hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server
6.47k stars, 1.39k forks

VPN clients cannot access Google after connecting #296

Closed. hedahong closed this 2 years ago

hedahong commented 2 years ago

VPN clients cannot access Google after connecting

Problem description: I found that my VPN clients (whether Windows 10 or an iPhone dialing into the VPN) cannot access Google after the VPN connects (the host machine can). Investigating further, I found that the system inside the Docker container cannot access Google at all. Where is the problem? Could someone please take a look?

Steps to reproduce

  1. On the Docker host's shell command line, run the following command:
    root@OpenWrt:~# ping www.google.com
    PING www.google.com (172.217.13.196): 56 data bytes
    ........

    (To rule out DNS-related problems, the IP address is used to test access to Google.)

2. Test whether the Docker host can access Google by running the following command:

root@OpenWrt:~# curl 172.217.13.196
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
root@OpenWrt:~# 

This shows that the host can reach Google normally (it got a 301, but that proves connectivity~).

3. Test whether the Docker container can access the Internet and Google, with the following commands:

3.1. First enter the container's shell environment:

root@OpenWrt:~# docker exec -it ipsec-vpn-server env TERM=xterm bash -l
e0b04f43bf7c:/opt/src#

3.2. Test whether the container can access the Internet by running:

e0b04f43bf7c:/opt/src# curl http://cip.cc
IP       : 115.171.xxx.xxx
Location : China  Beijing
ISP      : China Telecom
......
e0b04f43bf7c:/opt/src# 

This shows that the container can reach the external network normally~

3.3. Test whether the container can access Google by running:

e0b04f43bf7c:/opt/src# curl 172.217.13.196
curl: (28) Failed to connect to 172.217.13.196 port 80 after 32016 ms: Operation timed out
e0b04f43bf7c:/opt/src# 

It timed out, so there is no connectivity!!! May I ask what the cause is? It seems that the traffic from my Docker container is not being caught by the host's ShadowSocksR?

Additional information:

  1. The host is x86-64 OpenWrt R20.12.12 / LuCI Master (git-20.343.54716-6fc079f)
  2. The host can access Google through the OpenWrt bundled plugin 'ShadowSocksR Plus+'
  3. ShadowSocksR run mode: I also tried 'global mode', and it did not work either.
  4. Docker container reference information is as follows:
{
   "Path": "\/opt\/src\/run.sh",
   "ProcessLabel": "",
   "ResolvConfPath": "\/opt\/docker_root\/containers\/e0b04f43bf7c4452636a8beb89aff449525a4dba82e5009e9699850d9743112b\/resolv.conf",
   "NetworkSettings": {
     "LinkLocalIPv6Address": "",
     "SandboxID": "462b9f3ec61f7d21527b02ba069fa4ff8a2fbbda27e62f8c33a67a0a86162ce1",
     "HairpinMode": false,
     "Networks": {
       "bridge": {
         "NetworkID": "2b8d1b8b928eb4fc0afc288dc49844f48c03a806991eed052330cdc729237442",
         "IPAddress": "172.17.0.2",
         "MacAddress": "02:42:ac:11:00:02",
         "IPPrefixLen": 16,
         "IPv6Gateway": "",
         "Gateway": "172.17.0.1",
         "GlobalIPv6PrefixLen": 0,
         "EndpointID": "86dfbcc9a012913871074b9176d05c347e0ba756b8c9b6bc555f2e288a0ddf11",
         "GlobalIPv6Address": ""
       }
     },
     "Ports": {
       "4500\/udp": [
         {
           "HostIp": "0.0.0.0",
           "HostPort": "4500"
         }
       ],
       "500\/udp": [
         {
           "HostIp": "0.0.0.0",
           "HostPort": "500"
         }
       ]
     },
     "Bridge": "",
     "MacAddress": "02:42:ac:11:00:02",
     "IPv6Gateway": "",
     "IPPrefixLen": 16,
     "IPAddress": "172.17.0.2",
     "EndpointID": "86dfbcc9a012913871074b9176d05c347e0ba756b8c9b6bc555f2e288a0ddf11",
     "SandboxKey": "\/var\/run\/docker\/netns\/462b9f3ec61f",
     "Gateway": "172.17.0.1",
     "GlobalIPv6PrefixLen": 0,
     "LinkLocalIPv6PrefixLen": 0,
     "GlobalIPv6Address": ""
   },
   "ExecIDs": [
     "9a05392e6c4965bdb7df4c14339140534c1555d458e1fcc3e6020adaff56b810",
     "7dbc9d4e4f81e0fd486bcdad96a0e323ed46f006a22794da0cca3ec973cd9cc0"
   ],
   "MountLabel": "",
   "HostsPath": "\/opt\/docker_root\/containers\/e0b04f43bf7c4452636a8beb89aff449525a4dba82e5009e9699850d9743112b\/hosts",
   "LogPath": "\/opt\/docker_root\/containers\/e0b04f43bf7c4452636a8beb89aff449525a4dba82e5009e9699850d9743112b\/e0b04f43bf7c4452636a8beb89aff449525a4dba82e5009e9699850d9743112b-json.log",
   "RestartCount": 0,
   "Config": {
     "AttachStdout": false,
     "Labels": {
       "org.opencontainers.image.version": "alpine-latest",
       "org.opencontainers.image.documentation": "https:\/\/github.com\/hwdsl2\/docker-ipsec-vpn-server",
       "org.opencontainers.image.authors": "Lin Song <linsongui@gmail.com>",
       "org.opencontainers.image.source": "https:\/\/github.com\/hwdsl2\/docker-ipsec-vpn-server",
       "org.opencontainers.image.revision": "99f649a4",
       "maintainer": "Lin Song <linsongui@gmail.com>",
       "org.opencontainers.image.description": "Docker image to run an IPsec VPN server, with IPsec\/L2TP, Cisco IPsec and IKEv2.",
       "org.opencontainers.image.title": "IPsec VPN Server on Docker",
       "org.opencontainers.image.created": "2022-06-08T04:34:12Z",
       "org.opencontainers.image.url": "https:\/\/github.com\/hwdsl2\/docker-ipsec-vpn-server"
     },
     "User": "",
     "AttachStdin": false,
     "Tty": false,
     "WorkingDir": "\/opt\/src",
     "AttachStderr": false,
     "OpenStdin": false,
     "Cmd": [
       "\/opt\/src\/run.sh"
     ],
     "Image": "hwdsl2\/ipsec-vpn-server",
     "Hostname": "e0b04f43bf7c",
     "ExposedPorts": {
       "4500\/udp": [
       ],
       "500\/udp": [
       ]
     },
     "Domainname": "",
     "Env": [
       "VPN_IPSEC_PSK=xxx",
       "VPN_USER=xxx",
       "VPN_PASSWORD=xxx",
       "VPN_ADDL_USERS=xxxx",
       "VPN_ADDL_PASSWORDS=xxx xxx",
       "VPN_DNS_SRV1=192.168.31.1",
       "VPN_DNS_SRV2=192.168.31.2",
       "PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin",
       "SWAN_VER=4.7",
       "IMAGE_VER=2022-06-08T04:34:12Z"
     ],
     "StdinOnce": false
   },
   "Mounts": [
     {
       "Name": "ikev2-vpn-data",
       "Type": "volume",
       "Source": "\/opt\/docker_root\/volumes\/ikev2-vpn-data\/_data",
       "RW": true,
       "Mode": "z",
       "Destination": "\/etc\/ipsec.d",
       "Driver": "local",
       "Propagation": ""
     },
     {
       "Type": "bind",
       "Source": "\/lib\/modules",
       "Mode": "ro",
       "Destination": "\/lib\/modules",
       "RW": false,
       "Propagation": "rprivate"
     }
   ],
   "Id": "e0b04f43bf7c4452636a8beb89aff449525a4dba82e5009e9699850d9743112b",
   "Platform": "linux",
   "HostConfig": {
     "PidMode": "",
     "MemorySwap": 0,
     "ConsoleSize": [
       0,
       0
     ],
     "IOMaximumIOps": 0,
     "DnsOptions": [
     ],
     "CpuPeriod": 0,
     "OomScoreAdj": 0,
     "BlkioWeight": 0,
     "ShmSize": 67108864,
     "Privileged": true,
     "PortBindings": {
       "4500\/udp": [
         {
           "HostIp": "",
           "HostPort": "4500"
         }
       ],
       "500\/udp": [
         {
           "HostIp": "",
           "HostPort": "500"
         }
       ]
     },
     "CpuShares": 0,
     "Dns": [
       "192.168.31.4"
     ],
     "CpuQuota": 0,
     "DnsSearch": [
     ],
     "NanoCpus": 0,
     "CpuCount": 0,
     "Isolation": "",
     "Cgroup": "",
     "ContainerIDFile": "",
     "AutoRemove": false,
     "UTSMode": "",
     "IOMaximumBandwidth": 0,
     "VolumeDriver": "",
     "CpuPercent": 0,
     "KernelMemory": 0,
     "CpuRealtimePeriod": 0,
     "OomKillDisable": false,
     "Binds": [
       "ikev2-vpn-data:\/etc\/ipsec.d",
       "\/lib\/modules:\/lib\/modules:ro"
     ],
     "KernelMemoryTCP": 0,
     "MemoryReservation": 0,
     "Runtime": "runc",
     "RestartPolicy": {
       "Name": "always",
       "MaximumRetryCount": 0
     },
     "PublishAllPorts": false,
     "Devices": [
     ],
     "CpusetMems": "",
     "CpusetCpus": "",
     "CpuRealtimeRuntime": 0,
     "ReadonlyRootfs": false,
     "UsernsMode": "",
     "Memory": 0,
     "CgroupParent": "",
     "IpcMode": "private",
     "LogConfig": {
       "Config": [
       ],
       "Type": "json-file"
     },
     "BlkioWeightDevice": [
     ],
     "NetworkMode": "default"
   },
   "GraphDriver": {
     "Name": "vfs"
   },
   "State": {
     "Pid": 12608,
     "FinishedAt": "2022-06-09T18:34:42.497711346Z",
     "StartedAt": "2022-06-09T18:35:08.655620281Z",
     "Error": "",
     "Running": true,
     "Paused": false,
     "OOMKilled": false,
     "Status": "running",
     "ExitCode": 0,
     "Restarting": false,
     "Dead": false
   },
   "Driver": "vfs",
   "Name": "\/ipsec-vpn-server",
   "Args": [
   ],
   "HostnamePath": "\/opt\/docker_root\/containers\/e0b04f43bf7c4452636a8beb89aff449525a4dba82e5009e9699850d9743112b\/hostname",
   "Created": "2022-06-09T16:33:09.249569408Z",
   "AppArmorProfile": "",
   "Image": "sha256:376376b57ee1de0f5a2e1c3f44baa2b0c518777b6ee55beeeeda4c626362c53b"
 }

hwdsl2 commented 2 years ago

@hedahong Hi! I am not familiar with the OpenWrt system. Based on your description, I think it is very likely that the Docker container's traffic is not passing through the ShadowSocksR plugin on the host, i.e. it bypasses the plugin. I am not sure about a solution for this problem either. You could ask on related forums online, or search for related documentation.

xianren78 commented 2 years ago

[screenshot] Add the docker0 interface under SSRP+ access control.
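Both hwdsl2's suspicion (container traffic bypasses the proxy) and xianren78's fix (add docker0 to the access-control interfaces) come down to one thing: which ingress interfaces the host's transparent-proxy redirect rules match. The following is an added example, not code from this thread or from the hwdsl2 project. It is a POSIX shell checker that parses `iptables-save -t nat` style output and reports whether packets entering on a given interface can reach a REDIRECT or TPROXY target from the nat PREROUTING chain, following user-chain jumps. The two rule sets are constructed for illustration; the chain names SS_LAN_DG and SS_WAN_FW and the port 1234 are assumptions, not SSRP+'s real chain names. It goes slightly beyond the thread by honouring negated `! -i` matches and rules with no `-i` at all (which match every interface).

```shell
#!/bin/sh
# Added example (not from the hwdsl2 project or this issue): check which
# ingress interfaces a transparent-proxy redirect actually covers.
# Input format is that of `iptables-save -t nat`. Chain names and the
# redirect port below are constructed and illustrative.

# Constructed sample: the proxy chain is only entered from br-lan, so
# packets arriving on docker0 (the VPN container's bridge) are never
# redirected and leave the host unproxied.
SAMPLE_BEFORE='*nat
:PREROUTING ACCEPT [0:0]
:SS_LAN_DG - [0:0]
:SS_WAN_FW - [0:0]
-A PREROUTING -i br-lan -p tcp -j SS_LAN_DG
-A SS_LAN_DG -d 192.168.31.0/24 -j RETURN
-A SS_LAN_DG -p tcp -j SS_WAN_FW
-A SS_WAN_FW -p tcp -j REDIRECT --to-ports 1234
COMMIT'

# Constructed sample after docker0 was added as a second ingress interface.
SAMPLE_AFTER='*nat
:PREROUTING ACCEPT [0:0]
:SS_LAN_DG - [0:0]
:SS_WAN_FW - [0:0]
-A PREROUTING -i br-lan -p tcp -j SS_LAN_DG
-A PREROUTING -i docker0 -p tcp -j SS_LAN_DG
-A SS_LAN_DG -d 192.168.31.0/24 -j RETURN
-A SS_LAN_DG -p tcp -j SS_WAN_FW
-A SS_WAN_FW -p tcp -j REDIRECT --to-ports 1234
COMMIT'

# chain_reaches_proxy CHAIN RULES [DEPTH]: succeed if CHAIN, or any user
# chain it jumps to, contains a REDIRECT or TPROXY target.
chain_reaches_proxy() {
  local chain="$1" rules="$2" depth="${3:-0}" tgt
  [ "$depth" -gt 16 ] && return 1          # guard against jump loops
  for tgt in $(printf '%s\n' "$rules" | awk -v c="$chain" '
      $1=="-A" && $2==c { for (i=3;i<=NF;i++) if ($i=="-j") print $(i+1) }'); do
    case $tgt in
      REDIRECT|TPROXY) return 0 ;;
      ACCEPT|DROP|RETURN|MASQUERADE|SNAT|DNAT|MARK|CONNMARK) ;;   # built-ins
      *) chain_reaches_proxy "$tgt" "$rules" $((depth + 1)) && return 0 ;;
    esac
  done
  return 1
}

# iface_proxied IFACE RULES: succeed if some nat PREROUTING rule that can
# match packets arriving on IFACE (explicit "-i IFACE", a negated "! -i"
# naming another interface, or no -i match at all) ends at REDIRECT/TPROXY.
iface_proxied() {
  local iface="$1" rules="$2" tgt
  for tgt in $(printf '%s\n' "$rules" | awk -v ifc="$iface" '
      $1=="-A" && $2=="PREROUTING" {
        ok=1
        for (i=3;i<=NF;i++) if ($i=="-i") {
          neg = (i>3 && $(i-1)=="!")
          if ((!neg && $(i+1)!=ifc) || (neg && $(i+1)==ifc)) ok=0
        }
        if (ok) for (i=3;i<=NF;i++) if ($i=="-j") print $(i+1)
      }'); do
    case $tgt in
      REDIRECT|TPROXY) return 0 ;;
      *) chain_reaches_proxy "$tgt" "$rules" && return 0 ;;
    esac
  done
  return 1
}

# report IFACE RULES: human-readable verdict for one interface.
report() {
  if iface_proxied "$1" "$2"; then
    echo "$1: redirected into the proxy"
  else
    echo "$1: NOT redirected, traffic bypasses the proxy"
  fi
}

echo "== constructed rules before the fix =="
report br-lan  "$SAMPLE_BEFORE"
report docker0 "$SAMPLE_BEFORE"
echo "== constructed rules after adding docker0 =="
report docker0 "$SAMPLE_AFTER"
```

On the real host, feed it the live table instead of the sample: `iface_proxied docker0 "$(iptables-save -t nat)"` (and `ip -o link show docker0` confirms the bridge name). Two caveats: the parser only understands iptables-save syntax, so on newer OpenWrt releases whose firewall is nftables-based (fw4) you would inspect `nft list ruleset` instead; and it checks only the nat PREROUTING path, so a TPROXY setup that lives in the mangle table needs the same check run against `iptables-save -t mangle`.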