feat: change tun ip cidr

Signed-off-by: yuyicai <yuyicai@hotmail.com>
2025-09-27 03:36:09 +08:00 · 2025-03-05 22:27:43 +08:00
parent 547501fc41
commit a87cbf1e9a
16 changed files with 34 additions and 30 deletions
--- a/README.md
+++ b/README.md
@@ -656,7 +656,7 @@ OK: 8 MiB in 19 packages
 Hello world!/opt/microservices # 
 /opt/microservices # curl authors:9080/health -H "foo: bar"
->>Received request: GET /health from 223.254.0.109:57930
+>>Received request: GET /health from 198.19.0.109:57930
                                                        Hello world!/opt/microservices # 
 /opt/microservices # curl localhost:9080/health
 {"status":"Authors is healthy"}/opt/microservices # exit
--- a/README_ZH.md
+++ b/README_ZH.md
@@ -580,7 +580,7 @@ OK: 8 MiB in 19 packages
 Hello world!/opt/microservices # 
 /opt/microservices # curl authors:9080/health -H "foo: bar"
->>Received request: GET /health from 223.254.0.109:57930
+>>Received request: GET /health from 198.19.0.109:57930
                                                        Hello world!/opt/microservices # 
 /opt/microservices # curl localhost:9080/health
 {"status":"Authors is healthy"}/opt/microservices # exit
--- a/charts/kubevpn/templates/deployment.yaml
+++ b/charts/kubevpn/templates/deployment.yaml
@@ -52,13 +52,13 @@ spec:
            - -c
          env:
            - name: CIDR4
-              value: 223.254.0.0/16
+              value: 198.19.0.0/16
            - name: CIDR6
-              value: efff:ffff:ffff:ffff::/64
+              value: 2001:2::/64
            - name: TunIPv4
-              value: 223.254.0.100/16
+              value: 198.19.0.100/16
            - name: TunIPv6
-              value: efff:ffff:ffff:ffff:ffff:ffff:ffff:9999/64
+              value: 2001:2::9999/64
          envFrom:
            - secretRef:
                name: {{ include "kubevpn.fullname" . }}
--- a/cmd/kubevpn/cmds/serve.go
+++ b/cmd/kubevpn/cmds/serve.go
@@ -31,7 +31,7 @@ func CmdServe(_ cmdutil.Factory) *cobra.Command {
 		`)),
 		Example: templates.Examples(i18n.T(`
        # serve node
-        kubevpn serve -L "tcp://:10800" -L "tun://127.0.0.1:8422?net=223.254.0.123/32"
+        kubevpn serve -L "tcp://:10800" -L "tun://127.0.0.1:8422?net=198.19.0.123/32"
 		`)),
 		PreRun: func(*cobra.Command, []string) {
 			util.InitLoggerForServer(config.Debug)
--- a/cmd/kubevpn/cmds/ssh.go
+++ b/cmd/kubevpn/cmds/ssh.go
@@ -26,7 +26,7 @@ import (
 )
 // CmdSSH
-// Remember to use network mask 32, because ssh using unique network CIDR 223.255.0.0/16
+// Remember to use network mask 32, because ssh using unique network CIDR 198.18.0.0/16
 func CmdSSH(_ cmdutil.Factory) *cobra.Command {
 	var sshConf = &pkgssh.SshConfig{}
 	var extraCIDR []string
--- a/cmd/kubevpn/cmds/sshdaemon.go
+++ b/cmd/kubevpn/cmds/sshdaemon.go
@@ -14,7 +14,7 @@ import (
 )
 // CmdSSHDaemon
-// set local tun ip 223.254.0.1/32, remember to use mask 32
+// set local tun ip 198.19.0.1/32, remember to use mask 32
 func CmdSSHDaemon(_ cmdutil.Factory) *cobra.Command {
 	var clientIP string
 	cmd := &cobra.Command{
@@ -24,7 +24,7 @@ func CmdSSHDaemon(_ cmdutil.Factory) *cobra.Command {
 		Long:   templates.LongDesc(i18n.T(`Ssh daemon server`)),
 		Example: templates.Examples(i18n.T(`
        # SSH daemon server
-        kubevpn ssh-daemon --client-ip 223.254.0.123/32
+        kubevpn ssh-daemon --client-ip 198.19.0.123/32
 		`)),
 		PreRunE: func(cmd *cobra.Command, args []string) error {
 			err := daemon.StartupDaemon(cmd.Context())
--- a/cmd/kubevpn/cmds/status_test.go
+++ b/cmd/kubevpn/cmds/status_test.go
@@ -29,8 +29,8 @@ func TestPrintProxyAndClone(t *testing.T) {
 						RuleList: []*rpc.ProxyRule{
 							{
 								Headers:       map[string]string{"user": "naison"},
-								LocalTunIPv4:  "223.254.0.103",
+								LocalTunIPv4:  "198.19.0.103",
-								LocalTunIPv6:  "efff:ffff:ffff:ffff:ffff:ffff:ffff:999d",
+								LocalTunIPv6:  "2001:2::999d",
 								CurrentDevice: false,
 								PortMap:       map[int32]int32{8910: 8910},
 							},
@@ -98,8 +98,8 @@ func TestPrintProxy(t *testing.T) {
 						RuleList: []*rpc.ProxyRule{
 							{
 								Headers:       map[string]string{"user": "naison"},
-								LocalTunIPv4:  "223.254.0.103",
+								LocalTunIPv4:  "198.19.0.103",
-								LocalTunIPv6:  "efff:ffff:ffff:ffff:ffff:ffff:ffff:999d",
+								LocalTunIPv6:  "2001:2::999d",
 								CurrentDevice: false,
 								PortMap:       map[int32]int32{8910: 8910},
 							},
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -35,7 +35,10 @@ const (
 	VolumeEnvoyConfig = "envoy-config"
 	VolumeSyncthing   = "syncthing"
-	innerIPv4Pool = "223.254.0.100/16"
+	// innerIPv4Pool is used as tun ip
 	// 198.19.0.0/16 network  is part of the 198.18.0.0/15 (reserved for benchmarking).
