From 7b874169cb884a7c7242a7c622b479b4d09a1aca Mon Sep 17 00:00:00 2001
From: alexz
Date: Fri, 16 Jan 2026 23:26:26 +0000
Subject: [PATCH] Update cisco-vpn to use 172.31.0.0/24 container network

- Replace 100.100.0.0/24 with 172.31.0.0/24
- Update gateway to 172.31.0.1

Co-Authored-By: Claude Opus 4.5
---
 apps/rego-tunnel/shared/cisco-vpn | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/apps/rego-tunnel/shared/cisco-vpn b/apps/rego-tunnel/shared/cisco-vpn
index c221743..df82e77 100755
--- a/apps/rego-tunnel/shared/cisco-vpn
+++ b/apps/rego-tunnel/shared/cisco-vpn
@@ -173,14 +173,14 @@ get_vpn_interface() {
 
 # Function to get VM's IP on the bridge network (for container routing)
 get_vm_bridge_ip() {
- # Get IP from ens3 (main adapter with 100.100.0.x)
+ # Get IP from container network (172.31.0.x)
 ip addr show ens3 2>/dev/null | grep -oP 'inet \K[\d.]+' | head -1
 }
 
 # Function to get container gateway IP
 get_container_gateway() {
- # The container bridge is at 100.100.0.1
- echo "100.100.0.1"
+ # The container bridge gateway
+ echo "172.31.0.1"
 }
 
 # Function to get VPN tunnel IP
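Review bot: The new comment on `get_vm_bridge_ip` promises the container-network address, but the pipeline still takes the first `inet` on ens3 with no subnet filter, so a host that still carries a 100.100.0.x address from the old layout, or any secondary address, is returned silently and the routing built from it points at the wrong network. Pin the match to the subnet the comment names, `grep -oP 'inet \K172\.31\.0\.\d+'`, or better define `CONTAINER_NET=172.31.0.0/24` and `CONTAINER_GW=172.31.0.1` once near the top and have `get_container_gateway` echo the variable, since this commit had to rewrite the same literal in every rule of the script. One caveat worth a comment at `get_container_gateway`: 172.31.0.0/24 sits inside 172.31.0.0/16, a range that AWS default VPCs and Docker's default bridge pool also draw from, so a route covering it pushed by the VPN or installed by a local container runtime would compete with the bridge route — presumably checked, but nothing in the script verifies it.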
@@ -316,10 +316,10 @@ setup_forwarding() {
 # Enable IP forwarding
 run_cmd "Enabling IP forwarding" sudo sysctl -w net.ipv4.ip_forward=1
 
- # NAT masquerade for traffic from container network (100.100.0.0/24) going through VPN
+ # NAT masquerade for traffic from container network (172.31.0.0/24) going through VPN
 # This is the ONLY masquerade rule needed - source-based, not destination-based
- if ! sudo iptables -t nat -C POSTROUTING -s 100.100.0.0/24 -o "$vpn_iface" -j MASQUERADE 2>/dev/null; then
- run_cmd "Adding NAT masquerade for container network -> VPN" sudo iptables -t nat -A POSTROUTING -s 100.100.0.0/24 -o "$vpn_iface" -j MASQUERADE
+ if ! sudo iptables -t nat -C POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE 2>/dev/null; then
+ run_cmd "Adding NAT masquerade for container network -> VPN" sudo iptables -t nat -A POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE
 else
 log DEBUG "NAT masquerade for container network already exists"
 fi
@@ -338,14 +338,14 @@ setup_forwarding() {
 fi
 
 # Accept forwarding from container network
- if ! sudo iptables -C FORWARD -s 100.100.0.0/24 -j ACCEPT 2>/dev/null; then
- run_cmd "Adding forward rule (from container network)" sudo iptables -A FORWARD -s 100.100.0.0/24 -j ACCEPT
+ if ! sudo iptables -C FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
+ run_cmd "Adding forward rule (from container network)" sudo iptables -A FORWARD -s 172.31.0.0/24 -j ACCEPT
 else
 log DEBUG "Forward rule (from container network) already exists"
 fi
 
- if ! sudo iptables -C FORWARD -d 100.100.0.0/24 -j ACCEPT 2>/dev/null; then
- run_cmd "Adding forward rule (to container network)" sudo iptables -A FORWARD -d 100.100.0.0/24 -j ACCEPT
+ if ! sudo iptables -C FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
+ run_cmd "Adding forward rule (to container network)" sudo iptables -A FORWARD -d 172.31.0.0/24 -j ACCEPT
 else
 log DEBUG "Forward rule (to container network) already exists"
 fi
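Review bot: Nothing in this hunk removes the old `-s 100.100.0.0/24` masquerade rule, and because the `-C` check only looks for the new rule, a host that already ran the previous version keeps both rules in nat POSTROUTING until a reboot or manual flush — the same holds for the FORWARD and ciscovpn rules changed elsewhere in this patch. Unless a teardown path outside the hunk flushes them, add a one-time cleanup before the check, `sudo iptables -t nat -D POSTROUTING -s 100.100.0.0/24 -o "$vpn_iface" -j MASQUERADE 2>/dev/null || true`, or loop the delete until it fails so accumulated duplicates are cleared as well. The CIDR is now a bare literal in every rule of `setup_forwarding`; a single `CONTAINER_NET` variable would keep the next renumbering from missing one. `setup_forwarding` begins before this hunk.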
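Review bot: Both FORWARD rules in this hunk match on address only: `-s 172.31.0.0/24 -j ACCEPT` lets container traffic be forwarded out any interface of the VM, not just `$vpn_iface`, and `-d 172.31.0.0/24 -j ACCEPT` lets any packet arriving on any interface, including unsolicited connections from the VPN side, be forwarded into the container network. The masquerade comment in the preceding hunk says source-based matching is deliberate for NAT, but the forward rules were presumably meant to cover only VPN-bound traffic and its replies. Tighten the outbound rule to `-s 172.31.0.0/24 -o "$vpn_iface" -j ACCEPT` and the return rule to `-d 172.31.0.0/24 -i "$vpn_iface" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, on both the `-C` and `-A` lines of each block; if containers are also expected to reach the VM's LAN, add an explicit rule for that rather than an open accept. Whether the FORWARD chain's policy is DROP, which is what makes these rules load-bearing, is set outside this hunk.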
@@ -365,8 +365,8 @@ setup_forwarding() {
 fi
 
 # Also allow container network through ciscovpn chain
- if ! sudo iptables -C ciscovpn -s 100.100.0.0/24 -j ACCEPT 2>/dev/null; then
- run_cmd "Adding ciscovpn bypass (container network)" sudo iptables -I ciscovpn 3 -s 100.100.0.0/24 -j ACCEPT
+ if ! sudo iptables -C ciscovpn -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
+ run_cmd "Adding ciscovpn bypass (container network)" sudo iptables -I ciscovpn 3 -s 172.31.0.0/24 -j ACCEPT
 fi
 else
 log DEBUG "ciscovpn chain does not exist (yet)"
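Review bot: `iptables -I ciscovpn 3 ...` inserts at a fixed position in a chain the Cisco client owns, and nothing in the hunk records why position 3 is right; iptables rejects an index beyond length+1, so the insert fails when the client has populated fewer than two rules at the time this runs, and since the `-C` check is the only guard, a client that rebuilds the chain on reconnect (not visible from this script) silently drops the bypass until the script is re-run. Add a comment stating the assumption, e.g. `# Position 3: after the client's own loopback/tunnel accepts - verify with 'iptables -S ciscovpn' after a client upgrade`, and consider checking the chain length first and falling back to `-I ciscovpn 1` when it is shorter. Note that this rule accepts the whole /24 regardless of destination, so it inherits whatever the FORWARD rules permit. The enclosing `if`/`else` and `setup_forwarding` continue past the end of the hunk.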