[strongSwan] rightsubnet=0.0.0.0/0 causes interface-listening TCP port to fail to work

Tu Robin peyoot at hotmail.com
Mon Dec 28 07:56:57 CET 2020


I use a VPN server with a public IP as a gateway to bridge client communication. I recently found that if I use rightsubnet=0.0.0.0/0 on the Linux client, it also makes the Docker TCP port listening on the interface fail to work.

For example, my client's IP is 10.10.8.229, and I have a Docker nginx mapping 0.0.0.0:1080->80/tcp. This works fine when the VPN tunnel isn't up, and I can telnet to 10.10.8.229 port 1080. But when the VPN tunnel is set up, I can't access this nginx service anymore; I can't telnet to port 1080 anymore. I can only reach the service by telnetting to 127.0.0.1 1080. Only if I change rightsubnet=0.0.0.0/0 to a narrowed-down one like 192.168.1.0/24 does the TCP listener start working again.

But I need to set rightsubnet=0.0.0.0/0 to make all clients forward traffic to the VPN server so that clients can talk to each other. I just wonder how to keep such a service working.

VPN server (101.231.59.100): server's ipsec.conf

config setup
  # strictcrlpolicy=yes
  uniqueids=never
conn %default
  left=%any
  leftsubnet=0.0.0.0/0
  right=%any
  fragmentation=yes
conn ikev2_cert
  keyexchange=ikev2
  ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024
  rightauth=pubkey
  rightid=@client
  rightcert=clientcert.pem
  rightsourceip=10.100.100.0/24
  rightdns=192.168.1.172
  auto=add
VPN client: ipsec.conf

conn pvpn
  keyexchange=ikev2
  left=%any
  leftid=@client
  leftcert=client.pem
  leftsourceip=%config
  leftfirewall=yes
  right=101.231.59.100
#  rightsubnet=192.168.1.0/24,10.100.100.0/24
  rightsubnet=0.0.0.0/0
  auto=add
conn local-net
  leftsubnet=10.10.8.0/24
  rightsubnet=10.10.8.0/24
  authby=never
  type=pass
  auto=route

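A scripted version of the telnet test described above, added here as an example and not part of the original post: it probes the published port via 127.0.0.1 and via the interface address, and captures the XFRM policies, routing rules and routing table 220 (where strongSwan installs its tunnel routes by default) so the state with the tunnel down and up can be compared side by side. The 10.10.8.229 and 1080 values come from the post; everything else is an assumption.

```python
"""Added diagnostic (not from the original post): compare reachability of a
Docker-published port via loopback and via the interface address, and capture
the strongSwan kernel state that changes when the tunnel comes up."""
import socket
import subprocess

IFACE_IP = "10.10.8.229"   # the client's LAN address from the post
SERVICE_PORT = 1080        # Docker-published port from the post


def reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect probe: True if the handshake completes, False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run(cmd: list[str]) -> str:
    """Run an iproute2 command and return its stdout, or a note when the tool is missing."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout.strip()
    except FileNotFoundError:
        return f"({cmd[0]} not available)"


def ipsec_state() -> dict:
    """Snapshot of the policies and routes strongSwan installs (table 220 is charon's default)."""
    return {
        "xfrm_policy": run(["ip", "xfrm", "policy"]),
        "ip_rule": run(["ip", "rule"]),
        "table_220": run(["ip", "route", "show", "table", "220"]),
    }


def compare_paths(port: int = SERVICE_PORT, iface_ip: str = IFACE_IP) -> dict:
    """Probe the service via loopback and via the interface address; flag the asymmetry."""
    results = {"loopback": reachable("127.0.0.1", port), "interface": reachable(iface_ip, port)}
    results["asymmetric"] = results["loopback"] and not results["interface"]
    return results


def self_check() -> dict:
    """Offline sanity check of the probe against a throwaway loopback listener."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        open_result = reachable("127.0.0.1", port)
    # The listener is closed now, so the same port must be refused.
    return {"open": open_result, "closed": reachable("127.0.0.1", port)}


if __name__ == "__main__":
    print(compare_paths())
    for name, out in ipsec_state().items():
        print(f"--- {name}\n{out}")
```

Run it once with the tunnel down and once with it up; a `True`/`False` split between loopback and interface together with the table 220 diff is what the list will ask for.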

