[GH-ISSUE #133] No Internet access when connected to VPN #121

Closed
opened 2026-03-02 07:27:55 +03:00 by kerem · 1 comment

Originally created by @arabold on GitHub (Apr 5, 2019).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/133

I have a problem that's probably more related to iptables than to the Docker image itself, but hopefully someone can help me on this nonetheless... 🙏

I want to be able to connect my Laptop to my Server running the VPN docker container from within the same Wi-Fi. I'm not going through a NAT nor do I plan to do so. This is more of a VPN inside of a private Wi-Fi network. Once connected to the VPN I want to be able to access my other containers running on the same server as well as use the server as an Internet gateway. My containers are all running on a bridge network.

My Wi-Fi network uses 192.168.0.0/16, the L2TP connection uses 192.168.42.0/24 (might this be the culprit?)

To achieve the above I have tried two different options so far:

  1. Run the VPN container in the same bridge network. In this case Internet works and I can access other containers. However, I have to use the server's Wi-Fi IP address 192.168.3.130 instead of the VPN-specific 192.168.42.1 to connect to any of the Docker containers. E.g. my web page will only come up when using http://192.168.3.130:3000, but not http://192.168.42.1:3000. That's not really what I want as the IP address might change at any point due to DHCP rules. There seems to be no static host name I could use either.
  2. When I run the VPN container in host network mode, I can use 192.168.42.1 to access other containers as expected. This would be perfect but in this case I lose Internet access on the client laptop. I still have Internet access on the server itself; both from the shell directly as well as from within the container. Just the client can't connect - probably because there're some routing or forwarding rules missing.

Both options would be acceptable for me if I can have a) a static IP address of the server within the VPN (such as 192.168.42.1) through which all other containers are accessible, and b) have access to the Internet.

Any suggestions or ideas?

This is the iptables -L output on my host system when running the VPN container in host mode:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       udp  --  anywhere             anywhere             udp dpt:l2f policy match dir in pol none
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             multiport dports isakmp,ipsec-nat-t
ACCEPT     udp  --  anywhere             anywhere             udp dpt:l2f policy match dir in pol ipsec
DROP       udp  --  anywhere             anywhere             udp dpt:l2f
DROP       udp  --  anywhere             anywhere             udp dpt:l2f policy match dir in pol none
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             multiport dports isakmp,ipsec-nat-t
ACCEPT     udp  --  anywhere             anywhere             udp dpt:l2f policy match dir in pol ipsec
DROP       udp  --  anywhere             anywhere             udp dpt:l2f
DROP       udp  --  anywhere             anywhere             udp dpt:l2f policy match dir in pol none
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             multiport dports isakmp,ipsec-nat-t
ACCEPT     udp  --  anywhere             anywhere             udp dpt:l2f policy match dir in pol ipsec
DROP       udp  --  anywhere             anywhere             udp dpt:l2f

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  192.168.42.0/24      192.168.42.0/24     
ACCEPT     all  --  anywhere             192.168.43.0/24      ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.43.0/24      anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  192.168.42.0/24      192.168.42.0/24     
ACCEPT     all  --  anywhere             192.168.43.0/24      ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.43.0/24      anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  192.168.42.0/24      192.168.42.0/24     
ACCEPT     all  --  anywhere             192.168.43.0/24      ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.43.0/24      anywhere            
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.20.0.4           tcp dpt:domain
ACCEPT     udp  --  anywhere             172.20.0.4           udp dpt:domain
ACCEPT     tcp  --  anywhere             172.20.0.6           tcp dpt:5984
ACCEPT     tcp  --  anywhere             172.20.0.7           tcp dpt:4000
ACCEPT     tcp  --  anywhere             172.20.0.10          tcp dpt:8883
ACCEPT     tcp  --  anywhere             172.20.0.10          tcp dpt:amqps
ACCEPT     tcp  --  anywhere             172.20.0.10          tcp dpt:https
ACCEPT     tcp  --  anywhere             172.20.0.14          tcp dpt:3000
ACCEPT     tcp  --  anywhere             172.20.0.16          tcp dpt:11002

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
kerem closed this issue 2026-03-02 07:27:55 +03:00

@hwdsl2 commented on GitHub (Apr 11, 2019):

@arabold Hello! Due to the way Docker networking works and isolation among Docker containers, in the normal "bridge" network mode I think it is not possible to access services on your other Docker containers (such as http://192.168.42.1:3000) using your VPN server's internal IP 192.168.42.1.

For the "host" network mode (which is not recommended because in this mode the Docker image may modify the IPTables on your host), I think your issue might be caused by the Docker image assuming eth+ for your server's default network interface. But you are using Wi-Fi on your Docker host so it's probably wlan0 or wlan+. To fix... Save a copy of your existing IPTables rules: iptables-save -c > iptables-rules.tmp, then edit iptables-rules.tmp and replace all eth+ with wlan+, on the relevant lines (see [1]). Finally, save the file and restore IPTables rules: iptables-restore -c < iptables-rules.tmp.

[1] https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/run.sh#L305-L323
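As an added example (not from this thread and not the project's own run.sh), the rewrite step from the comment above done as a script instead of a hand edit: it reads an `iptables-save -c` dump, swaps `eth+` for the real uplink interface only on the VPN's own rules (those that reference `ppp+` or the 192.168.42.0/24 / 192.168.43.0/24 subnets), and leaves Docker's bridge rules untouched. The dump and the `ip route` line are constructed samples; the VPN rule shapes are an assumption modelled on the eth+ issue being discussed, not copied from run.sh.

```python
import re

# Constructed iptables-save -c sample (NOT copied from the project's run.sh).
# VPN rules assume eth+ as the uplink; the Docker rules are decoys that a
# blanket "replace every eth" edit would wrongly touch.
SAMPLE_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
[12:864] -A POSTROUTING -s 172.20.0.0/16 ! -o br-abc123 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.42.0/24 -o eth+ -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.43.0/24 -o eth+ -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
[0:0] -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i ppp+ -o eth+ -j ACCEPT
[0:0] -A FORWARD -s 192.168.43.0/24 -o eth+ -j ACCEPT
[3:180] -A FORWARD -i eth0 -o docker0 -j ACCEPT
COMMIT
"""

# Constructed output of `ip route show default` on a Wi-Fi host.
SAMPLE_DEFAULT_ROUTE = "default via 192.168.3.1 dev wlan0 proto dhcp metric 600"

VPN_MARKERS = ("ppp+", "192.168.42.0/24", "192.168.43.0/24")
RULE_LINE = re.compile(r"^(\[\d+:\d+\] )?-A ")
ETH_WILDCARD = re.compile(r"(?<=-[io] )eth\+(?=\s|$)")


def default_iface(ip_route_line):
    """Interface name from one 'ip route show default' line, or None."""
    m = re.search(r"\bdev (\S+)", ip_route_line)
    return m.group(1) if m else None


def rewrite_wan_iface(dump, new_iface):
    """Replace 'eth+' with new_iface on VPN rules only.

    Returns (rewritten_dump, [(old_line, new_line), ...]) so the operator can
    review exactly which rules changed before feeding the result to
    iptables-restore -c.
    """
    out, changed = [], []
    for line in dump.splitlines():
        if RULE_LINE.match(line) and any(m in line for m in VPN_MARKERS):
            new_line = ETH_WILDCARD.sub(new_iface, line)
            if new_line != line:
                changed.append((line, new_line))
                line = new_line
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    iface = default_iface(SAMPLE_DEFAULT_ROUTE)
    rewritten, changed = rewrite_wan_iface(SAMPLE_RULES, iface)
    for old, new in changed:
        print(f"- {old}\n+ {new}")
```

On a real host the input would be `iptables-save -c` output and the route line `ip route show default`; the changed list is the review step before `iptables-restore -c`.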
