diff --git a/README.md b/README.md
index 941e060..1ee100a 100644
--- a/README.md
+++ b/README.md
@@ -71,7 +71,7 @@ Please make sure your docker service has been enabled ipv6 support, if not yet,
 ```json
 {
 "ipv6": true,
- "fixed-cidr-v6": "2001:db8:1::/64",
+ "fixed-cidr-v6": "2001:0DB8:1::/64",
 "experimental": true,
 "ip6tables": true
 }
@@ -83,6 +83,8 @@ then, restart your docker service:
 sudo systemctl restart docker.service
 ```
 
+Please note that the `fixed-cidr-v6` network segment and `subnet` in compose file should belong to same larger network segment, but side by side with each other.
+
 ---
 
 ## References
diff --git a/docker-compose.yml.sample b/docker-compose.yml.sample
index 642dce4..d6fa396 100644
--- a/docker-compose.yml.sample
+++ b/docker-compose.yml.sample
@@ -33,4 +33,4 @@ networks:
 enable_ipv6: true
 ipam:
 config:
- - subnet: fda9:4efe:7e3b::/48
\ No newline at end of file
+ - subnet: 2001:0DB8::/112
\ No newline at end of file
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 2759d31..06fa441 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -24,20 +24,17 @@ if [[ ! -f "/etc/ocserv/ocserv.conf" ]]; then
 max-clients = 100 max-same-clients = 0 - # disable ssl3 tls1.0 tls1.1 tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2" device = vpns ipv4-network = 172.20.0.0/24 ipv4-netmask = 255.255.255.0 - ipv6-network = fda9:4efe:7e3b:03ea::/48 - ipv6-subnet-prefix = 64 - ping-leases = false + ipv6-network = 2001:db8:2::/64 + ipv6-subnet-prefix = 112 route = 172.20.0.0/24 - route = fda9:4efe:7e3b:03ea::/48 - route = default + route = 2001:db8:2::/64 no-route = 10.0.0.0/8 no-route = 100.64.0.0/10 no-route = 169.254.0.0/16
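Review bot: `ipv6-network = 2001:db8:2::/64` places the VPN client pool inside 2001:db8::/32, the RFC 3849 documentation prefix, which is reserved for examples and is not routed on the public Internet; the README and docker-compose.yml.sample hunks above have the same issue with `2001:0DB8:...` in `fixed-cidr-v6` and `subnet` (and mix upper- and lower-case hex, where RFC 5952 recommends lower-case). The third hunk of this file also drops the `ip6tables -t nat -A POSTROUTING ... -j MASQUERADE` rule for the pool, so unless the host is set up to route and translate this prefix, client IPv6 traffic now leaves with a source address nobody will answer; the old `fda9:...` value was a ULA prefix, which is the right kind of address for a private, NATed pool, so I would keep a ULA prefix (one generated per RFC 4193 from fd00::/8) together with the NAT rule, or use a prefix actually delegated to the host. Dropping `route = default` also turns clients from full tunnel into split tunnel if I read ocserv's `route`/`no-route` semantics right, which makes the following `no-route` lines moot; please confirm that is intended. The heredoc and the enclosing `if` start before this hunk.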
@@ -68,27 +65,27 @@ if [[ ! -f "/etc/ocserv/ocserv.conf" ]]; then dpd = 90 mobile-dpd = 1800 switch-to-tcp-timeout = 25 - try-mtu-discovery = true - # uncomment below if you are using haproxy + # Uncomment if you are using haproxy # listen-proxy-proto = true - # Uncomment this to enable compression negotiation (LZS, LZ4). - compression = true - - # Set the minimum size under which a packet will not be compressed. - # That is to allow low-latency for VoIP packets. The default size - # is 256 bytes. Modify it if the clients typically use compression - # as well of VoIP with codecs that exceed the default value. - no-compress-limit = 256 - - # if you want to support older version cisco clients, uncomment the following line - # dtls-legacy = true - # cisco-client-compat = true + # Uncomment to enable compression negotiation (LZS, LZ4) + # And set minimum under a packet will not be compressed. + # Compression is designed to save bandwidth, but it can be + # bring a little latency. The default size is 256 bytes, + # to avoid latency for VoIP packets. Modify it if the clients + # typically use compression as well of VoIP with codecs that + # exceed the default value. + # compression = true + # no-compress-limit = 256 + + # Change below to true if you want to support older version cisco clients + dtls-legacy = false + cisco-client-compat = false + ping-leases = false match-tls-dtls-ciphers = true - dtls-legacy = false use-occtl = true log-level = 1 
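Review bot: The new comment block above `# compression = true` explains compression only as a bandwidth/latency trade-off, while the stronger reason to leave it off on a VPN is that compressing plaintext before encryption lets an observer infer content from ciphertext sizes (the CRIME/VORACLE class of issues), so I would add `# Leave disabled: compressing before encryption leaks plaintext size (see VORACLE)`. The line `# And set minimum under a packet will not be compressed.` is missing a word and reads better as `# and set the minimum size under which a packet will not be compressed.`. For `dtls-legacy = false` the comment could state what is given up when it is set to true — the pre-standard DTLS negotiation used by older Cisco clients — so readers do not flip it casually. The heredoc and the enclosing `if` start before this hunk.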
@@ -208,7 +205,10 @@ fi
 # if you want to specific translate ip, uncomment the following line, -j MASQUERADE is dynamic way
 # iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source $(hostname -I)
 iptables -t nat -A POSTROUTING -s 172.20.0.0/24 -j MASQUERADE
-ip6tables -t nat -A POSTROUTING -s fda9:4efe:7e3b:03ea::/48 -j MASQUERADE
+iptables -I FORWARD -s 172.20.0.0/24 -j ACCEPT
+iptables -I FORWARD -d 172.20.0.0/24 -j ACCEPT
+ip6tables -I FORWARD -s 2001:db8:2::/64 -j ACCEPT
+ip6tables -I FORWARD -d 2001:db8:2::/64 -j ACCEPT
 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
 # Enable TUN device
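Review bot: The four `-I FORWARD ... -j ACCEPT` rules are inserted at the head of the chain, so the `iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` rule appended after them is never reached for packets to or from 172.20.0.0/24 (ACCEPT ends traversal), and MSS clamping for VPN clients silently stops working — with `try-mtu-discovery = true` also removed in the second hunk, MTU black holes become more likely. Either make the clamp line `-I` as well (it runs last and so ends up first) or move it above the ACCEPT lines and append everything with `-A`. The `-d` rules additionally accept any forwarded packet towards the client pool, not only replies; `iptables -I FORWARD -d 172.20.0.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` (and the ip6tables counterpart) keeps return traffic flowing without opening the pool to unsolicited inbound connections from other networks the container can reach.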