Open AEGEGE opened 1 year ago
I don't understand the reason for this change. If OVPN_NAT is true then we need to add the masquerade rules. Your change would add them if OVPN_NAT wasn't true, which makes no sense.
I think it's because after connecting to the VPN, if you want to access other networks, you need to pretend to be a network card recognized by the switch. Otherwise, you will be unable to access other networks. For example: I specify the host network with --network host when starting up. When I add the network card camouflage, I can access other networks.
I can't access other networks without adding the network card camouflage.
Yes, so you need to pass OVPN_NAT=true to your docker command, e.g.:
docker run \
--name openvpn \
--volume /path/on/host:/etc/openvpn \
--detach=true \
-p 1194:1194/udp \
-e "OVPN_SERVER_CN=myserver.mycompany.com" \
-e "LDAP_URI=ldap://ldap.mycompany.com" \
-e "LDAP_BASE_DN=dc=mycompany,dc=com" \
-e "LDAP_BIND_USER_DN=cn=example,dc=mycompany,dc=com" \
-e "LDAP_BIND_USER_PASS=examplepass" \
-e "OVPN_NAT=true" \
--cap-add=NET_ADMIN \
wheelybird/openvpn-ldap-otp:v1.8
There is also a scenario where I don't want the VPN to proxy all my networks, which would cause problems with my other links. I just want to access some designated networks through the VPN with -e OVPN_ROUTES="10.3.33.0 255.255.255.0". Even if I only want to access this CIDR, I still need to camouflage the network card. I have tested that, as long as I change setup_networking.sh, the iptables rules are added normally after I start it, even when -e "OVPN_NAT=false" is added, and I can access it normally.
If OVPN_NAT is not true, iptables camouflage will not be added.
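The gate the maintainer describes, written out as an added example rather than the project's own setup_networking.sh: the MASQUERADE rule is generated only when OVPN_NAT is explicitly true, is limited to traffic from the VPN client subnet leaving via the egress interface, and, when OVPN_ROUTES is set as in the split-tunnel case above, is further limited to each routed destination so that nothing outside the pushed networks gets masqueraded. OVPN_NAT and OVPN_ROUTES come from the thread; the subnet, interface, OVPN_NETWORK / OVPN_NAT_DEV names and the IPTABLES_CMD dry-run hook are assumptions, not project variables.

```shell
#!/bin/sh
# Added example, not the project's setup_networking.sh: add MASQUERADE rules
# only when OVPN_NAT is true. Assumed (not from the project): OVPN_NETWORK
# (VPN client subnet, CIDR), OVPN_NAT_DEV (egress interface), IPTABLES_CMD.

# Normalise the flag: only an explicit true/yes/1 (any case) enables NAT;
# unset, empty or anything else disables it.
ovpn_nat_enabled() {
  case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in
    true|yes|1) return 0 ;;
    *)          return 1 ;;
  esac
}

# Print one iptables argument line per rule to add, or nothing when NAT is off.
# Usage: nat_rules_for OVPN_NAT OVPN_NETWORK OVPN_NAT_DEV [OVPN_ROUTES]
# OVPN_ROUTES is a list of "net mask" pairs; when given, each rule is limited
# to one routed destination (iptables accepts a dotted mask after the slash).
nat_rules_for() {
  flag=$1 subnet=$2 dev=$3 routes=${4:-}
  ovpn_nat_enabled "$flag" || return 0
  if [ -z "$routes" ]; then
    printf '%s\n' "-t nat -A POSTROUTING -s $subnet -o $dev -j MASQUERADE"
    return 0
  fi
  set -- $routes            # split "net mask net mask ..." into words
  while [ $# -ge 2 ]; do
    printf '%s\n' "-t nat -A POSTROUTING -s $subnet -d $1/$2 -o $dev -j MASQUERADE"
    shift 2
  done
}

# Feed the generated rules to iptables. IPTABLES_CMD defaults to the real
# binary; set IPTABLES_CMD="echo iptables" to dry-run without root.
apply_nat_rules() {
  nat_rules_for "$@" | while IFS= read -r args; do
    # word-splitting of $args into separate iptables arguments is intended
    ${IPTABLES_CMD:-iptables} $args
  done
}

# Demo with constructed values (dry run: prints the commands it would run).
IPTABLES_CMD="echo iptables"
echo "OVPN_NAT=true, full tunnel:"
apply_nat_rules true 10.8.0.0/24 eth0
echo "OVPN_NAT=true, split tunnel via OVPN_ROUTES:"
apply_nat_rules true 10.8.0.0/24 eth0 "10.3.33.0 255.255.255.0"
echo "OVPN_NAT=false (nothing added):"
apply_nat_rules false 10.8.0.0/24 eth0
```

Keeping the rule generation separate from the call to iptables is what makes the gate checkable: the script can be run as an unprivileged dry run to confirm that OVPN_NAT=false (or an unset variable) produces no rules at all, while a real run on the host only ever masquerades the VPN subnet rather than everything the container can see.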