Docker Desktop Windows and VPN - no network connection inside container

I’m trying to use Docker on Windows while being connected to VPN.

When VPN is not connected, everything works OK.

But when I connect to our corporate VPN using the Cisco AnyConnect client, the network inside the docker container is not working anymore:

docker run alpine ping www.google.com
ping: bad address 'www.google.com'

docker run alpine ping -c 5 216.58.204.36
PING 216.58.204.36 (216.58.204.36): 56 data bytes
--- 216.58.204.36 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

How can I fix this issue and make it work?

My setup is:

  • Windows 10 Version 1809 (OS Build 17763.1098)
  • Docker Desktop Community 2.2.0.4 (43472): Engine 19.03.8, Compose 1.25.4, Kubernetes 1.15.5, Notary 0.6.1, Credential Helper 0.6.3
  • Docker is in Windows containers mode with experimental features enabled (needed to run windows and linux images at the same time)

I’m blocked with this issue too… Not sure what to do since I’m new to all this.


I’m faced with the same problem… but I am using my corporate VPN, GlobalProtect by Palo Alto Networks.


Also seeing the same problem. I’m using a standard Windows 10 VPN (PPTP).

Is there somewhere someone can go for paid support? I see that people go for days without someone looking at this problem. This is not acceptable.

I’m having the same or similar issue. Did you manage to solve it? I’m using a corporate VPN (Cisco AnyConnect Secure Mobility Client).

blocked with this issue too…

I ran into the same VPN problem on Linux (Ubuntu 18) with the AnyConnect client, but I solved it partially after addressing the iptables rule that the VPN establishes. You might try the following steps:

  • 1. From inside the container, try to connect to an internet address that is blocked in the container but reachable from the host, for example ssh username@xx.xx.xxx, to send some traffic

  • 2. Exit to the host and run the shell command sudo iptables -n -v -L | grep DROP; find the line with a non-zero packet count. That line is the iptables rule blocking the traffic

  • 3. Insert a rule that allows your connection ahead of the rule found in step 2

I guess not only AnyConnect but also many other VPNs will work incorrectly with docker,

And some answers from StackOverflow mention that the docker daemon must start after the AnyConnect vpnagentd. I haven’t verified this; maybe these links are useful:

Eventually, I wrote a script to handle the problem automatically after every reconnect.

#!/bin/bash
# for safe exit
# set -xeuo pipefail

# Anyconnect retry connect and add iptables rule to accept all traffic to dockers
# 2020,9,14 by Hai-chien Teng

# Credentials and the gateway come from the environment, not from the script:
#   VPN_USERNAME, VPN_PASSWORD  AnyConnect login
#   VPN_HOST                    VPN gateway, contacted on port 443
#   PASSWORD                    local sudo password, fed to sudo -S on stdin
# Address prefix handed out by this VPN; seeing it in `ip a` means the tunnel is up.
VPN_PREFIX=10.10.10

# check per 60 seconds
while true
do
    # determine if connected
    found=$(ip a | grep -c "$VPN_PREFIX")
    if [ "$found" -eq 0 ]
    then
        echo "Ready to connect VPN server..."
        # the vpn CLI reads username and password from stdin, one per line
        printf '%s\n%s\n' "$VPN_USERNAME" "$VPN_PASSWORD" | /opt/cisco/anyconnect/bin/vpn -s connect "$VPN_HOST:443"

        # Wait for the tunnel to come up
        sleep 5

        # determine if the connection failed
        found=$(ip a | grep -c "$VPN_PREFIX")
        if [ "$found" -eq 0 ]
        then
            # retry connect
            echo "Retry connect..."
            continue
        fi
        echo "connected!!!"
    else
        ip=$(ip a | grep "$VPN_PREFIX" | sed -r 's/.*\s(.*)\/.*/\1/')
        echo "Already connected, ip is $ip"
    fi

    # determine if the ACCEPT rule was added: rule 1 of the ciscovpn chain is
    # line 3 of the listing, after the chain header and the column header
    foundrule=$(printf '%s\n' "$PASSWORD" | sudo -S iptables -vnL ciscovpn | sed -n '3p' | grep cscotun0)
    if [ ! "$foundrule" ]
    then
        # insert an ACCEPT for traffic on the VPN tunnel interface at the top of
        # the ciscovpn chain, ahead of the rule that drops the container traffic
        printf '%s\n' "$PASSWORD" | sudo -S iptables -t filter -I ciscovpn -i cscotun0 -p all -j ACCEPT
        echo "Add ACCEPT rule"
    fi

    # check per 60 seconds
    sleep 60
done
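As an added example (not part of the post above or of the Docker project), steps 2 and 3 of the procedure can be automated: the function below reads `iptables -vnL` output and reports every DROP rule, and every chain whose default DROP policy has a non-zero packet counter, then prints the `iptables -I` (or `-A` for a policy) command that would insert an ACCEPT directly ahead of it. The listing is constructed to look like iptables output and was not captured from a real host; the `docker0` interface is assumed (Docker's default bridge, on which container-originated traffic enters the FORWARD chain). Commands are printed rather than executed so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Constructed sample of `sudo iptables -vnL` output (not from a real host; the
# ciscovpn chain contents are an assumption). Use -x (`iptables -vnxL`) on a real
# host so counters are exact numbers rather than abbreviated with K/M suffixes.
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ciscovpn   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ciscovpn   all  --  *      *       0.0.0.0/0            0.0.0.0/0
   12   720 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ciscovpn (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    7   588 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# find_drop_rules: read `iptables -vnL` output on stdin and print one line
# "CHAIN RULENUM PKTS" per DROP rule with a non-zero packet counter, or
# "CHAIN policy PKTS" when a chain's default DROP policy has dropped packets.
find_drop_rules() {
  awk '
    /^Chain / {                       # chain header: "Chain NAME (policy DROP N packets, ...)"
      chain = $2; n = 0
      if ($4 == "DROP" && $5 > 0) print chain, "policy", $5
      next
    }
    /^ *pkts/ || NF == 0 { next }      # column header or blank separator line
    { n++ }                            # 1-based rule position inside the chain
    $3 == "DROP" && $1 > 0 { print chain, n, $1 }
  '
}

# accept_rule_cmd CHAIN POSITION IFACE: print the iptables command that puts an
# ACCEPT for traffic arriving on IFACE directly ahead of the blocking rule.
# A default-policy drop has no rule number, so the ACCEPT is appended instead.
accept_rule_cmd() {
  if [ "$2" = policy ]; then
    printf 'iptables -A %s -i %s -j ACCEPT\n' "$1" "$3"
  else
    printf 'iptables -I %s %s -i %s -j ACCEPT\n' "$1" "$2" "$3"
  fi
}

# Report what is dropping traffic and the commands that would open it up.
printf '%s\n' "$SAMPLE" | find_drop_rules | while read -r chain pos pkts; do
  [ -n "$chain" ] || continue
  echo "# $chain: position $pos dropped $pkts packets"
  accept_rule_cmd "$chain" "$pos" docker0
done
```

On a live host, replace the constructed `SAMPLE` with `sudo iptables -vnxL` and run the output through the same pipeline; the printed commands are the concrete form of step 3, and inserting ahead of the DROP rule (rather than appending) is what makes them take effect.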

Kind of sad that neither the docker nor the wsl2 team is working on this issue. Most companies use a VPN for security and it is unacceptable that there is no fix yet.


I have the same issue. docker login does NOT work behind a VPN, error message: Login did not succeed, error: Error response from daemon: Get "https://registry-1.docker.io/v2/"

But logging in via Docker Desktop on Windows works, although it doesn’t help.

The problem is that without a proper docker login all container builds constantly re-download metadata for each container, which increases the build time for no reason at all… a huge cluster.

Please fix.