Connect to VPN from docker container

  docker, docker-networking, networking, openvpn, routes

I bumped into the following issue:

On a macOS machine, I use an OpenVPN client to connect to some private cloud resources – it is configured for some specific IP address ranges and works just fine. Creating a Docker container, I get access to the internet, but the traffic for the desired private resources doesn’t go through the VPN routes.

Here is the host routing table:

Destination        Gateway            Flags        Netif Expire
default            192.168.2.1        UGSc           en0       
default            link#18            UCSI       bridge1      !      
52.49.XXX.XXX/32   172.27.232.1       UGSc         utun2       
127                127.0.0.1          UCS            lo0       
127.0.0.1          127.0.0.1          UH             lo0       
127.94.0.1         127.94.0.1         UH             lo0       
169.254            link#11            UCS            en0      !       
172.31             172.27.232.1       UGSc         utun2      
192.168.2          link#11            UCS            en0      !
192.168.2.1/32     link#11            UCS            en0      !
192.168.2.1        38:d5:47:b0:a2:18  UHLWIir        en0   1189
192.168.2.189/32   link#11            UCS            en0      !
192.168.2.218      82:86:1:de:ee:60   UHLWIi         en0    849
192.168.2.255      ff:ff:ff:ff:ff:ff  UHLWbI         en0      !
192.168.64         link#18            UC         bridge1      !
192.168.64.6       be.ed.d9.29.7e.10  UHLWIi     bridge1    658
203.XX.XXX         172.27.232.1       UGSc         utun2       
224.0.0/4          link#11            UmCS           en0      !
224.0.0.251        1:0:5e:0:0:fb      UHmLWI         en0       
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI         en0       
255.255.255.255/32 link#11            UCS            en0      !

Here is a traceroute output from the docker container:

traceroute to 172.31.42.166 (172.31.42.166), 30 hops max, 60 byte packets
 1  192.168.64.1 (192.168.64.1)  0.589 ms  0.547 ms  0.534 ms
 2  * * *
 3  * * *
 4  * * *

Here is a traceroute from local machine:

traceroute to 172.31.42.166 (172.31.42.166), 64 hops max, 52 byte packets
 1  172.27.232.1 (172.27.232.1)  71.313 ms  62.834 ms  61.412 ms
 2  * *

Additional info:

Docker Container ifconfig

        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::42:33ff:fe46:42d1  prefixlen 64  scopeid 0x20<link>
        ether 02:42:33:46:42:d1  txqueuelen 0  (Ethernet)
        RX packets 185  bytes 12131 (12.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 51  bytes 5165 (5.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.64.6  netmask 255.255.255.0  broadcast 192.168.64.255
        inet6 fe80::bced:d9ff:fe29:7e10  prefixlen 64  scopeid 0x20<link>
        ether be:ed:d9:29:7e:10  txqueuelen 1000  (Ethernet)
        RX packets 140799  bytes 10988561 (10.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 88642  bytes 8820363 (8.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 25  bytes 3456 (3.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 25  bytes 3456 (3.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

and netstat

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.17.0.1      0.0.0.0         UG        0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0

Can someone please tell me why the docker container traceroute doesn’t follow the same 172.27.232.1 VPN gateway?

I mention that I tried to start the docker container with the --net host option.
I used exactly the same configuration and container on a previous laptop (macOS, docker and OpenVPN), and it worked flawlessly. What is different now is the Docker version (v20.10.0), which adds the bridge1 network interface to my routing table – double checked with the old system, and there were no bridge1 entries at all!
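A small route-lookup helper, added here as an example and not part of the original question, that parses the two routing tables quoted above and reports which gateway and interface each would pick for 172.31.42.166: the host table has a 172.31/16 entry via utun2, while the container table only has a default route, which is the check worth running before assuming traffic to a private range really transits the VPN. It assumes the standard BSD netstat shorthand (a destination with trailing octets omitted denotes a classful prefix) and leaves out the two masked host rows, which cannot be parsed.

```python
import ipaddress
# Routing tables copied from the question above; the two masked host rows
# (52.49.XXX.XXX and 203.XX.XXX) are omitted because they cannot be parsed.
HOST_TABLE = """\
default            192.168.2.1        UGSc           en0
default            link#18            UCSI       bridge1
127                127.0.0.1          UCS            lo0
172.31             172.27.232.1       UGSc         utun2
192.168.2          link#11            UCS            en0
192.168.64         link#18            UC         bridge1
224.0.0/4          link#11            UmCS           en0
"""
CONTAINER_TABLE = """\
0.0.0.0         172.17.0.1      0.0.0.0         UG   eth0
172.17.0.0      0.0.0.0         255.255.0.0     U    eth0
"""
def bsd_prefix(dest):
    """Expand macOS/BSD netstat shorthand: 'default' is 0.0.0.0/0, '172.31' is
    172.31.0.0/16 (omitted trailing octets), '224.0.0/4' keeps its own length."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen or 8 * len(octets)}")

def parse(table, linux=False):
    """Rows as (network, gateway, interface). Linux rows carry a dotted Genmask
    column; macOS rows encode the prefix inside the Destination column."""
    routes = []
    for line in table.splitlines():
        cols = line.split()
        net = ipaddress.ip_network(f"{cols[0]}/{cols[2]}") if linux else bsd_prefix(cols[0])
        routes.append((net, cols[1], cols[-1]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; returns (gateway, interface)."""
    ip = ipaddress.ip_address(dst)
    best = max((r for r in routes if ip in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else (best[1], best[2])

HOST = parse(HOST_TABLE)
CONTAINER = parse(CONTAINER_TABLE, linux=True)

if __name__ == "__main__":
    for name, routes in (("host", HOST), ("container", CONTAINER)):
        print(name, "->", lookup(routes, "172.31.42.166"))
```

Running it prints the host selecting 172.27.232.1 on utun2 and the container selecting 172.17.0.1 on eth0, which is exactly the split the two traceroutes show.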

Source: Docker Questions
