starred/docker-ipsec-vpn-server
1
0
Fork 0
mirror of https://github.com/hwdsl2/docker-ipsec-vpn-server.git synced 2026-04-26 10:05:48 +03:00
Code Issues Projects Releases Packages Wiki Activity

[GH-ISSUE #408] [Support] Accessing the host network and public internet via the IKEv2 VPN #383

New issue
Closed
opened 2026-03-02 08:01:46 +03:00 by kerem · 3 comments
kerem commented 2026-03-02 08:01:46 +03:00
Owner
Copy link

Originally created by @KyleKotowick on GitHub (Nov 27, 2023).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/408

I have a Docker host sitting behind a NAT (UDP 500 and 4500 forwarded to the host). I've set up an IKEv2 VPN like so:

compose.yml

services:
  vpn:
    container_name: ipsec-vpn-server
    image: "hwdsl2/ipsec-vpn-server"
    restart: always
    ports:
      - "500:500/udp"
      - "4500:4500/udp"
    volumes:
      - /lib/modules:/lib/modules:ro
      - ikev2-vpn-data:/etc/ipsec.d
    privileged: true
    environment:
      - VPN_IKEV2_ONLY=yes
      - VPN_CLIENT_NAME=myname
      - VPN_DNS_NAME=vpn.myname.net

volumes:
  ikev2-vpn-data:

I run this on a Windows 11 Professional machine using Docker for WSL2 (docker compose up). The container starts and outputs the following:

PS C:\Users\MyName\Desktop\VPNTest> docker compose up
[+] Building 0.0s (0/0)                                                          docker:default
[+] Running 3/0
 ✔ Network desktop_default          Created                                                0.0s
 ✔ Volume "desktop_ikev2-vpn-data"  Created                                                0.0s
 ✔ Container ipsec-vpn-server       Created                                                0.0s
Attaching to ipsec-vpn-server
ipsec-vpn-server  |
ipsec-vpn-server  | VPN credentials not set by user. Generating random PSK and password...
ipsec-vpn-server  |
ipsec-vpn-server  | Note: Running in IKEv2-only mode via env file option.
ipsec-vpn-server  |       IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes are disabled.
ipsec-vpn-server  | Warning: Extension policy revision 0 not supported, missing kernel module?
ipsec-vpn-server  | iptables: No chain/target/match by that name.
ipsec-vpn-server  | iptables: Index of insertion too big.
ipsec-vpn-server  | iptables: Index of insertion too big.
ipsec-vpn-server  | iptables: Index of insertion too big.
ipsec-vpn-server  | Warning: Extension policy revision 0 not supported, missing kernel module?
ipsec-vpn-server  | iptables: Index of insertion too big.
ipsec-vpn-server  | iptables: Index of insertion too big.
ipsec-vpn-server  | Warning: Extension policy revision 0 not supported, missing kernel module?
ipsec-vpn-server  | iptables: No chain/target/match by that name.
ipsec-vpn-server  |
ipsec-vpn-server  | Starting IPsec service...
ipsec-vpn-server  |
ipsec-vpn-server  | Setting up IKEv2. This may take a few moments...
ipsec-vpn-server  |
ipsec-vpn-server  | ================================================
ipsec-vpn-server  |
ipsec-vpn-server  | IKEv2 setup successful. Details for IKEv2 mode:
ipsec-vpn-server  |
ipsec-vpn-server  | VPN server address: vpn.myname.net
ipsec-vpn-server  | VPN client name: myname
ipsec-vpn-server  |
ipsec-vpn-server  | Client configuration is available inside the
ipsec-vpn-server  | Docker container at:
ipsec-vpn-server  | /etc/ipsec.d/myname.p12 (for Windows & Linux)
ipsec-vpn-server  | /etc/ipsec.d/myname.sswan (for Android)
ipsec-vpn-server  | /etc/ipsec.d/my name.mobileconfig (for iOS & macOS)
ipsec-vpn-server  |
ipsec-vpn-server  | Next steps: Configure IKEv2 clients. See:
ipsec-vpn-server  | https://vpnsetup.net/clients2
ipsec-vpn-server  |
ipsec-vpn-server  | ================================================
ipsec-vpn-server  |
ipsec-vpn-server  | xl2tpd[1]: Not looking for kernel SAref support.
ipsec-vpn-server  | xl2tpd[1]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
ipsec-vpn-server  | xl2tpd[1]: xl2tpd version xl2tpd-1.3.18 started on 5d30aeb368e6 PID:1
ipsec-vpn-server  | xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
ipsec-vpn-server  | xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
ipsec-vpn-server  | xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
ipsec-vpn-server  | xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
ipsec-vpn-server  | xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701

I'm not sure if the iptables complaints or the other Extension policy warnings are expected or a problem. In any case, I copy the myname.p12 file to the client machine (also Windows 11 Pro), run the automated setup script, and it creates the VPN connection. I am then able to connect to the VPN without issue.

