Goal:
To exchange traffic from an API, running in a Docker container on Ubuntu 22.04, to a remote endpoint through a VPN tunnel.
The VPN tunnel has been configured using strongSwan directly on the host and is up and running:
Security Associations (1 up, 0 connecting):
vpn-alblas[24]: ESTABLISHED 9 seconds ago, 206.189.100.202[206.189.100.202]...185.121.180.68[185.121.180.68]
vpn-alblas{8}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: ce7ce5a0_i 7776cdd6_o
vpn-alblas{8}: 192.168.200.0/24 === 10.129.20.0/27
The custom network the containers are running on looks like this:
[
    {
        "Name": "api-network",
        "Id": "7088cde099fe3c3665bfebbe1e57ee86aa3022169e536877f690216e6ef1c082",
        "Created": "2024-08-26T13:53:12.474275182Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "192.168.200.0/24",
                    "Gateway": "192.168.200.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "8a62839d0f665320ec18f68998097bf626c6bd9af98a1f8dbec5f01de90b4f8e": {
                "Name": "caddy_server",
                "EndpointID": "a38a2d0a0d64443302de74f015d1d2a94455d235e01ce876bf148ff0071e3849",
                "MacAddress": "02:42:c0:a8:c8:03",
                "IPv4Address": "192.168.200.3/24",
                "IPv6Address": ""
            },
            "ce8d44410523f01209633b812d4063f8866c2c9bdedcc51b17d62ff37fafb1f0": {
                "Name": "fastapi_app",
                "EndpointID": "2ed03000bc0bf022b23d5664ca47c42cc441389e9b8ad2391aeb86afd65d4489",
                "MacAddress": "02:42:c0:a8:c8:02",
                "IPv4Address": "192.168.200.2/24",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]
When I enter the container using docker exec -it fastapi_app /bin/sh and run traceroute 10.129.20.2, the packet reaches the VPN gateway, but then gets routed onto the public internet instead of through the tunnel:
traceroute to 10.129.20.2 (10.129.20.2), 30 hops max, 60 byte packets
1 ZES-Communications (192.168.200.1) 0.095 ms 0.021 ms 0.015 ms
2 5.101.110.7 (5.101.110.7) 1.746 ms 1.690 ms 1.700 ms
3 143.244.192.34 (143.244.192.34) 1.971 ms 143.244.192.30 (143.244.192.30) 1.717 ms 143.244.192.34 (143.244.192.34) 1.729 ms
4 143.244.224.74 (143.244.224.74) 1.844 ms 143.244.224.82 (143.244.224.82) 2.024 ms 143.244.224.74 (143.244.224.74) 2.044 ms
5 * * *
Upon investigating, I came across the following doc:
https://docs.strongswan.org/docs/5.9/howtos/cloudPlatforms.html
Reading this, it looks like Docker containers do not have the required privileges to set up a VPN connection. I tried to add these privileges by running the container with: docker run --cap-add=NET_ADMIN --cap-add=NET_RAW --device=/dev/net/tun --network api-network -d --name fastapi_app eg-zes-eq-api-fastapi
with no success.
I also tried to MASQUERADE the traffic going out through api-network, again with no success.
At the moment I am considering reconfiguring the VPN to use my internal IP address instead of the Docker subnet. I suspect there is a mismatch due to the fact that strongSwan is installed on the host while the containers are on a custom network.
Can anyone confirm or refute this idea and point me in the right direction?
Thanks in advance!
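One check worth running on a setup like the one above, added here as an example and not part of the original post: Docker installs a MASQUERADE rule in the nat POSTROUTING chain for every user-defined bridge subnet, and source NAT is applied before IPsec encapsulation, so a packet from 192.168.200.0/24 leaves with the host's public address and no longer matches the 192.168.200.0/24 === 10.129.20.0/27 traffic selector. strongSwan's NAT guidance for this situation is to exempt IPsec-bound traffic from masquerading with an ACCEPT rule that uses the iptables policy match, placed ahead of the MASQUERADE rule. The script below parses an `iptables-save -t nat` dump for that ordering and prints the exemption rule. The subnet and remote selector come from the post; the two dumps are constructed samples, and the bridge interface name br-7088cde099fe is an assumption (Docker derives it from the network ID, but the real name must be read from `ip link`).

```shell
#!/bin/sh
# Added example (not from the original post): check whether container traffic
# bound for the IPsec tunnel is exempted from Docker's MASQUERADE rule, and
# print the exemption rule if it is not.

SUBNET="192.168.200.0/24"   # Docker bridge subnet from the post
REMOTE="10.129.20.0/27"     # remote IPsec traffic selector from the post
BRIDGE="br-7088cde099fe"    # ASSUMPTION: bridge name derived from the network ID

# Constructed sample: the nat POSTROUTING chain as Docker typically writes it.
# Every packet leaving the subnet on a non-bridge interface is masqueraded to
# the host address, so it no longer matches the 192.168.200.0/24 selector.
SAMPLE_BEFORE="*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $SUBNET ! -o $BRIDGE -j MASQUERADE
COMMIT"

# Constructed sample: the same chain with the IPsec exemption inserted first.
SAMPLE_AFTER="*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $SUBNET -d $REMOTE -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s $SUBNET ! -o $BRIDGE -j MASQUERADE
COMMIT"

# line_of DUMP PATTERN: 1-based line number of the first rule matching PATTERN,
# empty when nothing matches.
line_of() {
  printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d : -f 1
}

# check_nat_order DUMP SUBNET
#   returns 0 when an IPsec exemption for SUBNET precedes its MASQUERADE rule
#   returns 1 when MASQUERADE comes first or no exemption exists (source is
#             rewritten before the IPsec policy is consulted)
#   returns 2 when SUBNET has no MASQUERADE rule at all (nothing to exempt)
check_nat_order() {
  masq=$(line_of "$1" "^-A POSTROUTING -s $2 .*-j MASQUERADE")
  exempt=$(line_of "$1" "^-A POSTROUTING -s $2 .*-m policy --dir out --pol ipsec .*-j ACCEPT")
  [ -n "$masq" ] || return 2
  [ -n "$exempt" ] && [ "$exempt" -lt "$masq" ] && return 0
  return 1
}

# exemption_rule SUBNET REMOTE: the iptables command that inserts the
# exemption at position 1, ahead of whatever Docker has already added.
exemption_rule() {
  printf 'iptables -t nat -I POSTROUTING 1 -s %s -d %s -m policy --dir out --pol ipsec -j ACCEPT\n' "$1" "$2"
}

# report NAME DUMP: human-readable verdict for one dump.
report() {
  rc=0
  check_nat_order "$2" "$SUBNET" || rc=$?
  case "$rc" in
    0) printf '%s: IPsec-bound traffic from %s keeps its source address\n' "$1" "$SUBNET" ;;
    1) printf '%s: %s is masqueraded before IPsec matching; insert:\n  %s\n' \
         "$1" "$SUBNET" "$(exemption_rule "$SUBNET" "$REMOTE")" ;;
    2) printf '%s: no MASQUERADE rule for %s found\n' "$1" "$SUBNET" ;;
  esac
}

report SAMPLE_BEFORE "$SAMPLE_BEFORE"
report SAMPLE_AFTER "$SAMPLE_AFTER"
```

On the real host, replace the constructed dumps with the output of `iptables-save -t nat` (for example `report host "$(iptables-save -t nat)"`). The policy match only fires when the kernel has already attached an IPsec policy to the packet, so the ACCEPT rule is a no-op for ordinary internet-bound container traffic and does not weaken the masquerading Docker relies on for everything else.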