I want to run scans through a VPN configured inside a Docker container. I am using the image, and the container starts correctly. When I run a Nuclei scan inside another Docker container, it correctly goes through the VPN with the following command: docker run --rm --net=container:vpn projectdiscovery/nuclei:latest -l targets.txt

However, I now want to run Nuclei locally (outside Docker), and I want to use the -i option to select the network interface. My goal is to run something like this:

nuclei -i wg0 -l targets.txt

The VPN container creates the wg0 interface, but it is only accessible inside Docker. When I run the ip a command, I do not see the wg0 interface. How can I access that interface from outside the Docker container?

Here is the Docker Compose configuration for the VPN:
vpn:
    image: thrnz/docker-wireguard-pia
    container_name: vpn
    volumes:
      # Auth token is stored here
      - pia:/pia
      # If enabled, the forwarded port is dumped to /pia-shared/port.dat for potential use in other containers
      - pia-shared:/pia-shared
      # If the kernel module isn't available, mounting the tun device may be necessary for userspace implementations
      #devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      # SYS_MODULE might not be needed with a 5.6+ kernel?
      - SYS_MODULE
    environment:
      # The following env vars are required:
      - LOC=spain
      - USER=${PIA_USERNAME}
      - PASS=${PIA_PASSWORD}
      # The rest are optional:
      # - LOCAL_NETWORK=192.168.1.0/24
      #- KEEPALIVE=25
      #- VPNDNS=8.8.8.8,8.8.4.4
      #- PORT_FORWARDING=1
    sysctls:
      # The wg-quick script tries to set this when setting up routing, however this requires running the container
      # with the --privileged flag set. Setting it here instead if needed means the container can be run with lower
      # privileges. This only needs setting if strict reverse path filtering (rp_filter=1) is used.
      - net.ipv4.conf.all.src_valid_mark=1
      # May as well disable ipv6. Should be blocked anyway.
      - net.ipv6.conf.default.disable_ipv6=1
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.lo.disable_ipv6=1
    # The container has no recovery logic. Use a healthcheck to catch disconnects.
    healthcheck:
      test: ping -c 1 www.google.com || exit 1
      interval: 30s
      timeout: 10s
      retries: 3
    restart: always
1

The container cannot inject an interface into the host unless (a) you run it with --net=host (so it shares the host namespace) and (b) run it with additional privileges (--cap-add net_admin should be enough).
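As an added example (not code from the question, the comment, or the thrnz/docker-wireguard-pia project): the comment's point is that wg0 lives in the vpn container's network namespace and cannot be moved into the host's namespace without --net=host plus NET_ADMIN on the host. The less privileged alternative is to leave the namespace where it is and run the host-installed nuclei binary inside it with nsenter from util-linux, which is what --net=container:vpn does for a second container. The script assumes the container is named vpn as in the compose file, that docker and nsenter are installed, and that it runs as root; the ip -o link samples it carries are constructed so the interface check can be exercised without a running container.

```shell
#!/bin/sh
# Added example, not code from the question, the comment, or the
# thrnz/docker-wireguard-pia project. Runs a host-installed command (e.g. nuclei)
# inside the VPN container's network namespace via nsenter, so wg0 is visible to
# it without giving the container --net=host or NET_ADMIN on the host namespace.
#
# Assumptions: the container is named "vpn" as in the compose file, docker and
# nsenter (util-linux) are installed, and the script runs as root.

# Constructed samples of `ip -o link show` output: one for a host that only has
# Docker's bridge and a veth, one for the vpn container's namespace with wg0.
SAMPLE_HOST_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:42:c0:a8:01:0a brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default\    link/ether 02:42:ac:11:00:01 brd ff:ff:ff:ff:ff:ff
7: veth3a2b1c@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default\    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff'
SAMPLE_VPN_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default\    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
8: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/none'

# has_iface IFNAME LINKLIST
# Succeeds if IFNAME is one of the interfaces in LINKLIST, which is `ip -o link show`
# output passed as text. Each line is "N: name: <FLAGS> ..." or "N: name@peer: ...",
# so the name is field 2 with the trailing ":" and any "@peer" suffix stripped.
has_iface() {
    printf '%s\n' "$2" | awk -v want="$1" '
        { split($2, parts, /[@:]/); if (parts[1] == want) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# container_pid NAME: PID of the container's init process (0 or empty if not running).
container_pid() {
    docker inspect -f '{{.State.Pid}}' "$1" 2>/dev/null
}

# main CONTAINER IFACE COMMAND [ARGS...]
main() {
    container=$1
    iface=$2
    shift 2

    # If the interface is already in the host namespace there is nothing to enter.
    if has_iface "$iface" "$(ip -o link show)"; then
        exec "$@"
    fi

    pid=$(container_pid "$container")
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "container '$container' is not running" >&2
        exit 1
    fi

    # Confirm the tunnel interface really exists in the container's namespace
    # before launching anything, so the scan cannot start with the tunnel down.
    if ! has_iface "$iface" "$(nsenter -t "$pid" -n ip -o link show)"; then
        echo "'$iface' not present in the network namespace of '$container'" >&2
        exit 1
    fi

    # -n enters only the network namespace: the command keeps the host's filesystem,
    # so the locally installed binary and targets.txt are used as-is.
    exec nsenter -t "$pid" -n -- "$@"
}

if [ $# -ge 3 ]; then
    main "$@"
elif [ $# -gt 0 ]; then
    echo "usage: $0 CONTAINER IFACE COMMAND [ARGS...]" >&2
    exit 2
fi
```

Invoked as `sudo ./run_in_vpn_ns.sh vpn wg0 nuclei -i wg0 -l targets.txt`, the host's nuclei sees wg0 as a local interface and -i wg0 works, while the vpn container keeps running with only the NET_ADMIN and sysctls the compose file already grants it. Because only the network namespace is entered, the Docker-only container filesystem is not involved and the container needs no changes.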