Connect to VPN from docker container


I bumped into the following issue:

On a macOS machine, I use an OpenVPN client to connect to some private cloud resources. It is configured for some specific IP address ranges and works just fine. When I create a Docker container, I get access to the internet, but the traffic for the desired private resources doesn't go through the VPN routes.

Here is the host routing table:

Destination Gateway Flags Netif Expire
default 192.168.2.1 UGSc en0
default link#18 UCSI bridge1 !
52.49.XXX.XXX/32 172.27.232.1 UGSc utun2
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
127.94.0.1 127.94.0.1 UH lo0
169.254 link#11 UCS en0 !
172.31 172.27.232.1 UGSc utun2
192.168.2 link#11 UCS en0 !
192.168.2.1/32 link#11 UCS en0 !
192.168.2.1 38:d5:47:b0:a2:18 UHLWIir en0 1189
192.168.2.189/32 link#11 UCS en0 !
192.168.2.218 82:86:1:de:ee:60 UHLWIi en0 849
192.168.2.255 ff:ff:ff:ff:ff:ff UHLWbI en0 !
192.168.64 link#18 UC bridge1 !
192.168.64.6 be.ed.d9.29.7e.10 UHLWIi bridge1 658
203.XX.XXX 172.27.232.1 UGSc utun2
224.0.0/4 link#11 UmCS en0 !
224.0.0.251 1:0:5e:0:0:fb UHmLWI en0
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en0
255.255.255.255/32 link#11 UCS en0 !

Here is the traceroute output from the Docker container:

traceroute to 172.31.42.166 (172.31.42.166), 30 hops max, 60 byte packets
1 192.168.64.1 (192.168.64.1) 0.589 ms 0.547 ms 0.534 ms
2 * * *

Here is a traceroute from the local machine:

traceroute to 172.31.42.166 (172.31.42.166), 64 hops max, 52 byte packets
1 172.27.232.1 (172.27.232.1) 71.313 ms 62.834 ms 61.412 ms
2 * *

Additional info:

Docker container ifconfig

        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::42:33ff:fe46:42d1  prefixlen 64  scopeid 0x20<link>
        ether 02:42:33:46:42:d1  txqueuelen 0  (Ethernet)
        RX packets 185  bytes 12131 (12.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 51  bytes 5165 (5.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.64.6  netmask 255.255.255.0  broadcast 192.168.64.255
        inet6 fe80::bced:d9ff:fe29:7e10  prefixlen 64  scopeid 0x20<link>
        ether be:ed:d9:29:7e:10  txqueuelen 1000  (Ethernet)
        RX packets 140799  bytes 10988561 (10.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 88642  bytes 8820363 (8.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 25  bytes 3456 (3.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 25  bytes 3456 (3.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

and netstat

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.17.0.1      0.0.0.0         UG        0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0

Can someone please tell me why the Docker container's traceroute doesn't follow the same 172.27.232.1 VPN gateway?

I should mention that I tried to start the Docker container with the --net host option. I used exactly the same configuration and container on a previous laptop (macOS, Docker and OpenVPN), and it worked flawlessly. What is different now is the Docker version (v20.10.0 - preview), which adds the bridge1 network interface to my routing table. I double-checked on the old system, and there were no bridge1 entries at all!

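As an added example, not part of the original post and not Docker or OpenVPN code: a small Python script that applies longest-prefix matching to the two routing tables pasted above and reports which route, and therefore which next hop, each side would pick for 172.31.42.166. The sample tables are copied from the post with the two masked entries left out; the names Route, lookup and tunnel_mismatches are hypothetical helpers chosen here. The security-relevant check it performs is "will this destination actually enter the tunnel from where I am sending it?", which is worth answering before treating a VPN as the only path to a private resource.

```python
"""Longest-prefix route lookup over pasted routing tables.

Added example, not from the original post: parse the host's macOS
`netstat -rn` output and the container's Linux `netstat -rn` output, then
show which route (and so which next hop) each side would pick for a
destination.  Route, lookup and tunnel_mismatches are hypothetical names.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample: the host table from the post, with the two masked
# entries (52.49.XXX.XXX/32 and 203.XX.XXX) left out.
HOST_ROUTES = """\
Destination Gateway Flags Netif Expire
default 192.168.2.1 UGSc en0
default link#18 UCSI bridge1 !
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#11 UCS en0 !
172.31 172.27.232.1 UGSc utun2
192.168.2 link#11 UCS en0 !
192.168.2.1/32 link#11 UCS en0 !
192.168.2.1 38:d5:47:b0:a2:18 UHLWIir en0 1189
192.168.64 link#18 UC bridge1 !
192.168.64.6 be.ed.d9.29.7e.10 UHLWIi bridge1 658
224.0.0/4 link#11 UmCS en0 !
255.255.255.255/32 link#11 UCS en0 !
"""

# Constructed sample: the container table from the post.
CONTAINER_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.17.0.1      0.0.0.0         UG        0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str   # next-hop IP, link#N, or a MAC for ARP-derived host routes
    iface: str


def expand_bsd_destination(dest: str) -> ipaddress.IPv4Network:
    """BSD netstat abbreviates destinations: 'default', '127' (127.0.0.0/8),
    '172.31' (172.31.0.0/16), '224.0.0/4', or a bare address meaning /32."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))  # pad dropped zero octets
    if not plen:
        plen = "32" if len(octets) == 4 else str(8 * len(octets))
    return ipaddress.IPv4Network(f"{addr}/{plen}", strict=False)


def parse_macos_routes(text: str) -> list[Route]:
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gateway, _flags, iface = parts[:4]
        try:
            routes.append(Route(expand_bsd_destination(dest), gateway, iface))
        except ValueError:
            continue  # IPv6 or otherwise unparseable rows are skipped
    return routes


def parse_linux_routes(text: str) -> list[Route]:
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gateway, genmask, iface = parts[0], parts[1], parts[2], parts[-1]
        network = ipaddress.IPv4Network(f"{dest}/{genmask}", strict=False)
        routes.append(Route(network, gateway, iface))
    return routes


def lookup(routes: list[Route], dst: str) -> Route | None:
    """Longest-prefix match; on equal prefix length the first entry wins,
    which is why the host's en0 default beats the later bridge1 default."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def tunnel_mismatches(host_routes, container_routes, vpn_iface, dests):
    """(dst, host next hop, container next hop) for every destination the host
    would send into vpn_iface while the container has nothing more specific
    than its default route, i.e. it just hands the packet to its gateway."""
    out = []
    for d in dests:
        h, c = lookup(host_routes, d), lookup(container_routes, d)
        if h and h.iface == vpn_iface and (c is None or c.network.prefixlen == 0):
            out.append((d, h.gateway, c.gateway if c else None))
    return out


if __name__ == "__main__":
    host = parse_macos_routes(HOST_ROUTES)
    cont = parse_linux_routes(CONTAINER_ROUTES)
    for d in ("172.31.42.166", "8.8.8.8"):
        print(d, "host:", lookup(host, d), "container:", lookup(cont, d))
    print(tunnel_mismatches(host, cont, "utun2", ["172.31.42.166", "8.8.8.8"]))
```

Run against the two tables, the host resolves 172.31.42.166 to the 172.31/16 entry via 172.27.232.1 on utun2, while the container has no entry more specific than 0.0.0.0/0 via 172.17.0.1, so nothing inside the container points at the tunnel at all. Whether such a packet ever reaches utun2 then depends entirely on what the host does with traffic arriving from the bridge side, and the container traceroute above shows it stopping after 192.168.64.1. The live equivalents of this offline check are `ip route get 172.31.42.166` inside the container and `route -n get 172.31.42.166` on the macOS host.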