Update cisco-vpn to use 172.31.0.0/24 container network
- Replace 100.100.0.0/24 with 172.31.0.0/24 - Update gateway to 172.31.0.1 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -173,14 +173,14 @@ get_vpn_interface() {
|
||||
|
||||
# Function to get VM's IP on the bridge network (for container routing)
|
||||
get_vm_bridge_ip() {
|
||||
# Get IP from ens3 (main adapter with 100.100.0.x)
|
||||
# Get IP from container network (172.31.0.x)
|
||||
ip addr show ens3 2>/dev/null | grep -oP 'inet \K[\d.]+' | head -1
|
||||
}
|
||||
|
||||
# Function to get container gateway IP
|
||||
get_container_gateway() {
|
||||
# The container bridge is at 100.100.0.1
|
||||
echo "100.100.0.1"
|
||||
# The container bridge gateway
|
||||
echo "172.31.0.1"
|
||||
}
|
||||
|
||||
# Function to get VPN tunnel IP
|
||||
@@ -316,10 +316,10 @@ setup_forwarding() {
|
||||
# Enable IP forwarding
|
||||
run_cmd "Enabling IP forwarding" sudo sysctl -w net.ipv4.ip_forward=1
|
||||
|
||||
# NAT masquerade for traffic from container network (100.100.0.0/24) going through VPN
|
||||
# NAT masquerade for traffic from container network (172.31.0.0/24) going through VPN
|
||||
# This is the ONLY masquerade rule needed - source-based, not destination-based
|
||||
if ! sudo iptables -t nat -C POSTROUTING -s 100.100.0.0/24 -o "$vpn_iface" -j MASQUERADE 2>/dev/null; then
|
||||
run_cmd "Adding NAT masquerade for container network -> VPN" sudo iptables -t nat -A POSTROUTING -s 100.100.0.0/24 -o "$vpn_iface" -j MASQUERADE
|
||||
if ! sudo iptables -t nat -C POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE 2>/dev/null; then
|
||||
run_cmd "Adding NAT masquerade for container network -> VPN" sudo iptables -t nat -A POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE
|
||||
else
|
||||
log DEBUG "NAT masquerade for container network already exists"
|
||||
fi
|
||||
@@ -338,14 +338,14 @@ setup_forwarding() {
|
||||
fi
|
||||
|
||||
# Accept forwarding from container network
|
||||
if ! sudo iptables -C FORWARD -s 100.100.0.0/24 -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding forward rule (from container network)" sudo iptables -A FORWARD -s 100.100.0.0/24 -j ACCEPT
|
||||
if ! sudo iptables -C FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding forward rule (from container network)" sudo iptables -A FORWARD -s 172.31.0.0/24 -j ACCEPT
|
||||
else
|
||||
log DEBUG "Forward rule (from container network) already exists"
|
||||
fi
|
||||
|
||||
if ! sudo iptables -C FORWARD -d 100.100.0.0/24 -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding forward rule (to container network)" sudo iptables -A FORWARD -d 100.100.0.0/24 -j ACCEPT
|
||||
if ! sudo iptables -C FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding forward rule (to container network)" sudo iptables -A FORWARD -d 172.31.0.0/24 -j ACCEPT
|
||||
else
|
||||
log DEBUG "Forward rule (to container network) already exists"
|
||||
fi
|
||||
@@ -365,8 +365,8 @@ setup_forwarding() {
|
||||
fi
|
||||
|
||||
# Also allow container network through ciscovpn chain
|
||||
if ! sudo iptables -C ciscovpn -s 100.100.0.0/24 -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding ciscovpn bypass (container network)" sudo iptables -I ciscovpn 3 -s 100.100.0.0/24 -j ACCEPT
|
||||
if ! sudo iptables -C ciscovpn -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding ciscovpn bypass (container network)" sudo iptables -I ciscovpn 3 -s 172.31.0.0/24 -j ACCEPT
|
||||
fi
|
||||
else
|
||||
log DEBUG "ciscovpn chain does not exist (yet)"
|
||||
|
||||
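Review bot: The subnet literal 172.31.0.0/24 is now repeated in six iptables invocations across the -316, -338 and -365 hunks (and the gateway again in get_container_gateway), so the next renumbering carries the same risk this commit illustrates: one site missed leaves a masquerade or forward rule bound to a stale network. Define both values once near the top of the script, e.g. `readonly CONTAINER_NET="172.31.0.0/24"` and `readonly CONTAINER_GW="172.31.0.1"`, and write the rules as `sudo iptables -t nat -A POSTROUTING -s "$CONTAINER_NET" -o "$vpn_iface" -j MASQUERADE` (likewise for the -C checks and the FORWARD/ciscovpn rules). Separately, the new-side FORWARD accepts (`-s 172.31.0.0/24 -j ACCEPT` and `-d 172.31.0.0/24 -j ACCEPT`) carry no interface or connection-state qualifier, so any forwarded traffic to or from the container network is accepted rather than only VPN-bound flows and their replies; unless the parts of setup_forwarding outside these hunks already constrain this, consider `-o "$vpn_iface"` on the source rule and `-m conntrack --ctstate ESTABLISHED,RELATED` on the destination rule. In the -173 hunk the comment in get_vm_bridge_ip now says "container network" while the command still reads ens3; keep the interface dependency visible with something like `# Read the first IPv4 address on ens3, the adapter that now carries 172.31.0.x`.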