workers is hosted by HashiCorp and you can use multi-hop workers to do this, which makes it a lot easier as you can use those HCP-hosted workers as the multi-hop ingress without setting up a bunch of virtual routing and port-forwarding just to make it work.

Thanks for the answer, it really helps me understand a few things. I tried the HCP Boundary one first but I'm kind of confused. HCP Boundary provided me with 2 workers and I chose the first one as the initial upstream for my target. This is the config of the PKI worker inside the Ubuntu machine in VMware ESXi:

disable_mlock = true

listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"
}

worker {
  initial_upstreams = ["X.proxy.boundary.hashicorp.cloud:9202"]
  auth_storage_path = "/home/X/Boundary/worker2"
  tags {
        type = ["downstream"]
  }
}

This is what I get after inserting the token into HCP Boundary:

Is there anything wrong with it?

For HCP Boundary, you’ll want to use hcp_boundary_cluster_id instead of initial_upstreams. You can get the cluster ID from the info page for your cluster in HCP – it’s also the first part of the Boundary cluster’s admin URL (it looks like xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).

There’s an HCP self-managed worker tutorial that walks you through PKI worker setup – it uses an AWS instance as the Boundary worker, but the general flow of installing and configuring the worker is the same regardless of environment. Just make sure your clients can get to port 9202 on the worker inside your ESXi server.

Thanks for the reply, but I got this error message when following the tutorial:

Error starting worker: worker.(Worker).Start: error making controller connections: worker.(Worker).StartControllerConnections: no initial upstream addresses found: parameter violation: error #100

This is the config of the PKI worker:

disable_mlock = true

hcp_boundary_cluster_id = "xxx-xxx-xxx"

listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"
}

worker {
  auth_storage_path = "/home/X/Boundary/worker1"
  tags {
    type = ["worker1", "upstream"]
  }
}

Aha, I think you’re using the open-source binary for your worker and you need to use the Enterprise binary – if you’re installing from DEB packages, it’s called boundary-enterprise (I think the name is the same in the RPM repo, but I’m on Ubuntu so I don’t know for certain); if you’re downloading the binary directly from releases.hashicorp.com, it’s the boundary version tagged with +ent (latest version is in Boundary v0.13.1+ent Binaries | HashiCorp Releases).


I see, thanks for the help. I managed to run it, but I got a problem when trying to set up a credential store using Vault. My Vault is in an OpenStack environment and has the public IP x.x.x.x. When I tried to insert it into Boundary I got this error:
The address that I use for it is http://x.x.x.x:8200. How can I fix this? Do I need a worker running on it?

The problem you are facing is that you are trying to access two machines on the same network from a machine outside of that network. This is not possible without some kind of routing or NAT configuration.

In your case, you can use your Mikrotik router to configure port forwarding. This will allow you to access machine B from outside of your network by using the public IP address of your Mikrotik router.
Regards, Softkeybox

Thanks for the answer. The problem that I'm facing is that if I use the public IP of my MikroTik in machine A, I can't access anything from machine B even though I have already set the public IP address and port forwarding. I tried to specify the port and it doesn't show anything (I just made a simple "hello world" web page and a "hello friend" web page); if I don't specify the port, only the first one can be accessed, and the other one results in ERR_CONNECTION_RESET.

If the Vault instance has a public IP that the HCP control plane can reach then you don’t need a private-Vault worker, but if that “public” IP is still on a private subnet or behind a firewall then you would.

Sorry, maybe this is outside of this topic's discussion, but I can't establish a connection between my Kali Linux and the Boundary console; I get this error:

{"@level":"error","@message":"event.WriteError: event.(Eventer).writeError: event.(Eventer).retrySend: failed to send event: 2 errors occurred:\n\t* event.(Eventer).retrySend: event not processed by enough 'filter' and 'sink' nodes\n\t* context deadline exceeded\n\n","@timestamp":"2023-08-16T10:25:15.869826+07:00"}
{"@level":"error","@message":"event.WriteError: unable to write error: (nodeenrollment.protocol.Dial) unable to dial to server: (nodeenrollment.protocol.Dial) unable to dial to server: dial tcp: lookup 7527a139-3b7d-431c-9af6-579ba36ed920.proxy.boundary.hashicorp.cloud: i/o timeout","@timestamp":"2023-08-16T10:25:15.869856+07:00"}
{"id":"dsYtq6W1Hh","source":"https://hashicorp.com/boundary/alpha/worker","specversion":"1.0","type":"error","data":{"error":"worker.(Worker).upstreamDialerFunc: unknown, unknown: error #0: (nodeenrollment.protocol.Dial) unable to dial to server: (nodeenrollment.protocol.Dial) unable to dial to server: dial tcp: lookup 7527a139-3b7d-431c-9af6-579ba36ed920.proxy.boundary.hashicorp.cloud: i/o timeout","error_fields":{"Code":0,"Msg":"","Op":"worker.(Worker).upstreamDialerFunc","Wrapped":{}},"id":"e_tK5frbFWLh","version":"v0.1","op":"worker.(Worker).upstreamDialerFunc"},"datacontentype":"application/cloudevents","time":"2023-08-16T10:25:15.869910022+07:00"}
{"id":"Q7zgFswHgV","source":"https://hashicorp.com/boundary/alpha/worker","specversion":"1.0","type":"error","data":{"error":"(nodeenrollment.protocol.Dial) unable to dial to server: (nodeenrollment.protocol.Dial) unable to dial to server: dial tcp: lookup 7527a139-3b7d-431c-9af6-579ba36ed920.proxy.boundary.hashicorp.cloud: i/o timeout","error_fields":{},"id":"e_RuLzPCvu3A","version":"v0.1","op":"worker.(Worker).upstreamDialerFunc"},"datacontentype":"application/cloudevents","time":"2023-08-16T10:25:15.869700965+07:00"}
{"@level":"error","@message":"encountered an error sending an error event","@timestamp":"2023-08-16T10:25:21.884712+07:00","error:":"event.(Eventer).retrySend: failed to send event: 2 errors occurred:\n\t* event.(Eventer).retrySend: event not processed by enough 'filter' and 'sink' nodes\n\t* context deadline exceeded\n\n"}
{"@level":"error","@message":"event.WriteError: event.(Eventer).writeError: event.(Eventer).retrySend: failed to send event: 2 errors occurred:\n\t* event.(Eventer).retrySend: event not processed by enough 'filter' and 'sink' nodes\n\t* context deadline exceeded\n\n","@timestamp":"2023-08-16T10:25:21.884900+07:00"}
{"@level":"error","@message":"event.WriteError: unable to write error: (nodeenrollment.protocol.Dial) unable to dial to server: (nodeenrollment.protocol.Dial) unable to dial to server: dial tcp: lookup 7527a139-3b7d-431c-9af6-579ba36ed920.proxy.boundary.hashicorp.cloud: i/o timeout","@timestamp":"2023-08-16T10:25:21.884931+07:00"}
{"id":"fNeH1Nq4VQ","source":"https://hashicorp.com/boundary/alpha/worker","specversion":"1.0","type":"error","data":{"error":"(nodeenrollment.protocol.Dial) unable to dial to server: (nodeenrollment.protocol.Dial) unable to dial to server: dial tcp: lookup 7527a139-3b7d-431c-9af6-579ba36ed920.proxy.boundary.hashicorp.cloud: i/o timeout","error_fields":{},"id":"e_qNDkp8Rblc","version":"v0.1","op":"worker.(Worker).upstreamDialerFunc"},"datacontentype":"application/cloudevents","time":"2023-08-16T10:25:21.884676644+07:00"}
{"id":"SytZxVTTOw","source":"https://hashicorp.com/boundary/alpha/worker","specversion":"1.0","type":"error","data":{"error":"worker.(Worker).upstreamDialerFunc: unknown, unknown: error #0: (nodeenrollment.protocol.Dial) unable to dial to server: (nodeenrollment.protocol.Dial) unable to dial to server: dial tcp: lookup 7527a139-3b7d-431c-9af6-579ba36ed920.proxy.boundary.hashicorp.cloud: i/o timeout","error_fields":{"Code":0,"Msg":"","Op":"worker.(Worker).upstreamDialerFunc","Wrapped":{}},"id":"e_StLFf2sULf","version":"v0.1","op":"worker.(Worker).upstreamDialerFunc"},"datacontentype":"application/cloudevents","time":"2023-08-16T10:25:21.884964295+07:00"}
{"@level":"error","@message":"encountered an error sending an error event","@timestamp":"2023-08-16T10:25:28.370404+07:00","error:":"event.(Eventer).retrySend: failed to send event: 2 errors occurred:\n\t* event.(Eventer).retrySend: event not processed by enough 'filter' and 'sink' nodes\n\t* context deadline exceeded\n\n"}
{"@level":"error","@message":"event.WriteError: event.(Eventer).writeError: event.(Eventer).retrySend: failed to send event: 2 errors occurred:\n\t* event.(Eventer).retrySend: event not processed by enough 'filter' and 'sink' nodes\n\t* context deadline exceeded\n\n","@timestamp":"2023-08-16T10:25:28.370451+07:00"}
{"@level":"error","@message":"event.WriteError: unable to write error: (nodeenrollment.protocol.Dial) unable to dial to server: (nodeenrollment.protocol.Dial) unable to dial to server: dial tcp: lookup 7527a139-3b7d-431c-9af6-579ba36ed920.proxy.boundary.hashicorp.cloud: i/o timeout","@timestamp":"2023-08-16T10:25:28.370667+07:00"}
{"id":"V6W0MdcrzN","source":"https://hashicorp.com/boundary/alpha/worker","specversion":"1.0","type":"error","data":{"error":"worker.(Worker).upstreamDialerFunc: unknown, unknown: error #0: (nodeenrollment.protocol.Dial) unable to dial to server: (nodeenrollment.protocol.Dial) unable to dial to server: dial tcp: lookup 7527a139-3b7d-431c-9af6-579ba36ed920.proxy.boundary.hashicorp.cloud: i/o timeout","error_fields":{"Code":0,"Msg":"","Op":"worker.(Worker).upstreamDialerFunc","Wrapped":{}},"id":"e_HuS9JETN2G","version":"v0.1","op":"worker.(Worker).upstreamDialerFunc"},"datacontentype":"application/cloudevents","time":"2023-08-16T10:25:28.370872917+07:00"}
{"id":"6J6EqAnnIx","source":"https://hashicorp.com/boundary/alpha/worker","specversion":"1.0","type":"error","data":{"error":"(nodeenrollment.protocol.Dial) unable to dial to server: (nodeenrollment.protocol.Dial) unable to dial to server: dial tcp: lookup 7527a139-3b7d-431c-9af6-579ba36ed920.proxy.boundary.hashicorp.cloud: i/o timeout","error_fields":{},"id":"e_UeJ2C8vxEm","version":"v0.1","op":"worker.(Worker).upstreamDialerFunc"},"datacontentype":"application/cloudevents","time":"2023-08-16T10:25:28.370353464+07:00"}
{"@level":"error","@message":"encountered an error sending an error event","@timestamp":"2023-08-16T10:25:34.635825+07:00","error:":"event.(Eventer).retrySend: failed to send event: 2 errors occurred:\n\t* event.(Eventer).retrySend: event not processed by enough 'filter' and 'sink' nodes\n\t* context deadline exceeded\n\n"}
{"@level":"error","@message":"event.WriteError: event.(Eventer).writeError: event.(Eventer).retrySend: failed to send event: 2 errors occurred:\n\t* event.(Eventer).retrySend: event not processed by enough 'filter' and 'sink' nodes\n\t* context deadline exceeded\n\n","@timestamp":"2023-08-16T10:25:34.635885+07:00"}
{"@level":"error","@message":"event.WriteError: unable to write error: (nodeenrollment.protocol.Dial) unable to dial to server: (nodeenrollment.protocol.Dial) unable to dial to server: dial tcp: lookup 7527a139-3b7d-431c-9af6-579ba36ed920.proxy.boundary.hashicorp.cloud: i/o timeout","@timestamp":"2023-08-16T10:25:34.635928+07:00"}
{"id":"JZZ1ulAmuj","source":"https://hashicorp.com/boundary/alpha/worker","specversion":"1.0","type":"error","data":{"error":"worker.(Worker).upstreamDialerFunc: unknown, unknown: error #0: (nodeenrollment.protocol.Dial) unable to dial to server: (nodeenrollment.protocol.Dial) unable to dial to server: dial tcp: lookup 7527a139-3b7d-431c-9af6-579ba36ed920.proxy.boundary.hashicorp.cloud: i/o timeout","error_fields":{"Code":0,"Msg":"","Op":"worker.(Worker).upstreamDialerFunc","Wrapped":{}},"id":"e_Yqbir9vptP","version":"v0.1","op":"worker.(Worker).upstreamDialerFunc"},"datacontentype":"application/cloudevents","time":"2023-08-16T10:25:34.635990945+07:00"}
{"id":"L495J6SfMI","source":"https://hashicorp.com/boundary/alpha/worker","specversion":"1.0","type":"error","data":{"error":"(nodeenrollment.protocol.Dial) unable to dial to server: (nodeenrollment.protocol.Dial) unable to dial to server: dial tcp: lookup 7527a139-3b7d-431c-9af6-579ba36ed920.proxy.boundary.hashicorp.cloud: i/o timeout","error_fields":{},"id":"e_c6DE9JxwLZ","version":"v0.1","op":"worker.(Worker).upstreamDialerFunc"},"datacontentype":"application/cloudevents","time":"2023-08-16T10:25:34.635778475+07:00"}

What is the problem with the worker?

Judging by this:

…it looks like your worker can’t contact HCP Boundary. Does the worker have outbound access to your HCP Boundary cluster?

In my MikroTik firewall rules there is none blocking outbound connections to the HCP Boundary cluster. It should have outbound access to the HCP Boundary cluster. I don't know what's wrong with it; can you help me?

It could be a DNS issue. If you log into a shell on that VM, are you able to resolve the hostname 7527a139-3b7d-431c-9af6-579ba36ed920.proxy.boundary.hashicorp.cloud?

I tried to ping it and didn't get any reply.

Did the hostname resolve when you pinged it?

Nope. I tried using
nc -w 3 -z 71279ad8-7778-78cd-0a60-a9fa7bbd3681.proxy.boundary.hashicorp.cloud 9202 and echo $?
Sometimes it results in 0, sometimes it results in 1.
Right now the situation is that I'm using ingress and egress workers. I managed to make all the workers work, but when I tried it in Boundary Desktop and connected to it, it produced the error "connection reset by peer" (computer in the same network), but when I try it from a computer outside the network it says "connection reset by host". I can't find the source of the problem.
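A check that covers both the DNS question above and the intermittent `nc` result, as an added example that is not part of the original thread: it repeats the resolve-then-connect probe several times against the HCP proxy hostname on port 9202 and classifies the whole run, so a worker that fails only at name lookup (the `lookup ...: i/o timeout` in the worker log above) is told apart from one whose TCP path is dropped by a firewall or NAT rule. The hostname is a placeholder to replace with your own cluster's proxy address; `probe_once` and `probe_loop` need network access, while `classify` is a pure function over the probe results and can be tried offline.

```sh
#!/bin/sh
# Added example (not from the original thread): probe a Boundary upstream
# repeatedly and classify the failure mode. Placeholder hostname below;
# override with UPSTREAM_HOST / UPSTREAM_PORT in the environment.

UPSTREAM_HOST="${UPSTREAM_HOST:-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.proxy.boundary.hashicorp.cloud}"
UPSTREAM_PORT="${UPSTREAM_PORT:-9202}"

# probe_once HOST PORT -> prints one of: ok, dns, tcp
# "dns": the name did not resolve (the worker log's "lookup ...: i/o timeout")
# "tcp": it resolved, but nothing answered on the proxy port within 3 seconds
probe_once() {
  if ! getent ahosts "$1" >/dev/null 2>&1; then
    echo dns
  elif nc -w 3 -z "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo tcp
  fi
}

# classify RESULT... -> one word summarising a run of probe_once results.
# Pure shell arithmetic over its arguments, so it can be exercised offline.
classify() {
  ok=0; dns=0; total=0
  for r in "$@"; do
    total=$((total + 1))
    case "$r" in
      ok)  ok=$((ok + 1)) ;;
      dns) dns=$((dns + 1)) ;;
    esac
  done
  if   [ "$total" -eq 0 ];       then echo no-data
  elif [ "$ok" -eq "$total" ];   then echo healthy      # every probe connected
  elif [ "$dns" -eq "$total" ];  then echo dns-down     # never resolved: look at the VM's resolver first
  elif [ "$ok" -eq 0 ];          then echo unreachable  # resolved at least once but never connected
  elif [ "$dns" -gt 0 ];         then echo flaky-dns    # "sometimes 0, sometimes 1" with lookup failures mixed in
  else                                echo flaky-tcp    # resolves fine, TCP intermittently dropped (firewall/NAT)
  fi
}

# probe_loop HOST PORT [COUNT] -> runs COUNT probes one second apart, prints the class
probe_loop() {
  n=${3:-10}; i=0; results=""
  while [ "$i" -lt "$n" ]; do
    results="$results $(probe_once "$1" "$2")"
    i=$((i + 1))
    [ "$i" -lt "$n" ] && sleep 1
  done
  # word-split intentionally: each probe result becomes one argument
  # shellcheck disable=SC2086
  classify $results
}

# Only touch the network when asked to, e.g.:  sh probe.sh run
if [ "${1:-}" = "run" ]; then
  echo "$UPSTREAM_HOST:$UPSTREAM_PORT -> $(probe_loop "$UPSTREAM_HOST" "$UPSTREAM_PORT" 10)"
fi
```

Run it from a shell on the worker VM itself, not from your workstation, since the question is whether that VM's resolver and egress path reach the HCP proxy. A `dns-down` or `flaky-dns` result points at the VM's DNS configuration or a filter on outbound UDP/TCP 53, whereas `flaky-tcp` or `unreachable` with working resolution points at a firewall or NAT rule on the path to port 9202.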

Update: I managed to fix it by changing some firewall rules. I have a new question: when accessing the target machine by SSH, is it normal that there is a typing delay of 2-3 seconds? Does this occur because of a poor connection or something else?

Late to this thread here, but is this delay in accessing your target noticed in the Desktop client or via the CLI?