Connect to external vpn

I’m trying to run a container that needs to connect to an openvpn server.

I’m creating an openvpn-client container and I’m trying to route other containers’ traffic through the vpn container.
I’m following this repo

The example uses the network_mode: service:[name] option for docker-compose, which is not supported by resin.

Is there any other way to route traffic from one container to another that is supported by resin? Any other idea on how to connect to the vpn and let other containers use it?


Hey, you can check out for the docker-compose fields that are supported on resin

Hey Page,

Yes, I did find those docs. That’s why I was asserting that network_mode: service:[name] is not supported by resin.

Have you heard of any way, or have you had the experience of trying, to route container traffic through openvpn in a way that is supported by resin?


Hi, @_Page do you have any plans to support network_mode: service:[name] in the foreseeable future?

We are planning to add support for this. We don’t yet have a timeframe for it, but it is something we have in our pipeline.


Thanks! I found in the balena-supervisor repo there is a PR in WIP state for a couple of months… I hope that can be used…

FWIW, my team would also like support for network_mode: service:[name]. We currently have some workaround, but support for this network mode would make the solution much simpler and more reliable.

Hi @jotham, would you mind sharing your workaround? Thanks!

Yep @blackjid. YMMV

in your docker compose, define a network

    driver: bridge
      driver: default
      - subnet:

now any container that you want to be able to communicate through the vpn should be on that network, with a static ip and the vpn also has to be on that network, e.g.

    container_name: vpn
      - NET_ADMIN
    container_name: webserver
      - NET_ADMIN
      # NB if a service is on multiple networks,
      #, balena may
      # constantly restart it if the networks are not in a 'particular' order
      default: # if containers other than vpn need to communicate with this container, however it can't be resolved by the hostname webserver. A fix for this has been merged to balena supervisor but it is not in balenaos yet

now … let’s say you have another device on your vpn and you want it to talk to the webserver container

you need to route traffic from the vpn container to the webserver container. there’s a few ways to do this (e.g. nginx, or iptables)

with iptables, add the rule as part of the vpn container startup, e.g.

    iptables -t nat -I PREROUTING --src 0/0 --dst "THE VPN INTERFACE IP" -p tcp --dport 443 -j DNAT --to

traffic from any client on your vpn would now reach the webserver container, by forwarding packets destined for 443 on the vpn container’s external vpn ip to the webserver container’s ip on the vpn network you created in docker-compose

if you need traffic to go back… you need routes to your webserver container so that vpn traffic is routed back through the vpn container

    ip route add <YOUR_VPN_SUBNET> via
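
An added example, not code from any poster in this thread: a startup script for the vpn container that installs the single-port DNAT rule described in the post above, refuses an empty or malformed address (the tunnel may not be up yet when the container starts), and skips the insert when an identical rule already exists. The function names and the `APPLY`, `VPN_IF`, `WEB_IP` and `WEB_PORT` variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not code from the thread. Addresses used with it are
# placeholders; APPLY, VPN_IF, WEB_IP and WEB_PORT are assumed variables.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# dnat_args VPN_IP DEST_IP PORT: print the rule specification for the
# single-port forward from the post, or fail on bad input.
dnat_args() {
    valid_ipv4 "$1" || { echo "bad VPN interface IP: '$1'" >&2; return 1; }
    valid_ipv4 "$2" || { echo "bad destination IP: '$2'" >&2; return 1; }
    case $3 in ''|*[!0-9]*|??????*) echo "bad port: '$3'" >&2; return 1 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || { echo "bad port: '$3'" >&2; return 1; }
    printf '%s' "PREROUTING --dst $1 -p tcp --dport $3 -j DNAT --to-destination $2:$3"
}

# install_dnat VPN_IP DEST_IP PORT: insert the rule unless an identical one
# exists (iptables -C), so container restarts do not stack duplicates.
install_dnat() {
    spec=$(dnat_args "$@") || return 1
    # $spec is deliberately unquoted: it was validated and must word-split.
    iptables -t nat -C $spec 2>/dev/null || iptables -t nat -I $spec
}

# Touch the firewall only when asked to (APPLY=1 in the vpn service).
if [ "${APPLY:-0}" = 1 ]; then
    # Read the address from the tunnel interface rather than hard-coding it.
    # If the tunnel is not up yet this is empty and dnat_args rejects it.
    vpn_ip=$(ip -4 -o addr show dev "${VPN_IF:-tun0}" 2>/dev/null |
        awk '{ split($4, a, "/"); print a[1]; exit }')
    install_dnat "$vpn_ip" "${WEB_IP:-}" "${WEB_PORT:-443}"
fi
```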

Hey! I’ll give it a try. Thanks!