Connect to external vpn

I’m trying to run a container that needs to connect to an openvpn server.

I’m creating an openvpn-client container and I’m trying to route other containers’ traffic through the vpn container.
I’m following this repo https://github.com/dperson/openvpn-client/blob/master/docker-compose.yml

The example uses the network_mode: service:[name] option for docker-compose, which is not supported by resin.

Is there any other way to route traffic from one container to another that is supported by resin? Any other idea on how to connect to the vpn and let other containers use it?

thanks

Hey, you can check out https://docs.resin.io/reference/supervisor/docker-compose/#supported-fields for the docker-compose fields that are supported on resin.

Hey Page,

Yes, I did find those docs. That’s why I was asserting that network_mode: service:[name] is not supported by resin.

Have you heard of any way, or had the experience of trying, to route container traffic through openvpn in a way that is supported by resin?

thanks!

Hi, @_Page do you have any plans to support network_mode: service:[name] in the foreseeable future?
thanks

We are planning to add support for this. We don’t have a timeframe for it yet, but it is something we have in our pipeline.

1 Like

Thanks! I found that in the balena-supervisor repo there is a PR that has been in WIP state for a couple of months… I hope that can be used… :slight_smile: https://github.com/balena-io/balena-supervisor/pull/631

FWIW, my team would also like support for network_mode: service:[name]. We currently have a workaround, but it would be simpler and more reliable with support for this network mode; it would much simplify the solution.

Hi @jotham, would you mind sharing your workaround? thanks!

Yep @blackjid. YMMV.

In your docker-compose file, define a network:

networks:
  vpnbr:   # this name is the one the services below refer to
    driver: bridge
    ipam:
      driver: default
      config:
      # NB: 176.16.0.0/12 is publicly routable address space; the RFC 1918
      # private range is 172.16.0.0/12. Pick a subnet that cannot collide
      # with anything reachable through the VPN.
      - subnet: 176.16.238.0/24
        gateway: 176.16.238.1

Now any container that you want to be able to communicate through the vpn should be on that network with a static IP, and the vpn container also has to be on that network, e.g.

  vpn:
    container_name: vpn
    ....
    cap_add:
      - NET_ADMIN   # needed for the iptables/ip route commands below
    networks:
      vpnbr:
        ipv4_address: 176.16.238.2
  webserver:
    container_name: webserver
    cap_add:
      - NET_ADMIN   # needed for the return route added in the webserver container
    networks:
      # NB if a service is on multiple networks,
      # https://github.com/balena-io/balena-supervisor/issues/824, balena may
      # constantly restart it if the networks are not in a 'particular' order
      vpnbr:
        ipv4_address: 176.16.238.3
      # 'default' is needed if containers other than vpn must communicate with
      # this container; however it then can't be resolved by the hostname
      # webserver. A fix for this has been merged to balena supervisor but it
      # is not in balenaos yet.
      default:

Now, let’s say you have another device on your vpn and you want it to talk to the webserver container.

You need to route traffic from the vpn container to the webserver container. There are a few ways to do this (e.g. nginx, or iptables).

With iptables, add the rule as part of the vpn container startup, e.g.

iptables -t nat -I PREROUTING --src 0/0 --dst "THE VPN INTERFACE IP" -p tcp --dport 443 -j DNAT --to 176.16.238.3

Traffic from any client on your vpn would now reach the webserver container: packets destined for port 443 on the vpn container’s external vpn IP are forwarded to the webserver container’s IP on the vpn network you created in docker-compose.

If you need traffic to go back, you need routes in your webserver container so that vpn traffic is routed back through the vpn container:

ip route add <YOUR_VPN_SUBNET> via 176.16.238.2
1 Like
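As an added illustration of the workaround above (this is not code from the thread or from the openvpn-client project), the script below is what the vpn container could run at startup. It wires together the three pieces the post names: the DNAT rule, forwarding inside the vpn container, and the return route for the webserver container. The 176.16.238.x addresses and port 443 come from the post; the tunnel interface name (`tun0`), the VPN subnet (`10.8.0.0/24`) and the `APPLY` switch are assumptions and placeholders. It differs from the one-liner in the post in two defensive ways: the DNAT rule is pinned to the tunnel interface so only packets that arrived over the VPN are redirected, and the FORWARD chain only lets the redirected port through, so the vpn container does not become a general bridge between the VPN and the container network.

```shell
#!/bin/sh
# Added example, not code from the thread: startup script for the vpn container.
# Values under ASSUMPTIONS are placeholders; the rest come from the compose file
# in the post. With APPLY=0 (the default) the commands are only printed.
set -eu

# --- ASSUMPTIONS (placeholders) ---
VPN_IF="${VPN_IF:-tun0}"                 # OpenVPN tunnel interface name
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"  # address range of the remote VPN
APPLY="${APPLY:-0}"                      # 1 = execute the commands, 0 = print them
# --- values from the compose file in the post ---
VPN_CONTAINER_IP="176.16.238.2"
WEBSERVER_IP="176.16.238.3"
WEBSERVER_PORT="443"

# Current IPv4 address of an interface, or empty if it has none / does not exist.
iface_ip() {
  ip -4 -o addr show dev "$1" 2>/dev/null | awk '{ print $4 }' | cut -d/ -f1
}

# DNAT rule: like the one in the post, but restricted to packets arriving on the
# tunnel interface (-i) so traffic from the container bridge is never redirected.
dnat_rule() { # $1 = vpn interface ip, $2 = tcp port, $3 = destination container ip
  printf 'iptables -t nat -I PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
    "$VPN_IF" "$1" "$2" "$3"
}

# Forwarding rules, one per line: allow only the redirected port towards the
# webserver and the matching replies back; drop everything else from the VPN.
forward_rules() { # $1 = tcp port, $2 = destination container ip
  printf 'iptables -I FORWARD -i %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
    "$VPN_IF" "$2" "$1"
  printf 'iptables -I FORWARD -o %s -s %s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' \
    "$VPN_IF" "$2"
  printf 'iptables -A FORWARD -i %s -j DROP\n' "$VPN_IF"
}

# The route the webserver container must add (that is why it has NET_ADMIN) so
# replies to VPN clients leave via the vpn container, not the bridge gateway.
return_route() { # $1 = vpn subnet, $2 = vpn container ip
  printf 'ip route add %s via %s\n' "$1" "$2"
}

main() {
  vpn_ip="$(iface_ip "$VPN_IF")"
  if [ -z "$vpn_ip" ]; then
    echo "no IPv4 address on $VPN_IF yet; run this after OpenVPN is up" >&2
    vpn_ip="VPN_INTERFACE_IP"   # placeholder so the commands can still be reviewed
  fi
  {
    # Without ip_forward the vpn container silently drops the DNAT'd packets.
    echo 'sysctl -w net.ipv4.ip_forward=1'
    dnat_rule "$vpn_ip" "$WEBSERVER_PORT" "$WEBSERVER_IP"
    forward_rules "$WEBSERVER_PORT" "$WEBSERVER_IP"
  } | while IFS= read -r cmd; do
    if [ "$APPLY" = 1 ]; then sh -c "$cmd"; else echo "$cmd"; fi
  done
  echo "# run inside the webserver container:"
  return_route "$VPN_SUBNET" "$VPN_CONTAINER_IP"
}

main
```

Run it with `APPLY=0` first (the default) to review the exact commands, then `APPLY=1` from the vpn container's entrypoint once the tunnel is up. The DROP rule is appended last, so the two ACCEPT rules inserted before it are evaluated first.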

Hey! I’ll give it a try. Thanks!