
Docs: Why privileged

Open iBobik opened this issue 9 years ago • 4 comments

Just a question (maybe to be answered by the README): Why does it need the --privileged option? Is there any way to give the necessary permissions but not everything?

iBobik avatar Apr 15 '17 09:04 iBobik

Probably due to the need to use port 500 for IKEv2

Nebukad93 avatar Apr 18 '17 14:04 Nebukad93

And it is not enough to use port mapping?

Honza Pobořil https://honza.poboril.cz


iBobik avatar Apr 18 '17 14:04 iBobik

The commands below (in bin/start-vpn) need privileged, but you can run them on the host.

sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1
sysctl net.ipv6.conf.eth0.proxy_ndp=1

The commands below (also in bin/start-vpn) need NET_ADMIN; --cap-add=NET_ADMIN should be enough.

iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s fd6a:6ce3:c8d8:7caa::/64 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
ip6tables -t nat -A POSTROUTING -s fd6a:6ce3:c8d8:7caa::/64 -o eth0 -j MASQUERADE

techotaku avatar Aug 20 '17 18:08 techotaku
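To put the split described above into practice, here is an added helper script (not part of the docker-ikev2-vpn-server project): it verifies that the three sysctls from bin/start-vpn are already set on the host, and builds a `docker run` line that grants only NET_ADMIN (for the iptables/ip6tables NAT rules) instead of `--privileged`. The image name `gaomd/ikev2-vpn-server`, the container name, and the UDP 4500 mapping (IKEv2 NAT traversal, not mentioned in the thread) are assumptions.

```shell
#!/bin/sh
# Added example; assumes image gaomd/ikev2-vpn-server and host interface eth0.

# The kernel knobs bin/start-vpn sets, which a non-privileged container cannot write.
required_sysctls() {
    printf '%s\n' net.ipv4.ip_forward net.ipv6.conf.all.forwarding net.ipv6.conf.eth0.proxy_ndp
}

# Return 0 if every required sysctl reads 1 under $1 (default /proc/sys);
# otherwise print the sysctl -w command the host still needs and return 1.
check_host_sysctls() {
    root="${1:-/proc/sys}"
    missing=0
    for key in $(required_sysctls); do
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ] || [ "$(cat "$path")" != "1" ]; then
            echo "missing on host: sysctl -w $key=1" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Least-privilege run line: port mapping covers IKE (UDP 500) and NAT-T (UDP 4500),
# NET_ADMIN covers the NAT rules; no --privileged and no --net=host.
docker_run_cmd() {
    image="${1:-gaomd/ikev2-vpn-server}"
    printf 'docker run -d --name ikev2-vpn --restart=always --cap-add=NET_ADMIN -p 500:500/udp -p 4500:4500/udp %s' "$image"
}

# Usage: check the host first, then print the command to run.
check_host_sysctls && docker_run_cmd && echo
```

Run the sysctl check as root on the Docker host; the printed `sysctl -w` lines are exactly what must move out of the container.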

Yes, the --cap-add=NET_ADMIN is enough

Nebukad93 avatar Aug 20 '17 22:08 Nebukad93