HOWTOs

¤ Enable IPv6 in Docker

Open the Docker daemon configuration file:

```sh
vi /etc/docker/daemon.json
```

Add these parameters:

```json
{
  "experimental": true,
  "ip6tables": true
}
```

To save and close in vi, press these keys in order: "Escape" ":" "w" "q" "Enter". Then restart Docker:

```sh
sudo systemctl restart docker
```

¤ Create a Docker network with IPv4 and IPv6, named mynet46

```sh
docker network create --ipv6 \
  --subnet=10.2.192.0/24 \
  --subnet=fd00::a02:c000/120 \
  mynet46
```

¤ Use mynet46, and customise the network settings to be able to use the VPN from outside

Use these options with docker run:

```sh
--cap-add NET_ADMIN --cap-add SYS_MODULE --cap-add SYS_ADMIN \
  --sysctl net.ipv4.ip_forward=1 --sysctl net.ipv6.conf.all.forwarding=1 --sysctl net.ipv6.conf.eth0.proxy_ndp=1 \
  -v /lib/modules:/lib/modules:ro -e Y_FIREWALL_ENABLE=yes \
  -p 500:500/udp -p 4500:4500/udp \
  --net mynet46 --ip 10.2.192.254 --ip6 fd00::a02:c0fe \
```

¤ Use the host Let's Encrypt certificate to identify the VPN server instead of the certificate generated by the container

Use these options with docker run:

```sh
-e Y_LOCAL_SELFCERT=no -e Y_SERVER_CERT_CN=www.test.lan \
  -v /etc/letsencrypt/live/www.test.lan/chain.pem:/etc/swanctl/x509ca/chain.pem \
  -v /etc/letsencrypt/live/www.test.lan/cert.pem:/etc/swanctl/x509/cert.pem \
  -v /etc/letsencrypt/live/www.test.lan/privkey.pem:/etc/swanctl/private/privkey.pem \
```

If you use Podman (rootless) with the mount options above, the container cannot read the certificate files, and `swanctl --load-all --noprompt` reports: `mapping '/etc/swanctl/private/privkey.pem' failed: Permission denied, skipped.`

One fix is to adjust the permissions on the host files. Alternatively, drop the -v options, copy the certificates into the container's volume and set the permissions there:

```sh
# the first mount of the container is the swanctl volume
myipsec_volume=$(podman inspect myipsec | jq -r '.[].Mounts[0].Source')
letsencrypt_folder=/etc/letsencrypt/live/www.test.lan
sudo cp "$letsencrypt_folder/chain.pem" "$myipsec_volume/x509ca/chain.pem"
sudo cp "$letsencrypt_folder/cert.pem" "$myipsec_volume/x509/cert.pem"
sudo cp "$letsencrypt_folder/privkey.pem" "$myipsec_volume/private/privkey.pem"
sudo chmod 644 "$myipsec_volume/private/privkey.pem"
sudo chown "$USER" "$myipsec_volume/private/privkey.pem"

# now you can restart the container with:
podman restart myipsec

# or, without a restart, point the template at the copied certificate and reload:
sudo sed -i 's/certs = serverCert.pem/certs = cert.pem/' "$myipsec_volume/conf.d/template.conf"
podman exec -it myipsec swanctl --load-all --noprompt
```
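Before copying the files it is worth checking on the host that privkey.pem really belongs to cert.pem and that chain.pem issued it; a renewal that replaced one file but not the others shows up inside the container only as a swanctl load failure. The script below is an added example, not code from the ye3ipsec project: it assumes openssl on the host, takes the Let's Encrypt live directory and the volume path (the Mounts[0].Source value from podman inspect) as parameters, and copies the three files into the swanctl layout only when both checks pass. The private-key mode defaults to 644 as in the commands above.

```sh
#!/bin/sh
# Added example (not part of ye3ipsec): validate a Let's Encrypt
# cert/key/chain trio, then install it into the swanctl volume.
# Assumes openssl is available on the host.

# Return 0 when the private key's public half equals the certificate's
# public key (works for RSA and EC keys alike).
cert_key_match() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when chain.pem actually issued cert.pem. Let's Encrypt's
# chain.pem holds the intermediate(s) but not the root, so -partial_chain
# is needed to accept the intermediate as the trust anchor.
cert_chain_valid() {
  cert="$1"; chain="$2"
  openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# Copy the trio from $1 (live directory) into the swanctl layout under $2
# (volume path). $3 is the mode for the private key; the howto uses 644.
# Refuses to install a mismatched key or a chain that did not issue the cert.
install_swanctl_certs() {
  src="$1"; vol="$2"; keymode="${3:-644}"
  cert_key_match "$src/cert.pem" "$src/privkey.pem" \
    || { echo "privkey.pem does not match cert.pem" >&2; return 1; }
  cert_chain_valid "$src/cert.pem" "$src/chain.pem" \
    || { echo "chain.pem did not issue cert.pem" >&2; return 1; }
  mkdir -p "$vol/x509ca" "$vol/x509" "$vol/private" || return 1
  cp "$src/chain.pem"   "$vol/x509ca/chain.pem"    || return 1
  cp "$src/cert.pem"    "$vol/x509/cert.pem"       || return 1
  cp "$src/privkey.pem" "$vol/private/privkey.pem" || return 1
  chmod "$keymode" "$vol/private/privkey.pem"
}
```

Typical use is `sudo sh -c '. ./certs.sh; install_swanctl_certs /etc/letsencrypt/live/www.test.lan "$0"' "$myipsec_volume"` followed by the `chown "$USER"` and the restart or `swanctl --load-all` step above. If the key is owned by the user that rootless Podman maps the container's root to, a third argument of 600 keeps it unreadable to other host accounts while the container can still load it.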

¤ Specify the address pool for remote access clients (road warriors)

Use these options with docker run:

```sh
-e Y_POOL_IPV4=10.2.200.0/24 -e Y_POOL_IPV6=fd00::a02:c800/120
```

¤ Get IP addresses from a DHCP server, for remote access clients (road warriors)

Use these options with docker run:

```sh
-e Y_POOL_DHCP=yes -e Y_DHCP_FORCE=yes -e Y_DCHP_IDENTITY=yes -e Y_DHCP_SERVER=10.2.152.1
```

¤ Specify username and password for the EAP IKEv2 roadwarrior profile

Use these options with docker run:

```sh
-e Y_EAP_USERNAME=carol -e Y_EAP_PASSWORD=StrongPassword
```

¤ Get EAP authentication from a RADIUS server, for the EAP IKEv2 roadwarrior profile

Use these options with docker run:

```sh
-e Y_EAP_REMOTE_AUTH=eap-radius -e Y_RADIUS_ENABLE=yes \
  -e Y_RADIUS_SERVER=radius.server.lan -e Y_RADIUS_SECRET=StrongRadiusSecret \
  -e Y_RADIUS_PORT_AUTH=1812 -e Y_RADIUS_PORT_ACCT=1813
```

¤ Specify id and secret for the PSK IKEv2 roadwarrior profile

Use these options with docker run:

```sh
-e Y_PSK_REMOTE_ID=10.9.8.7 -e Y_PSK_SECRET=StrongSecret
```

¤ Specify CN and password for the RSA Certificate IKEv2 roadwarrior profile

Use these options with docker run:

```sh
-e Y_CERT_CN=carol.laptop.lan -e Y_CERT_PASSWORD=StrongPassword
```

¤ Activate the PSK IKEv2 Site to Site profile

Use these options with docker run:

```sh
-e Y_S2S_PSK_ENABLE=yes -e Y_S2S_PSK_REMOTE_ADDRS=10.9.8.7 \
  -e Y_S2S_PSK_LOCAL_ID=192.168.7.6 -e Y_S2S_PSK_REMOTE_ID=10.9.8.7 \
  -e Y_S2S_PSK_SECRET=StrongSecret \
  -e Y_S2S_PSK_LOCAL_TS=10.2.0.0/16,fd00::a02:101/112 \
  -e Y_S2S_PSK_REMOTE_TS=10.1.0.0/16,fd00::a01:101/112 \
```

¤ Activate the IKEv1 roadwarrior profiles: Xauth PSK and Xauth RSA

They are disabled by default. Use these options with docker run:

```sh
-e Y_XAUTH_PSK_ENABLE=yes -e Y_XAUTH_RSA_ENABLE=yes
```

¤ Specify credentials for the Xauth PSK IKEv1 roadwarrior profile

Use these options with docker run:

```sh
-e Y_XAUTH_PSK_ENABLE=yes \
  -e Y_XAUTH_PSK_REMOTE_ID=carol -e Y_XAUTH_PSK_SECRET=StrongSecret \
  -e Y_XAUTH_PSK_USERNAME=carol -e Y_XAUTH_PSK_PASSWORD=StrongPassword
```

¤ Show credentials

```sh
docker logs myipsec | grep "CRED_"
```

¤ Show CA

```sh
docker exec -it myipsec cat /etc/swanctl/x509ca/caCert.pem
```

¤ Copy the client p12 file from the container to your Documents folder

```sh
docker cp myipsec:/etc/swanctl/pkcs12/clientCert.p12 ~/Documents/
```

¤ Show strongSwan log

```sh
docker exec -it myipsec swanctl --log
```

¤ Show strongSwan routing table 220

```sh
# the policy rule that sends traffic to table 220: docker exec -it myipsec ip rule show
docker exec -it myipsec ip route show table 220
```

¤ tcpdump

```sh
# useful options: -i <interfaceName>, ip6
docker exec -it myipsec tcpdump
```

¤ Add an NDP proxy entry

```sh
docker exec -it myipsec ip -6 neigh add proxy <ip> dev <interface>
```

¤ Start container automatically on system boot

```sh
docker update --restart=unless-stopped myipsec
```

¤ Start container automatically on system boot with custom host commands, to add routes for example

```sh
cat > /etc/systemd/system/myipsec.service <<EOL
[Unit]
Description=ye3ipsec container
PartOf=docker.service
After=docker.service

[Service]
ExecStartPre=-/sbin/ip route del 10.1.0.0/16 via 10.2.192.254
ExecStartPre=-/sbin/ip -6 route del fd00::a01:101/112 via fd00::a02:c0fe
ExecStart=/usr/bin/docker start -a myipsec
ExecStop=/usr/bin/docker stop -t 2 myipsec
ExecStartPost=-/sbin/ip route add 10.1.0.0/16 via 10.2.192.254
ExecStartPost=-/sbin/ip -6 route add fd00::a01:101/112 via fd00::a02:c0fe

[Install]
WantedBy=multi-user.target
EOL
# reload
systemctl daemon-reload
# check presence
systemctl list-unit-files | grep -i myipsec
# enable
systemctl enable myipsec
# restart
systemctl restart myipsec
# status
systemctl status myipsec
```

Use either a Docker restart policy or a systemd service unit, not both.