However, after connecting to the VPN, the client machine now has no network access. I cannot ping the Docker container (using its assigned IP), I cannot ping the host machine (it responds to pings from other hosts on the local network), and I cannot access/ping anything on the public internet (the Docker host has full public internet access). Is this expected? If so, what would be the appropriate configuration changes to make it so my VPN client can access the Docker host, other machines on the Docker host's local network, and public internet?

Originally created by @KyleKotowick on GitHub (Nov 27, 2023). Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/408 I have a Docker host sitting behind a NAT (UDP 500 and 4500 forwarded to the host). I've set up an IKEv2 VPN like so: `compose.yml` ``` services: vpn: container_name: ipsec-vpn-server image: "hwdsl2/ipsec-vpn-server" restart: always ports: - "500:500/udp" - "4500:4500/udp" volumes: - /lib/modules:/lib/modules:ro - ikev2-vpn-data:/etc/ipsec.d privileged: true environment: - VPN_IKEV2_ONLY=yes - VPN_CLIENT_NAME=myname - VPN_DNS_NAME=vpn.myname.net volumes: ikev2-vpn-data: ``` I run this on a Windows 11 Professional machine using Docker for WSL2 (`docker compose up`). The container starts and outputs the following: ``` PS C:\Users\MyName\Desktop\VPNTest> docker compose up [+] Building 0.0s (0/0) docker:default [+] Running 3/0 ✔ Network desktop_default Created 0.0s ✔ Volume "desktop_ikev2-vpn-data" Created 0.0s ✔ Container ipsec-vpn-server Created 0.0s Attaching to ipsec-vpn-server ipsec-vpn-server | ipsec-vpn-server | VPN credentials not set by user. Generating random PSK and password... ipsec-vpn-server | ipsec-vpn-server | Note: Running in IKEv2-only mode via env file option. ipsec-vpn-server | IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes are disabled. ipsec-vpn-server | Warning: Extension policy revision 0 not supported, missing kernel module? ipsec-vpn-server | iptables: No chain/target/match by that name. ipsec-vpn-server | iptables: Index of insertion too big. ipsec-vpn-server | iptables: Index of insertion too big. ipsec-vpn-server | iptables: Index of insertion too big. ipsec-vpn-server | Warning: Extension policy revision 0 not supported, missing kernel module? ipsec-vpn-server | iptables: Index of insertion too big. ipsec-vpn-server | iptables: Index of insertion too big. ipsec-vpn-server | Warning: Extension policy revision 0 not supported, missing kernel module? ipsec-vpn-server | iptables: No chain/target/match by that name. ipsec-vpn-server | ipsec-vpn-server | Starting IPsec service... ipsec-vpn-server | ipsec-vpn-server | Setting up IKEv2. This may take a few moments... ipsec-vpn-server | ipsec-vpn-server | ================================================ ipsec-vpn-server | ipsec-vpn-server | IKEv2 setup successful. Details for IKEv2 mode: ipsec-vpn-server | ipsec-vpn-server | VPN server address: vpn.myname.net ipsec-vpn-server | VPN client name: myname ipsec-vpn-server | ipsec-vpn-server | Client configuration is available inside the ipsec-vpn-server | Docker container at: ipsec-vpn-server | /etc/ipsec.d/myname.p12 (for Windows & Linux) ipsec-vpn-server | /etc/ipsec.d/myname.sswan (for Android) ipsec-vpn-server | /etc/ipsec.d/my name.mobileconfig (for iOS & macOS) ipsec-vpn-server | ipsec-vpn-server | Next steps: Configure IKEv2 clients. See: ipsec-vpn-server | https://vpnsetup.net/clients2 ipsec-vpn-server | ipsec-vpn-server | ================================================ ipsec-vpn-server | ipsec-vpn-server | xl2tpd[1]: Not looking for kernel SAref support. ipsec-vpn-server | xl2tpd[1]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp) ipsec-vpn-server | xl2tpd[1]: xl2tpd version xl2tpd-1.3.18 started on 5d30aeb368e6 PID:1 ipsec-vpn-server | xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc. ipsec-vpn-server | xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001 ipsec-vpn-server | xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002 ipsec-vpn-server | xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016 ipsec-vpn-server | xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701 ``` I'm not sure if the `iptables` complaints or the other `Extension policy` warnings are expected or a problem. In any case, I copy the `myname.p12` file to the client machine (also Windows 11 Pro), run the automated setup script, and it creates the VPN connection. I am then able to connect to the VPN without issue. However, after connecting to the VPN, the client machine now has no network access. I cannot ping the Docker container (using its assigned IP), I cannot ping the host machine (it responds to pings from other hosts on the local network), and I cannot access/ping anything on the public internet (the Docker host has full public internet access). Is this expected? If so, what would be the appropriate configuration changes to make it so my VPN client can access the Docker host, other machines on the Docker host's local network, and public internet?
kerem closed this issue 2026-03-02 08:01:46 +03:00
kerem commented 2026-03-02 08:01:47 +03:00
Author
Owner
Copy link

@hwdsl2 commented on GitHub (Nov 27, 2023):

@KyleKotowick Hello! Docker for Windows is not currently supported in this project. It has not been tested on that platform.

