
I'm using SoftEther VPN on Docker, on a Google Cloud Ubuntu machine. When I connect from my computer with its client and check my external IP, I get the VPN's IP, that is, the Google Cloud machine's IP.

When I try to connect to other machines that are blocked by the Google Cloud firewall, I can access them. Also, when I try to reach a service on the Google Cloud machine internally it works, but when I try to access the Google Cloud machine externally through the VPN (which is in the FW whitelist) I cannot access it.

The same phenomenon happens on AWS too. I also tried OpenVPN and it didn't work either.

This is my docker compose file for the softether VPN:

    version: '3'

    services:
      softether:
        image: siomiz/softethervpn
        # with host mode - maybe the services on the VPN host are not accessible, like http, etc.
        privileged: true
        cap_add:
          - NET_ADMIN
    #    network_mode: host
        # with normal mode - you can't add any local bridge, but every service on the VPN host is accessible
        ports:
          - '500:500/udp'
          - '4500:4500/udp'
          - '1701:1701/tcp'
          - '5555:5555/tcp'
        environment:
          - PSK=${PSK}
          - USERS=${USERS}
        restart: unless-stopped

Google firewall rule:


Again, I can access the machine's service via the browser using the internal IP, but not the external one. I made sure that:

  1. the FW rule is in the same network
  2. it's an ingress rule
  3. the external IP is correct
  4. I can reach other services on other machines (via different rules)
  5. my external IP address changes while using the VPN from my computer

Any ideas?

1 Answer

After some thought (and discussion with others) I now believe that this is entirely something else.

What you're trying is, to my knowledge, technically impossible, so I'm changing this answer completely, leaving the old one at the bottom.

You have a host VM (in Compute Engine) running your container that acts as a VPN, but it's behind NAT. You can make machines from the Internet (outside your VPC at least) connect successfully to your VPN. It's NAT'ed by design:

If the network interface has an external IP address assigned to it, Google Cloud automatically performs one-to-one NAT for packets whose sources match the interface's primary internal IP address because the network interface meets the Google Cloud internet access requirements. The existence of an external IP address on an interface always takes precedence and always performs one-to-one NAT, without using Cloud NAT.

What that means is that there's no actual external IP attached to your VM's ethernet interface (you can check it with the ifconfig or ip address commands).

So, when you try to connect (from inside the VPC that your VPN server is in) to itself (but using its external NAT'ed address) you won't be able to, due to routing issues.

GCP's NAT that all connections from outside go through won't "know" where to send packets that come from inside your VPC. I talked with someone who was experimenting with this on a few routers and the result was the same: no connection (in simple words).

If you want to connect to your VPN container from inside the VPC, use its internal address. I don't know any way around it.

If you want to secure your VPN server in GCP, consider using IAP for this.

-.-.-.-.-.-.-.- __ O L D ______ A N S W E R __ -.-.-.-.-.-.-.-

Your compose file looks OK; I'd only suggest you try changing the apostrophe character for a double quote:

    ports:
      - "500:500/udp"
      - "4500:4500/udp"
      - "1701:1701/tcp"
      - "5555:5555/tcp"

If that doesn't work, check the connectivity to your Jenkins VM:

  • can you SSH into it via the public IP from other machines?
  • check the VM's internal firewall settings;
  • does your container run? (sudo docker ps)
  • check if the internal OS firewall ports are open;

You can also check open ports with the nmap utility; see my other answer on how to use nmap.

And if that doesn't help, go through this to see how to run SoftEther VPN in a container.
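The hairpin-NAT explanation in the answer can be checked directly on the VM. The following diagnostic script is an added example, not code from the question or the answer: it reads the VM's internal and external addresses from the GCE metadata server, shows that the external address is not bound to any local interface, and probes a port (SoftEther's TCP 5555 by default) via both addresses. It assumes `curl`, `ip` and a `nc` that supports `-z -w` are installed on the VM; the interface listing embedded for the self-check is constructed.

```shell
#!/bin/sh
# Added example: hairpin-NAT diagnostic for a GCE VM hosting a VPN container.
# Assumptions: curl, ip and nc (with -z/-w) are available on the VM.
MD='http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0'

# addr_is_local ADDR LISTING: succeed (0) if ADDR is configured on a local interface.
# LISTING is the text of `ip -4 -o addr`, one interface per line.
addr_is_local() {
  printf '%s\n' "$2" | grep -qF "inet $1/"
}

# probe_port HOST PORT: print "open" or "closed" after a 3 second TCP connect attempt.
probe_port() {
  if nc -z -w 3 "$1" "$2" 2>/dev/null; then echo open; else echo closed; fi
}

# explain INTERNAL_RESULT EXTERNAL_RESULT: turn the two probe results into a diagnosis.
explain() {
  case "$1:$2" in
    open:open)   echo "reachable both ways" ;;
    open:closed) echo "hairpin NAT: reachable only via the internal address from inside the VPC" ;;
    *)           echo "service not listening or blocked by the OS firewall (check docker ps, iptables)" ;;
  esac
}

# Constructed sample of `ip -4 -o addr` on a GCE VM: only the RFC 1918 address is bound,
# the external address never appears here because GCE does one-to-one NAT in front of the VM.
SAMPLE_LISTING='1: lo    inet 127.0.0.1/8 scope host lo
2: ens4    inet 10.128.0.2/32 scope global dynamic ens4'

main() {
  port="${1:-5555}"   # SoftEther's TCP listener from the compose file
  int_ip=$(curl -sf -H 'Metadata-Flavor: Google' "$MD/ip")
  ext_ip=$(curl -sf -H 'Metadata-Flavor: Google' "$MD/access-configs/0/external-ip")
  listing=$(ip -4 -o addr)
  if addr_is_local "$ext_ip" "$listing"; then
    echo "external IP $ext_ip is bound locally (unexpected on GCE)"
  else
    echo "external IP $ext_ip is not on any interface: it is a one-to-one NAT address"
  fi
  via_int=$(probe_port "$int_ip" "$port")
  via_ext=$(probe_port "$ext_ip" "$port")
  echo "port $port via $int_ip: $via_int, via $ext_ip: $via_ext"
  explain "$via_int" "$via_ext"
}

# Run the probe only when invoked with --run, e.g. `sh gce-hairpin-check.sh --run 5555`.
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Run it on the VM itself; the expected outcome for the situation in the question is "hairpin NAT: reachable only via the internal address from inside the VPC".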