<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<div style="text-align:left;line-height:1.75;font-size:14px">I use a VPN server with a public IP as a gateway to bridge client communication. I recently found that if I use rightsubnet=0.0.0.0/0 on the Linux client, it also makes the Docker listening TCP port stop working on the interface.</div>
<div style="text-align:left;line-height:1.75;font-size:14px"><br>
</div>
<div style="text-align:left;line-height:1.75;font-size:14px">For example, my client's IP is 10.10.8.229. I have a Docker nginx mapping 0.0.0.0:1080->80/tcp, and this works fine when the VPN tunnel is not up: I can telnet to 10.10.8.229 port 1080. But when the VPN tunnel is set up, I can't access this nginx service anymore; I can't telnet to port 1080 anymore. I can only telnet to 127.0.0.1 1080 to reach this service. Only if I change rightsubnet=0.0.0.0/0 to a narrower one like 192.168.1.0/24 does the TCP listener work again.</div>
<div style="text-align:left;line-height:1.75;font-size:14px"><br>
</div>
<div style="text-align:left;line-height:1.75;font-size:14px">But I need to set rightsubnet=0.0.0.0/0 to make all clients forward traffic to the VPN server so that clients can talk to each other. I just wonder how to keep such a service working.</div>
<div style="text-align:left;line-height:1.75;font-size:14px"><br>
</div>
<div style="text-align:left;line-height:1.75;font-size:14px">VPN server (101.231.59.100):</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> server's ipsec.conf</div>
<div style="text-align:left;line-height:1.75;font-size:14px"><br>
</div>
<div style="text-align:left;line-height:1.75;font-size:14px">config setup</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> # strictcrlpolicy=yes</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> uniqueids=never</div>
<div style="text-align:left;line-height:1.75;font-size:14px">conn %default</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> left=%any</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> leftsubnet=0.0.0.0/0</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> right=%any</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> fragmentation=yes</div>
<div style="text-align:left;line-height:1.75;font-size:14px">conn ikev2_cert</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> keyexchange=ikev2</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> rightauth=pubkey</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> rightid=@client</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> rightcert=clientcert.pem</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> rightsourceip=10.100.100.0/24</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> rightdns=192.168.1.172</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> auto=add</div>
<div style="text-align:left;line-height:1.75;font-size:14px"><br>
</div>
<div style="text-align:left;line-height:1.75;font-size:14px"><br>
</div>
<div style="text-align:left;line-height:1.75;font-size:14px"><br>
</div>
<div style="text-align:left;line-height:1.75;font-size:14px">VPN client: ipsec.conf</div>
<div style="text-align:left;line-height:1.75;font-size:14px"><br>
</div>
<div style="text-align:left;line-height:1.75;font-size:14px">conn pvpn</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> keyexchange=ikev2</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> left=%any</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> leftid=@client</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> leftcert=client.pem</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> leftsourceip=%config</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> leftfirewall=yes</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> right=101.231.59.100</div>
<div style="text-align:left;line-height:1.75;font-size:14px"># rightsubnet=192.168.1.0/24,10.100.100.0/24</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> rightsubnet=0.0.0.0/0</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> auto=add</div>
<div style="text-align:left;line-height:1.75;font-size:14px">conn local-net</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> leftsubnet=10.10.8.0/24</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> rightsubnet=10.10.8.0/24</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> authby=never</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> type=pass</div>
<div style="text-align:left;line-height:1.75;font-size:14px"> auto=route</div>
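<div style="text-align:left;line-height:1.75;font-size:14px">The following is an added example, not code from the post or from strongSwan: it models the IPsec policies the client ipsec.conf above would install (the local-net pass-through and conn pvpn with either rightsubnet variant) and reports, for a few constructed flows, whether each is passed through, tunneled or left in the clear. The virtual IP 10.100.100.10 and the sample peer addresses are assumptions, and the policy-precedence rule is a simplified model of strongSwan's kernel policy priorities.</div>

```python
"""Policy-coverage check for the client ipsec.conf quoted above (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Policy:
    conn: str
    action: str      # "pass" (bypass IPsec) or "tunnel"
    local_ts: str    # local traffic selector, CIDR
    remote_ts: str   # remote traffic selector, CIDR

# Assumption: 10.100.100.10 is the virtual IP assigned from the server's
# rightsourceip pool; with leftsourceip=%config it is pvpn's local selector.
VIP = "10.100.100.10/32"
PASS_LAN = Policy("local-net", "pass", "10.10.8.0/24", "10.10.8.0/24")
# Variant 1: rightsubnet=0.0.0.0/0 (the setting that breaks the Docker port).
CATCH_ALL = [PASS_LAN, Policy("pvpn", "tunnel", VIP, "0.0.0.0/0")]
# Variant 2: the commented-out rightsubnet=192.168.1.0/24,10.100.100.0/24.
NARROWED = [PASS_LAN, Policy("pvpn", "tunnel", VIP, "192.168.1.0/24"),
            Policy("pvpn", "tunnel", VIP, "10.100.100.0/24")]

# Simplified model of the kernel policy order strongSwan installs: pass
# policies take precedence over tunnel policies, and among policies of one
# kind the more specific selector pair (longer prefixes) wins.
RANK = {"pass": 0, "tunnel": 1}

def _matches(p, src, dst, direction):
    local, remote = ip_network(p.local_ts), ip_network(p.remote_ts)
    a, b = (local, remote) if direction == "out" else (remote, local)
    return ip_address(src) in a and ip_address(dst) in b

def _specificity(p):
    return ip_network(p.local_ts).prefixlen + ip_network(p.remote_ts).prefixlen

def lookup(policies, src, dst, direction="out"):
    """Return the policy governing the flow, or None if it stays cleartext."""
    hits = [p for p in policies if _matches(p, src, dst, direction)]
    return min(hits, key=lambda p: (RANK[p.action], -_specificity(p))) if hits else None

def coverage(policies, flows):
    """Map each (src, dst, direction) flow to 'pass', 'tunnel' or 'clear'."""
    return {f: (lookup(policies, *f).action if lookup(policies, *f) else "clear")
            for f in flows}

# Constructed sample flows: a LAN peer reaching the client's Docker port, the
# client reaching rightdns, and the client reaching a documentation address.
SAMPLE_FLOWS = [("10.10.8.50", "10.10.8.229", "in"),
                ("10.100.100.10", "192.168.1.172", "out"),
                ("10.100.100.10", "203.0.113.9", "out")]
```

Run `coverage(CATCH_ALL, SAMPLE_FLOWS)` and `coverage(NARROWED, SAMPLE_FLOWS)` side by side to see which flows the catch-all selector pulls into the tunnel that the narrowed one leaves alone.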
<br>
</div>
</body>
</html>