Accessing a remote server through a VPN from the host when OpenVPN runs in a Docker container


I am using Docker Desktop on Windows with the WSL2 backend, and I am having a hard time trying to access a server through a VPN in the following situation:

  1. OpenVPN runs in a container
  2. I want to reach the target machine from the host

Initially I got it working with a Squid service running in the kali container plus port forwarding, but that only works for the http protocol, and I am looking for a way to reach any tcp/udp port. I have simplified the setup a bit:

docker-compose.yml

version: '3.8'

services:
  kali:
    container_name: kali
    image:
      kalilinux/kali-rolling
    volumes:
      - ./:/home
    init: true
    working_dir: /home
    entrypoint:
      - /bin/bash
      - -c
      - |
        echo -e "deb http://http.kali.org/kali kali-rolling main non-free contrib \n" > /etc/apt/sources.list
        echo -e "deb-src http://http.kali.org/kali kali-rolling main non-free contrib" >> /etc/apt/sources.list
        apt update && apt -y upgrade
        apt -y install openvpn easy-rsa iputils-ping
        openvpn --config hackthebox.ovpn &
        tail -f /dev/null
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    privileged: true
    devices:
      - /dev/net/tun
    network_mode: "host"

kali container: ifconfig

br-21b9e8a770b9: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.28.5.254  netmask 255.255.0.0  broadcast 172.28.255.255
        ether 02:42:0d:f8:23:b6  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:a9:da:8c:34  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.65.3  netmask 255.255.255.0  broadcast 192.168.65.255
        inet6 fe80::c82d:d9ff:fe28:3807  prefixlen 64  scopeid 0x20<link>
        ether ca:2d:d9:28:38:07  txqueuelen 1000  (Ethernet)
        RX packets 37253  bytes 3124174 (2.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 33146  bytes 10826245 (10.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 255  bytes 22963 (22.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 255  bytes 22963 (22.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

services1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.65.6  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::d08e:fcff:febe:a3fc  prefixlen 64  scopeid 0x20<link>
        ether d2:8e:fc:be:a3:fc  txqueuelen 0  (Ethernet)
        RX packets 29271  bytes 10527650 (10.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 36592  bytes 3034717 (2.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.10.16.6  netmask 255.255.254.0  destination 10.10.16.6
        inet6 fe80::f8e5:b93f:5628:3207  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef:4::1004  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)  
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 480 (480.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

kali container: ip route

default via 192.168.65.1 dev eth0
10.10.10.0/23 via 10.10.16.1 dev tun0
10.10.16.0/23 dev tun0 proto kernel scope link src 10.10.16.6
10.129.0.0/16 via 10.10.16.1 dev tun0
127.0.0.0/8 dev lo scope host
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.28.0.0/16 dev br-21b9e8a770b9 proto kernel scope link src 172.28.5.254 linkdown       
192.168.65.0/24 dev eth0 scope link mtu 1500
192.168.65.1 dev eth0 scope link
192.168.65.7 dev services1 scope link

Host: ipconfig

Windows IP Configuration


Unknown adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Unknown adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter vEthernet (Default Switch):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::3a4b:54a4:f001:498d%44
   IPv4 Address. . . . . . . . . . . : 172.28.240.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.56.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet 3:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.169.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Unknown adapter OpenVPN Connect DCO Adapter:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::f847:5bea:8065:9893%23
   IPv4 Address. . . . . . . . . . . : 192.168.0.104
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter VMware Network Adapter VMnet1:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.30.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter VMware Network Adapter VMnet8:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.229.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::e467:e782:25dc:d628%66
   IPv4 Address. . . . . . . . . . . : 172.28.96.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

Host: route

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.104     35
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      172.28.96.0    255.255.240.0         On-link       172.28.96.1   5256
      172.28.96.1  255.255.255.255         On-link       172.28.96.1   5256
   172.28.111.255  255.255.255.255         On-link       172.28.96.1   5256
     172.28.240.0    255.255.240.0         On-link      172.28.240.1    271
     172.28.240.1  255.255.255.255         On-link      172.28.240.1    271
   172.28.255.255  255.255.255.255         On-link      172.28.240.1    271
      192.168.0.0    255.255.255.0         On-link     192.168.0.104    291
    192.168.0.104  255.255.255.255         On-link     192.168.0.104    291
    192.168.0.255  255.255.255.255         On-link     192.168.0.104    291
     192.168.30.0    255.255.255.0         On-link      192.168.30.1    291
     192.168.30.1  255.255.255.255         On-link      192.168.30.1    291
   192.168.30.255  255.255.255.255         On-link      192.168.30.1    291
     192.168.56.0    255.255.255.0         On-link      192.168.56.1    281
     192.168.56.1  255.255.255.255         On-link      192.168.56.1    281
   192.168.56.255  255.255.255.255         On-link      192.168.56.1    281
    192.168.169.0    255.255.255.0         On-link     192.168.169.1    281
    192.168.169.1  255.255.255.255         On-link     192.168.169.1    281
  192.168.169.255  255.255.255.255         On-link     192.168.169.1    281
    192.168.229.0    255.255.255.0         On-link     192.168.229.1    291
    192.168.229.1  255.255.255.255         On-link     192.168.229.1    291
  192.168.229.255  255.255.255.255         On-link     192.168.229.1    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.169.1    281
        224.0.0.0        240.0.0.0         On-link      192.168.56.1    281
        224.0.0.0        240.0.0.0         On-link     192.168.0.104    291
        224.0.0.0        240.0.0.0         On-link       172.28.96.1   5256
        224.0.0.0        240.0.0.0         On-link      172.28.240.1    271
        224.0.0.0        240.0.0.0         On-link      192.168.30.1    291
        224.0.0.0        240.0.0.0         On-link     192.168.229.1    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.169.1    281
  255.255.255.255  255.255.255.255         On-link      192.168.56.1    281
  255.255.255.255  255.255.255.255         On-link     192.168.0.104    291
  255.255.255.255  255.255.255.255         On-link       172.28.96.1   5256
  255.255.255.255  255.255.255.255         On-link      172.28.240.1    271
  255.255.255.255  255.255.255.255         On-link      192.168.30.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.229.1    291
===========================================================================

So the target machine is 10.10.10.100; I am able to ping it from the kali container and I am looking for a way to do the same from the host with this setup.

Initially I tried to achieve it on the default bridge network by modifying iptables; recently I switched to network: host mode. I tried adding a route rule on the host, but I am not sure whether that makes sense, as I am new to this kind of thing.

route add 10.10.0.0 mask 255.255.0.0 172.28.96.1

or

route add 10.10.0.0 mask 255.255.0.0 172.28.240.1

but I did not see it change the output of tracert 10.10.10.100

Is there a way to reach the tun0 interface from the host?

I have spent a few days on this; the most similar question I have found with a solution is this one:
https://github.com/jpetazzo/pipework/issues/35#issuecomment-36668067
I suspect it may be a matter of setting the route rules correctly.

Also:

  • If Docker on Windows is the problem, I could also run Docker on Linux, as long as I manage to get it working.
  • Docker Desktop 4.29 supports network: host mode on Windows as a Beta feature, and I have enabled it
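Resolving 10.10.10.100 against the two route tables above with longest-prefix matching shows why tracert is unchanged: the container selects the 10.10.10.0/23 route via tun0, while the host table has no route covering 10.10.0.0/16 and falls through to 0.0.0.0 via 192.168.0.1. This is an added Python example written for this page, not code from the question or from Docker/OpenVPN; the route rows are copied from the question's output, and with_route_add is a simplified model of the Windows route add command that ignores metrics.

```python
import ipaddress

# Constructed from the `ip route` and `route print` output quoted above (per-host /32 rows omitted).
CONTAINER_IP_ROUTE = """\
default via 192.168.65.1 dev eth0
10.10.10.0/23 via 10.10.16.1 dev tun0
10.10.16.0/23 dev tun0 proto kernel scope link src 10.10.16.6
10.129.0.0/16 via 10.10.16.1 dev tun0
"""
HOST_ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.104     35
      172.28.96.0    255.255.240.0         On-link       172.28.96.1   5256
     172.28.240.0    255.255.240.0         On-link      172.28.240.1    271
      192.168.0.0    255.255.255.0         On-link     192.168.0.104    291
"""

def parse_ip_route(text):
    """Parse Linux `ip route` lines into (network, gateway or None, device)."""
    routes = []
    for parts in (line.split() for line in text.splitlines()):
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        gw = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((ipaddress.ip_network(prefix, strict=False), gw, parts[parts.index("dev") + 1]))
    return routes

def parse_route_print(text):
    """Parse Windows `route print` rows: destination netmask gateway interface metric."""
    routes = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 5:
            dest, mask, gw, iface, _metric = parts
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"), None if gw == "On-link" else gw, iface))
    return routes

def lookup(routes, dest):
    """Longest-prefix match, the selection both kernels make; returns (gateway or None, interface)."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    _net, gw, iface = max(matches, key=lambda r: r[0].prefixlen)
    return gw, iface

def with_route_add(routes, dest, mask, gw):
    """Simplified model of `route add DEST mask MASK GW`: the row binds to the on-link interface owning GW."""
    owner = lookup([r for r in routes if r[1] is None], gw)
    return routes + [(ipaddress.ip_network(f"{dest}/{mask}"), gw, owner[1] if owner else None)]
```

After the modelled route add the host would hand 10.10.0.0/16 traffic to 172.28.96.1, which the ipconfig output above lists as the host's own address on vEthernet (WSL) and which does not appear anywhere in the container's ifconfig, so nothing on that path forwards the packets into tun0.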
