I'm using Docker Desktop on Windows with the WSL2 backend, and I'm struggling to reach a server over a VPN in the following setup:
- OpenVPN runs in a container
- I want to reach the target machine from the host
Initially I got this working with a Squid service running in the kali container plus port forwarding, but that only works for the HTTP protocol, and I'm looking for a way to reach any TCP/UDP port. I've simplified the setup a bit:
docker-compose.yml
version: '3.8'
services:
  kali:
    container_name: kali
    image: kalilinux/kali-rolling
    volumes:
      - ./:/home                # the compose directory (with hackthebox.ovpn) is mounted as /home
    init: true
    working_dir: /home
    entrypoint:
      - /bin/bash
      - -c
      - |
        echo -e "deb http://http.kali.org/kali kali-rolling main non-free contrib \n" > /etc/apt/sources.list
        echo -e "deb-src http://http.kali.org/kali kali-rolling main non-free contrib" >> /etc/apt/sources.list
        apt update && apt -y upgrade
        apt -y install openvpn easy-rsa iputils-ping
        openvpn --config hackthebox.ovpn &   # VPN client runs in the background
        tail -f /dev/null                    # keep the container alive
    cap_add:
      - NET_ADMIN                # needed to create tun0 and change routes
      - SYS_ADMIN
    privileged: true
    devices:
      - /dev/net/tun
    network_mode: "host"
kali container: ifconfig
br-21b9e8a770b9: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.28.5.254  netmask 255.255.0.0  broadcast 172.28.255.255
        ether 02:42:0d:f8:23:b6  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:a9:da:8c:34  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.65.3  netmask 255.255.255.0  broadcast 192.168.65.255
        inet6 fe80::c82d:d9ff:fe28:3807  prefixlen 64  scopeid 0x20<link>
        ether ca:2d:d9:28:38:07  txqueuelen 1000  (Ethernet)
        RX packets 37253  bytes 3124174 (2.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 33146  bytes 10826245 (10.3 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 255  bytes 22963 (22.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 255  bytes 22963 (22.4 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
services1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.65.6  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::d08e:fcff:febe:a3fc  prefixlen 64  scopeid 0x20<link>
        ether d2:8e:fc:be:a3:fc  txqueuelen 0  (Ethernet)
        RX packets 29271  bytes 10527650 (10.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 36592  bytes 3034717 (2.8 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.10.16.6  netmask 255.255.254.0  destination 10.10.16.6
        inet6 fe80::f8e5:b93f:5628:3207  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef:4::1004  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 480 (480.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
kali container: ip route
default via 192.168.65.1 dev eth0
10.10.10.0/23 via 10.10.16.1 dev tun0
10.10.16.0/23 dev tun0 proto kernel scope link src 10.10.16.6
10.129.0.0/16 via 10.10.16.1 dev tun0
127.0.0.0/8 dev lo scope host
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.28.0.0/16 dev br-21b9e8a770b9 proto kernel scope link src 172.28.5.254 linkdown
192.168.65.0/24 dev eth0 scope link mtu 1500
192.168.65.1 dev eth0 scope link
192.168.65.7 dev services1 scope link
Host: ipconfig
Windows IP Configuration
Unknown adapter Local Area Connection:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
Unknown adapter Local Area Connection 2:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
Ethernet adapter vEthernet (Default Switch):
   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::3a4b:54a4:f001:498d%44
   IPv4 Address. . . . . . . . . . . : 172.28.240.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :
Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.56.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
Ethernet adapter Ethernet 3:
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.169.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
Unknown adapter OpenVPN Connect DCO Adapter:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
Ethernet adapter Ethernet 2:
   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::f847:5bea:8065:9893%23
   IPv4 Address. . . . . . . . . . . : 192.168.0.104
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
Ethernet adapter VMware Network Adapter VMnet1:
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.30.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
Ethernet adapter VMware Network Adapter VMnet8:
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.229.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
Ethernet adapter Bluetooth Network Connection:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
Ethernet adapter vEthernet (WSL):
   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::e467:e782:25dc:d628%66
   IPv4 Address. . . . . . . . . . . : 172.28.96.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :
Host: route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.104 35
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
172.28.96.0 255.255.240.0 On-link 172.28.96.1 5256
172.28.96.1 255.255.255.255 On-link 172.28.96.1 5256
172.28.111.255 255.255.255.255 On-link 172.28.96.1 5256
172.28.240.0 255.255.240.0 On-link 172.28.240.1 271
172.28.240.1 255.255.255.255 On-link 172.28.240.1 271
172.28.255.255 255.255.255.255 On-link 172.28.240.1 271
192.168.0.0 255.255.255.0 On-link 192.168.0.104 291
192.168.0.104 255.255.255.255 On-link 192.168.0.104 291
192.168.0.255 255.255.255.255 On-link 192.168.0.104 291
192.168.30.0 255.255.255.0 On-link 192.168.30.1 291
192.168.30.1 255.255.255.255 On-link 192.168.30.1 291
192.168.30.255 255.255.255.255 On-link 192.168.30.1 291
192.168.56.0 255.255.255.0 On-link 192.168.56.1 281
192.168.56.1 255.255.255.255 On-link 192.168.56.1 281
192.168.56.255 255.255.255.255 On-link 192.168.56.1 281
192.168.169.0 255.255.255.0 On-link 192.168.169.1 281
192.168.169.1 255.255.255.255 On-link 192.168.169.1 281
192.168.169.255 255.255.255.255 On-link 192.168.169.1 281
192.168.229.0 255.255.255.0 On-link 192.168.229.1 291
192.168.229.1 255.255.255.255 On-link 192.168.229.1 291
192.168.229.255 255.255.255.255 On-link 192.168.229.1 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.169.1 281
224.0.0.0 240.0.0.0 On-link 192.168.56.1 281
224.0.0.0 240.0.0.0 On-link 192.168.0.104 291
224.0.0.0 240.0.0.0 On-link 172.28.96.1 5256
224.0.0.0 240.0.0.0 On-link 172.28.240.1 271
224.0.0.0 240.0.0.0 On-link 192.168.30.1 291
224.0.0.0 240.0.0.0 On-link 192.168.229.1 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.169.1 281
255.255.255.255 255.255.255.255 On-link 192.168.56.1 281
255.255.255.255 255.255.255.255 On-link 192.168.0.104 291
255.255.255.255 255.255.255.255 On-link 172.28.96.1 5256
255.255.255.255 255.255.255.255 On-link 172.28.240.1 271
255.255.255.255 255.255.255.255 On-link 192.168.30.1 291
255.255.255.255 255.255.255.255 On-link 192.168.229.1 291
===========================================================================
So the target machine is 10.10.10.100; I'm able to ping it from the kali container and I'm looking for a way to do the same from the host with this setup.
Initially I tried to do it with the default bridge network by modifying iptables; more recently I switched to network mode host. I tried setting routing rules on the host, but I'm not sure whether that even makes sense, I'm new to this kind of thing:
route add 10.10.0.0 mask 255.255.0.0 172.28.96.1
or
route add 10.10.0.0 mask 255.255.0.0 172.28.240.1
but I don't see it affecting the output of
tracert 10.10.10.100
Is there a way to reach the tun0 interface from the host?
I've already spent a few days on this; the most similar problem I've found, together with its solution, is this one:
https://github.com/jpetazzo/pipework/issues/35#issuecomment-36668067
I suspect it may be a matter of setting the routing rules correctly.
Also:
- If Docker on Windows is the problem, I can also run Docker on Linux, as long as I manage to get it working.
- Docker Desktop version 4.29 supports network: host mode on Windows as a beta feature, and I have it enabled.
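The Squid-plus-port-forwarding approach described in the question already contains the working pattern; what follows is an added example (not code from the question or from Docker Desktop) that generalises it from HTTP to any TCP port. The reasoning behind it: with the WSL2 backend, Docker Desktop runs the engine inside its own Linux VM, so even with network_mode: host the container's "host" interfaces (eth0 192.168.65.3, tun0 10.10.16.6) belong to that VM, not to Windows. 172.28.96.1 and 172.28.240.1 are the Windows-side addresses of the vEthernet adapters, not gateways that forward into the VM, which is why the route add commands have no visible effect on tracert. What Windows can reach reliably is a port that Docker publishes. The relay below runs inside the kali container, binds on a listen port, and opens each forwarded connection to the target itself; since the container owns the route for 10.10.10.0/23 via tun0, that outbound leg takes the VPN. It assumes the service is started from the compose file with a published port instead of host mode (for example ports: - "127.0.0.1:8080:8080"), and the target 10.10.10.100:80 is taken from the question; the self-test uses a constructed local echo server as a stand-in for the VPN target. It covers TCP only; UDP would need a separate relay or a SOCKS5 proxy with UDP support.

```python
#!/usr/bin/env python3
"""Generic TCP port forwarder meant to run inside the VPN-attached container.

Each client accepted on LISTEN_HOST:LISTEN_PORT is relayed to
TARGET_HOST:TARGET_PORT. Because the forwarder runs in the container that
owns the tun0 route, the outbound leg takes the VPN; the Windows host only
has to reach the container's published port.

Usage (inside the container; the target address is an assumption from the post):
    python3 tcpfwd.py 0.0.0.0 8080 10.10.10.100 80
"""
import asyncio
import sys


async def _pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes from reader to writer until EOF, then close the writer."""
    try:
        while True:
            data = await reader.read(65536)
            if not data:
                break
            writer.write(data)
            await writer.drain()
    except (ConnectionResetError, BrokenPipeError):
        pass
    finally:
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass


async def handle_client(client_reader, client_writer, target_host, target_port):
    """Open the target connection and relay in both directions."""
    peer = client_writer.get_extra_info("peername")
    try:
        target_reader, target_writer = await asyncio.wait_for(
            asyncio.open_connection(target_host, target_port), timeout=10
        )
    except (OSError, asyncio.TimeoutError) as exc:
        # Typical cause: no VPN route to the target (tun0 down, wrong subnet).
        print(f"[!] {peer} -> {target_host}:{target_port}: {exc}", file=sys.stderr)
        client_writer.close()
        return
    await asyncio.gather(
        _pump(client_reader, target_writer),
        _pump(target_reader, client_writer),
    )


async def start_forwarder(listen_host, listen_port, target_host, target_port):
    """Start listening; returns the asyncio.Server (port 0 picks a free port)."""
    return await asyncio.start_server(
        lambda r, w: handle_client(r, w, target_host, target_port),
        listen_host, listen_port,
    )


# Loopback self-test: a constructed echo server stands in for the VPN target.

async def _echo_once(reader, writer):
    writer.write(await reader.read(65536))
    await writer.drain()
    writer.close()


async def _selftest(payload: bytes) -> bytes:
    echo = await asyncio.start_server(_echo_once, "127.0.0.1", 0)
    echo_port = echo.sockets[0].getsockname()[1]
    fwd = await start_forwarder("127.0.0.1", 0, "127.0.0.1", echo_port)
    fwd_port = fwd.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", fwd_port)
    writer.write(payload)
    await writer.drain()
    got = await reader.read(65536)  # echo closes after one reply; relay forwards the EOF
    writer.close()
    await writer.wait_closed()
    fwd.close()
    echo.close()
    return got


def selftest(payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Round-trip payload through forwarder -> echo; returns what came back."""
    return asyncio.run(_selftest(payload))


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit(__doc__)
    lh, lp, th, tp = sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4])

    async def _serve():
        server = await start_forwarder(lh, lp, th, tp)
        print(f"[*] {lh}:{lp} -> {th}:{tp}", file=sys.stderr)
        async with server:
            await server.serve_forever()

    asyncio.run(_serve())
```

Publishing the port as "127.0.0.1:8080:8080" rather than "8080:8080" keeps the relay reachable only from the Windows host itself, so other machines on 192.168.0.0/24 cannot use it as a jump into the lab VPN. Once it is running, curl http://localhost:8080/ (or nc localhost 8080 for a non-HTTP service) from Windows reaches 10.10.10.100 through tun0; one relay instance is needed per target port.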