While troubleshooting with Claude.ai I found that, even though the variable is set to allow LAN network access, it is denied in iptables inside the container.
docker exec meshnet iptables -L -v -n
docker exec meshnet iptables -t nat -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 100.113.47.236 0.0.0.0/0 tcp dpt:49111 /* nordvpn */
1 84 ACCEPT all -- * * 100.113.47.236 0.0.0.0/0 /* nordvpn */
0 0 ACCEPT all -- * * 100.106.142.166 0.0.0.0/0 /* nordvpn */
1 60 ACCEPT all -- * * 100.64.0.0/10 0.0.0.0/0 ctstate RELATED,ESTABLISHED ctorigsrc 100.106.142.166 /* nordvpn */
0 0 DROP all -- * * 100.64.0.0/10 0.0.0.0/0 /* nordvpn */
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5 296 ACCEPT all -- * * 100.113.47.236 0.0.0.0/0 /* nordvpn-exitnode-transient */
0 0 DROP all -- * * 100.64.0.0/10 169.254.0.0/16 /* nordvpn-exitnode-transient */
0 0 DROP all -- * * 100.64.0.0/10 192.168.0.0/16 /* nordvpn-exitnode-transient */
0 0 DROP all -- * * 100.64.0.0/10 172.16.0.0/12 /* nordvpn-exitnode-transient */
0 0 DROP all -- * * 100.64.0.0/10 10.0.0.0/8 /* nordvpn-exitnode-transient */
3 156 ACCEPT all -- * * 0.0.0.0/0 100.64.0.0/10 ctstate RELATED,ESTABLISHED /* nordvpn-exitnode-permanent */
0 0 DROP all -- * * 0.0.0.0/0 100.64.0.0/10 /* nordvpn-exitnode-permanent */
0 0 DROP all -- * * 100.64.0.0/10 0.0.0.0/0 /* nordvpn-exitnode-permanent */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 76 MASQUERADE all -- * * 100.113.47.236 !100.64.0.0/10 /* nordvpn */

Found the problem! NordVPN has set up restrictive iptables rules that are explicitly blocking meshnet traffic to private networks:
Local Peers:
Nickname: phone
Status: connected
OS: android
Distribution: 31
Allow Incoming Traffic: enabled
Allow Routing: enabled
Allow Local Network Access: enabled
Allow Sending Files: enabled
docker run -d \
--name meshnet \
--hostname meshnet \
--cap-add NET_ADMIN \
--cap-add NET_RAW \
-e NORDVPN_TOKEN="<redacted>" \
-e NORDVPN_NICKNAME=container \
-e NORDVPN_ALLOW_PEER_FILESHARE \
-e NORDVPN_ALLOW_PEER_ROUTING \
-e NORDVPN_ALLOW_PEER_LOCAL \
-e NORDVPN_ALLOW_PEER_REMOTE \
-e NORDVPN_HEALTHCHECK_URL="<redacted>" \
-e NORDVPN_HEALTHCHECK_INTERVAL="3600" \
-e NORDVPN_MESHNET_DEBUG=1 \
-v /dvr/meshnet:/root/Downloads \
--restart=on-failure:10 \
--health-cmd="curl -fs --fail-early --no-keepalive --no-progress-meter <redacted> || exit 1" \
--health-interval=1h \
--health-timeout 10s \
--health-retries 6 \
ghcr.io/mattstechinfo/meshnet:latest
/etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
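The report's own diagnostic is the `iptables -L -v -n` dump above. As an added check that is not part of the original issue or of the meshnet image, the POSIX shell snippet below scans that kind of output for DROP rules whose source is the meshnet range 100.64.0.0/10 and whose destination is an RFC 1918 or link-local range, which is exactly the pattern in the `nordvpn-exitnode-transient` rules that defeats "Allow Local Network Access". The sample dump is constructed from the FORWARD chain quoted in the issue; the function names are my own.

```sh
#!/bin/sh
# Constructed sample modelled on the FORWARD chain quoted in the issue (not a live capture).
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    5   296 ACCEPT all -- * * 100.113.47.236 0.0.0.0/0 /* nordvpn-exitnode-transient */
    0     0 DROP all -- * * 100.64.0.0/10 169.254.0.0/16 /* nordvpn-exitnode-transient */
    0     0 DROP all -- * * 100.64.0.0/10 192.168.0.0/16 /* nordvpn-exitnode-transient */
    0     0 DROP all -- * * 100.64.0.0/10 172.16.0.0/12 /* nordvpn-exitnode-transient */
    0     0 DROP all -- * * 100.64.0.0/10 10.0.0.0/8 /* nordvpn-exitnode-transient */
    3   156 ACCEPT all -- * * 0.0.0.0/0 100.64.0.0/10 ctstate RELATED,ESTABLISHED /* nordvpn-exitnode-permanent */
    0     0 DROP all -- * * 0.0.0.0/0 100.64.0.0/10 /* nordvpn-exitnode-permanent */'

# lan_drop_rules: read `iptables -L -v -n` output on stdin and print each DROP rule
# whose source is the meshnet CGNAT range and whose destination is an RFC 1918 or
# link-local range. Field layout of -v -n output:
#   $1 pkts $2 bytes $3 target $4 prot $5 opt $6 in $7 out $8 source $9 destination
lan_drop_rules() {
    awk '$3 == "DROP" && $8 == "100.64.0.0/10" &&
         ($9 == "10.0.0.0/8" || $9 == "172.16.0.0/12" ||
          $9 == "192.168.0.0/16" || $9 == "169.254.0.0/16") { print $8 " -> " $9 }'
}

# count_lan_drop_rules DUMP: number of offending rules in the given dump text.
count_lan_drop_rules() {
    printf '%s\n' "$1" | lan_drop_rules | wc -l | tr -d ' '
}

# audit_meshnet_container NAME: run the check against a live container (assumes the
# docker CLI and a container with iptables, as in the issue). Returns 1 when any
# offending rule exists, so it can gate a health check or a CI job.
audit_meshnet_container() {
    rules=$(docker exec "$1" iptables -L FORWARD -v -n | lan_drop_rules)
    [ -z "$rules" ] && return 0
    printf 'meshnet LAN access blocked by FORWARD rules:\n%s\n' "$rules" >&2
    return 1
}
```

Against the constructed sample, `count_lan_drop_rules "$SAMPLE_FORWARD"` reports the four private-range drops; the catch-all `DROP ... 0.0.0.0/0` in the permanent chain is deliberately not counted, since it sits behind the per-peer ACCEPT.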