Hi,
I had the same need for work.
I resolved my problem by creating a new bridge and using iptables to change routes.
It's hard, but it works.
It works this way:
first - create a new network interface with:
~$ docker network create --attachable --opt 'com.docker.network.bridge.name=bridge-vpn' --opt 'com.docker.network.bridge.enable_ip_masquerade=false' bridge-vpn
second - configure iptables:
~$ RTABLE=10022
~$ RTNAME=bridge-vpn
~$ sudo iptables -t mangle -A PREROUTING -i ${RTNAME} -j MARK --set-xmark 0x${RTABLE}/0xffffffff
~$ sudo iptables -t mangle -A PREROUTING -i ${RTNAME} -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
~$ sudo ip rule add from all fwmark 0x${RTABLE} lookup ${RTABLE}
~$ sudo sysctl net.ipv4.conf.all.rp_filter=2
third - add the default gateway to the bridge:
~$ sudo ip route add $(ip route show dev ${RTNAME}) dev ${RTNAME} table ${RTABLE}
~$ IPVPN=$(ip address show tun0 | grep "inet " | sed -e 's|.*inet ||' -e 's|/.*||')
~$ sudo ip route add default via ${IPVPN} dev tun0 table ${RTABLE}
IPVPN is your VPN IP obtained from the tun0 connection; change this for your purpose.
And finally, you can test with a Docker busybox container, like this:
~$ docker run --network=bridge-vpn --rm -itd --name=container-busybox busybox
~$ docker start container-busybox
~$ docker attach container-busybox
On busybox, try this:
~# traceroute 8.8.8.8
For now the sysctl on rp_filter is necessary because I couldn't make it work without it; when the packet goes back it is dropped.
have fun…
… this editor is painful, the symbol $ sometimes appears and sometimes not, I give up on editing.
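The steps above, collected into a script so they can be dry-run, torn down again and verified. This is an added example, not the poster's own script: it assumes the same names the post uses (bridge `bridge-vpn`, routing table 10022, VPN device `tun0`), prints the privileged commands instead of running them unless `DRY_RUN=0`, and adds a leak check that asks the kernel (via `ip route get ... mark`) which device marked traffic would actually leave on. The sample `ip` outputs in the comments and tests are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the original poster's commands: the bridge-vpn steps as
# functions that can be dry-run, plus a leak check on the resulting routing.
# Assumed names (from the post): bridge-vpn, table 10022, tun0.
# DRY_RUN=1 (default) prints the privileged commands instead of executing them.
set -u

RTNAME="${RTNAME:-bridge-vpn}"
RTABLE="${RTABLE:-10022}"
VPNDEV="${VPNDEV:-tun0}"
DRY_RUN="${DRY_RUN:-1}"

# run: print a privileged command under DRY_RUN, otherwise execute it with sudo.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else sudo "$@"; fi
}

# fwmark_for_table: the post reuses the decimal table number as hex digits for
# the packet mark (10022 -> 0x10022); the MARK rule and the ip rule must agree.
fwmark_for_table() { printf '0x%s' "$1"; }

# vpn_ip_from_addr_output: first IPv4 address in `ip address show <dev>` text
# read from stdin (replaces the sed pipeline whose '*' the forum editor ate).
vpn_ip_from_addr_output() {
  awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# egress_dev_from_route_get: the "dev" field of `ip route get ...` output on stdin,
# e.g. "8.8.8.8 via 10.8.0.1 dev tun0 table 10022 src 10.8.0.2 uid 0" (constructed).
egress_dev_from_route_get() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# leak_check: succeed only when marked traffic would leave via the VPN device.
# Feed it:  ip route get 8.8.8.8 mark "$(fwmark_for_table "$RTABLE")"
leak_check() {
  local dev; dev=$(egress_dev_from_route_get)
  [ "$dev" = "$VPNDEV" ]
}

# setup: the post's three steps. bridge_subnet is the prefix that
# `ip route show dev $RTNAME` reports (e.g. 172.20.0.0/16), vpn_ip the tun0 address.
setup() {
  local bridge_subnet="$1" vpn_ip="$2"
  local mark; mark=$(fwmark_for_table "$RTABLE")
  run docker network create --attachable \
    --opt "com.docker.network.bridge.name=${RTNAME}" \
    --opt "com.docker.network.bridge.enable_ip_masquerade=false" "${RTNAME}"
  run iptables -t mangle -A PREROUTING -i "${RTNAME}" -j MARK --set-xmark "${mark}/0xffffffff"
  run iptables -t mangle -A PREROUTING -i "${RTNAME}" -j CONNMARK --save-mark \
    --nfmask 0xffffffff --ctmask 0xffffffff
  run ip rule add fwmark "${mark}" lookup "${RTABLE}"
  run sysctl net.ipv4.conf.all.rp_filter=2
  run ip route add "${bridge_subnet}" dev "${RTNAME}" table "${RTABLE}"
  run ip route add default via "${vpn_ip}" dev "${VPNDEV}" table "${RTABLE}"
}

# teardown: undo setup in reverse order so a dropped VPN does not leave stale
# rules behind (the container traffic would otherwise have no usable route).
teardown() {
  local mark; mark=$(fwmark_for_table "$RTABLE")
  run ip route flush table "${RTABLE}"
  run ip rule del fwmark "${mark}" lookup "${RTABLE}"
  run iptables -t mangle -D PREROUTING -i "${RTNAME}" -j CONNMARK --save-mark \
    --nfmask 0xffffffff --ctmask 0xffffffff
  run iptables -t mangle -D PREROUTING -i "${RTNAME}" -j MARK --set-xmark "${mark}/0xffffffff"
  run docker network rm "${RTNAME}"
}

# Usage on a real host (DRY_RUN=0): discover the two inputs, apply, then verify.
#   subnet=$(ip route show dev "$RTNAME" | awk '{ print $1; exit }')
#   vpn_ip=$(ip address show "$VPNDEV" | vpn_ip_from_addr_output)
#   setup "$subnet" "$vpn_ip"
#   ip route get 8.8.8.8 mark "$(fwmark_for_table "$RTABLE")" | leak_check \
#     && echo "marked traffic leaves via $VPNDEV"
```

The leak check is the part worth keeping even if you apply the rules by hand: `ip route get` with the same fwmark the PREROUTING rule sets resolves the route exactly as the kernel will for a container packet, so a `dev` other than `tun0` means the policy rule or table is wrong and traffic would fall through to the default table.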