Comments (5)

siomiz commented on August 16, 2024 2

It probably wants more permissions to run (on 16.10's kernel) now?
https://unix.stackexchange.com/questions/390184/dmesg-read-kernel-buffer-failed-permission-denied

Can you try --privileged instead of --cap-add NET_ADMIN?

from softethervpn.

ctkcoding commented on August 16, 2024 1

I am having a similar issue where after the key and user setup it fails when running this off the alpine dockerfile. Here is the error I got:

```
# Creating user(s): user8071

[initial setup OK]

dmesg: klogctl: Operation not permitted
```

from softethervpn.

unoexperto commented on August 16, 2024

I dug more. Ran sudo /usr/lib/NetworkManager/nm-l2tp-service --debug. Here is what I get:

nm-l2tp[15142] <debug> nm-l2tp-service (version 1.2.8) starting...
nm-l2tp[15142] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[15142] <info>  ipsec enable flag: yes
** Message: Check port 1701
connection
	id : "Raf Server" (s)
	uuid : "60c04ee3-c9d9-4a34-9404-de26661cb366" (s)
	interface-name : NULL (sd)
	type : "vpn" (s)
	permissions : ["user:expert:"] (s)
	autoconnect : FALSE (s)
	autoconnect-priority : 0 (sd)
	timestamp : 0 (sd)
	read-only : FALSE (sd)
	zone : NULL (sd)
	master : NULL (sd)
	slave-type : NULL (sd)
	autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd)
	secondaries : [] (s)
	gateway-ping-timeout : 0 (sd)
	metered : ((NMMetered) NM_METERED_UNKNOWN) (sd)
	lldp : -1 (sd)


ipv6
	method : "auto" (s)
	dns : [] (s)
	dns-search : [] (s)
	dns-options : NULL (sd)
	dns-priority : 0 (sd)
	addresses : ((GPtrArray*) 0x2509280) (s)
	gateway : NULL (sd)
	routes : ((GPtrArray*) 0x2519a60) (s)
	route-metric : -1 (sd)
	ignore-auto-routes : FALSE (sd)
	ignore-auto-dns : FALSE (sd)
	dhcp-hostname : NULL (sd)
	dhcp-send-hostname : TRUE (sd)
	never-default : FALSE (sd)
	may-fail : TRUE (sd)
	dad-timeout : -1 (sd)
	dhcp-timeout : 0 (sd)
	ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_DISABLED) (s)
	addr-gen-mode : 1 (sd)


ipv4
	method : "auto" (s)
	dns : [] (s)
	dns-search : [] (s)
	dns-options : NULL (sd)
	dns-priority : 0 (sd)
	addresses : ((GPtrArray*) 0x2519940) (s)
	gateway : NULL (sd)
	routes : ((GPtrArray*) 0x2519920) (s)
	route-metric : -1 (sd)
	ignore-auto-routes : FALSE (sd)
	ignore-auto-dns : FALSE (sd)
	dhcp-hostname : NULL (sd)
	dhcp-send-hostname : TRUE (sd)
	never-default : FALSE (sd)
	may-fail : TRUE (sd)
	dad-timeout : -1 (sd)
	dhcp-timeout : 0 (sd)
	dhcp-client-id : NULL (sd)
	dhcp-fqdn : NULL (sd)


vpn
	service-type : "org.freedesktop.NetworkManager.l2tp" (s)
	user-name : "expert" (s)
	persistent : FALSE (sd)
	data : ((GHashTable*) 0x251ad80) (s)
	secrets : ((GHashTable*) 0x251ade0) (s)
	timeout : 0 (sd)


nm-l2tp[15142] <info>  starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.3.5 IPsec [starter]...
Loading config setup
Loading conn '60c04ee3-c9d9-4a34-9404-de26661cb366'
found netkey IPsec stack
nm-l2tp[15142] <info>  Spawned ipsec up script with PID 15225.
initiating Main Mode IKE_SA 60c04ee3-c9d9-4a34-9404-de26661cb366[1] to 5.79.121.6
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.1.5[500] to 5.79.121.6[500] (148 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from 192.168.1.5[500] to 5.79.121.6[500] (148 bytes)
nm-l2tp[15142] <warn>  Timeout trying to establish IPsec connection
nm-l2tp[15142] <info>  Terminating ipsec script with PID 15225.
Stopping strongSwan IPsec...
destroying IKE_SA in state CONNECTING without notification
establishing connection '60c04ee3-c9d9-4a34-9404-de26661cb366' failed
nm-l2tp[15142] <warn>  Could not establish IPsec tunnel.

(nm-l2tp-service:15142): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

from softethervpn.

siomiz commented on August 16, 2024

Note that Ubuntu (MATE) 16.10 reached its EOL in July 2017.

If it's working for your Android devices, I believe it has something to do with the IPsec client on the Ubuntu side.
Can you try OpenVPN instead (you just save the docker log as .ovpn file for import)?
Also, can you try the SoftEtherVPN official binary for server and check if your problem is indeed caused by this image? (This image actually tests IPsec connectivity.)

As for port 1701: "Port 1701 is used by the L2TP Server, but connections should not be allowed inbound to it from outside" but I had a problem with old iOS if 1701/tcp (not /udp) was closed.

from softethervpn.

unoexperto commented on August 16, 2024

@siomiz Unfortunately I still can't make it work. What's worse is that the behaviour is unpredictable. On fresh Ubuntu 10.04 it worked. I was able to connect to 1701 via localhost and via one of the IP4 addresses. After cleaning up IPTABLES rules and reinstalling this container I lost the ability to connect via external IP address, but still could connect via localhost. After fighting with it more (removing and adding docker container) it stopped working completely. Could you suggest what to do to ever make it work?

Here is how I install it:

docker run -d --name vpn --restart always --cap-add NET_ADMIN -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp -e USERS="username:password" -e PSK="something" siomiz/softethervpn

On start I see the following message in the log of the container:

dmesg: read kernel buffer failed: Operation not permitted

My iptables rules

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
num  target     prot opt source               destination         
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
4    ACCEPT     all  --  192.168.42.0/24      192.168.42.0/24     
5    ACCEPT     all  --  0.0.0.0/0            192.168.43.0/24      ctstate RELATED,ESTABLISHED
6    ACCEPT     all  --  192.168.43.0/24      0.0.0.0/0           
7    DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
8    DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
9    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
10   DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
11   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
12   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
13   DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain DOCKER (1 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:6379
2    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.3           tcp dpt:15672
3    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.3           tcp dpt:5672
4    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.4           tcp dpt:5432
5    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.5           tcp dpt:5432
6    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.6           tcp dpt:5555
7    ACCEPT     udp  --  0.0.0.0/0            172.17.0.6           udp dpt:4500
8    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.6           tcp dpt:1701
9    ACCEPT     udp  --  0.0.0.0/0            172.17.0.6           udp dpt:1194
10   ACCEPT     udp  --  0.0.0.0/0            172.17.0.6           udp dpt:500

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num  target     prot opt source               destination         
1    DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num  target     prot opt source               destination         
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0           
2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0 

Help!

from softethervpn.
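
The thread turns on what the container is granted by `--cap-add NET_ADMIN` versus `--privileged`. As an added example (not from the thread or from the softethervpn image), this script decodes a `CapEff` mask as found in `/proc/<pid>/status` and reports the two capabilities at issue: `net_admin`, and `syslog`, which Docker leaves out of its default set and which the kernel-log read behind `dmesg` needs. The hex masks are constructed samples and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread. Capability bit order follows
# linux/capability.h (bit 0 = chown ... bit 40 = checkpoint_restore).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write
audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend
audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK -> space-separated names of the capabilities set in it
decode_caps() {
    bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (0x$1 >> bit) & 1 )) -eq 1 ]; then out="$out $name"; fi
        bit=$((bit + 1))
    done
    echo "${out# }"
}

# has_cap HEXMASK NAME -> exit status 0 if NAME is set in the mask
has_cap() {
    case " $(decode_caps "$1") " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# diagnose HEXMASK -> the two capabilities this thread is about
diagnose() {
    if has_cap "$1" net_admin; then na=yes; else na=no; fi
    if has_cap "$1" syslog; then sl=yes; else sl=no; fi
    echo "net_admin=$na syslog=$sl"
}

# Constructed sample masks (the full mask varies with kernel version):
#   00000000a80425fb  Docker's default capability set
#   00000000a80435fb  default set plus net_admin
#   00000004a80435fb  default set plus net_admin and syslog
#   000001ffffffffff  every capability in CAP_NAMES, as a privileged run gets
for m in 00000000a80425fb 00000000a80435fb 00000004a80435fb 000001ffffffffff; do
    echo "$m  $(diagnose "$m")"
done

# Live mask of the current process, when /proc is available (Linux only).
if [ -r /proc/self/status ]; then
    live=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    if [ -n "$live" ]; then echo "this process: $(diagnose "$live")"; fi
fi
```

Run inside the container (for example through `docker exec` on the `vpn` container), the last line shows what the VPN process actually holds. If it reports `syslog=no`, `--cap-add SYSLOG` is a narrower grant to test against the dmesg message than `--privileged`.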
