Closed carbon-lab closed 1 year ago
@carbon-lab Hello! The IPsec VPN (Libreswan) is listening on the Docker container's internal IP address (172.17.0.2 in your case), which is normal. The Docker host should have IPTables rules in place (created automatically by Docker) that are responsible for forwarding the incoming UDP 500 and 4500 traffic to the Docker container.
For example, on the Docker host, you might see:
# sudo iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE udp -- * * 172.17.0.2 172.17.0.2 udp dpt:4500
0 0 MASQUERADE udp -- * * 172.17.0.2 172.17.0.2 udp dpt:500
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 to:172.17.0.2:4500
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 to:172.17.0.2:500
If these rules are missing, there may be an issue with your Docker installation. On the other hand, if the rules are there, try enabling Libreswan logs in the container: https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#enable-libreswan-logs
Then re-connect the client and check the logs. If no new logs appear, then the connection attempt most likely did not reach the Docker container.
@carbon-lab Please try the suggestions above. If you have additional information feel free to reply here.
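The check the reply above describes (confirm that the host's nat table carries the DOCKER-chain DNAT rules for UDP 500 and 4500 pointing at the container) can be scripted. The script below is an added example and is not code from the hwdsl2/docker-ipsec-vpn-server project; it assumes the container address 172.17.0.2 quoted in this thread, and the embedded sample listing is a constructed copy of the `iptables -nvL -t nat` output shown above, included so the script runs offline.

```sh
#!/bin/sh
# Added example (not part of the hwdsl2/docker-ipsec-vpn-server project).
# Verifies that the Docker host's nat table forwards incoming UDP 500/4500 to
# the VPN container. Feed it `sudo iptables -nvL -t nat` on stdin.
# The container IP 172.17.0.2 is an assumption taken from the thread above;
# read yours with:  docker inspect -f '{{.NetworkSettings.IPAddress}}' <name>

# vpn_dnat_rules IP PORT
#   Prints how many DNAT rules in chain DOCKER send UDP PORT to IP:PORT.
#   Reads the nat table listing on stdin. Column layout of `iptables -nvL`:
#   pkts bytes target prot opt in out source destination [match text...]
#   so the rule we want looks like:
#   0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 to:172.17.0.2:500
#   Some iptables builds print the prot column numerically (17 for udp).
vpn_dnat_rules() {
    awk -v ip="$1" -v port="$2" '
        /^Chain /                                   { chain = $2; next }
        chain == "DOCKER" && $3 == "DNAT" &&
            ($4 == "udp" || $4 == "17") &&
            $11 == ("dpt:" port) &&
            $12 == ("to:" ip ":" port)              { n++ }
        END                                         { print n + 0 }'
}

# vpn_forwarding_ok IP
#   Exit 0 when both IKE (500) and NAT-T (4500) are forwarded to IP,
#   exit 1 otherwise, naming each missing rule on stderr.
#   Reads the nat table listing on stdin.
vpn_forwarding_ok() {
    ip="$1"
    table=$(cat)
    rc=0
    for port in 500 4500; do
        n=$(printf '%s\n' "$table" | vpn_dnat_rules "$ip" "$port")
        if [ "$n" -eq 0 ]; then
            echo "missing: DNAT udp dpt:$port to:$ip:$port in chain DOCKER" >&2
            rc=1
        fi
    done
    return $rc
}

# sample_nat_table
#   Constructed sample: the nat table listing quoted in the thread above.
sample_nat_table() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE udp -- * * 172.17.0.2 172.17.0.2 udp dpt:4500
0 0 MASQUERADE udp -- * * 172.17.0.2 172.17.0.2 udp dpt:500
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 to:172.17.0.2:4500
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 to:172.17.0.2:500
EOF
}

# Live use on the Docker host:
#   sudo iptables -nvL -t nat | sh check_vpn_nat.sh --live 172.17.0.2
# Without --live the script checks the embedded sample instead.
if [ "$1" = "--live" ]; then
    vpn_forwarding_ok "$2" && echo "UDP 500/4500 are forwarded to $2"
else
    sample_nat_table | vpn_forwarding_ok 172.17.0.2 \
        && echo "sample listing: UDP 500/4500 are forwarded to 172.17.0.2"
fi
```

A listener bound to 172.17.0.2 inside the container is the expected state; what this script verifies is the host-side translation step that turns a packet addressed to the public IP into one addressed to the container. If both rules are present and Libreswan still logs nothing on a client connect, the packet is being dropped before or after DNAT (upstream firewall, FORWARD chain), not by the container's bind address.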
I have tried to enable the Libreswan logs in the container. But when I tried to check the log file /var/log/auth.log after I tried to connect to my container, I could not find that file. And I still cannot connect to my server.
By the way, I can use netcat to send and receive data from my docker host on ports 500 and 4500 over UDP.
Checklist
Describe the issue: The processes in docker are listening on IP address 172.17.0.2 but not 0.0.0.0. So they cannot receive the UDP data coming from a client whose target address is a public IP address, not 172.17.0.2. I have tried to use the netcat tool to test my network. This is the result:
To Reproduce: Create a docker container and check its listen address.
Expected behavior: I expect the listening address of the docker container to be 0.0.0.0, not 172.17.0.2.
Logs: Enable logs, check VPN status, and add error logs to help explain the problem, if applicable.
Server (please complete the following information)
Client (please complete the following information)
Additional context: Nothing.