I’m trying Headscale, Headplane and Zitadel on an OVH VPS, using Incus VMs as an alternative to Docker.
The VPS runs HAProxy as a reverse proxy with certificate offloading.
The three applications work separately using their public URLs, but I have a problem with Headplane connecting to Zitadel as the OIDC provider.
Headscale (hs) and Headplane (hp) share an Incus VM, as hp needs to write to the config.yaml file of hs.
Zitadel (zz) is in its own Incus VM.
As the OVH VPS only has one IPv4 address (I don’t use IPv6, as my homelab and ISP don’t support it), the two VMs share incusbr0, with their own static IPs configured within the VMs (Ubuntu 24.04) using netplan.
On the VPS I’ve turned off UFW (the VPS is still protected by OVH’s Edge Firewall), and the incusbr0 firewall is turned off with: incus network set incusbr0 ipv4.firewall false
ping and ssh both work between the VPS host and the Incus VMs, and also between the Incus VMs,
but I have a problem with curl.
From the VPS host, curl -vvvv zz.XXXXX.uk
works fine…
# curl -vvv https://zz.XXXXX.uk
* Trying 51.NNN.NNN.NNN:443...
* Connected to zz.XXXXX.uk (51.NNN.NNN.NNN) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
etc, etc,etc
From within the hs/hp VM, trying to connect to zz.XXXXX.uk, the connection fails.
I need to use a URL and not an IP address, as this is what hp’s OIDC config requires.
# curl -vvvv https://zz.XXXXX.uk
* Host zz.XXXXX.uk:443 was resolved.
* IPv6: (none)
* IPv4: 51.NNN.NNN.NNN
* Trying 51.NNN.NNN.NNN:443...
* connect to 51.NNN.NNN.NNN port 443 from 10.60.209.50 port 55012 failed: Connection refused
I guess this is why, in Docker, all the containers use the same network and Traefik sorts out the connectivity with labels!
An incus proxy device doesn’t work with nat=true, as I’ve chosen to use VMs.
I’ve run out of ideas, and with all firewalls off, I can’t think what the problem is.
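A small triage helper for this symptom, added here as an example and not part of the original post or of Incus, HAProxy or Headplane. It classifies the curl failure line by its shape: a connect from an RFC 1918 source to a public destination that is refused is the usual signature of a hairpin (NAT reflection) problem, where the VM resolves the public name to the host's public address and that address is not reachable, or not listened on, from the bridge side. That is a candidate to check, not a diagnosis. The sample failure line, the public address 203.0.113.10 and the bridge gateway address 10.60.209.1 are all constructed for the example; substitute the real values before running the printed commands.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): triage a "Connection refused"
# from an Incus VM to the VPS's public address, and print the next checks.

# Constructed sample of the curl -v failure line: same shape as the post's
# output, with a TEST-NET-3 address standing in for the real public IP.
SAMPLE_FAIL='* connect to 203.0.113.10 port 443 from 10.60.209.50 port 55012 failed: Connection refused'

# is_private_v4 ADDR -> exit 0 if ADDR is in an RFC 1918 range
is_private_v4() {
  case "$1" in
    10.*)                                   return 0 ;;
    192.168.*)                              return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
    *)                                      return 1 ;;
  esac
}

# classify_connect_failure LINE -> prints one word:
#   hairpin-candidate : private source -> public destination, refused
#   refused           : refused, but not the hairpin shape (e.g. private -> private)
#   other             : not a "connect ... failed: Connection refused" line
classify_connect_failure() {
  local line=$1 dst src
  case "$line" in
    "* connect to "*" failed: Connection refused") ;;
    *) echo other; return ;;
  esac
  dst=$(printf '%s\n' "$line" | sed -E 's/^\* connect to ([0-9.]+) port [0-9]+ from ([0-9.]+) .*/\1/')
  src=$(printf '%s\n' "$line" | sed -E 's/^\* connect to ([0-9.]+) port [0-9]+ from ([0-9.]+) .*/\2/')
  if is_private_v4 "$src" && ! is_private_v4 "$dst"; then
    echo hairpin-candidate
  else
    echo refused
  fi
}

# next_steps NAME PUBLIC_IP BRIDGE_IP -> prints the commands to run next.
# BRIDGE_IP is the host's own address on incusbr0 (assumed 10.60.209.1 below).
next_steps() {
  local name=$1 pub=$2 br=$3
  cat <<EOF
# On the VPS host: what is listening on :443, and on which address (${pub}, ${br}, or 0.0.0.0)?
ss -ltnp 'sport = :443'
# From the VM: bypass DNS and reach HAProxy via the bridge address instead of ${pub}.
# TLS is still terminated by HAProxy with the real certificate, so the name check still passes.
curl -v --resolve "${name}:443:${br}" "https://${name}/"
# If that works, pin the name inside the VM to the bridge address (or do the same in Incus DNS):
echo "${br} ${name}" >> /etc/hosts
EOF
}

# Stand-alone run: classify the constructed sample and print the follow-up checks.
classify_connect_failure "$SAMPLE_FAIL"
next_steps zz.example.org 203.0.113.10 10.60.209.1
```

The `--resolve` step is the useful one: it keeps the OIDC issuer URL unchanged (which the Headplane config requires) while taking the public address out of the path. If HAProxy only binds the public address, it will also need a bind on the bridge address or on 0.0.0.0 for that to succeed.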