Docker container connection issues only when using openvpn in pfsense

Hi all,

ref:
Client/server - Community Version: 24.0.5
Host: Debian 12

I was hoping to get some advice from anyone who has used a similar setup. I use Proxmox with pfSense, Pi-hole and Docker on separate VMs. I’ve got the setup working when not using a VPN.

Some info:

Proxmox bridges:
both use vmbr0, the second one with a VLAN tag.

When I have the firewall set to use no VPN:

Docker (subnet 10.77.77.0/24)
Allowing any traffic for any protocol

LAN (10.88.88.0/24)
Allowing any traffic for any protocol

My host docker has:

root@docker:~$ ip route
default via 10.88.88.253 dev ens18 onlink
10.77.77.0/24 dev ens19 proto kernel scope link src 10.77.77.2
10.88.88.0/24 dev ens18 proto kernel scope link src 10.88.88.9
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown

/etc/network/interfaces

iface ens18 inet static
        address 10.88.88.9
        netmask 255.255.255.0
        network 10.88.88.0
        broadcast 10.88.88.255
        gateway 10.88.88.253

auto ens19
iface ens19 inet static
    address 10.77.77.2
    netmask 255.255.255.0
    post-up ip route add 10.77.77.0/24 dev ens19 src 10.77.77.2 table rt2
    post-up ip route add default via 10.77.77.253 dev ens19 table rt2
    post-up ip rule add from 10.77.77.2/32 table rt2
    post-up ip rule add to 10.77.77.2/32 table rt2

If I didn’t do the above, the 2nd interface wouldn’t auto-start and I had to manually force it to come up.

My docker container can communicate and resolve e.g:

root@ba337168be75:/# ping google.com
PING google.com (172.217.16.238): 56 data bytes
64 bytes from 172.217.16.238: seq=0 ttl=116 time=8.142 ms

I can access the container using a PC on the 10.88.88.0 subnet, e.g. container at 10.77.77.129:6789.
I can naturally ping this address from the PC. One thing to note: I am not able to ping the PC from the container or the Docker host, even when not using the VPN firewall settings. Not sure why.

When I flip the firewall rules to OpenVPN, so using this rule instead in pfSense for both LANs (DOCKER/LAN):
[image of the pfSense rule]

I am only able to ping 1.1.1.1 from the container and cannot resolve. I cannot access the containers from the PC.

I’ve looked at guides but I’m struggling to understand my issues. I’ve seen mention of adding an iptables rule, but a lot of it is beyond me at the moment.

It turns out that I was forcing everything out the VPN gateway. By setting up two rules, one for traffic going through the VPN gateway and another for the local subnet(s) with no gateway specified, they could communicate.

This sorted all the issues with DNS I was having and being able to access the Docker GUIs from the desktop.
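To make the fix concrete, here is an added example (not from the original post or from pfSense) that models pfSense's top-down, first-match evaluation of interface rules with an optional policy-routing gateway. It uses the two subnets from the post (10.77.77.0/24 and 10.88.88.0/24); the gateway name OPENVPN_GW, the PC address 10.88.88.50 and the container address 10.77.77.129 are constructed placeholders. It shows why a single "allow all via the VPN gateway" rule sends container-to-LAN traffic into the tunnel (so DNS to the LAN and the desktop's reply path break), and why the no-gateway local-subnet rule only helps when it sits above the VPN rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Dict, Tuple

# Subnets from the post; gateway name and host addresses below are assumed placeholders.
LAN = ipaddress.ip_network("10.88.88.0/24")
DOCKER = ipaddress.ip_network("10.77.77.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
LOCAL_NETS = [LAN, DOCKER]
VPN_GW = "OPENVPN_GW"          # hypothetical pfSense gateway name


@dataclass
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    gateway: Optional[str]     # None = "default" (use the system routing table)


@dataclass
class Flow:
    src: str
    dst: str


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """pfSense interface rules are evaluated top-down; the first match wins."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r
    return None  # no rule matched: pfSense's implicit default deny


def route_for(rules: List[Rule], flow: Flow) -> str:
    """Where a new connection for this flow is sent: a gateway name, 'default-route', or 'DROP'."""
    r = first_match(rules, flow)
    if r is None:
        return "DROP"
    return r.gateway if r.gateway else "default-route"


def vpn_only_rules(iface_net: ipaddress.IPv4Network) -> List[Rule]:
    """The original (broken) ruleset: everything from the interface is policy-routed to the VPN."""
    return [Rule("allow all via VPN", iface_net, ANY, VPN_GW)]


def fixed_rules(iface_net: ipaddress.IPv4Network) -> List[Rule]:
    """The fix from the post: local subnets first with no gateway, then everything else via VPN."""
    local = [Rule(f"local to {n}", iface_net, n, None) for n in LOCAL_NETS]
    return local + [Rule("everything else via VPN", iface_net, ANY, VPN_GW)]


def misordered_rules(iface_net: ipaddress.IPv4Network) -> List[Rule]:
    """Same two rules as fixed_rules, but with the VPN catch-all on top: first match shadows the rest."""
    return list(reversed(fixed_rules(iface_net)))


def evaluate(rules: List[Rule], flows: List[Flow]) -> Dict[Tuple[str, str], str]:
    return {(f.src, f.dst): route_for(rules, f) for f in flows}


# Constructed sample flows: container -> internet, container -> LAN PC, container -> LAN gateway.
SAMPLE_FLOWS = [
    Flow("10.77.77.129", "1.1.1.1"),
    Flow("10.77.77.129", "10.88.88.50"),
    Flow("10.77.77.129", "10.88.88.253"),
]

if __name__ == "__main__":
    for label, rules in (("vpn-only", vpn_only_rules(DOCKER)),
                         ("fixed", fixed_rules(DOCKER)),
                         ("misordered", misordered_rules(DOCKER))):
        print(label)
        for (src, dst), where in evaluate(rules, SAMPLE_FLOWS).items():
            print(f"  {src} -> {dst}: {where}")
```

Run it as a script and the three rulesets print side by side: under "vpn-only" every flow, including 10.77.77.129 -> 10.88.88.50, is handed to OPENVPN_GW; under "fixed" only the 1.1.1.1 flow goes to the VPN while the LAN destinations use the normal routing table; "misordered" behaves exactly like "vpn-only", which is the check to do when the two-rule fix appears not to work. The same model applies to the LAN interface's rules for traffic from the desktop to 10.77.77.129.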