cenk1cenk2 / docker-softether-vpnsrv

SoftEther VPN Server with DNSMASQ DHCP Server or bridge mode connection for VPN-to-site setup.

Connection no network #42

Open 775118134 opened 4 months ago

775118134 commented 4 months ago

Hi~

Cloud host: (screenshots)

In container: (screenshots)

Cloud host:

192.168.0.36

Docker container softether:

eth0 172.20.30.2, tap_soft 192.168.32.1

Remote VPN client: (screenshots)

docker-compose.yml

version: '3'
services:
  softether:
    image: cenk1cenk2/softether-vpnsrv:latest
    container_name: softether
    restart: always
    networks:
      soft_network:
        ipv4_address: 172.20.30.2
    devices:
      - /dev/net/tun
    environment:
      - TZ=Asia/Shanghai
      - LOG_LEVEL=trace
      - SERVER_MODE=dhcp
      - SERVER_CIDR_ADDRESS=192.168.32.0/24
      - DHCP_SERVER_LEASE=12h
      - DHCP_SERVER_SEND_GATEWAY=true
      - DHCP_SERVER_GATEWAY=192.168.32.1
      - DHCP_SERVER_FORWARDING_ZONE=127.0.0.11
      - SOFTETHER_TAP_INTERFACE=soft
      - SOFTETHER_DEFAULT_HUB=VPN
    ports:
      - 443:1443/tcp     # softether
      - 992:992/tcp       # softether alternative
      - 5555:5555/tcp     # softether alternative
      - 1194:1194/udp     # openvpn
      - 500:500/udp       # l2tp IPSec IKE
      - 4500:4500/udp     # l2tp IPSec
      - 1701:1701/tcp     # l2tp
    volumes:
      - ./conf:/conf
      - ./hooks:/docker.init.d:ro
      - ./server_log:/etc/softether/server_log
      - ./security_log:/etc/softether/security_log
      - ./packet_log:/etc/softether/packet_log
    cap_add:
      - SETGID
      - SETUID
      - NET_ADMIN
      - NET_RAW
      - NET_BIND_SERVICE
networks:
  soft_network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.30.0/24
          gateway: 172.20.30.1

dnsmasq.conf

# Comment out the port=0 so dnsmasq can provide dns services to clients
# port=0
interface=tap_soft
dhcp-range=tap_soft,192.168.32.10,192.168.32.200,255.255.255.0,12h
dhcp-option=tap_soft,3,192.168.32.1
# set option 6 to announce itself as the DNS server
dhcp-option=tap_soft,6,192.168.32.1
# Use option 121 to announce to *nix vpn clients various routes you want routed through the VPN to allow split tunnel
dhcp-option=tap_soft,121,192.168.0.0/24,192.168.32.1,192.168.10.0/24,192.168.32.1
# use option 249 to announce to windows vpn clients the same routes as 121
dhcp-option=tap_soft,249,192.168.0.0/24,192.168.32.1,192.168.10.0/24,192.168.32.1
# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dhcpe/4cde5ceb-4fc1-4f9a-82e9-13f6b38d930c
dhcp-option=vendor:MSFT,2,1i

conf-dir=/etc/dnsmasq.d

Runtime log: (screenshot)

The docker-softether-vpnsrv container 172.20.30.2 is deployed on the cloud host 192.168.0.36, and port 1443 is connected to through the SoftEther client using the SSL protocol. It is now connected and has been assigned the IP address 192.168.32.53, but it can only communicate with the container 172.20.30.2; I cannot access the host, the LAN, or the Internet. Can you help me see how to modify it?

cenk1cenk2 commented 4 months ago

Dear @775118134,

Thank you for the really detailed explanation and for providing everything that has relevance.

You can give it a try to add a post-configuration hook that adds the post-routing rules for the other pushed routes.

This can be an executable file (i.e. a bash script or whatever) that gets executed just before the services start, as mentioned below. https://github.com/cenk1cenk2/docker-softether-vpnsrv?tab=readme-ov-file#hooks

By default, it only does the configuration for the given CIDR range that it distributes the VPN IP addresses to, just to NAT the connection, as seen in the logs.

But you can use this "hook" to add your own rules for routing the traffic for the other IP ranges through that given gateway address.

I do not think I can help you with the exact commands but something like below might help you: https://serverfault.com/questions/267580/linux-routing-traffic-between-two-networks-with-iptables
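The kind of hook the maintainer is pointing at, written out as an added example (this is not code from the project or from either participant). It assumes the hook is dropped into the ./hooks directory that the compose file above mounts at /docker.init.d, that the legacy iptables binary is present in the container, that the presence of /docker.init.d is a good enough sign that the script is running inside the container (anywhere else it only prints the rules it would apply), and it uses the values from this thread: tap_soft, eth0, 192.168.32.0/24 and the two site networks pushed by dnsmasq option 121/249. The VPN_CIDR, TAP_IF, UPLINK_IF and SITE_CIDRS variables belong to this script, not to the image. It also folds in the ip_forward check the maintainer suggests further down the thread.

```shell
#!/bin/sh
# Added example, not part of docker-softether-vpnsrv: a post-configuration
# hook for the ./hooks directory that the compose file above mounts at
# /docker.init.d. Assumptions: it runs inside the container before SoftEther
# and dnsmasq start, legacy iptables is available, and /docker.init.d only
# exists inside the container (outside it the script is a dry run).
set -eu

VPN_CIDR="${VPN_CIDR:-192.168.32.0/24}"   # SERVER_CIDR_ADDRESS in the compose file
TAP_IF="${TAP_IF:-tap_soft}"              # tap_ + SOFTETHER_TAP_INTERFACE
UPLINK_IF="${UPLINK_IF:-eth0}"            # container side of the docker bridge
# Site networks pushed to clients via dnsmasq option 121/249 in this thread.
SITE_CIDRS="${SITE_CIDRS:-192.168.0.0/24 192.168.10.0/24}"

# Print, one per line, the iptables commands that forward and masquerade
# VPN-client traffic towards each site network. It only prints, so the
# output can be reviewed (or tested) without touching the kernel.
site_rules() {
  vpn="$1"; tap="$2"; uplink="$3"; shift 3
  for cidr in "$@"; do
    # New flows are allowed only from the VPN side towards the site ...
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -j ACCEPT\n' \
      "$tap" "$uplink" "$vpn" "$cidr"
    # ... and only reply packets come back; site hosts cannot open flows to clients.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
      "$uplink" "$tap" "$cidr" "$vpn"
    # Hide the VPN range behind the container address (172.20.30.2 here):
    # docker's own MASQUERADE covers only 172.20.30.0/24, so without this the
    # site hosts would need a return route for 192.168.32.0/24.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -o %s -j MASQUERADE\n' \
      "$vpn" "$cidr" "$uplink"
  done
}

# The forwarding check suggested later in the thread: true when the kernel,
# as seen from this network namespace, forwards IPv4 packets.
forwarding_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

apply_rules() {
  if ! forwarding_enabled; then
    echo "net.ipv4.ip_forward is 0, enabling it (requires NET_ADMIN)" >&2
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
  fi
  # SITE_CIDRS is intentionally word-split into one argument per network.
  site_rules "$VPN_CIDR" "$TAP_IF" "$UPLINK_IF" $SITE_CIDRS | while read -r rule; do
    echo "+ $rule" >&2
    eval "$rule"
  done
}

if [ -d /docker.init.d ]; then
  apply_rules
else
  # Dry run outside the container: show what would be applied.
  site_rules "$VPN_CIDR" "$TAP_IF" "$UPLINK_IF" $SITE_CIDRS
fi
```

Before adding this, look at what the image already installed with `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING` inside the container, so you do not stack a second masquerade on top of the one the maintainer mentions, and run the script once on the workstation to read the rules it would apply. Two things remain outside the container's control: the host must still forward packets arriving from the docker bridge towards the LAN, and the masquerade only covers traffic initiated by VPN clients; anything that must reach a client from the LAN needs a real route for 192.168.32.0/24 instead.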

775118134 commented 4 months ago

Thank you for your reply. I tried a variety of methods, including network_mode: "host" or network_mode: "bridge", with the local network bridge using the bridge of the existing physical network adapter or the bridge of the new tap device, and dnsmasq or VDHCP (SecureNAT DHCP); none of them work. All are blocked at the same point: it ends when the client IP 192.168.32.10 reaches tap_soft 192.168.32.1. It cannot access the host, nor the LAN or the Internet. From the current situation, I can probably guess that eth0 in the container is an Ethernet interface with IP address 172.20.30.2 and can access the Internet, while tap_soft is a virtual Ethernet interface with IP address 192.168.32.1 and cannot access the Internet. The iptables routing table has no effect (I am not very familiar with iptables and have tried many methods, but none worked). I have a headache and I don't know how to modify it...

cenk1cenk2 commented 4 months ago

Sorry to hear that. When I do local network access with this, I put the container in host network mode and set SERVER_MODE to bridge, so that the upstream, which is my router, is the one that distributes the IP addresses.

(screenshot)

Here in the sample screenshot ens19 is the upstream interface of the host machine, and all the routes are already available for the other networks, because the IP address and DHCP boot parameters are not provided through the container with dnsmasq; I just let the router that owns the 192.168.50.0/24 range in the picture distribute the IP addresses. So in the end I just treat anything connecting through this interface like any other device that is already in the network.

With bridge network mode in Docker and dhcp mode as the SERVER_MODE I had no chance to get the internal routing right. The SERVER_MODE dhcp is mostly intended for direct internet access and does work with Docker bridge mode. That is just a more straightforward configuration, as in the screenshots below.

(screenshot)

(screenshot)

Sorry for the screenshots instead of text since I was on mobile.
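The layout the maintainer describes, as an added compose fragment derived from the compose file earlier in this thread (it is not the project's own example and not what either participant posted). It assumes the same image, hook directory and hub name. The variable that names the upstream interface for bridge mode is documented in the project README and does not appear in this thread, so it is deliberately left out rather than guessed.

```yaml
# Added example, not from the project: host network mode with SERVER_MODE=bridge,
# so the router upstream of the host hands out addresses and routes to VPN clients.
version: '3'
services:
  softether:
    image: cenk1cenk2/softether-vpnsrv:latest
    container_name: softether
    restart: always
    network_mode: host          # replaces the networks: and ports: sections
    devices:
      - /dev/net/tun
    environment:
      - TZ=Asia/Shanghai
      - LOG_LEVEL=trace
      - SERVER_MODE=bridge      # no SERVER_CIDR_ADDRESS / DHCP_* needed: dnsmasq is not the DHCP server
      - SOFTETHER_TAP_INTERFACE=soft
      - SOFTETHER_DEFAULT_HUB=VPN
      # add the README's upstream-interface variable for bridge mode here
    volumes:
      - ./conf:/conf
      - ./hooks:/docker.init.d:ro
      - ./server_log:/etc/softether/server_log
      - ./security_log:/etc/softether/security_log
      - ./packet_log:/etc/softether/packet_log
    cap_add:
      - SETGID
      - SETUID
      - NET_ADMIN
      - NET_RAW
      - NET_BIND_SERVICE
```

Two consequences worth checking before exposing this: with no port mapping, SoftEther listens on the host on the ports the earlier compose file mapped from (1443 instead of 443, plus 992, 5555, 1194/udp, 500/udp, 4500/udp, 1701), so firewall rules and client profiles must point at those; and in bridge mode every VPN client becomes a layer-2 member of the LAN behind the router, seeing its broadcast traffic and reachable from any LAN host, so the hub's user accounts and the router's DHCP reservations are the only thing separating VPN users from the rest of the network.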

775118134 commented 4 months ago

(screenshot)

(screenshot)

Grateful. I modified the DHCP configuration to be the same as yours without any other modifications. After starting and running, I still cannot access the host, the LAN, or the Internet. I checked and the LAN adapter is empty. Is it the same reason? The current situation is that it can only be traced to 10.10.10.1...

Looking forward to your help, thank you

cenk1cenk2 commented 4 months ago

In the given configuration only the internet should be accessible with dhcp mode. I am not sure about the LAN adapter part, whereas at the top it seems to pick up the correct soft interface.

Is the host able to forward packets? https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux. This would be my dummy check.

The only reason I can think of again is, as with the other issues, that I do not know what to do with nftables shipping with newer distros instead of the legacy iptables. But I can see that you are still using the legacy one.

775118134 commented 4 months ago

The host machine supports it. (screenshot) Looking inside the container, it seems that tun is not supported. I don't know if this is the reason. (screenshot) Looking at your source code, I don't see nftables being used. My container uses cenk1cenk2/softether-vpnsrv:latest. My startup method is docker-compose up; I don't know why. Sad.

Could you take some of your time while I prepare a remote server? Could you give me your private contact method? I will send it to you; please help me check it, thank you.

775118134 commented 4 months ago

Thank you very much. I rolled the version back to v4.42-9798-rtm and it is fine now. I'll look into the specific cause later when I have time.

775118134 commented 4 months ago

Now I have another headache: the cascade connection is invalid...