kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License

How to run in --net=host mode? #684

Open thesocialproxy opened 2 years ago

thesocialproxy commented 2 years ago

I have followed the quick start in the readme file, and everything worked perfectly: I was able to connect a client to the server. However, for my use case I need to run in host networking mode, which I have been trying to do for the last 2 days without success.

These are the commands I ran on a default $5 DigitalOcean droplet (with all ports open):

OVPN_DATA="ovpn-data-example"
docker volume create --name $OVPN_DATA
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -N -u udp://digitalocean-public-IP(eth1 IP)
docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn

Finally:

root@host:~/test# docker run -v $OVPN_DATA:/etc/openvpn --net=host --cap-add=NET_ADMIN kylemanna/openvpn
Checking IPv6 Forwarding
Sysctl error for default forwarding, please run docker with '--sysctl net.ipv6.conf.default.forwarding=1'
Sysctl error for all forwarding, please run docker with '--sysctl net.ipv6.conf.all.forwarding=1'
Running 'openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --crl-verify /etc/openvpn/crl.pem '
Sat Nov 27 00:40:24 2021 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Sat Nov 27 00:40:24 2021 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Sat Nov 27 00:40:24 2021 Diffie-Hellman initialized with 2048 bit key
Sat Nov 27 00:40:24 2021 CRL: loaded 1 CRLs from file /etc/openvpn/crl.pem
Sat Nov 27 00:40:24 2021 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 27 00:40:24 2021 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 27 00:40:24 2021 ROUTE_GATEWAY PUBLIC-IP/255.255.240.0 IFACE=eth0 HWADDR=6e:2d:3f:71:f5:7d
Sat Nov 27 00:40:24 2021 TUN/TAP device tun0 opened
Sat Nov 27 00:40:24 2021 TUN/TAP TX queue length set to 100
Sat Nov 27 00:40:24 2021 /sbin/ip link set dev tun0 up mtu 1500
Sat Nov 27 00:40:24 2021 /sbin/ip addr add dev tun0 local 192.168.255.1 peer 192.168.255.2
Sat Nov 27 00:40:24 2021 /sbin/ip route add 192.168.254.0/24 via 192.168.255.2
Sat Nov 27 00:40:24 2021 /sbin/ip route add 192.168.255.0/24 via 192.168.255.2
Sat Nov 27 00:40:24 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Nov 27 00:40:24 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Nov 27 00:40:24 2021 UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Nov 27 00:40:24 2021 UDPv4 link remote: [AF_UNSPEC]
Sat Nov 27 00:40:24 2021 GID set to nogroup
Sat Nov 27 00:40:24 2021 UID set to nobody
Sat Nov 27 00:40:24 2021 MULTI: multi_init called, r=256 v=256
Sat Nov 27 00:40:24 2021 IFCONFIG POOL: base=192.168.255.4 size=62, ipv6=0
Sat Nov 27 00:40:24 2021 Initialization Sequence Completed

Then on the client I am running:

root@ubuntu:/etc/openvpn# openvpn --config /etc/openvpn/CLIENTNAME.ovpn
Sat Nov 27 00:41:43 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
Sat Nov 27 00:41:43 2021 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Sat Nov 27 00:41:43 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]PUBLIC-IP:1194
Sat Nov 27 00:41:43 2021 UDP link local: (not bound)
Sat Nov 27 00:41:43 2021 UDP link remote: [AF_INET]PUBLIC-IP:1194

At this point nothing happens: I get no response from either end, and the client gives up after 60 seconds.

Any idea what is wrong?
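Host mode changes three things in this setup that are worth verifying on the droplet before looking anywhere else: the UDP/1194 socket is now created in the host's network namespace, the MASQUERADE rule that `ovpn_genconfig -N` makes the entrypoint add now lands in the host's nat table (which is what `--cap-add=NET_ADMIN` permits), and forwarding is governed by the host's own sysctls (the IPv6 forwarding settings the entrypoint complains about in the log are, in host mode, host settings, so they are applied with `sysctl -w` on the host rather than via `docker run --sysctl`). The script below is an example added to this thread, not code from kylemanna/docker-openvpn; it checks each of the three. The `ss`, `iptables -S` and `sysctl` outputs it parses in the default run are constructed samples, the file name `ovpn_hostmode_check.sh` is an assumption, and the VPN subnet `192.168.255.0/24` is the default that matches the ifconfig pool in the server log.

```shell
#!/bin/sh
# Pre-flight checks for kylemanna/openvpn started with --net=host.
# Added example for this thread, not code from the docker-openvpn project.
# Each check_* function inspects the text passed in $1, so the same logic runs
# offline against the constructed samples below or, as root on the droplet,
# against live command output:  sh ovpn_hostmode_check.sh --live

VPN_SUBNET=192.168.255.0/24   # default OVPN_SERVER; matches the IFCONFIG POOL in the log

# 1. In host mode the socket lives in the host's network namespace, so `ss -lun`
#    on the host must show a UDP listener on the wildcard address, port 1194.
#    If it does not, the server is not actually host-networked (or never started).
check_listener() {
    printf '%s\n' "$1" |
        grep -Eq '(^|[[:space:]])(0\.0\.0\.0|\*|\[::\]):1194([[:space:]]|$)'
}

# 2. With `ovpn_genconfig -N` the entrypoint masquerades the VPN subnet on the
#    way out. In host mode that rule must be in the HOST nat table; this is the
#    write that --cap-add=NET_ADMIN allows. $2 is the VPN subnet in CIDR form.
check_nat() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "$1" |
        grep -Eq "^-A POSTROUTING -s $esc -o [^ ]+ -j MASQUERADE\$"
}

# 3. Packets arriving on tun0 are only routed out via eth0 when the host has
#    net.ipv4.ip_forward=1 (the IPv6 forwarding sysctls from the log are the
#    host's as well in host mode: set them with `sysctl -w` on the host).
check_forward() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = 1 ]
}

# Runs all three checks, prints one line per check, returns the failure count.
# Arguments: ss-output nat-table-output ip_forward-value vpn-subnet
run_checks() {
    fails=0
    if check_listener "$1"; then echo "ok   udp/1194 is bound in the host namespace"
    else echo "FAIL no udp/1194 listener on the host"; fails=$((fails + 1)); fi
    if check_nat "$2" "$4"; then echo "ok   MASQUERADE rule for $4 present"
    else echo "FAIL no MASQUERADE rule for $4 in the host nat table"; fails=$((fails + 1)); fi
    if check_forward "$3"; then echo "ok   net.ipv4.ip_forward=1"
    else echo "FAIL net.ipv4.ip_forward is not 1"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed samples (not captured from the droplet): what the three commands
# look like when host mode is working, and when the container is still on the
# bridge network with nothing set up on the host.
GOOD_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
UNCONN 0      0            0.0.0.0:1194 0.0.0.0:*'
BAD_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*'
GOOD_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE'
BAD_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE'

if [ "${1:-}" = "--live" ]; then
    # Needs root. Exit status is the number of failed checks.
    run_checks "$(ss -lun)" "$(iptables -t nat -S POSTROUTING)" \
               "$(sysctl -n net.ipv4.ip_forward)" "$VPN_SUBNET"
else
    echo "== sample: host-mode server set up correctly =="
    run_checks "$GOOD_SS" "$GOOD_NAT" 1 "$VPN_SUBNET" || true
    echo "== sample: container still bridged, host untouched =="
    run_checks "$BAD_SS" "$BAD_NAT" 0 "$VPN_SUBNET" || true
fi
```

Run without arguments it exercises the two constructed samples; with `--live` as root on the droplet it parses the real `ss`, `iptables` and `sysctl` output and exits with the number of failed checks. Two caveats that follow from the flags in the post: `--net=host` removes the container's network isolation entirely, and `NET_ADMIN` lets the entrypoint rewrite the host's routes and nat table, so treat the image as trusted host-level code in this mode. The log shows OpenVPN itself dropping to `nobody`/`nogroup` after initialisation, which limits what the VPN process can do afterwards but does not undo the iptables changes made at startup.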

sxyandapp commented 1 year ago

In --net=host mode it really could not reach other machines; in the end I used the normal mode instead (even though it adds one extra NAT hop).