I am trying to configure a docker-compose stack with a container that connects to a VPN, and another container that exposes an HTTP service which is reachable only through that VPN connection.
I searched online and found that the network_mode: service:<serviceName> setting in docker-compose.yml should do the trick, but it is not working in my environment.
If I start the two containers separately with docker run and the --network=container:<containerName> setting, everything works and I can correctly connect to the remote HTTP service with curl localhost:8080.
Here is the working configuration with two separate commands:
docker run --rm --name vpn --privileged --hostname vpn --publish 127.0.0.1:8080:80 --device /dev/net/tun --cap-add NET_ADMIN registry.internal.com/vpnclient
docker run --rm --name proxy --network=container:vpn registry.internal.com/proxy
And here is docker-compose.yml that is not working:
version: '3'
services:
  vpn:
    container_name: vpn
    image: registry.internal.com/vpnclient
    privileged: true
    ports:
      - 8080:80
    devices:
      - /dev/net/tun
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1
    restart: unless-stopped
  proxy:
    container_name: proxy
    image: registry.internal.com/proxy
    depends_on:
      - vpn
    network_mode: service:vpn
    restart: unless-stopped