 	// https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
 	innerIPv4Pool = "198.19.0.100/16"
 	// 原因：在docker环境中，设置docker的 gateway 和 subnet，不能 inner 的冲突，也不能和 docker的 172.17 冲突
 	// 不然的话，请求会不通的
 	// 解决的问题：在 k8s 中的  名叫 kubernetes 的 service ip 为
@@ -51,10 +54,11 @@ const (
 	//  }
 	//]
 	// 如果不创建 network，那么是无法请求到 这个 kubernetes 的 service 的
-	dockerInnerIPv4Pool = "223.255.0.100/16"
+	dockerInnerIPv4Pool = "198.18.0.100/16"
-	//The IPv6 address prefixes FE80::/10 and FF02::/16 are not routable
+	// 2001:2::/64 network is part of the 2001:2::/48 (reserved for benchmarking)
-	innerIPv6Pool = "efff:ffff:ffff:ffff:ffff:ffff:ffff:9999/64"
+	// https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
 	innerIPv6Pool = "2001:2::9999/64"
 	DefaultNetDir = "/etc/cni/net.d"
--- a/pkg/core/gvisortunendpoint.go
+++ b/pkg/core/gvisortunendpoint.go
@@ -97,7 +97,7 @@ func (h *gvisorTCPHandler) readFromTCPConnWriteToEndpoint(ctx context.Context, c
 		}
 		h.addRoute(src, conn)
-		// inner ip like 223.254.0.100/102/103 connect each other
+		// inner ip like 198.19.0.100/102/103 connect each other
 		if config.CIDR.Contains(dst) || config.CIDR6.Contains(dst) {
 			log.Tracef("[TUN-RAW] Forward to TUN device, SRC: %s, DST: %s, Length: %d", src.String(), dst.String(), read)
 			util.SafeWrite(h.packetChan, &datagramPacket{
--- a/pkg/core/route.go
+++ b/pkg/core/route.go
@@ -27,9 +27,9 @@ type TCPUDPacket struct {
 }
 // Route example:
-// -L "tcp://:10800" -L "tun://:8422?net=223.254.0.100/16"
+// -L "tcp://:10800" -L "tun://:8422?net=198.19.0.100/16"
-// -L "tun:/10.233.24.133:8422?net=223.254.0.102/16&route=223.254.0.0/16"
+// -L "tun:/10.233.24.133:8422?net=198.19.0.102/16&route=198.19.0.0/16"
-// -L "tun:/127.0.0.1:8422?net=223.254.0.102/16&route=223.254.0.0/16,10.233.0.0/16" -F "tcp://127.0.0.1:10800"
+// -L "tun:/127.0.0.1:8422?net=198.19.0.102/16&route=198.19.0.0/16,10.233.0.0/16" -F "tcp://127.0.0.1:10800"
 type Route struct {
 	ServeNodes []string // -L tun
 	ChainNode  string   // -F tcp
--- a/pkg/daemon/daemon.go
+++ b/pkg/daemon/daemon.go
@@ -99,7 +99,7 @@ func (o *SvrOption) Start(ctx context.Context) error {
 	grpc_health_v1.RegisterHealthServer(svr, health.NewServer())
 	defer cleanup()
 	reflection.Register(svr)
-	// [tun-client] 223.254.0.101 - 127.0.0.1:8422: dial tcp 127.0.0.1:55407: connect: can't assign requested address
+	// [tun-client] 198.19.0.101 - 127.0.0.1:8422: dial tcp 127.0.0.1:55407: connect: can't assign requested address
 	http.DefaultTransport.(*http.Transport).MaxIdleConnsPerHost = 100
 	// startup a http server
 	// With downgrading-capable gRPC server, which can also handle HTTP.
