
I am trying to come up with a solution to bypass the VPN tunnel for the incoming and outgoing traffic of a Docker container.

The VPN I'm using is Mullvad VPN, and in the split tunneling section they have addressed how to exclude outgoing traffic for certain IPs. This does not work for my Docker container, as my container's traffic is routed through the tunnel created by Mullvad VPN.

This is my nftables config:

define EXCLUDED_IPS = {
   # An ip to bypass
   1.2.3.4,
}
define CONTAINER_IPS = {
   # Local Proxy
   10.10.5.0/24,
}

table inet excludeTraffic {
  chain excludeOutgoing {
    type route hook output priority 0; policy accept;
    ip daddr $EXCLUDED_IPS ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }
  # I have created this chain which is not working
  chain excludeContainerFromTunnel {
    type route hook output priority -5; policy accept;
    ip daddr $CONTAINER_IPS ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }
}

The container's network is bound to 10.10.5.1 and is a bridge network with the subnet 10.10.5.0/24.

EDIT: output of ip rule:

$ ip rule
0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0x6d6f6c65 lookup 1836018789
32766:  from all lookup main
32767:  from all lookup default
  • @A.B Added the required changes. Can you look into this?
    – Farhood ET
    Commented Jul 3, 2023 at 4:03
  • I'd need additional information (still while the tunnel is up) to be sure of the various settings. ip -br link; ip -4 -br addr; ip route; ip route show table 1836018789 and also sysctl -ar '\.rp_filter' | grep -v '0 *$' (which might have an empty output if there's nothing to care about).
    – A.B
    Commented Jul 3, 2023 at 5:32
  • @A.B I have created a specific network for this that Docker uses (a bridge that binds to a certain IP in Docker [the gateway IP here]). I don't think my issue is that complex, other than that I'm trying to mark packets inside my local network.
    – Farhood ET
    Commented Jul 3, 2023 at 6:05
  • At last check, Docker doesn't support nftables. It's managing traffic with iptables, conntrack, bridges, ipvsadm, and routing: github.com/moby/moby/issues/26824
    – BMitch
    Commented Jul 3, 2023 at 13:57
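The following ruleset is an added example and is not the original poster's config or anything from Mullvad. It builds on the question's own marks and on the `ip rule` output shown above: rule 32765 sends every packet that does *not* carry fwmark 0x6d6f6c65 to table 1836018789 (the same value in decimal, i.e. the tunnel's default route), so a marked packet skips that rule and is routed by `main` instead. The original `excludeContainerFromTunnel` chain sets the mark in the `output` hook, which only sees packets generated by host processes; a container's packets enter the host from the bridge and are forwarded, so they pass `prerouting` and `forward` and never reach `output`. The example therefore marks them in `prerouting`, before the routing decision. The bridge interface name `br-container` is an assumption (take it from `ip -br link`); whether Mullvad's own firewall table exempts forwarded traffic on the basis of ct mark 0x00000f41 is assumed from the question's use of that mark and is not verified here.

```nft
#!/usr/sbin/nft -f
# Added example, not the original poster's ruleset. Assumptions are marked.

define EXCLUDED_IPS = { 1.2.3.4 }        # IP taken from the question
define CONTAINER_NET = 10.10.5.0/24       # bridge subnet from the question
define CONTAINER_IF = "br-container"      # ASSUMED bridge interface name (check `ip -br link`)

# Marks copied from the question. The fwmark is the one Mullvad's own
# "not from all fwmark 0x6d6f6c65 lookup 1836018789" rule tests for.
define MULLVAD_FWMARK = 0x6d6f6c65
define MULLVAD_CTMARK = 0x00000f41

table inet excludeTraffic {
  # Host-generated traffic: the output hook is the right place, as in the question.
  chain excludeOutgoing {
    type route hook output priority 0; policy accept;
    ip daddr $EXCLUDED_IPS ct mark set $MULLVAD_CTMARK meta mark set $MULLVAD_FWMARK
  }

  # Container traffic is not locally generated: it arrives on the bridge and is
  # forwarded by the host, so it never traverses the output hook. It has to be
  # marked in prerouting, i.e. before the routing decision that consults `ip rule`.
  chain excludeContainerFromTunnel {
    type filter hook prerouting priority mangle; policy accept;

    # Restore the fwmark on every later packet of an already-excluded connection,
    # including replies coming back in on the physical NIC, so the whole flow
    # stays off the tunnel and keeps the ct mark the exemption is keyed on.
    ct mark $MULLVAD_CTMARK meta mark set $MULLVAD_FWMARK

    # First packet of a new flow from the container network: mark the conntrack
    # entry and the packet. With the fwmark set, rule 32765 is skipped and the
    # main table routes the packet out of the physical interface.
    iifname $CONTAINER_IF ip saddr $CONTAINER_NET ct state new ct mark set $MULLVAD_CTMARK meta mark set $MULLVAD_FWMARK
  }
}
```

Load it with `nft -f` while the tunnel is up and check the routing decision the kernel would make for a marked container packet with `ip route get 1.2.3.4 from 10.10.5.2 iif br-container mark 0x6d6f6c65`: the answer should name the physical interface, not the Mullvad interface. Two caveats a practitioner should check: Docker's own MASQUERADE rule (added with iptables, as BMitch notes) is what rewrites the container's 10.10.5.x source address onto the physical interface, so that rule must still be present and must apply to the physical interface; and a strict `rp_filter` on the bridge or the NIC (the setting A.B asked about) can silently drop the return packets once they are routed asymmetrically to the tunnel's routing table.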

1 Answer

Have you tried just disabling the VPN? As I understand it, having tried something like this before, the adapter's traffic on a VPN connection gets consumed; there is no bypassing it via the same adapter. It would be interesting if you could create a virtual adapter that used the same NIC, and then give it membership in the network you're trying to communicate with.

I am assuming you want your machine to be able to connect to the internet as well as the LAN, but not to use the VPN route for the one or have it block the other?

  • I don't want to disable the VPN; that's the point. I want to have the VPN running for all of the system processes except that Docker container.
    – Farhood ET
    Commented Jun 25, 2023 at 7:57
  • That is going to be the issue. To accomplish this you'd have to find out how to control network device assignment by process; I'm not sure that is possible. I tried something similar to this, and if the tunnel is up it pushes ALL traffic to it; otherwise the whole point of the VPN would not work. The only way you could do this is with another machine, or if a guest machine was using a VPN, so far as I know.
    Commented Jun 25, 2023 at 19:47
