Docker containers to use IPsec host VPN on host

Hi

I am new to Docker and my setup is relatively simple; however, I am running into issues when connecting via VPN.

The host box is Ubuntu. It is running the Shrew VPN client to build an IPsec tunnel to a remote firewall.

I have a couple of Docker containers on this host. They are not natively running any VPN. The idea is to let the Docker containers transparently use the VPN on the host machine when they build outbound connections.

Trying a simple curl to 1.1.1.1 from within a Docker container WORKS (withOUT the VPN running on the host machine):

(base) root@dev-ro:/home/rohan# tcpdump -nn -i any host 1.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:12:44.023437 IP 172.17.0.2.40872 > 1.1.1.1.80: Flags [S], seq 3021748130, win 29200, options [mss 1460,sackOK,TS val 3523585699 ecr 0,nop,wscale 7], length 0
15:12:44.023437 IP 172.17.0.2.40872 > 1.1.1.1.80: Flags [S], seq 3021748130, win 29200, options [mss 1460,sackOK,TS val 3523585699 ecr 0,nop,wscale 7], length 0
15:12:44.023475 IP 10.79.130.200.40872 > 1.1.1.1.80: Flags [S], seq 3021748130, win 29200, options [mss 1460,sackOK,TS val 3523585699 ecr 0,nop,wscale 7], length 0
15:12:44.033546 IP 1.1.1.1.80 > 10.79.130.200.40872: Flags [S.], seq 1368295106, ack 3021748131, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
15:12:44.033577 IP 1.1.1.1.80 > 172.17.0.2.40872: Flags [S.], seq 1368295106, ack 3021748131, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
15:12:44.033582 IP 1.1.1.1.80 > 172.17.0.2.40872: Flags [S.], seq 1368295106, ack 3021748131, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
15:12:44.033612 IP 172.17.0.2.40872 > 1.1.1.1.80: Flags [.], ack 1, win 229, length 0
15:12:44.033612 IP 172.17.0.2.40872 > 1.1.1.1.80: Flags [.], ack 1, win 229, length 0
15:12:44.033627 IP 10.79.130.200.40872 > 1.1.1.1.80: Flags [.], ack 1, win 229, length 0
15:12:44.033706 IP 172.17.0.2.40872 > 1.1.1.1.80: Flags [P.], seq 1:73, ack 1, win 229, length 72: HTTP: HEAD / HTTP/1.1
15:12:44.033706 IP 172.17.0.2.40872 > 1.1.1.1.80: Flags [P.], seq 1:73, ack 1, win 229, length 72: HTTP: HEAD / HTTP/1.1
15:12:44.033723 IP 10.79.130.200.40872 > 1.1.1.1.80: Flags [P.], seq 1:73, ack 1, win 229, length 72: HTTP: HEAD / HTTP/1.1
15:12:44.043065 IP 1.1.1.1.80 > 10.79.130.200.40872: Flags [.], ack 73, win 29, length 0

Trying the same curl to 1.1.1.1 from within a Docker container FAILS (WITH the VPN running on the host machine):

(base) root@dev-ro:/home/rohan# tcpdump -nn -i any host 1.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:10:48.822224 IP 172.17.0.2.40862 > 1.1.1.1.80: Flags [S], seq 3291520496, win 29200, options [mss 1460,sackOK,TS val 3523470500 ecr 0,nop,wscale 7], length 0
15:10:48.822224 IP 172.17.0.2.40862 > 1.1.1.1.80: Flags [S], seq 3291520496, win 29200, options [mss 1460,sackOK,TS val 3523470500 ecr 0,nop,wscale 7], length 0
15:10:48.961451 IP 1.1.1.1.80 > 172.31.0.0.40862: Flags [S.], seq 3864141643, ack 3291520497, win 65535, options [mss 1400,nop,wscale 5,sackOK,TS val 1128286079 ecr 3523470500], length 0
15:10:49.844636 IP 172.17.0.2.40862 > 1.1.1.1.80: Flags [S], seq 3291520496, win 29200, options [mss 1460,sackOK,TS val 3523471523 ecr 0,nop,wscale 7], length 0
15:10:49.844636 IP 172.17.0.2.40862 > 1.1.1.1.80: Flags [S], seq 3291520496, win 29200, options [mss 1460,sackOK,TS val 3523471523 ecr 0,nop,wscale 7], length 0
15:10:49.986796 IP 1.1.1.1.80 > 172.31.0.0.40862: Flags [S.], seq 3864141643, ack 3291520497, win 65535, options [mss 1400,nop,wscale 5,sackOK,TS val 1128286079 ecr 3523471523], length 0
15:10:51.860629 IP 172.17.0.2.40862 > 1.1.1.1.80: Flags [S], seq 3291520496, win 29200, options [mss 1460,sackOK,TS val 3523473539 ecr 0,nop,wscale 7], length 0
15:10:51.860629 IP 172.17.0.2.40862 > 1.1.1.1.80: Flags [S], seq 3291520496, win 29200, options [mss 1460,sackOK,TS val 3523473539 ecr 0,nop,wscale 7], length 0
15:10:52.001615 IP 1.1.1.1.80 > 172.31.0.0.40862: Flags [S.], seq 3864141643, ack 3291520497, win 65535, options [mss 1400,nop,wscale 5,sackOK,TS val 1128286079 ecr 3523473539], length 0

I looked through other similar questions that talk about iptables, but fiddling around with them didn't work.
I can't deploy another VM/container that will act as a VPN terminator. I am stuck with using the VPN on the host machine (company policy).

I would really appreciate any hints on what to look for. Any pointers?
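The two traces above can be read mechanically. This is an added example, not code from the original poster, Docker or Shrew. With `tcpdump -i any`, a packet that crosses a NAT boundary shows up twice: once with the container's address on the docker0/veth side and once, after MASQUERADE, with the host address on the egress interface. In the working trace the SYN-ACK also appears twice, first addressed to 10.79.130.200 and then re-translated to 172.17.0.2. In the failing trace the only SYN-ACKs are addressed to 172.31.0.0, an address the post does not otherwise identify and which no outbound copy in the capture ever carried, so nothing maps it back to the container and the container retransmits SYN three times. The script below parses `tcpdump -nn` lines, ties the pre- and post-NAT copies of one connection together by the (port-preserving) source port, and reports a verdict per connection. The sample captures are constructed, abridged versions of the two in the post, and the verdict strings are this example's own names.

```python
"""Check whether Docker's MASQUERADE round-trips in a `tcpdump -nn -i any` trace.

Added example, not code from the original post. A healthy NAT'd connection shows
the SYN twice (container source, then translated host source) and the SYN-ACK
twice (host destination, then re-translated container destination). A SYN-ACK
addressed to an IP that never appeared as an outbound source has no conntrack
entry to reverse it, so the container never sees it and keeps retransmitting.
"""
import re

# One TCP line of `tcpdump -nn`: "HH:MM:SS.usec IP a.b.c.d.sport > e.f.g.h.dport: Flags [S], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Return TCP packets as dicts; tcpdump banner lines and blanks are skipped."""
    pkts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts


def analyse_nat(text, container_prefix="172.17."):
    """Per connection opened by a container, judge whether NAT is symmetric.

    Connections are keyed on (remote_ip, remote_port, local_port). MASQUERADE keeps
    the source port when it can, so the port ties the pre- and post-NAT copies of
    one packet together even though their source address differs.
    """
    pkts = parse_capture(text)
    flows = {}
    # Pass 1: a SYN from the container bridge network defines a connection.
    for p in pkts:
        if p["flags"] == "S" and p["src"].startswith(container_prefix):
            key = (p["dst"], p["dport"], p["sport"])
            flows.setdefault(key, {"container_ip": p["src"], "out_src": set(),
                                   "in_dst": set(), "syn_ts": set()})
    # Pass 2: attribute every packet to a connection by direction.
    for p in pkts:
        out_key = (p["dst"], p["dport"], p["sport"])
        in_key = (p["src"], p["sport"], p["dport"])
        if out_key in flows:                      # container -> remote, any NAT copy
            f = flows[out_key]
            f["out_src"].add(p["src"])
            if p["flags"] == "S" and p["src"] == f["container_ip"]:
                f["syn_ts"].add(p["ts"])          # same ts twice == the two -i any copies
        elif in_key in flows:                     # remote -> host or container
            flows[in_key]["in_dst"].add(p["dst"])

    report = {}
    for key, f in flows.items():
        translated = f["out_src"] - {f["container_ip"]}
        replies = f["in_dst"]
        if not replies:
            verdict = "no_reply"
        elif f["container_ip"] in replies:
            verdict = "ok"                        # SYN-ACK was mapped back to the container
        elif replies & translated:
            verdict = "reply_reached_host_not_remapped"
        else:
            verdict = "reply_to_unknown_address"  # no outbound copy ever carried this source
        report[key] = {
            "container_ip": f["container_ip"],
            "translated_src": sorted(translated),
            "reply_dst": sorted(replies),
            "syn_attempts": len(f["syn_ts"]),     # more than 1 means SYN retransmissions
            "verdict": verdict,
        }
    return report


# Constructed sample captures, abridged from the two traces in the post.
WORKING = """\
15:12:44.023437 IP 172.17.0.2.40872 > 1.1.1.1.80: Flags [S], seq 3021748130, win 29200, length 0
15:12:44.023437 IP 172.17.0.2.40872 > 1.1.1.1.80: Flags [S], seq 3021748130, win 29200, length 0
15:12:44.023475 IP 10.79.130.200.40872 > 1.1.1.1.80: Flags [S], seq 3021748130, win 29200, length 0
15:12:44.033546 IP 1.1.1.1.80 > 10.79.130.200.40872: Flags [S.], seq 1368295106, ack 3021748131, length 0
15:12:44.033577 IP 1.1.1.1.80 > 172.17.0.2.40872: Flags [S.], seq 1368295106, ack 3021748131, length 0
15:12:44.033612 IP 172.17.0.2.40872 > 1.1.1.1.80: Flags [.], ack 1, win 229, length 0
"""
FAILING = """\
15:10:48.822224 IP 172.17.0.2.40862 > 1.1.1.1.80: Flags [S], seq 3291520496, win 29200, length 0
15:10:48.822224 IP 172.17.0.2.40862 > 1.1.1.1.80: Flags [S], seq 3291520496, win 29200, length 0
15:10:48.961451 IP 1.1.1.1.80 > 172.31.0.0.40862: Flags [S.], seq 3864141643, ack 3291520497, length 0
15:10:49.844636 IP 172.17.0.2.40862 > 1.1.1.1.80: Flags [S], seq 3291520496, win 29200, length 0
15:10:49.986796 IP 1.1.1.1.80 > 172.31.0.0.40862: Flags [S.], seq 3864141643, ack 3291520497, length 0
15:10:51.860629 IP 172.17.0.2.40862 > 1.1.1.1.80: Flags [S], seq 3291520496, win 29200, length 0
"""

if __name__ == "__main__":
    for name, cap in (("without VPN", WORKING), ("with VPN", FAILING)):
        for key, r in analyse_nat(cap).items():
            print(name, key, r)
```

To run it on a real trace, save `tcpdump -nn -i any host <target>` to a file and pass its contents to `analyse_nat`. One caveat when the tunnel is up: the `host 1.1.1.1` filter matches the inner IP header only, so the ESP-encapsulated copy of the outbound SYN is not in the capture at all, and an empty `translated_src` does not by itself prove nothing was translated; the decisive symptom is a `reply_dst` that the bridge network never sees re-mapped, together with a `syn_attempts` count above 1.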