[GH-ISSUE #382] Service in the same machine as the VPN can't tell from src IP when the user sending packets is connected to the VPN #354

Closed
opened 2026-03-02 08:01:36 +03:00 by kerem · 2 comments

Originally created by @gugajazz on GitHub (May 22, 2023).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/382

The issue
I have this VPN running in a Docker container. When I connect to it using IKEv2 everything works well, and going to "What is my IP" shows me the VPN's IP as expected.
I also have a service on a different port on that same computer. When I am connected to the VPN and access that service, the packets the service receives are from my original IP and not from the VPN's IP or even from an internal IP.
It is crucial for me to be able to distinguish whether someone is accessing my service after authenticating with the VPN or before, and because of this behaviour I am unable to.

I have confirmed that all the packets from the connected client show the VPN's IP when going to external IPs, but when going to the same IP as the VPN they show the source IP as the actual client's IP.

I am analyzing the packets with sudo tcpdump -i enp5s0 -n dst port 52443, so the UFW rules shouldn't affect what I'm seeing.
This is an example:
20:28:42.043831 IP {theClient'sIP}.7928 > 192.168.1.200.52443: Flags [S], seq 1645898948, win 64240, options [mss 1420,nop,wscale 8,nop,nop,sackOK], length 0
Here I would like to see either a local IP or the VPN's IP instead of {theClient'sIP}.

Expected behavior
I expected that the service on port 52443 would be able to tell from the source address whether the user was connected to the VPN or not, either because the IP was the same as the VPN's or because it was an internal IP.

Logs
These are the contents of my ikev2.conf. Maybe the solution is in one of these settings, but I have read everything in this document (https://libreswan.org/man/ipsec.conf.5.html) about five times and nothing got it to work.

conn ikev2-cp
  left=%defaultroute
  leftcert=myhostnameexample.com
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  rightsourceip=myvpnip # Replaced my actual IP with "myvpnip". Also I don't know if this does anything, but I tried it.
  leftrsasigkey=%cert
  right=%any
  rightid=%fromcert
  rightaddresspool=192.168.43.10-192.168.43.250
  rightca=%same
  rightrsasigkey=%cert
  narrowing=yes
  dpddelay=30
  retransmit-timeout=300s
  dpdaction=clear
  auto=add
  ikev2=insist
  rekey=no
  pfs=yes
  ikelifetime=24h
  salifetime=24h
  encapsulation=yes
  leftid=@myhostnameexample.com
  modecfgdns="8.8.8.8 8.8.4.4"
  mobike=no

These are my IPTables rules

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere            !localhost/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.22.0.0/16        anywhere            
MASQUERADE  all  --  172.17.0.0/16        anywhere            
MASQUERADE  tcp  --  172.22.0.2           172.22.0.2           tcp dpt:https
MASQUERADE  udp  --  172.22.0.4           172.22.0.4           udp dpt:ipsec-nat-t
MASQUERADE  udp  --  172.22.0.4           172.22.0.4           udp dpt:isakmp
MASQUERADE  tcp  --  172.22.0.3           172.22.0.3           tcp dpt:ms-sql-s

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
DNAT       tcp  --  anywhere             anywhere             tcp dpt:51443 to:172.22.0.2:443
DNAT       udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t to:172.22.0.4:4500
DNAT       udp  --  anywhere             anywhere             udp dpt:isakmp to:172.22.0.4:500

Server

  • OS: Ubuntu

Client

  • OS: Windows 10
  • VPN mode: IKEv2

Additional context
I have read and tried almost everything for countless hours; any help is seriously appreciated, and sorry if this is more appropriate for the Libreswan or the Docker IPsec repo.
Thanks in advance and thanks for the amazing solution that is this repo.

kerem closed this issue 2026-03-02 08:01:36 +03:00
@NetJagaimo commented on GitHub (May 25, 2023):

@gugajazz
Why did you close this issue?
I have encountered the same problem. Do you have a solution for it?

@gugajazz commented on GitHub (May 25, 2023):

Sorry, I didn't think anyone else was facing the same issue.
Yes, I have figured out a solution; I will write here what I did as soon as I have time today :)
A quick explanation is that, essentially, instead of trying to reach the service through the external IP and an open port on the router, it works well if we try to reach it using the internal IP of the machine running it (no need for open ports).
I will explain better soon though, I hope I can help.

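Why the two paths look different: a VPN client has to send packets addressed to the VPN server's own public address outside the tunnel (that is the path the encapsulated packets themselves take), so a connection to the public IP and the router's forwarded port arrives from the client's real address, exactly as in the tcpdump line in the issue. A connection to the host's internal address is covered by leftsubnet=0.0.0.0/0 and goes through the tunnel instead, so the service sees a source from the rightaddresspool range (or a Docker bridge address if the VPN container masquerades the decrypted traffic), which is the behaviour the last comment relies on. The following script is an added example, not code from the issue or from hwdsl2/docker-ipsec-vpn-server: it parses tcpdump lines of the shape posted above and classifies each source address so a service (or a log check) can tell tunnel traffic from clear-text traffic. It takes the pool from the posted ikev2.conf and the Docker subnets from the posted POSTROUTING rules; the LAN prefix 192.168.1.0/24, the stand-in client address 203.0.113.7, the sample lines and all function names are assumptions for the example.

```python
"""Classify who is talking to a service that shares a host with the VPN.

Added example (not from the issue or the hwdsl2 project). Pool and Docker
subnets come from the configuration posted in the issue; the LAN prefix,
the 203.0.113.7 client address and the tcpdump lines are constructed.
"""
import ipaddress
import re
from typing import Optional

# From the posted ikev2.conf: rightaddresspool=192.168.43.10-192.168.43.250
POOL_FIRST = ipaddress.ip_address("192.168.43.10")
POOL_LAST = ipaddress.ip_address("192.168.43.250")
# From the posted POSTROUTING rules: MASQUERADE 172.22.0.0/16 and 172.17.0.0/16
DOCKER_NETS = [ipaddress.ip_network("172.22.0.0/16"),
               ipaddress.ip_network("172.17.0.0/16")]
# Assumption: the host sits on 192.168.1.0/24 (it is 192.168.1.200 in the capture)
LAN = ipaddress.ip_network("192.168.1.0/24")
# RFC 1918 space, checked explicitly rather than via is_private (which in Python
# also covers documentation ranges such as 203.0.113.0/24)
RFC1918 = [ipaddress.ip_network("10.0.0.0/8"),
           ipaddress.ip_network("172.16.0.0/12"),
           ipaddress.ip_network("192.168.0.0/16")]

# Matches the `tcpdump -n` IPv4 flow format used in the issue: "IP a.b.c.d.PORT > e.f.g.h.PORT:"
TCPDUMP_RE = re.compile(
    r"IP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):"
)


def classify(src: str) -> str:
    """Map a source address to the only path it can have arrived on."""
    ip = ipaddress.ip_address(src)
    if POOL_FIRST <= ip <= POOL_LAST:
        return "vpn-pool"       # decrypted packet that came through the tunnel
    if any(ip in net for net in DOCKER_NETS):
        return "docker"         # masqueraded by a container, e.g. the VPN container
    if ip in LAN:
        return "lan"            # LAN neighbour, no tunnel involved
    if any(ip in net for net in RFC1918):
        return "other-private"  # private but not one of the known local ranges
    return "external"           # arrived in the clear from the public side


def parse_tcpdump_line(line: str) -> Optional[dict]:
    """Extract src/dst and ports from one tcpdump line; None if it is not an IPv4 flow line."""
    m = TCPDUMP_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "origin": classify(src)}


def came_through_vpn(line: str) -> bool:
    """True only when the source address shows the packet was decrypted by the VPN.

    Assumption about the deployment: this is only trustworthy if nothing outside
    the tunnel can deliver packets with a pool or Docker source address, i.e. the
    host's reverse-path filtering or firewall drops such spoofed packets on the
    Internet-facing interface.
    """
    parsed = parse_tcpdump_line(line)
    return parsed is not None and parsed["origin"] in ("vpn-pool", "docker")


# Constructed sample lines in the same shape as the one posted in the issue.
# 203.0.113.7 is a documentation address standing in for {theClient'sIP}.
SAMPLE_LINES = [
    "20:28:42.043831 IP 203.0.113.7.7928 > 192.168.1.200.52443: Flags [S], seq 1645898948, win 64240, length 0",
    "20:29:01.100000 IP 192.168.43.10.50112 > 192.168.1.200.52443: Flags [S], seq 1, win 64240, length 0",
    "20:29:05.200000 IP 172.22.0.4.41000 > 192.168.1.200.52443: Flags [S], seq 2, win 64240, length 0",
    "20:29:09.300000 IP 192.168.1.50.43210 > 192.168.1.200.52443: Flags [S], seq 3, win 64240, length 0",
    "20:29:10.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.200, length 28",
]


def report(lines):
    """Return (src, origin, through_vpn) for every line that parses as an IPv4 flow."""
    out = []
    for line in lines:
        p = parse_tcpdump_line(line)
        if p is not None:
            out.append((p["src"], p["origin"], came_through_vpn(line)))
    return out


if __name__ == "__main__":
    for src, origin, ok in report(SAMPLE_LINES):
        print(f"{src:<16} {origin:<14} {'VPN' if ok else 'not VPN'}")
```

Run it against a saved capture (for example the output of the tcpdump command from the issue redirected to a file) and only the lines with a pool or Docker source are reported as VPN traffic; the posted line with the client's real address is classified as external, which is the observation the issue is about. The same split is what a firewall rule on port 52443 would enforce: accept from the pool and Docker ranges, drop from everything else, with anti-spoofing on the external interface so those ranges cannot be forged from outside.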