integration with ngrok requiring plan with IP restrictions (i.e. Pro or Enterprise)

Resolved Implemented


Hello,

DVLS gateway will not start the ngrok TCP agent, and the log file says it is because the ngrok 'account is not authorized for IP restrictions'. I'm using the 'personal' paid subscription account, which doesn't include the IP restrictions feature, and have no other need for this feature beyond being able to use RDM with the gateway, as RDP connections from RDM do not work without the gateway supporting TCP connections.

Seems like DVLS gateway is starting the ngrok agent with the 'allow-cidr' parameter (https://ngrok.com/docs/http/ip-restrictions/), but this is redundant if the "AllowCidrs" value in the gateway.json file is simply 0.0.0.0/0, and has the undesirable side effect of requiring a more expensive ngrok subscription.

Could you make DVLS gateway work without requiring an ngrok plan that includes the 'ip restrictions' feature pls? I imagine this would be as simple as excluding the allow-cidr parameter when starting the ngrok agent whenever the value of "AllowCidrs" in the gateway.json file is 0.0.0.0/0.

Please let me know if you would like any additional info.

Thanks
Joe


All Comments (6)


Hello,

Thank you for opening this thread.

This is a known issue that we can't easily fix by simply removing the parameter from the default configuration.
When a subscription is authorized for IP restrictions, the configuration must include either "AllowCidrs" or "DenyCidrs"; otherwise, the ngrok server will reject the tunnel. Conversely, if the subscription plan does not include this feature, these fields must not be provided, as you noted.
This creates a contradiction, and we can't predict whether to include "AllowCidrs" by default or not.
(Ideally, the ngrok server would allow premium plans to not include the "AllowCidrs" or "DenyCidrs" parameters at all and assume the "0.0.0.0/0" allow CIDR by default, but I understand it was not okay on their side.)

However, we have implemented a workaround where the tunnel is automatically reopened without the IP restriction parameters when we detect the "account is not authorized for IP restrictions" error. This should ensure a smooth experience.

This patch is part of v2024.1.0 and newer versions:
https://github.com/Devolutions/devolutions-gateway/blob/master/CHANGELOG.md#202410-2024-02-26

Can you confirm that you are using a recent version of the Devolutions Gateway?

If the error persists even with one of the latest versions, can you send us the service logs?
If everything is working as expected, you should see the following INFO-level trace:

Detected a ngrok free plan subscription. IP restriction rules are disabled.


Thank you.
Best regards,

Benoit Cortier


Hi Benoit,

Thanks for your assistance with this. I have updated to the latest version, 2024.2.1, but the issue persists. Log file contents are below.

Pls let me know if you would like more info.

Joe

2024-06-06T17:21:35.403518Z INFO devolutions_gateway::service: version="2024.2.1"
2024-06-06T17:21:35.403919Z INFO devolutions_gateway::service: JRL file doesn't exist (path: C:\ProgramData\Devolutions\Gateway\jrl.json). Starting with an empty JRL (JWT Revocation List).
2024-06-06T17:21:35.403965Z INFO devolutions_gateway::ngrok: Connecting to ngrok service
2024-06-06T17:21:35.696775Z INFO devolutions_gateway::ngrok: Detected a ngrok free plan subscription. IP restriction rules are disabled.
2024-06-06T17:21:35.696861Z INFO devolutions_gateway: devolutions-gateway service started
2024-06-06T17:21:35.696913Z INFO devolutions_gateway::ngrok: Open ngrok tunnel… name="http-endpoint"
2024-06-06T17:21:35.696915Z INFO devolutions_gateway::ngrok: Open ngrok tunnel… name="tcp-endpoint"
2024-06-06T17:21:35.835254Z INFO devolutions_gateway::ngrok: HTTP ngrok tunnel started url="https://devolutionsgateway.domain.com"
2024-06-06T17:21:35.938664Z ERROR devolutions_gateway::service: A task failed error="TCP tunnel listen: rpc error response:\nYour account is not authorized to use ip restrictions.\nUpgrade to a Pro or Enterprise plan at: https://dashboard.ngrok.com/billing/subscription\n\nERR_NGROK_ERR_NGROK_9017"
2024-06-06T17:22:06.180916Z INFO ngrok_http{client=1.2.3.4:56119}:request{method=GET path=/jet/diagnostics/clock}: devolutions_gateway::middleware::log: duration=33.9µs status=200 OK
2024-06-06T17:22:23.036123Z INFO ngrok_http{client=1.2.3.4:56134}:request{method=GET path=/jet/rdp}: devolutions_gateway::middleware::log: duration=78.8µs status=101 Switching Protocols
2024-06-06T17:22:23.160344Z INFO ngrok_http{client=1.2.3.4:56134}:request{method=GET path=/jet/rdp}:fwd{session_id="e4c6c7d3-d59e-4eec-b76e-6ae201e6d4a6" session_id="e4c6c7d3-d59e-4eec-b76e-6ae201e6d4a6" target="tcp://10.1.1.80:3389" target="tcp://10.1.1.80:3389"}: devolutions_gateway::rdp_extension: RDP-TLS forwarding


Hello Joe,

Thank you for sending me these logs. I found out why the fallback mechanism didn’t take effect in your case: the mechanism was not implemented for TCP listeners. We were assuming it wasn’t possible to have a subscription including TCP listeners without also including the IP restrictions.
This is visible in the logs: the error is only raised for the TCP listener, and not for the HTTP listener which is working as expected.

This bug is patched and will be released soon: https://github.com/Devolutions/devolutions-gateway/pull/881

I’ll let you know when the next version is available.

Until the release is available, it should be possible for you to remove the "AllowCidrs" key from the configuration file "gateway.json" manually. However, if you ever pay for enabling IP restrictions in your subscription, you’ll have to add it back.

Best regards,

Benoit Cortier
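The two replies above describe a fallback mechanism (retry the tunnel without IP restriction rules when ngrok answers "not authorized to use ip restrictions") and the bug that it was only wired up for the HTTP listener, not the TCP one. The following is an added illustration of that logic, written for this thread and not taken from devolutions-gateway; the ngrok server behaviour is a constructed stand-in that only models what the thread states (plans without the feature reject CIDR rules, plans with the feature require them), and the plan, listener and option types are assumptions made for the example. The error code ERR_NGROK_9017 is the one quoted in Joe's service log.

```rust
// Added example (not devolutions-gateway code): a model of the ngrok
// IP-restriction fallback described in the thread, applied to every
// listener the gateway opens, TCP included.

#[derive(Clone, Copy, Debug, PartialEq)]
enum Listener {
    Http,
    Tcp,
}

/// Simulated subscription (assumption for the example): whether the
/// plan includes the IP restrictions feature.
#[derive(Clone, Copy, Debug)]
struct Plan {
    ip_restrictions: bool,
}

/// Tunnel options mirroring the "AllowCidrs"/"DenyCidrs" keys in gateway.json.
#[derive(Clone, Debug, Default)]
struct TunnelOptions {
    allow_cidrs: Vec<String>,
    deny_cidrs: Vec<String>,
}

impl TunnelOptions {
    fn has_ip_restrictions(&self) -> bool {
        !self.allow_cidrs.is_empty() || !self.deny_cidrs.is_empty()
    }

    /// The fallback configuration: same tunnel, no restriction rules.
    fn without_ip_restrictions(&self) -> Self {
        TunnelOptions::default()
    }
}

/// Error code quoted in the service log posted in the thread.
const ERR_NGROK_9017: &str = "ERR_NGROK_9017";

/// Constructed stand-in for the ngrok control plane. It models only the two
/// behaviours the thread describes; real ngrok responses are not reproduced.
fn ngrok_listen(plan: Plan, listener: Listener, opts: &TunnelOptions) -> Result<String, String> {
    if opts.has_ip_restrictions() && !plan.ip_restrictions {
        return Err(format!(
            "rpc error response:\nYour account is not authorized to use ip restrictions.\n\n{ERR_NGROK_9017}"
        ));
    }
    if !opts.has_ip_restrictions() && plan.ip_restrictions {
        return Err("rpc error response: ip restriction rules are required for this plan".to_string());
    }
    Ok(format!("{listener:?} tunnel started"))
}

/// Only the specific "not authorized" error justifies dropping the rules.
/// Matching narrowly keeps the fallback from silently masking unrelated failures.
fn is_ip_restriction_unauthorized(err: &str) -> bool {
    err.contains(ERR_NGROK_9017)
        || err.to_ascii_lowercase().contains("not authorized to use ip restrictions")
}

/// Open one listener with the configured rules; on the "not authorized" error,
/// retry exactly once without them. Returns the tunnel description and whether
/// the fallback was used (so the service can log it at INFO level).
fn open_with_fallback(plan: Plan, listener: Listener, opts: &TunnelOptions) -> Result<(String, bool), String> {
    match ngrok_listen(plan, listener, opts) {
        Ok(desc) => Ok((desc, false)),
        Err(e) if opts.has_ip_restrictions() && is_ip_restriction_unauthorized(&e) => {
            // Equivalent of the thread's INFO trace: plan without IP restrictions
            // detected, rules disabled for this listener.
            let fallback = opts.without_ip_restrictions();
            ngrok_listen(plan, listener, &fallback).map(|desc| (desc, true))
        }
        Err(e) => Err(e),
    }
}

/// Open every listener the gateway needs. The fallback is applied per listener,
/// which is the point of the bug fix discussed above: the TCP endpoint must get
/// the same treatment as the HTTP endpoint.
fn open_all(plan: Plan, opts: &TunnelOptions) -> Result<Vec<(Listener, bool)>, String> {
    [Listener::Http, Listener::Tcp]
        .iter()
        .map(|&l| open_with_fallback(plan, l, opts).map(|(_, used_fallback)| (l, used_fallback)))
        .collect()
}

fn main() {
    // Constructed input: the "personal" plan from the thread with AllowCidrs = 0.0.0.0/0.
    let opts = TunnelOptions { allow_cidrs: vec!["0.0.0.0/0".to_string()], deny_cidrs: vec![] };
    let personal = Plan { ip_restrictions: false };
    match open_all(personal, &opts) {
        Ok(result) => println!("{result:?}"),
        Err(e) => eprintln!("tunnel failed: {e}"),
    }
}
```

The design choice worth noting is that the retry is keyed on one specific error rather than on any failure: a Pro plan configured with no rules still fails loudly instead of being retried into a different configuration, and the `bool` returned per listener is what makes the fallback visible in the logs, which is exactly how the missing TCP case was diagnosed in this thread.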


Thanks Benoit, removing "AllowCidrs" from the gateway.json file was a sufficient workaround.

Joe


Hi Joe,

Happy to hear that!

FYI: we also released Devolutions Gateway v2024.2.3 which handles this case more gracefully without having to modify the configuration manually. You should not be bothered with this anymore.

Best regards,

Benoit Cortier


Thanks Benoit. Confirmed the issue is resolved in 2024.2.3.

Joe