hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

[Support] Accessing the host network and public internet via the IKEv2 VPN #408

Closed KyleKotowick closed 9 months ago

KyleKotowick commented 9 months ago

I have a Docker host sitting behind a NAT (UDP 500 and 4500 forwarded to the host). I've set up an IKEv2 VPN like so:

compose.yml

services:
  vpn:
    container_name: ipsec-vpn-server
    image: "hwdsl2/ipsec-vpn-server"
    restart: always
    ports:
      - "500:500/udp"
      - "4500:4500/udp"
    volumes:
      - /lib/modules:/lib/modules:ro
      - ikev2-vpn-data:/etc/ipsec.d
    privileged: true
    environment:
      - VPN_IKEV2_ONLY=yes
      - VPN_CLIENT_NAME=myname
      - VPN_DNS_NAME=vpn.myname.net

volumes:
  ikev2-vpn-data:

I run this on a Windows 11 Professional machine using Docker for WSL2 (docker compose up). The container starts and outputs the following:

PS C:\Users\MyName\Desktop\VPNTest> docker compose up
[+] Building 0.0s (0/0)                                                          docker:default
[+] Running 3/0
 ✔ Network desktop_default          Created                                                0.0s
 ✔ Volume "desktop_ikev2-vpn-data"  Created                                                0.0s
 ✔ Container ipsec-vpn-server       Created                                                0.0s
Attaching to ipsec-vpn-server
ipsec-vpn-server  |
ipsec-vpn-server  | VPN credentials not set by user. Generating random PSK and password...
ipsec-vpn-server  |
ipsec-vpn-server  | Note: Running in IKEv2-only mode via env file option.
ipsec-vpn-server  |       IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes are disabled.
ipsec-vpn-server  | Warning: Extension policy revision 0 not supported, missing kernel module?
ipsec-vpn-server  | iptables: No chain/target/match by that name.
ipsec-vpn-server  | iptables: Index of insertion too big.
ipsec-vpn-server  | iptables: Index of insertion too big.
ipsec-vpn-server  | iptables: Index of insertion too big.
ipsec-vpn-server  | Warning: Extension policy revision 0 not supported, missing kernel module?
ipsec-vpn-server  | iptables: Index of insertion too big.
ipsec-vpn-server  | iptables: Index of insertion too big.
ipsec-vpn-server  | Warning: Extension policy revision 0 not supported, missing kernel module?
ipsec-vpn-server  | iptables: No chain/target/match by that name.
ipsec-vpn-server  |
ipsec-vpn-server  | Starting IPsec service...
ipsec-vpn-server  |
ipsec-vpn-server  | Setting up IKEv2. This may take a few moments...
ipsec-vpn-server  |
ipsec-vpn-server  | ================================================
ipsec-vpn-server  |
ipsec-vpn-server  | IKEv2 setup successful. Details for IKEv2 mode:
ipsec-vpn-server  |
ipsec-vpn-server  | VPN server address: vpn.myname.net
ipsec-vpn-server  | VPN client name: myname
ipsec-vpn-server  |
ipsec-vpn-server  | Client configuration is available inside the
ipsec-vpn-server  | Docker container at:
ipsec-vpn-server  | /etc/ipsec.d/myname.p12 (for Windows & Linux)
ipsec-vpn-server  | /etc/ipsec.d/myname.sswan (for Android)
ipsec-vpn-server  | /etc/ipsec.d/myname.mobileconfig (for iOS & macOS)
ipsec-vpn-server  |
ipsec-vpn-server  | Next steps: Configure IKEv2 clients. See:
ipsec-vpn-server  | https://vpnsetup.net/clients2
ipsec-vpn-server  |
ipsec-vpn-server  | ================================================
ipsec-vpn-server  |
ipsec-vpn-server  | xl2tpd[1]: Not looking for kernel SAref support.
ipsec-vpn-server  | xl2tpd[1]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
ipsec-vpn-server  | xl2tpd[1]: xl2tpd version xl2tpd-1.3.18 started on 5d30aeb368e6 PID:1
ipsec-vpn-server  | xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
ipsec-vpn-server  | xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
ipsec-vpn-server  | xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
ipsec-vpn-server  | xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
ipsec-vpn-server  | xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701

I'm not sure if the iptables complaints or the other Extension policy warnings are expected or a problem. In any case, I copy the myname.p12 file to the client machine (also Windows 11 Pro), run the automated setup script, and it creates the VPN connection. I am then able to connect to the VPN without issue.

However, after connecting to the VPN, the client machine now has no network access. I cannot ping the Docker container (using its assigned IP), I cannot ping the host machine (it responds to pings from other hosts on the local network), and I cannot access/ping anything on the public internet (the Docker host has full public internet access). Is this expected? If so, what would be the appropriate configuration changes to make it so my VPN client can access the Docker host, other machines on the Docker host's local network, and public internet?

hwdsl2 commented 9 months ago

@KyleKotowick Hello! Docker for Windows is not currently supported in this project. It has not been tested on that platform.

The error messages you encountered, such as:

Warning: Extension policy revision 0 not supported, missing kernel module?

This indicates that your Docker host (Docker for WSL2 on Windows 11 in this case) is missing the IPTables policy extension. A workaround was added earlier to this Docker image for this type of issue; see commit 5e1a69f. For the relevant IPTables rules in the image, refer to: https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/b1ee97978f61b7552e73039e47ed8e8f5f06d905/run.sh#L543-L573

The issue you described (no internet after connecting to the VPN) is likely caused by IPTables problems in the Docker container. You may check the current IPTables rules using:

docker exec -it ipsec-vpn-server iptables -nvL
docker exec -it ipsec-vpn-server iptables -nvL -t nat

Post the output of these commands here. I can take a look but may not find a solution.
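A small diagnostic helper, added here as an example and not code from the hwdsl2 image or from either participant in this thread: it parses saved output of the two iptables commands above and reports which of the NAT and forwarding rules a VPN client depends on is missing. The client subnet 192.168.43.0/24 and the rule layout in the constructed dumps are assumptions; substitute the values from your own container.

```shell
#!/bin/sh
# Added diagnostic helper; not code from the hwdsl2 image or from this thread.
# It checks saved `iptables -nvL -t nat` and `iptables -nvL` output (the two
# commands suggested above) for what a VPN client needs to reach the internet:
# a MASQUERADE rule for the client subnet in nat/POSTROUTING and ACCEPT rules
# for that subnet in FORWARD. The client subnet is an assumption; override it.
VPN_SUBNET="${VPN_SUBNET:-192.168.43.0/24}"

# has_masquerade NAT_DUMP: 0 if POSTROUTING masquerades traffic from $VPN_SUBNET.
has_masquerade() {
  printf '%s\n' "$1" | awk -v net="$VPN_SUBNET" '
    /^Chain / { chain = $2 }
    chain == "POSTROUTING" && $3 == "MASQUERADE" && $8 == net { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# has_forward FILTER_DUMP: 0 if FORWARD accepts $VPN_SUBNET as source and as
# destination (columns: pkts bytes target prot opt in out source destination).
has_forward() {
  printf '%s\n' "$1" | awk -v net="$VPN_SUBNET" '
    /^Chain / { chain = $2 }
    chain == "FORWARD" && $3 == "ACCEPT" && $8 == net { src = 1 }
    chain == "FORWARD" && $3 == "ACCEPT" && $9 == net { dst = 1 }
    END { exit ((src && dst) ? 0 : 1) }'
}

# diagnose NAT_DUMP FILTER_DUMP: reports each missing piece; 0 only if both present.
diagnose() {
  rc=0
  has_masquerade "$1" || { echo "missing: MASQUERADE for $VPN_SUBNET in nat/POSTROUTING"; rc=1; }
  has_forward "$2" || { echo "missing: FORWARD ACCEPT rules for $VPN_SUBNET"; rc=1; }
  return $rc
}

# Constructed sample dumps: a healthy container, and one where the rules never
# landed (the "Index of insertion too big" / missing policy extension case).
GOOD_NAT='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth+    192.168.43.0/24      0.0.0.0/0            policy match dir out pol none'
GOOD_FILTER='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       192.168.43.0/24      0.0.0.0/0            policy match dir in pol ipsec
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.43.0/24      policy match dir out pol ipsec'
EMPTY_NAT='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

diagnose "$GOOD_NAT" "$GOOD_FILTER" && echo "ok: NAT and forwarding rules present"
```

To use it against a live container, capture `docker exec ipsec-vpn-server iptables -nvL -t nat` and `docker exec ipsec-vpn-server iptables -nvL` into variables and pass them to diagnose.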

KyleKotowick commented 9 months ago

I switched to a Linux host and, as expected, everything works well. I'm able to connect to the VPN with my Windows 11 Pro laptop and access both the local network and public internet via the VPN.

I've followed the instructions for Android 14 though (native IKEv2 VPN client), to set it up on my phone, and am having issues. It is able to connect but cannot access the internet. I'm just getting a "No Internet" error page in Chrome for Android. Note that I created two clients on the VPN server (one for laptop, one for phone). Any thoughts as to why this works on the laptop but not the Android phone?

hwdsl2 commented 9 months ago

@KyleKotowick Try the strongSwan Android VPN client (instructions). Some customized Android versions have a broken VPN implementation, resulting in no Internet while connected to the VPN. For more details, refer to this recent issue https://github.com/hwdsl2/setup-ipsec-vpn/issues/1495#issuecomment-1825989402.

I'm closing this issue as you are now using a Linux host which no longer has the original issue. If you have additional information or findings feel free to continue to reply here.