Use host OpenVPN to create an additional tunnel

Hello,

My goal is to create an additionnal OpenVPN tunnel to my own OVPN server. I want to share this connection to 2 other containers running. 1 of these container need to also have access to host LAN.
Right now, using OpenVPN in a docker container as part of a docker-compose is very inconvenient in BalenaOS. I didn’t find a good solution to share the tunnel to others services. (I tried the network: service and multiple other solutions… )

However, the host already make use of OpenVPN for supervisor tunnel etc… and I found that by running a new instance of openvpn on the host through ssh (openvpn --config my_client.ovpn), I can successfully create a new tunnel and by using the network=host mode in the compose file, every containers can share this connection.

The my_client.ovpn file is persistent in /etc/openvpn (shared by resin-data I think) but everytime I reboot the computer, the tunnel disappears (obvisously).
I tried to find a way to create a new service to start up this tunnel at start but since system is read-only I can’t…

Is there a possibility to configure a new OVPN connection and make it permanent ? (through systems-connections?)
Otherwise it would be nice to :

  • have hostapps made by users that can run on host
  • create new services in systemd
  • add a openvpn tunnel directly in systems-connections file

If you have another solutions to make this working, I’m all hears !!

Thanks

Hi,
I believe you are one step from what you are trying to achieve. Using network_mode: host lets you manipulate the host OS’s network stack from within the container so starting an OpenVPN client within such container will actually create the connection on the host. Basically what you need to do is

  • Switch all containers in your docker-compose to host networking
  • Run the OpenVPN client within one of the containers (I believe it also needs to either be privileged or have the NET_ADMIN capability to create the network interface)
    If the OpenVPN client within the container creates a connection this one should be available on the host OS and all the containers as well.
    Please let us know whether this is what you were looking for.