Closed BulatSaif closed 3 years ago
I found the problem: I have a different interface name, ens5 on the host and eth0 in docker.
Workaround:

```yaml
version: '3.5'
services:
  vpn:
    image: hwdsl2/ipsec-vpn-server
    container_name: ipsec-vpn-server
    restart: always
    environment:
      - VPN_IPSEC_PSK=psk
      - VPN_USER=user
      - VPN_PASSWORD=password
    ports:  # published ports are discarded by Docker when network_mode is host
      - 500:500/udp
      - 4500:4500/udp
    privileged: true
    network_mode: host
    # Rewrite the hardcoded eth0 / eth+ interface names to the host's ens5 / ens+ before starting
    command: bash -c "sed -i 's/eth0/ens5/' /opt/src/run.sh; sed -i 's/eth+/ens+/' /opt/src/run.sh; /opt/src/run.sh"
```
Is it possible to add support for `--net=host` in /opt/src/run.sh?
Is it possible to add support for nftables here? https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/b01c7d8951cc9c797791b96ff1bfd46ac336862b/run.sh#L479 It looks like nftables is becoming more and more popular.
Maybe you can add a new container parameter to choose between iptables and nftables? The iptables-translate utility may help to convert the rules. Thank you!
Checklist

Similar issues:
- https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/70
- https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/154
- https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/183
- https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/200
Describe the issue

I found several GitHub issues where users wanted to route traffic to another docker container running on the same machine as the VPN container, but due to Docker's network isolation it is very complicated. The `--net=host` option can be a simple solution for this issue. I tested it, and it works: I can ping the container network from the remote host and ping the remote host from the container. But the main VPN functionality is broken. I guess a `MASQUERADE` rule is absent somewhere and I cannot access the internet from the remote host.

To Reproduce

Steps to reproduce the behavior:
1. Run docker-compose:
2. Connect to the VPN.
3. Ping the container network on the VPN server (run some container with network 172.18.0.1 on the VPN server, and check that you don't have the same network on your local PC).
```
--- 172.18.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 80.944/80.944/80.944/0.000 ms
```

`ip a`:

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0a:ee:ba:da:41:90 brd ff:ff:ff:ff:ff:ff
    inet 172.31.36.255/20 brd 172.31.47.255 scope global dynamic ens5
       valid_lft 2222sec preferred_lft 2222sec
    inet6 fe80::8ee:baff:feda:4190/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:23:8d:53:d6 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
4: br-fe851b1a50b9: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:1b:74:00:6f brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-fe851b1a50b9
       valid_lft forever preferred_lft forever
    inet6 fe80::42:1bff:fe74:6f/64 scope link
       valid_lft forever preferred_lft forever
14: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 192.168.42.1 peer 192.168.42.10/32 scope global ppp0
       valid_lft forever preferred_lft forever
16: ppp2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 192.168.42.1 peer 192.168.42.12/32 scope global ppp2
       valid_lft forever preferred_lft forever
20: br-55f40ed53bb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:13:9e:26:e0 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-55f40ed53bb0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:13ff:fe9e:26e0/64 scope link
       valid_lft forever preferred_lft forever
22: veth8067ad3@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-55f40ed53bb0 state UP group default
    link/ether 32:aa:a2:14:3d:23 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::30aa:a2ff:fe14:3d23/64 scope link
       valid_lft forever preferred_lft forever
```

`ip r`:

```
default via 172.31.32.1 dev ens5 proto dhcp src 172.31.36.255 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-55f40ed53bb0 proto kernel scope link src 172.18.0.1
172.19.0.0/16 dev br-fe851b1a50b9 proto kernel scope link src 172.19.0.1 linkdown
172.31.32.0/20 dev ens5 proto kernel scope link src 172.31.36.255
172.31.32.1 dev ens5 proto dhcp scope link src 172.31.36.255 metric 100
192.168.42.10 dev ppp0 proto kernel scope link src 192.168.42.1
192.168.42.12 dev ppp2 proto kernel scope link src 192.168.42.1
```
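One way to avoid the hardcoded interface name that the sed workaround in the first comment patches around, written here as an added example and not the project's own run.sh code: read the outbound interface from the kernel routing table (the `default ... dev X` route) and generate the interface-bound MASQUERADE rule for the VPN client subnet from that, with an nftables rule of the same effect for the nftables suggestion above. The client subnet 192.168.42.0/24 and all function names are assumptions; the routing-table sample is constructed after the `ip r` output in this issue so the script runs offline, and the rule functions only print the commands rather than applying them.

```shell
#!/bin/sh
# Added example (not from hwdsl2/docker-ipsec-vpn-server): derive the outbound
# interface from the routing table instead of hardcoding eth0, then build the
# MASQUERADE rule for the VPN client subnet on that interface.

# Extract the interface of the default route from `ip route` text on stdin.
# Reading stdin (rather than calling ip directly) keeps it testable offline.
default_iface_from_routes() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Same, but fail loudly when no default route is present: a host with no
# default route has no sane interface to masquerade on, so stop rather than
# emit a rule bound to an empty interface name.
require_iface() {
    iface=$(default_iface_from_routes)
    if [ -z "$iface" ]; then
        echo "no default route found; cannot choose the outbound interface" >&2
        return 1
    fi
    printf '%s\n' "$iface"
}

# Live lookup on a real host (needs the host network namespace, which
# --net=host already provides to the container).
detect_default_iface() {
    ip -4 route show default | require_iface
}

# iptables form of the rule: $1 = client subnet, $2 = outbound interface.
masquerade_rule_iptables() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# nftables form with the same effect (table and chain created first, since
# native nft has no pre-existing nat/POSTROUTING like iptables does).
masquerade_rule_nft() {
    printf 'nft add table ip nat\n'
    printf "nft 'add chain ip nat postrouting { type nat hook postrouting priority 100 ; }'\n"
    printf 'nft add rule ip nat postrouting ip saddr %s oifname "%s" masquerade\n' "$1" "$2"
}

# Constructed sample, modelled on the `ip r` output in this issue (not captured live).
SAMPLE_ROUTES='default via 172.31.32.1 dev ens5 proto dhcp src 172.31.36.255 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-55f40ed53bb0 proto kernel scope link src 172.18.0.1
192.168.42.10 dev ppp0 proto kernel scope link src 192.168.42.1'

# Assumed client subnet for illustration.
VPN_CLIENT_NET=192.168.42.0/24

demo() {
    iface=$(printf '%s\n' "$SAMPLE_ROUTES" | require_iface) || return 1
    echo "# outbound interface: $iface"
    masquerade_rule_iptables "$VPN_CLIENT_NET" "$iface"
    masquerade_rule_nft "$VPN_CLIENT_NET" "$iface"
}

demo
```

On a real host, replace the sample with `detect_default_iface`; because the rule is derived from the routing table at start-up, the same script produces `-o ens5` on this EC2-style host and `-o eth0` elsewhere without editing run.sh.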