
I need to understand how to make two docker containers work with a scenario like this:

There is a branch office with a router and a client. The network is 192.168.190.0/24 and the addresses are 1 and 57.

Somewhere else there is a VM facing the internet with public IP X.Y.Z.K and the Docker environment installed on top. Inside there are two containers. The first one is a web server facing only a private network, with address 192.168.80.2. The other container has a connection on the private network with address 192.168.80.44 and exposes its port 1194 on the other network interface to the public IP.

I need to be able to make 192.168.190.57 open the pages on 192.168.80.2.

The VPN part works fine (the router connects and is pingable from the client) and I don't need help on that.

This is a mockup for my docker-compose file.

```yaml
version: '2'
services:

  # VPN server: one leg on the public side (nat network, UDP 1194 published),
  # one leg on the private segment where the web server lives
  openvpn:
    image: mycompany/openvpn
    restart: 'always'
    cap_add:
      - NET_ADMIN
    ports:
      - '1194:1194/udp'
    networks:
      nat:
      private_net:
        ipv4_address: '192.168.80.44'

  # Web server: attached only to the private segment
  coredns:
    image: 'nginx'
    restart: 'always'
    links:
      - openvpn:private_net_vpn
    networks:
      private_net:
        ipv4_address: '192.168.80.2'

networks:
  private_net:
    internal: true
    ipam:
      config:
        - subnet: '192.168.80.0/24'
  nat:
```

[Image: the scenario described above]

  • What image of openvpn are you using? Did you try the web proxy method described here https://hub.docker.com/r/dperson/openvpn-client/ – vx3r Sep 09 '19 at 06:55
  • If you look closely at the scheme in the image, you can see that the docker container for the VPN is a server, not a client. I don't think that image would work for me. – Robert Uppey Senior Sep 09 '19 at 07:25
  • ok, do you have this entry ```push 'route 192.168.80.0 255.255.255.0'``` in your openvpn server configuration file? – vx3r Sep 09 '19 at 07:51
  • Yes, I do. 192.168.190.57 can ping the VPN server as well. Moreover, the VPN server can ping 192.168.80.2. – Robert Uppey Senior Sep 09 '19 at 13:11
  • can you ```traceroute``` the web server from the VPN client? also try to ```curl```; ping may be blocked on the container – vx3r Sep 10 '19 at 01:15
  • No, I was not able to. No protocol at all (icmp, tcp, udp) worked the way it was configured. But I figured it out. More in my own answer below. – Robert Uppey Senior Sep 10 '19 at 07:04

Answer

In the end I discovered the issue.

By default, if you define a network with internal: true, it means that some iptables rules will be enacted to block all the containers on that LAN segment from getting out of it.

At the beginning I thought it was just the route from, let's say, 192.168.80.2 to 192.168.80.1 (the IP assigned to the host machine for that LAN segment) and then to the internet. Reading carefully through all the iptables rules, I found that forwarding is also disabled.

Removing the internal: true allowed the container to route through the VPN as expected, at the cost of allowing the web server to access the public internet directly.
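To make the finding in this answer concrete, here is an added example (not code from the question or the answer) that evaluates both directions of the VPN-client-to-web-server flow against two DROP rules constructed in the shape Docker installs for an internal bridge. The bridge name br-private, the exact rule form, and the assumption that bridged container traffic traverses the host FORWARD chain (br_netfilter loaded) are all assumptions to confirm against `iptables -S` on the host.

```python
import ipaddress

# Constructed model of the two DROP rules Docker adds for an internal bridge
# (assumption about their exact form; compare with `iptables -S` on the host):
#   ! -s 192.168.80.0/24 -o br-private -j DROP   # nothing from outside may enter
#   -i br-private ! -d 192.168.80.0/24 -j DROP   # nothing may leave for outside
BRIDGE = "br-private"          # hypothetical bridge name for private_net
SUBNET = ipaddress.ip_network("192.168.80.0/24")
INTERNAL_RULES = [
    {"out": BRIDGE, "src_not_in": SUBNET},
    {"in": BRIDGE, "dst_not_in": SUBNET},
]


def forward_verdict(rules, src, dst, in_if, out_if):
    """First-match evaluation of DROP rules; anything unmatched is forwarded."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if "in" in rule and rule["in"] != in_if:
            continue
        if "out" in rule and rule["out"] != out_if:
            continue
        if "src_not_in" in rule and src in rule["src_not_in"]:
            continue
        if "dst_not_in" in rule and dst in rule["dst_not_in"]:
            continue
        return "DROP"
    return "ACCEPT"


def vpn_to_web_flow(rules):
    """Both legs of a request from VPN client 192.168.190.57 to the web server.

    The openvpn container decapsulates the packet and routes it onto the
    bridge, so the host FORWARD chain sees it bridged (in and out interface
    both the bridge, assuming br_netfilter is loaded as Docker requires).
    """
    request = forward_verdict(rules, "192.168.190.57", "192.168.80.2", BRIDGE, BRIDGE)
    reply = forward_verdict(rules, "192.168.80.2", "192.168.190.57", BRIDGE, BRIDGE)
    return request, reply


if __name__ == "__main__":
    # Same-subnet traffic (vpn container -> web) passes: matches the pings that worked
    print(forward_verdict(INTERNAL_RULES, "192.168.80.44", "192.168.80.2", BRIDGE, BRIDGE))
    print(vpn_to_web_flow(INTERNAL_RULES))   # ('DROP', 'DROP') with internal: true
    print(vpn_to_web_flow([]))               # ('ACCEPT', 'ACCEPT') once the rules are gone
```

The request leg is dropped because its source is outside the subnet, and the reply leg because its destination is; that is why no protocol worked while the VPN container itself could still reach 192.168.80.2.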