Closed jeffe210 closed 6 months ago
To be honest that's the first time I hear this scenario. Can you provide some logs and the container configuration you are using?
Hopefully I can help give some info without going overboard (let me know if I miss anything):
uname -a output:

```
Linux synology 4.4.59+ #25556 SMP PREEMPT Tue May 2 17:23:42 CST 2023 x86_64 GNU/Linux synology_geminilake_220+
```

OPENVPN_OPTS:

Container log:

```
Chose: us-chi.prod.surfshark.com_udp.ovpn
Do not forget to expose the ports for attached container web ui access
Creating TUN device /dev/net/tun
mknod: /dev/net/tun: File exists
Enabling IP MASQUERADE using IP Tables
iptables: Failed to initialize nft: Protocol not supported
```

```
root@synology:/usr/sbin# iptables -V
iptables v1.6.0
root@synology:/usr/sbin# docker exec -it SurfShark-1.7.2 sh
/vpn # iptables -V
iptables: Failed to initialize nft: Protocol not supported
/vpn # curl icanhazip.com
149.34.240.99
```
From outside the container I'm getting my actual public IP, so I know the tunnel is up and running. I can also ping the container from my workstation too. When I run a tcpdump on the Synology I see the packets bound for icanhazip.com going to the container IP and also a traceroute from my workstation shows it as the next hop, so I know data is getting that far. I'm thinking it's an issue with iptables not being able to do masquerading and NAT, but I can't get additional logs or things to try.
Doing some more testing and it's definitely the iptables part. I set up the container exactly the same way on an RPi3 that I had lying around with the same environmental variables and a macvlan bridge set up. This time I see "Enabling IP MASQUERADE using IP Tables" in the logs and when I set up a static route from my workstation to the container IP it works and I see the VPN IP instead of my public IP.
I don't think this issue is related to your container as I think the issue is that the Synology I have runs too old of a version of iptables (1.6.0) and I need to find a version that has nf_tables in it (or roll back the container iptables version to a legacy version).
That being said, it works really well as a gateway for sending random routes to and doing split tunneling!
I never had a synology, but if you have the chance to create your own container, what if you try to forcefully install an old version of iptables inside the container? Version 1.8.4 or before, just to see how it behaves
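An added example, not code from this container or its author: a small POSIX sh helper that classifies the `iptables -V` output seen in this thread (the host's 1.6.0 build versus an nf_tables build inside the container), and prints a minimal masquerade rule set that only lets one LAN prefix use the tunnel instead of forwarding for everything. The interface names eth0/tun0, the LAN prefix, and the presence of an `iptables-legacy` binary in the image are assumptions.

```shell
#!/bin/sh
# Added example, not the container's own code.
# Assumptions: tun0 is the VPN interface, eth0 is the LAN-facing (macvlan)
# interface, and the image ships iptables-legacy beside iptables.

# Classify one line of `iptables -V` output.
#   "iptables v1.8.x (nf_tables)" -> nft     (needs nf_tables in the kernel)
#   "iptables v1.8.x (legacy)"    -> legacy  (classic x_tables backend)
#   "iptables v1.6.0"             -> legacy  (pre-1.8 builds only have x_tables)
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        "iptables v"*)   echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Pick a binary the running kernel can actually drive: if the nft build
# fails with the error quoted in the thread, fall back to iptables-legacy.
select_iptables() {
    if iptables -L -n 2>&1 | grep -q "Failed to initialize nft"; then
        command -v iptables-legacy || return 1
    else
        echo iptables
    fi
}

# Print the rule set rather than applying it, so it can be reviewed first.
# Only LAN_NET is NATed into the tunnel; everything else is dropped, and
# return traffic from the tunnel is limited to established connections.
masquerade_rules() {
    ipt="$1" lan_if="$2" vpn_if="$3" lan_net="$4"
    cat <<EOF
$ipt -t nat -A POSTROUTING -s $lan_net -o $vpn_if -j MASQUERADE
$ipt -A FORWARD -i $lan_if -o $vpn_if -s $lan_net -j ACCEPT
$ipt -A FORWARD -i $vpn_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ipt -P FORWARD DROP
EOF
}

# Usage (run inside the container as root):
#   IPT=$(select_iptables) && masquerade_rules "$IPT" eth0 tun0 192.168.1.0/24 | sh
```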
So I am trying to figure out if I'm using the container wrong, or there's an issue with it running on my Synology. I downloaded the container, I have it connected to a macvlan bridge and can ping it from an IP that it gets on my LAN. When I view the logs I see that it connects to the internet, pulls in the ovpn bundle and connects just fine to SurfShark and when I drop into an sh prompt I can curl "icanhazip.com" and get a SurfShark backed IP, so I know all that works as intended.
What I want to do though is route traffic from my LAN through it for certain routes. I can easily set those routes on my gateway, or any of my devices to make the container the next hop, and doing a tcpdump I can see traffic makes it to the container, but after that it doesn't seem to actually tunnel the traffic through. I tried to enable Masquerading by setting ENABLE_MASQUERADE to "true" but that doesn't seem to work and I also get an iptables error from within the container stating "Failed to initialize nft: Protocol not supported".
Am I attempting to use this container in a way it wasn't designed or am I doing something wrong?