MatthiasLohr / docker-f5fpc

F5 VPN Client Docker Router

Problem connecting #15

Closed alex-golts closed 6 years ago

alex-golts commented 6 years ago

Hello,

I followed the instructions and when I run the wrapper script I get: Connection established. Welcome to network. After this message the container just hangs there. Is that the expected behaviour? In any case, even though it says "connection established", in practice I am not connected to the VPN. When I run ifconfig I still see my original IP, and not the VPN's IP.

I am running the docker from MacOS. When using a linux PC, I can successfully connect directly from linux_sslvpn F5 client (which doesn't work on Mac, that's why I wanted to try this docker). After connecting on the linux PC, I see that my IP is changed as expected when I run ifconfig. I didn't try running this docker from the linux PC (should I?)

When I run with the debug flag, I get the following "suspicious" lines:

2018-08-29 14:09:48,702 DEBUG (docker.auth) Couldn't find 'auths' or 'HttpHeaders' sections
2018-08-29 14:09:48,702 DEBUG (docker.auth) Config entry for key stackOrchestrator is not auth config

Any ideas?

Thanks, Alex

MatthiasLohr commented 6 years ago

> I followed the instructions and when I run the wrapper script I get: Connection established. Welcome to network. After this message the container just hangs there. Is that the expected behaviour?

Yes. It's starting a docker container acting as a router in background. With Ctrl+C you can shut that down.

> In any case, even though it says "connection established", in practice I am not connected to the VPN. When I run ifconfig I still see my original IP, and not the VPN's IP.

That's also intended. The container has the IP inside, not on the host system. You have to add routes (please check ./f5fpc-client.py -h) to the container IP to let your computer send data to the destinations reachable in your VPN network.

alex-golts commented 6 years ago

Thanks, that's helpful. I still don't really understand what I should pass as a route. Should it be a group of IPs on my host network, or on the network visible in my VPN network that I'm interested in connecting to?

I tried both, and still no success in doing SSH to one of the computers in the VPN network.

MatthiasLohr commented 6 years ago

The latter one.

With

sudo ./f5fpc-client.py <VPN_HOST> <USER> -n 10.0.0.0/8

you should be able to connect to hosts with IPs in the 10.0.0.0/8 range within the VPN network. If it doesn't work please check your routes after you are connected.

alex-golts commented 6 years ago

Tried it, and I can see the relevant IP range in the routing table, but still cannot SSH to an IP in this range.

I'm afraid that I don't understand enough about networking to even debug this issue.

Do you know if there is any way to just make everything network related inside the docker a complete mirror of everything network related on the host? I would be happy to get the same behavior as the usual f5fpc linux client, just on Mac. That is, once you run it and connect to the VPN, your actual IP changes (verified by ifconfig). I would like the same to occur when running the docker. That way I'll have an f5fpc client that I can run from Mac and that does pretty much the same thing that it does on linux (because the fact is that in Linux I'm happy with the official f5fpc client solution).

I think that it should be achievable by using the network=host flag when running a docker, but:

  1. I don't know how to set it from the python interface that you use
  2. I'm not sure that this flag even works in Docker for Mac as it does on Linux.

Anyway, I appreciate your help!

MatthiasLohr commented 6 years ago

The main target of this project is to provide a docker container acting as a router, e.g. for enabling split routing (default route still through your actual gateway).

For your purpose, you could try the following:

docker run --net host -it --rm --privileged matthiaslohr/f5fpc /bin/bash

Then use the f5fpc -s command to connect.

alex-golts commented 6 years ago

Thanks, it worked! I just needed to install openssh inside the container and managed to connect to a computer visible in the VPN network!

MatthiasLohr commented 6 years ago

Glad to read that :)

I updated the documentation in this direction, would be great if you could check for mistakes and completeness. Pull requests for further enhancements are highly welcome!

alex-golts commented 4 years ago

Hi @MatthiasLohr, it's me again :) I've been using this on my mac as we discussed in this issue for a while (from inside the container)...

Recently I happened to try this project from a linux machine as well, and figured out that on linux the gateway mode does work for me, as you suggested. I could indeed connect to IPs visible from the VPN. And I could do that from the host, not just from inside the container.

So, what's new to me is that now I know I only have a problem connecting in gateway mode on Mac OS. I'm running sudo ./f5fpc-vpn.sh gateway -n 10.0.0.0/8 on both linux and mac, and on linux I can then SSH to IPs in that range, but on Mac I get a "network is unreachable" error. When I look at the routing table while the container is running, I see the IP range was added. I do see some differences in the routing table info on linux and mac, for example the interface on linux is docker0, but I understand that Docker for Mac is different and so it uses en0.

Maybe you have some ideas on how to solve this issue? I would really love to use the gateway mode as intended, on my mac. It is a lot more convenient than the "workaround" of connecting from inside the container, for various reasons. I assume you tested the gateway functionality on Mac, so it should be possible to make it work?

I think it may have to do with how Docker desktop for Mac networking works compared to how it works in linux. But I couldn't quite figure out what it is exactly.

MatthiasLohr commented 4 years ago

Sorry, I never tested it on Mac, since I don't have one. I'm only using linux machines. So, unfortunately, I have no possibility to try to reproduce your problem.

Basically, a docker container with an ip address is nothing else than another network node. Network nodes can, if they want, operate as a router (= forwarding packets to networks they are connected to). VPN, like F5, creates an attachment to an additional (virtual) network. So, what you need to check is:

One of these points is most probably broken. Check your routing tables and use tcpdump to find from where on the packets are missing. Hope that helps.
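The checks suggested above (and the route-to-the-container-IP setup from the earlier "-n 10.0.0.0/8" reply) as an added shell example; this is not code from docker-f5fpc, and the container name, the VPN prefix, the target host and the presence of tcpdump inside the image are assumptions supplied by the caller. The host-side part is written for a Linux host with iproute2, since that is where gateway mode was confirmed to work in this thread; the parsing helpers are pure functions over constructed `ip route` / `sysctl` output so they can be exercised without Docker.

```shell
#!/bin/sh
# Added example, not part of docker-f5fpc. Assumptions: $1 is the name of the
# router container, $2 the VPN prefix routed through it (e.g. 10.0.0.0/8),
# optional $3 a host inside the VPN to probe; tcpdump exists in the image.

# next_hop PREFIX: read an `ip route` dump on stdin and print the next hop of
# PREFIX as "via <gateway>" or "dev <iface>"; print nothing if no such route.
next_hop() {
    awk -v p="$1" '$1 == p && ($2 == "via" || $2 == "dev") { print $2, $3; exit }'
}

# forwarding_on: read `sysctl net.ipv4.ip_forward` output on stdin;
# succeed only if the value is exactly 1 (the router must forward packets).
forwarding_on() {
    awk -F'[= ]+' '$1 == "net.ipv4.ip_forward" { seen = 1; v = $2 + 0 }
                   END { if (seen && v == 1) exit 0; exit 1 }'
}

# host_route_cmd OS PREFIX GATEWAY: the command that points PREFIX at the
# container on the host (iproute2 on Linux, the BSD route tool on macOS).
host_route_cmd() {
    case "$1" in
        linux)  printf 'ip route add %s via %s\n' "$2" "$3" ;;
        darwin) printf 'route -n add -net %s %s\n' "$2" "$3" ;;
        *)      return 1 ;;
    esac
}

# check_gateway CONTAINER PREFIX [TARGET]: walk the chain host -> container ->
# VPN interface and report the first link that is not set up as expected.
check_gateway() {
    container="$1"; prefix="$2"; target="${3:-}"

    # 1. The container must have an address the host can reach.
    gw=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$container") || return 1
    echo "container address: ${gw:-NONE}"

    # 2. The host must route the VPN prefix to that address (seen on docker0 on Linux).
    hop=$(ip route | next_hop "$prefix")
    echo "host route for $prefix: ${hop:-MISSING}"
    [ "$hop" = "via $gw" ] || echo "  expected 'via $gw'; fix: $(host_route_cmd linux "$prefix" "$gw")"

    # 3. The container must forward packets, otherwise it silently drops them.
    if docker exec "$container" sysctl net.ipv4.ip_forward | forwarding_on; then
        echo "container forwarding: on"
    else
        echo "container forwarding: OFF (sysctl -w net.ipv4.ip_forward=1 inside the container)"
    fi

    # 4. Inside the container the prefix must point at the VPN (tunnel) interface,
    #    i.e. "dev <iface>", not at the default gateway.
    chop=$(docker exec "$container" ip route | next_hop "$prefix")
    echo "container route for $prefix: ${chop:-MISSING}"

    # 5. Optional: watch where packets stop. tcpdump in the container shows whether
    #    the host's probe arrives at all and whether replies come back from the VPN.
    if [ -n "$target" ]; then
        ping -c 3 "$target" >/dev/null 2>&1 &
        docker exec "$container" timeout 5 tcpdump -ni any -c 6 host "$target" || true
        wait
    fi
}

if [ $# -ge 2 ]; then
    check_gateway "$@"
fi
```

Run it as `sudo ./check_gateway.sh <container> 10.0.0.0/8 10.1.2.3` while the wrapper script is connected; the first step that prints MISSING or OFF is where to look. On Docker Desktop for Mac the host cannot reach container addresses directly (the known limitation linked below in this thread), so step 2 cannot succeed there even when the route is present, which matches the "network is unreachable" symptom; that is why the `--net host` container with ssh inside it is the working path on a Mac.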

alex-golts commented 4 years ago

Thanks for your reply. I assumed that you tested on Mac because you mentioned a Mac dependency in the documentation.

Maybe I'll use the coronavirus "time off" to take some course on computer networking, then hopefully I'll understand better some of your suggestions. If I have to guess then I "feel" probably the problem lies with the first bullet you mentioned, and from what I read this may be a core limitation of Docker for Mac. See this for example:

https://docs.docker.com/docker-for-mac/networking/#known-limitations-use-cases-and-workarounds

But it's only my not so educated guess. If I reach a better understanding, I will post here...