
I am trying to deploy a VPN server (I chose the Openswan flavor) into a systemd-nspawn container on a Raspberry Pi running Arch Linux. For now I can log into the container, ping, and go outside from within the container (I managed to bring Internet into it).

Here is my systemd config file for my container (override.conf):

[Service]
ExecStart=
ExecStart=/usr/bin/systemd-nspawn \
    --quiet --keep-unit --boot --link-journal=try-guest \
    -D /usr/lib/machines/%I \
    --machine=%I

Edit: I created an openswan.nspawn configuration and refactored the configuration in the override file.

So this file looks like this:

[alarm@alarmpi ~]$ sudo cat /etc/systemd/nspawn/openswan.nspawn 
[Exec]
Capability=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Network]
Private=yes
VirtualEthernet=yes
Port=udp:500:500
Port=udp:4500:4500
Port=udp:1701:1701
Port=tcp:500:500
Port=tcp:4500:4500
Port=tcp:80:80

My container boots correctly and the different services related to openswan are spawned correctly inside the container:

$ systemctl status systemd-nspawn@openswan.service
systemd-nspawn@openswan.service - Container openswan
   Loaded: loaded (/usr/lib/systemd/system/systemd-nspawn@.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/systemd-nspawn@openswan.service.d
           └─override.conf
   Active: active (running) since lun 2016-07-04 11:36:55 CEST; 1 day 1h ago
     Docs: man:systemd-nspawn(1)
 Main PID: 15805 (systemd-nspawn)
   Status: "Container running."
   CGroup: /machine.slice/systemd-nspawn@openswan.service
           ├─15805 /usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --private-network --network-veth --capability=CAP_NET_ADMIN --mach
           ├─init.scope
           │ └─15810 /usr/lib/systemd/...
           └─system.slice
             ├─console-getty.service
             │ └─15853 /sbin/agetty --no...
             ├─dbus.service
             │ └─15838 /usr/bin/dbus-dae...
             ├─openswan.service
             │ ├─18417 /bin/sh /usr/lib/...
             │ ├─18418 logger -s -p daem...
             │ ├─18419 /bin/sh /usr/lib/...
             │ ├─18420 /bin/sh /usr/lib/...
             │ ├─18423 /usr/lib/openswan...
             │ ├─18425 _pluto_adns -- <i...
             │ └─18426 /usr/lib/openswan...
             ├─systemd-journald.service
             │ └─15824 /usr/lib/systemd/...
             ├─systemd-logind.service
             │ └─15837 /usr/lib/systemd/...
             ├─systemd-networkd.service
             │ └─15839 /usr/lib/systemd/...
             ├─systemd-resolved.service
             │ └─15848 /usr/lib/systemd/...
             └─xl2tpd.service
               └─15844 /usr/bin/xl2tpd -D

I set up the container with --network-veth.

My question now is how to actually "publish" those ports (udp 500/4500/1701), like in Docker, and make them available from outside the container?

Like:

Road warrior --> cloud --> Arch pi --> systemd-nspawn container --

I know it would be trivial to forward traffic using iptables, but that's not what I want.

Maybe I need a bridged setup?

Edit: using the "Port" directive, I am now able to forward traffic inside my container, great! :D

The only problem I am facing now is that pluto is crashing when dealing with the Security Association (ISAKMP) with the following message:

"L2TP-PSK-NAT"[1] 178.50.79.197 #1: ABORT at /build/openswan/src/openswan-2.6.47/programs/pluto/keys.c:488 "L2TP-PSK-NAT"[1] 178.50.79.197 #1: ABORT at /build/openswan/src/openswan-2.6.47/programs/pluto/keys.c:488

If it rings a bell for someone, please tell me. I will look at the code when I have time..

To be continued..

Lion.24

1 Answer


You can map ports of containers to the host interface. If you are using an .nspawn file to define your container properties you can use the Network section.

[Network]
## use a networkd bridge for your containers, this name hints the ip range
Bridge=10.50.0.x
## this will map your tcp port 1701
Port=tcp:1701:1701

This does map, i.e. "publish", your ports. Make sure firewalls do not block these ports from outside traffic and it should be fine.
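As an added example (not code from the question or the answer), the following Python audit reads the [Network] section of an .nspawn file such as the openswan.nspawn above or the answer's snippet. It validates each Port= value against the syntax given in systemd.nspawn(5) ([tcp:|udp:]hostport[:containerport], protocol defaulting to tcp, container port defaulting to the host port), checks that a VirtualEthernet=, Bridge= or Zone= exists for the forward to reach, and flags every forwarded port that an L2TP/IPsec server does not need. The allow-list (udp/500 for IKE, udp/4500 for NAT-T, udp/1701 for L2TP) and the SAMPLE_NSPAWN text are this example's own assumptions.

```python
"""Audit the [Network] section of a systemd-nspawn .nspawn file.

Added example, not code from the question or the answer. It reads the keys
documented in systemd.nspawn(5) (Port=, Private=, VirtualEthernet=, Bridge=,
Zone=) and reports (a) malformed Port= values, (b) Port= used without a veth,
bridge or zone to forward to, and (c) forwarded ports outside an allow-list
of what an L2TP/IPsec server needs. The allow-list is this example's own
assumption: IKE udp/500, IPsec NAT-T udp/4500, L2TP udp/1701.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed allow-list of (proto, host_port) for an L2TP/IPsec road-warrior server.
EXPECTED_PORTS = {("udp", 500), ("udp", 4500), ("udp", 1701)}

# Port= syntax per systemd.nspawn(5): [tcp:|udp:]hostport[:containerport]
PORT_RE = re.compile(r"^(?:(tcp|udp):)?(\d{1,5})(?::(\d{1,5}))?$")


@dataclass
class NetworkConfig:
    ports: List[Tuple[str, int, int]] = field(default_factory=list)
    private: bool = False
    veth: bool = False
    bridge: Optional[str] = None
    zone: Optional[str] = None
    errors: List[str] = field(default_factory=list)


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("1", "yes", "true", "on")


def parse_nspawn(text: str) -> NetworkConfig:
    """Parse the [Network] section; other sections are skipped."""
    cfg = NetworkConfig()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Network" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key == "Port":
            m = PORT_RE.match(value)
            if not m:
                cfg.errors.append(f"Port={value}: expected [tcp:|udp:]host[:container]")
                continue
            proto = m.group(1) or "tcp"  # protocol defaults to tcp when omitted
            host = int(m.group(2))
            cont = int(m.group(3)) if m.group(3) else host  # container port defaults to host port
            if not (1 <= host <= 65535 and 1 <= cont <= 65535):
                cfg.errors.append(f"Port={value}: ports must be in 1-65535")
                continue
            cfg.ports.append((proto, host, cont))
        elif key == "Private":
            cfg.private = _truthy(value)
        elif key == "VirtualEthernet":
            cfg.veth = _truthy(value)
        elif key == "Bridge":
            cfg.bridge = value or None
        elif key == "Zone":
            cfg.zone = value or None
    return cfg


def audit(text: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for the given .nspawn file contents."""
    cfg = parse_nspawn(text)
    errors = list(cfg.errors)
    warnings: List[str] = []
    # Port= forwards host traffic to the container's interface; without a
    # veth, bridge or zone there is nothing on the container side to reach.
    if cfg.ports and not (cfg.veth or cfg.bridge or cfg.zone):
        errors.append("Port= is set but no VirtualEthernet=, Bridge= or Zone= provides a container interface")
    # Least exposure: flag every forwarded port the VPN does not need.
    for proto, host, cont in cfg.ports:
        if (proto, host) not in EXPECTED_PORTS:
            warnings.append(f"{proto}/{host} -> container {cont}: not needed for L2TP/IPsec")
    return errors, warnings


# Constructed sample mirroring the shape of the question's openswan.nspawn.
SAMPLE_NSPAWN = """\
[Exec]
Capability=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Network]
Private=yes
VirtualEthernet=yes
Port=udp:500:500
Port=udp:4500:4500
Port=udp:1701:1701
Port=tcp:500:500
Port=tcp:4500:4500
Port=tcp:80:80
"""

if __name__ == "__main__":
    errs, warns = audit(SAMPLE_NSPAWN)
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARN: ", w)
```

Run against the constructed sample it reports no errors and three warnings (tcp/500, tcp/4500 and tcp/80), since IKE, NAT-T and L2TP all run over UDP. Port= only installs the forward on the host; as the answer notes, a host firewall can still block the traffic, so the forwarded set should be compared with the firewall rules as well.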