Web terminal behind NAT


Problem to solve

I need to run a web terminal connecting to a runner behind NAT.

I enabled allow_local_requests_from_web_hooks_and_services.
I can run a normal pipeline.
If the runner is on the same network as GitLab it works, but when the runner is in another network and GitLab cannot contact it directly, I get “Connection failure” when opening the web terminal.
The runner is always able to connect to GitLab.

On the runner I configured advertise_address with the IP address of the runner. I also tried omitting it.

Steps to reproduce

Configuration

Versions

Please select whether options apply, and add the version information.

  • Self-managed
  • GitLab.com SaaS
  • Self-hosted Runners

Versions

  • GitLab v17.3.1-ee
  • GitLab Runner: 17.2.1 (9882d9c7)

If it’s basic NAT and you have control of the network then you could try port forwarding; if it’s a complex NAT or CGNAT then look into a WireGuard VPN solution.

Tailscale
Twingate
Build your own VPN gateway

One of the key points of a runner is to execute commands on a remote machine behind NAT without modifying anything on the network.

Adding a port forward or doing/requesting modifications to the corporate firewall is often a pain in the ass.

NAT could be easily bypassed with a reverse SSH tunnel. In the end it is only a command to add to the pipeline.

It would have been nice if it was included in the web terminal.

In the documentation the sentence “Ensure that advertise_address is a public IP address, unless you have enabled the application setting, allow_local_requests_from_web_hooks_and_services” is misleading. It lets it be understood that if you do not have a public IP address you can do it anyway by enabling that parameter.