--- a/pkg/dev/docker_utils.go
+++ b/pkg/dev/docker_utils.go
@@ -90,7 +90,7 @@ func RunLogsSinceNow(name string, follow bool) error {
 }
 // CreateNetwork
-// docker create kubevpn-traffic-manager --labels owner=config.ConfigMapPodTrafficManager --subnet 223.255.0.0/16 --gateway 223.255.0.100
+// docker create kubevpn-traffic-manager --labels owner=config.ConfigMapPodTrafficManager --subnet 198.18.0.0/16 --gateway 198.18.0.100
 func CreateNetwork(ctx context.Context, name string) (string, error) {
 	args := []string{
 		"network",
--- a/pkg/inject/exchange.go
+++ b/pkg/inject/exchange.go
@@ -79,7 +79,7 @@ func AddContainer(spec *corev1.PodSpec, c util.PodRouteConfig) {
 		},
 		Command: []string{"/bin/sh", "-c"},
 		// https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html#ss6.2
-		// for curl -g -6 [efff:ffff:ffff:ffff:ffff:ffff:ffff:999a]:9080/health or curl 127.0.0.1:9080/health hit local PC
+		// for curl -g -6 [2001:2::999a]:9080/health or curl 127.0.0.1:9080/health hit local PC
 		// output chain
 		// iptables -t nat -A OUTPUT -o lo ! -p icmp -j DNAT --to-destination ${LocalTunIPv4}
 		// ip6tables -t nat -A OUTPUT -o lo ! -p icmp -j DNAT --to-destination ${LocalTunIPv6}
--- a/pkg/util/networkpolicy_windows.go
+++ b/pkg/util/networkpolicy_windows.go
@@ -96,7 +96,7 @@ func decode(in []byte) ([]byte, error) {
 // AddAllowFirewallRule
 // for ping local tun device ip, if not add this firewall, can not ping local tun IP on windows
 func AddAllowFirewallRule(ctx context.Context) {
-	// netsh advfirewall firewall add rule name=kubevpn-traffic-manager dir=in action=allow enable=yes remoteip=223.254.0.100/16,efff:ffff:ffff:ffff:ffff:ffff:ffff:9999/64,LocalSubnet
+	// netsh advfirewall firewall add rule name=kubevpn-traffic-manager dir=in action=allow enable=yes remoteip=198.19.0.100/16,2001:2::9999/64,LocalSubnet
 	cmd := exec.CommandContext(ctx, "netsh", []string{
 		"advfirewall",
 		"firewall",
--- a/pkg/util/util_test.go
+++ b/pkg/util/util_test.go
@@ -65,8 +65,8 @@ func TestName(t *testing.T) {
 func TestPing(t *testing.T) {
 	defer util.Run()()
-	SrcIP := net.ParseIP("223.254.0.102").To4()
+	SrcIP := net.ParseIP("198.19.0.102").To4()
-	DstIP := net.ParseIP("223.254.0.100").To4()
+	DstIP := net.ParseIP("198.19.0.100").To4()
 	icmpLayer := layers.ICMPv4{
 		TypeCode: layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0),
--- a/pkg/webhook/pods.go
+++ b/pkg/webhook/pods.go
@@ -72,7 +72,7 @@ func (h *admissionReviewHandler) handleCreate(ar v1.AdmissionReview) *v1.Admissi
 		return &v1.AdmissionResponse{UID: ar.Request.UID, Allowed: true}
 	}
 	// if create pod kubevpn-traffic-manager, just ignore it
-	// because 223.254.0.100 is reserved
+	// because 198.19.0.100 is reserved
 	if x, _, _ := net.ParseCIDR(value); config.RouterIP.Equal(x) {
 		return &v1.AdmissionResponse{UID: ar.Request.UID, Allowed: true}
 	}
@@ -163,7 +163,7 @@ func (h *admissionReviewHandler) handleDelete(ar v1.AdmissionReview) *v1.Admissi
 		return &v1.AdmissionResponse{Allowed: true}
 	}
 	// if delete pod kubevpn-traffic-manager, just ignore it
-	// because 223.254.0.100 is reserved
+	// because 198.19.0.100 is reserved
 	if x, _, _ := net.ParseCIDR(value); config.RouterIP.Equal(x) {
 		return &v1.AdmissionResponse{Allowed: true}
 	}