
I have an OpenVPN server running exposing some private IP addresses, I would like my docker swarm services to access those addresses.

Ideally, there wouldn't be an OpenVPN client "inside" the containers as the images are expected to be deployed in an environment where a VPN will not be necessary.

What I tried so far

I successfully connected a container to my VPN with the dperson/openvpn-client image.

I successfully launched another container using that container as its network using the --net=container:my-vpn-client flag.

Now I'm trying to set up a docker service that will access my private IP addresses, and what I found is:

  • I can't run the OpenVPN client in a service as it cannot be given cap-add: NET_ADMIN. There are open issues with Docker discussing this matter, but they are still open.
  • I figured I could have the OpenVPN client container run "beside" the swarm cluster, but I can't use network_mode: "container:my-vpn-client" as it is not supported, and that does make sense since I couldn't possibly force an arbitrary container to be present on every node of the swarm without it being a service itself.
  • I tried creating an attachable network (bridge/overlay), just stuck my OpenVPN client container in it and expected the other members of that network to magically go through that pipe... and I was disappointed.

So here i am, any idea?

P.S. If it can help, this is mainly to setup some automated tests that will run the services on single docker machine in swarm mode, as in swarm init > stack deploy > run tests > swarm leave. So if there's a "hack" for that... i may be interested ;)


1 Answer


I do this exact same thing. On your OpenVPN Docker client you will need to configure NAT:

iptables -t nat -A POSTROUTING -s 172.18.0.0/24 -o tun0 -j SNAT --to-source 10.8.0.10
iptables -t nat -A POSTROUTING -d 172.18.0.50/32 -o eth1 -j SNAT --to-source 172.18.0.100

For me, I set this up to run at boot via an iptables-restore.

On your Docker host, add the following to /etc/network/interfaces:

post-up ip rule add from 172.18.0.0/16 table 200
post-up ip route add 192.168.11.222 via 172.18.0.100 table 200

NB: This is what you use, where:

  • 172.18.0.0 is your docker network
  • 172.18.0.50 is one of your docker containers
  • 172.18.0.100 is your docker openvpn client
  • 192.168.11.222 is the private IP you want your docker clients to be able to access
  • tun0 is the OpenVPN interface of your docker client
  • eth1 is the 172.18.0.0 network interface of your openvpn docker client
  • An excellent response ... upvoted. Notice how there are two issues to be dealt with: (1) ensuring that the traffic is routed to the proper place, and (2) ensuring that the software running in the Docker environment knows that the route exists. You may also need to tell OpenVPN how to route the traffic, using a ccr file as though you were dealing with a local network. As with all TCP/IP routing, "traceroute is your bestest friend, as is tcpdump or WireShark." Commented Aug 21, 2018 at 14:48
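As an added illustration (this is not code from the answer or from the dperson/openvpn-client image), the following Python model walks a packet through the two pieces of configuration the answer gives: the host's policy-routing rule (from 172.18.0.0/16 → table 200 → via 172.18.0.100) and the two SNAT rules in the VPN client container's POSTROUTING chain. The addresses and interface names are the answer's own; everything else (the Packet/SnatRule classes, the assumption that the VPN client sends 192.168.11.222 out tun0 and the Docker network out eth1, and the trace() helper) is constructed here so the rule logic can be exercised offline.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses from the answer's NB list.
DOCKER_NET = "172.18.0.0/16"    # prefix used by the host's "ip rule ... table 200"
SNAT_SRC_NET = "172.18.0.0/24"  # prefix used by the first SNAT rule
CONTAINER = "172.18.0.50"       # an ordinary Docker container
VPN_CLIENT = "172.18.0.100"     # the OpenVPN client container on the Docker network
VPN_TUN_IP = "10.8.0.10"        # the VPN client's address on tun0
PRIVATE_IP = "192.168.11.222"   # the private address reachable only over the VPN


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class SnatRule:
    """One 'iptables -t nat -A POSTROUTING ... -j SNAT' rule (constructed model)."""
    out_iface: str             # -o
    to_source: str             # --to-source
    src: Optional[str] = None  # -s (CIDR), None = any
    dst: Optional[str] = None  # -d (CIDR), None = any

    def matches(self, pkt: Packet, out_iface: str) -> bool:
        if out_iface != self.out_iface:
            return False
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


# The two rules the answer installs inside the VPN client container.
VPN_CLIENT_POSTROUTING = [
    SnatRule(out_iface="tun0", to_source=VPN_TUN_IP, src=SNAT_SRC_NET),
    SnatRule(out_iface="eth1", to_source=VPN_CLIENT, dst=CONTAINER + "/32"),
]


def host_next_hop(pkt: Packet) -> str:
    """Host side: 'ip rule add from 172.18.0.0/16 table 200' plus
    'ip route add 192.168.11.222 via 172.18.0.100 table 200'.
    If table 200 has no route for the destination, the kernel falls
    through to the main table, which we represent as 'main-table'."""
    if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(DOCKER_NET) and pkt.dst == PRIVATE_IP:
        return VPN_CLIENT
    return "main-table"


def apply_postrouting(pkt: Packet, out_iface: str, rules) -> Packet:
    """First matching SNAT rule wins, as in iptables; otherwise the packet is unchanged."""
    for rule in rules:
        if rule.matches(pkt, out_iface):
            return Packet(src=rule.to_source, dst=pkt.dst)
    return pkt


def vpn_client_egress(dst: str) -> str:
    # Assumption (not stated on the page): the VPN pushes a route for the
    # private address over tun0; the Docker network stays on eth1.
    return "tun0" if dst == PRIVATE_IP else "eth1"


def trace(src: str, dst: str) -> dict:
    """Follow a packet from a container toward dst and report the next hop chosen
    by the host, the VPN client's egress interface and the source seen on the wire."""
    pkt = Packet(src, dst)
    hop = host_next_hop(pkt)
    if hop != VPN_CLIENT:
        return {"next_hop": hop, "egress": None, "src_on_wire": src}
    egress = vpn_client_egress(dst)
    out = apply_postrouting(pkt, egress, VPN_CLIENT_POSTROUTING)
    return {"next_hop": hop, "egress": egress, "src_on_wire": out.src}


if __name__ == "__main__":
    for s, d in [(CONTAINER, PRIVATE_IP), ("172.18.1.5", PRIVATE_IP), (CONTAINER, "8.8.8.8")]:
        print(s, "->", d, trace(s, d))
```

One thing the model makes visible: the host rule covers 172.18.0.0/16 but the SNAT rule only covers 172.18.0.0/24, so a container at, say, 172.18.1.5 is handed to the VPN client yet leaves tun0 with its Docker address unchanged, and the VPN side has no route back to it. Use the same prefix in both places, and confirm with `ip rule show`, `ip route show table 200` and `iptables -t nat -S POSTROUTING` on the respective hosts that the rules are actually installed.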
