hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

Service on the same machine as the VPN can't tell from the src IP whether the user sending packets is connected to the VPN #382

Closed gugajazz closed 1 year ago

gugajazz commented 1 year ago

The issue: I have this VPN running in a Docker container. When I connect to it using IKEv2 everything works well, and going to "What is my IP" shows me the VPN's IP as expected. I also have a service on a different port on that same computer. When I am connected to the VPN and go to access that service, the packets the service receives are from my original IP and not from the VPN's IP or even from an internal IP. It's crucial for me to be able to distinguish whether someone is accessing my service after authenticating with the VPN or before, and because of this behavior I am unable to.

I have confirmed that all the packets from the connected client show the VPN's IP when going to external IPs, but when going to the same IP as the VPN they show the source IP as coming from the actual client's IP.

I am analyzing the packets with

  sudo tcpdump -i enp5s0 -n dst port 52443

so the UFW rules shouldn't affect what I'm seeing. This is an example:

  20:28:42.043831 IP {theClient'sIP}.7928 > 192.168.1.200.52443: Flags [S], seq 1645898948, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0

Here I would like to see either a local IP or the VPN's IP instead of {theClient'sIP}.

Expected behavior: I expected that the service at 52443 would be able to tell by the source address whether the user was connected to the VPN or not, whether because the IP was the same as the VPN's or because it was an internal IP.

Logs: These are the contents of my ikev2.conf. Maybe the solution is in one of these settings, but I have read everything in these documents https://libreswan.org/man/ipsec.conf.5.html like 5 times and nothing got it to work.

conn ikev2-cp
  left=%defaultroute
  leftcert=myhostnameexample.com
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  rightsourceip=myvpnip # Replaced my actual IP with "myvpnip". Also I don't know if this does anything, but I tried it.
  leftrsasigkey=%cert
  right=%any
  rightid=%fromcert
  rightaddresspool=192.168.43.10-192.168.43.250
  rightca=%same
  rightrsasigkey=%cert
  narrowing=yes
  dpddelay=30
  retransmit-timeout=300s
  dpdaction=clear
  auto=add
  ikev2=insist
  rekey=no
  pfs=yes
  ikelifetime=24h
  salifetime=24h
  encapsulation=yes
  leftid=@myhostnameexample.com
  modecfgdns="8.8.8.8 8.8.4.4"
  mobike=no

These are my iptables rules:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere            !localhost/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.22.0.0/16        anywhere            
MASQUERADE  all  --  172.17.0.0/16        anywhere            
MASQUERADE  tcp  --  172.22.0.2           172.22.0.2           tcp dpt:https
MASQUERADE  udp  --  172.22.0.4           172.22.0.4           udp dpt:ipsec-nat-t
MASQUERADE  udp  --  172.22.0.4           172.22.0.4           udp dpt:isakmp
MASQUERADE  tcp  --  172.22.0.3           172.22.0.3           tcp dpt:ms-sql-s

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
DNAT       tcp  --  anywhere             anywhere             tcp dpt:51443 to:172.22.0.2:443
DNAT       udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t to:172.22.0.4:4500
DNAT       udp  --  anywhere             anywhere             udp dpt:isakmp to:172.22.0.4:500

Additional context: I have read and tried almost everything for countless hours; any help is seriously appreciated, and sorry if this is more appropriate for the Libreswan or the Docker IPsec repo. Thanks in advance, and thanks for the amazing solution that this repo is.

NetJagaimo commented 1 year ago

@gugajazz Why did you close this issue? I have encountered the same problem. Do you have any solution for it?

gugajazz commented 1 year ago

Sorry, I didn't think anyone else was facing the same issue. Yes, I have figured out a solution; I will write here what I did as soon as I have time today :) A quick explanation is that, essentially, instead of trying to reach the service through the external IP and an open port in the router, it works well if we try to reach it using the internal IP of the machine running it (no need for open ports). I will explain better soon though; I hope I can help.