I have an OpenVPN server running exposing some private IP addresses, I would like my docker swarm services to access those addresses.

Ideally, there wouldn't be an OpenVPN client "inside" the containers as the images are expected to be deployed in an environment where a VPN will not be necessary.

What I tried so far

I successfully connected a container to my VPN with the dperson/openvpn-client image.

I successfully launched another container using that container as its network using the --net=container:my-vpn-client flag.

Now I'm trying to set up a docker service that will access my private IP addresses, and what I found is:

  • I can't run the OpenVPN client in a service as it cannot be given cap-add: NET_ADMIN. There are issues with Docker discussing this matter, but they are still open.
  • I figured I could have the OpenVPN client container run "beside" the swarm cluster, but I can't use network_mode: "container:my-vpn-client" as it is not supported, which does make sense since I couldn't possibly force an arbitrary container to be present on every node of the swarm without it being a service itself.
  • I tried creating an attachable network (bridge/overlay), just sticking my OpenVPN client container in it and expecting other members of that network to magically go through that pipe... and I was disappointed.

So here I am; any ideas?

P.S. If it can help, this is mainly to set up some automated tests that will run the services on a single docker machine in swarm mode, as in swarm init > stack deploy > run tests > swarm leave. So if there's a "hack" for that... I may be interested ;)

migrated from stackoverflow.com Jun 10 '17 at 16:52


I do this exact same thing. On your OpenVPN docker client you will need to configure NAT:

# Container traffic leaving through the tunnel gets the VPN client's tunnel address as source
iptables -t nat -A POSTROUTING -s 172.18.0.0/24 -o tun0 -j SNAT --to-source 10.8.0.10
# Traffic heading to the container out of the docker-side interface gets the VPN client's docker address as source
iptables -t nat -A POSTROUTING -d 172.18.0.50/32 -o eth1 -j SNAT --to-source 172.18.0.100

For me, I set this up to run at boot via iptables-restore.

On your docker host, add the following to /etc/network/interfaces:

# Packets from the docker network consult routing table 200 first
post-up ip rule add from 172.18.0.0/16 table 200
# In table 200, the private IP is reached via the OpenVPN client container
post-up ip route add 192.168.11.222 via 172.18.0.100 table 200

NB: in the above,

  • 172.18.0.0 is your docker network
  • 172.18.0.50 is one of your docker containers
  • 172.18.0.100 is your docker openvpn client
  • 192.168.11.222 is the private IP you want your docker clients to be able to access
  • tun0 is the OpenVPN interface of your docker client
  • eth1 is the 172.18.0.0 network interface of your openvpn docker client
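The same setup as an idempotent script, so that re-running it (e.g. on every container start or host boot) never duplicates NAT rules or policy routes. This is an added example, not the answerer's code: it keeps the answer's placeholder addresses and interface names as overridable variables, uses a single 172.18.0.0/24 prefix for both the NAT source and the host policy rule (an assumption; the answer uses /16 on the host), and adds a DRY_RUN mode that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: idempotent NAT (VPN client container) and policy routing (docker host).
# All values below are the answer's placeholders; override them via the environment.
DOCKER_NET="${DOCKER_NET:-172.18.0.0/24}"       # the docker network
CONTAINER_IP="${CONTAINER_IP:-172.18.0.50/32}"  # one of your docker containers
VPN_CLIENT_IP="${VPN_CLIENT_IP:-172.18.0.100}"  # the OpenVPN client container, docker side
VPN_TUN_IP="${VPN_TUN_IP:-10.8.0.10}"           # the OpenVPN client's tunnel address
PRIVATE_IP="${PRIVATE_IP:-192.168.11.222}"      # private IP reachable only through the VPN
TUN_IF="${TUN_IF:-tun0}"                        # tunnel interface inside the client
DOCKER_IF="${DOCKER_IF:-eth1}"                  # docker-side interface inside the client
TABLE="${TABLE:-200}"                           # policy routing table on the host

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Append a POSTROUTING nat rule only if an identical rule is not already present
# (iptables -C checks for an existing rule; the check is skipped in dry-run mode).
nat_rule() {
  if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -t nat -C POSTROUTING "$@" 2>/dev/null; then
    run iptables -t nat -A POSTROUTING "$@"
  fi
}

# Run this inside the OpenVPN client container.
vpn_client_nat() {
  # Container traffic leaving through the tunnel gets the tunnel address as source.
  nat_rule -s "$DOCKER_NET" -o "$TUN_IF" -j SNAT --to-source "$VPN_TUN_IP"
  # Traffic heading to the container out of the docker-side interface gets the
  # VPN client's docker address as source, so the container answers via the client.
  nat_rule -d "$CONTAINER_IP" -o "$DOCKER_IF" -j SNAT --to-source "$VPN_CLIENT_IP"
}

# Run this on the docker host (equivalent of the post-up lines in the answer).
host_policy_route() {
  # Policy rule: packets from the docker network consult the extra table first.
  if [ "${DRY_RUN:-0}" = "1" ] || ! ip rule show | grep -q "from ${DOCKER_NET} lookup ${TABLE}"; then
    run ip rule add from "$DOCKER_NET" table "$TABLE"
  fi
  # 'ip route replace' is idempotent: re-running never creates a duplicate route.
  run ip route replace "$PRIVATE_IP" via "$VPN_CLIENT_IP" table "$TABLE"
}

# Dispatch: "client" inside the OpenVPN client container, "host" on the docker host.
case "${1:-}" in
  client) vpn_client_nat ;;
  host)   host_policy_route ;;
  *)      echo "usage: $0 client|host   (set DRY_RUN=1 to print commands only)" >&2 ;;
esac
```

Preview what would be applied with `DRY_RUN=1 sh vpn-nat.sh client` (and `... host`); without DRY_RUN the commands need root (or CAP_NET_ADMIN inside the container). Because every rule is checked before it is added, the script can replace the iptables-restore and post-up hooks in the answer without leaving duplicate entries after repeated runs.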
