VPN server into systemd-nspawn machine
2 votes | 1 answer | 1121 views
I am trying to deploy a VPN server (I chose the Openswan flavor) into a systemd-nspawn container on a Raspberry Pi running Arch Linux. For now I can log in to the container, ping, and go outside from within the container (I managed to bring Internet into it).
Here is my systemd config file for my container (override.conf):
[Service]
ExecStart=
ExecStart=/usr/bin/systemd-nspawn \
--quiet --keep-unit --boot --link-journal=try-guest \
-D /usr/lib/machines/%I \
--machine=%I
Edit: I created an openswan.nspawn configuration and refactored the configuration in the override file.
So this file looks like this:
[alarm@alarmpi ~]$ sudo cat /etc/systemd/nspawn/openswan.nspawn
[Exec]
Capability=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
[Network]
Private=yes
VirtualEthernet=yes
Port=udp:500:500
Port=udp:4500:4500
Port=udp:1701:1701
Port=tcp:500:500
Port=tcp:4500:4500
Port=tcp:80:80
My container boots correctly and the different services related to openswan are spawned correctly inside the container:
$ systemctl status systemd-nspawn@openswan.service
● systemd-nspawn@openswan.service - Container openswan
Loaded: loaded (/usr/lib/systemd/system/systemd-nspawn@.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/systemd-nspawn@openswan.service.d
└─override.conf
Active: active (running) since lun 2016-07-04 11:36:55 CEST; 1 day 1h ago
Docs: man:systemd-nspawn(1)
Main PID: 15805 (systemd-nspawn)
Status: "Container running."
CGroup: /machine.slice/systemd-nspawn@openswan.service
├─15805 /usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --private-network --network-veth --capability=CAP_NET_ADMIN --mach
├─init.scope
│ └─15810 /usr/lib/systemd/...
└─system.slice
├─console-getty.service
│ └─15853 /sbin/agetty --no...
├─dbus.service
│ └─15838 /usr/bin/dbus-dae...
├─openswan.service
│ ├─18417 /bin/sh /usr/lib/...
│ ├─18418 logger -s -p daem...
│ ├─18419 /bin/sh /usr/lib/...
│ ├─18420 /bin/sh /usr/lib/...
│ ├─18423 /usr/lib/openswan...
│ ├─18425 _pluto_adns
I set up the container with --network-veth.
>
> My question now is how to actually "publish" those ports (udp
> 500/4500/1701), like in Docker, and make them available from outside
> the container?
>
> Like:
>
> Road warrior --> cloud --> Arch pi --> systemd-nspawn container --
>
> I know this would be trivial to forward traffic using iptables but
> that's not what I want.
>
> Maybe I need to have a bridged setup?
Edit: using the "Port" directive, I am now able to forward traffic inside my container, great! :D
The only problem I am facing now is that pluto is crashing when dealing with the Security Association (ISAKMP) with the following message:
"L2TP-PSK-NAT" 178.50.79.197 #1: ABORT at /build/openswan/src/openswan-2.6.47/programs/pluto/keys.c:488
"L2TP-PSK-NAT" 178.50.79.197 #1: ABORT at /build/openswan/src/openswan-2.6.47/programs/pluto/keys.c:488
If it rings a bell for someone, please tell me. I will look at the code when I have time...
To be continued...
Asked by Lion.24
(21 rep)
Jul 5, 2016, 01:25 PM
Last activity: Jun 30, 2019, 04:15 PM
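As an added example (not code from the question or from systemd), a small Python checker that parses the Port= lines of an .nspawn file using the [protocol:]hostport[:containerport] syntax documented in systemd.nspawn(5), and lists host-side mappings beyond the three UDP ports the question names. The function names are my own; the sample input is the openswan.nspawn file shown above.

```python
from typing import List, NamedTuple

class PortMap(NamedTuple):
    proto: str
    host_port: int
    container_port: int

def parse_port_directive(value: str) -> PortMap:
    """Port= takes [protocol:]hostport[:containerport]; protocol defaults to
    tcp and the container port defaults to the host port (systemd.nspawn(5))."""
    parts = value.strip().split(":")
    proto = "tcp"
    if parts[0] in ("tcp", "udp"):
        proto = parts.pop(0)
    if not 1 <= len(parts) <= 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Port= value: {value!r}")
    host = int(parts[0])
    cont = int(parts[1]) if len(parts) == 2 else host
    if not all(1 <= p <= 65535 for p in (host, cont)):
        raise ValueError(f"port out of range in {value!r}")
    return PortMap(proto, host, cont)

def parse_nspawn_ports(text: str) -> List[PortMap]:
    """Collect every Port= line of the [Network] section. A hand-written loop
    is used because Port= may repeat, which configparser would collapse."""
    ports, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Network" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "Port":
                ports.append(parse_port_directive(value))
    return ports

def unexpected_exposure(ports, required):
    """Mappings whose (proto, host_port) the service did not ask for."""
    return [p for p in ports if (p.proto, p.host_port) not in required]

# The openswan.nspawn file from the question, embedded as sample input.
SAMPLE = ("[Exec]\nCapability=CAP_NET_ADMIN CAP_NET_BIND_SERVICE\n"
          "[Network]\nPrivate=yes\nVirtualEthernet=yes\n"
          "Port=udp:500:500\nPort=udp:4500:4500\nPort=udp:1701:1701\n"
          "Port=tcp:500:500\nPort=tcp:4500:4500\nPort=tcp:80:80\n")
REQUIRED = {("udp", 500), ("udp", 4500), ("udp", 1701)}  # ports the question names
```

Running `unexpected_exposure(parse_nspawn_ports(SAMPLE), REQUIRED)` lists the tcp 500, tcp 4500 and tcp 80 mappings as host-side exposure the stated service set does not need.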