The error messages you encountered, such as:

Warning: Extension policy revision 0 not supported, missing kernel module?

This indicates that your Docker host (Docker for WSL2 on Windows 11 in this case) is missing the IPTables policy extension. A workaround was added earlier to this Docker image for this type of issues, see commit 5e1a69f. For the relevant IPTables rules in the image, refer to:
github.com/hwdsl2/docker-ipsec-vpn-server@b1ee97978f/run.sh (L543-L573)

The issue you described (no internet after connecting to the VPN) is likely caused by IPTables problems in the Docker container. You may check the current IPTables rules using:

docker exec -it ipsec-vpn-server iptables -nvL
docker exec -it ipsec-vpn-server iptables -nvL -t nat

Post the output of these commands here. I can take a look but may not find a solution.

<!-- gh-comment-id:1828465554 --> @hwdsl2 commented on GitHub (Nov 27, 2023): @KyleKotowick Hello! Docker for Windows is not currently supported in this project. It has not been tested on that platform. The error messages you encountered, such as: ``` Warning: Extension policy revision 0 not supported, missing kernel module? ``` This indicates that your Docker host (Docker for WSL2 on Windows 11 in this case) is missing the IPTables `policy` extension. A workaround was added earlier to this Docker image for this type of issues, see commit 5e1a69f. For the relevant IPTables rules in the image, refer to: https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/b1ee97978f61b7552e73039e47ed8e8f5f06d905/run.sh#L543-L573 The issue you described (no internet after connecting to the VPN) is likely caused by IPTables problems in the Docker container. You may check the current IPTables rules using: ``` docker exec -it ipsec-vpn-server iptables -nvL docker exec -it ipsec-vpn-server iptables -nvL -t nat ``` Post the output of these commands here. I can take a look but may not find a solution.
kerem commented 2026-03-02 08:01:47 +03:00
Author
Owner
Copy link

@KyleKotowick commented on GitHub (Nov 27, 2023):

I switched to a Linux host and, as expected, everything works well. I'm able to connect to the VPN with my Windows 11 Pro laptop and access both the local network and public internet via the VPN.

I've followed the instructions for Android 14 though (native IKEv2 VPN client), to set it up on my phone, and am having issues. It is able to connect but cannot access the internet. I'm just getting a "No Internet" error page in Chrome for Android. Note that I created two clients on the VPN server (one for laptop, one for phone). Any thoughts as to why this works on the laptop but not the Android phone?

<!-- gh-comment-id:1828799084 --> @KyleKotowick commented on GitHub (Nov 27, 2023): I switched to a Linux host and, as expected, everything works well. I'm able to connect to the VPN with my Windows 11 Pro laptop and access both the local network and public internet via the VPN. I've followed the instructions for Android 14 though (native IKEv2 VPN client), to set it up on my phone, and am having issues. It is able to connect but cannot access the internet. I'm just getting a "No Internet" error page in Chrome for Android. Note that I created two clients on the VPN server (one for laptop, one for phone). Any thoughts as to why this works on the laptop but not the Android phone?
kerem commented 2026-03-02 08:01:47 +03:00
Author
Owner
Copy link

@hwdsl2 commented on GitHub (Nov 28, 2023):

@KyleKotowick Try the strongSwan Android VPN client (instructions). Some customized Android versions have a broken VPN implementation, resulting in no Internet while connected to the VPN. For more details, refer to this recent issue https://github.com/hwdsl2/setup-ipsec-vpn/issues/1495#issuecomment-1825989402.

I'm closing this issue as you are now using a Linux host which no longer has the original issue. If you have additional information or findings feel free to continue to reply here.

<!-- gh-comment-id:1828849878 --> @hwdsl2 commented on GitHub (Nov 28, 2023): @KyleKotowick Try the strongSwan Android VPN client ([instructions](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#android)). Some customized Android versions have a broken VPN implementation, resulting in no Internet while connected to the VPN. For more details, refer to this recent issue https://github.com/hwdsl2/setup-ipsec-vpn/issues/1495#issuecomment-1825989402. I'm closing this issue as you are now using a Linux host which no longer has the original issue. If you have additional information or findings feel free to continue to reply here.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
No results found.
Labels
Clear labels   
bug

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question
No labels
bug
pull-request
question
question
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/docker-ipsec-vpn-server#383
No description provided.