wheelybird / openvpn-server-ldap-otp

A dockerised OpenVPN server using LDAP for authentication, with optional 2FA via Google Authenticator
MIT License

change setup_networking.sh OVPN_NAT is not true add iptables #76

Open AEGEGE opened 1 year ago

AEGEGE commented 1 year ago

If OVPN_NAT is not true, iptables camouflage will not be added

wheelybird commented 1 year ago

I don't understand the reason for this change. If OVPN_NAT is true then we need to add the masquerade rules. Your change would add them if OVPN_NAT wasn't true, which makes no sense.

AEGEGE commented 1 year ago

> I don't understand the reason for this change. If OVPN_NAT is true then we need to add the masquerade rules. Your change would add them if OVPN_NAT wasn't true, which makes no sense.

I think it's because after dialing the VPN, if you want to access other networks, you need to pretend to be a network card recognized by the switch. Otherwise, you will be unable to access other networks. For example, I specify the host network (--network host) when starting up. When adding network card camouflage, I can access other networks.

I can't access other networks without adding network card camouflage.

wheelybird commented 1 year ago

Yes, so you need to pass OVPN_NAT=true to your docker command. e.g.:


docker run \
           --name openvpn \
           --volume /path/on/host:/etc/openvpn \
           --detach=true \
           -p 1194:1194/udp \
           -e "OVPN_SERVER_CN=myserver.mycompany.com" \
           -e "LDAP_URI=ldap://ldap.mycompany.com" \
           -e "LDAP_BASE_DN=dc=mycompany,dc=com" \
           -e "LDAP_BIND_USER_DN=cn=example,dc=mycompany,dc=com" \
           -e "LDAP_BIND_USER_PASS=examplepass" \
           -e "OVPN_NAT=true" \
           --cap-add=NET_ADMIN \
           wheelybird/openvpn-ldap-otp:v1.8

AEGEGE commented 1 year ago

> Yes, so you need to pass OVPN_NAT=true to your docker command. e.g.:
>
>     docker run \
>                --name openvpn \
>                --volume /path/on/host:/etc/openvpn \
>                --detach=true \
>                -p 1194:1194/udp \
>                -e "OVPN_SERVER_CN=myserver.mycompany.com" \
>                -e "LDAP_URI=ldap://ldap.mycompany.com" \
>                -e "LDAP_BASE_DN=dc=mycompany,dc=com" \
>                -e "LDAP_BIND_USER_DN=cn=example,dc=mycompany,dc=com" \
>                -e "LDAP_BIND_USER_PASS=examplepass" \
>                -e "OVPN_NAT=true" \
>                --cap-add=NET_ADMIN \
>                wheelybird/openvpn-ldap-otp:v1.8

There is also a scenario where I don't want the VPN to proxy all my networks, which would cause problems with my other links. I just want to access some of my designated networks through the VPN (-e OVPN_ROUTES="10.3.33.0 255.255.255.0"), and even if I only want to access this CIDR, I still need to camouflage the network card. I have tested that as long as I change setup_networking.sh, even if -e "OVPN_NAT=false" is added, iptables will be added normally after I start it, and I can access it normally.
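The disagreement in this thread is about whether the MASQUERADE rule should be gated on OVPN_NAT or added unconditionally. The snippet below is an added illustration, not the project's setup_networking.sh: it derives the POSTROUTING rules from the two variables the thread mentions (OVPN_NAT and OVPN_ROUTES) and prints them instead of applying them, so the gating logic can be checked without NET_ADMIN. The function name and the VPN client subnet argument are assumptions for this example. It also shows the split-tunnel case from the last comment: pushed routes still need NAT when the VPN client subnet is not routable on the LAN, but that is a reason to set OVPN_NAT=true for that deployment, not to masquerade by default, because with --network host the rule lands in the host's own nat table.

```shell
#!/bin/sh
# Added example (not the project's own script). Prints the iptables commands
# implied by OVPN_NAT / OVPN_ROUTES for a given VPN client subnet.
#   $1 = OVPN_NAT value ("true" enables NAT)
#   $2 = OVPN_ROUTES value: "net mask [net mask ...]" (empty = full tunnel)
#   $3 = VPN client subnet in CIDR form (assumed argument, e.g. 10.8.0.0/24)
nat_rules() {
    ovpn_nat="$1"; routes="$2"; vpn_subnet="$3"

    # Gate: masquerading is only emitted when the operator asked for it.
    # With --network host these rules modify the host's nat table, so an
    # unconditional default would silently change host-wide forwarding.
    [ "$ovpn_nat" = "true" ] || return 0

    if [ -z "$routes" ]; then
        # Full tunnel: masquerade everything leaving the VPN client subnet.
        echo "iptables -t nat -A POSTROUTING -s $vpn_subnet -j MASQUERADE"
        return 0
    fi

    # Split tunnel: one rule per pushed "network netmask" pair, so only
    # traffic for the designated networks is masqueraded.
    set -- $routes
    while [ $# -ge 2 ]; do
        echo "iptables -t nat -A POSTROUTING -s $vpn_subnet -d $1/$2 -j MASQUERADE"
        shift 2
    done
}

# Stand-alone usage: show what the current environment would produce.
nat_rules "${OVPN_NAT:-false}" "${OVPN_ROUTES:-}" "${VPN_SUBNET:-10.8.0.0/24}"
```

Running it with OVPN_NAT=false prints nothing, which is the behaviour the maintainer describes; with OVPN_NAT=true and OVPN_ROUTES="10.3.33.0 255.255.255.0" it prints a single rule scoped to that network, so the split-tunnel case from the last comment works without opening NAT for every destination.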