OpenVPN container allows client connection, but not internal network access

I’m sorry ahead of time for such a long post. I’m using the kylemanna/openvpn image to allow connections from the outside into my private network. I’m able to get the containers running and a client to connect successfully, but after connecting, the client has no access to the other containers on my docker network. I’ve spent days trying various configurations and have searched the Internet for similar issues, but the other fixes don’t seem to apply to my setup. I suspect this is a routing issue on my host, but can’t be sure. Here are the steps I am taking as of now:

my setup:

$ uname -a

Linux dockerhost01 4.9.0-7-amd64 #1 SMP Debian 4.9.110-1 (2018-07-05) x86_64 GNU/Linux

$ docker-compose version

docker-compose version 1.20.0, build ca8d3c6
docker-py version: 3.1.3
CPython version: 3.6.4
OpenSSL version: OpenSSL 1.0.1t  3 May 2016

$ docker version

Client:
 Version:      18.05.0-ce
 API version:  1.37
 Go version:   go1.9.5
 Git commit:   f150324
 Built:        Wed May  9 22:16:20 2018
 OS/Arch:      linux/amd64
 Experimental: false
 Orchestrator: swarm

Server:
 Engine:
  Version:      18.05.0-ce
  API version:  1.37 (minimum version 1.12)
  Go version:   go1.9.5
  Git commit:   f150324
  Built:        Wed May  9 22:14:30 2018
  OS/Arch:      linux/amd64
  Experimental: false

my docker-compose file:

version: '2.2'

services:

    1_openvpn:
        cap_add:
            - NET_ADMIN
        image: kylemanna/openvpn:latest
        container_name: 1_openvpn
        ports:
            - '21200:1194/udp'
        tty: true
        restart: always
        volumes:
            - /data/n_1/openvpn:/etc/openvpn
        networks:
             - 1_subnet

    1_apache:
        image: php-7.2-apache
        container_name: 1_apache
        restart: always
        environment:
            - ALLOW_OVERRIDE=true
        expose:
            - '80'
        volumes:
            - /data/n_1/apache:/var/lib/apache
        networks:
            - 1_subnet

networks:
    1_subnet:
        name: 1_subnet
        driver: bridge
        ipam:
            driver: default
            config:
            - subnet: 172.21.0.0/24

First I generate the OpenVPN config files,

$ docker-compose run --rm 1_openvpn ovpn_genconfig -c -u udp://(VPN_PUBLIC_IP):1194 -p "172.21.0.0 255.255.255.0"

then I generate the EasyRSA PKI cert authority.

$ docker-compose run --rm 1_openvpn ovpn_initpki

I spin them up,

$ docker-compose up -d

and add a client.

$ docker-compose run --rm 1_openvpn easyrsa build-client-full USERNAME

Now I get the client config file to transfer to the server ill be using as a remote client.

$ docker-compose run --rm 1_openvpn ovpn_getclient USERNAME > USERNAME.ovpn

In what should be the final setup step, I add IPv4 forwarding rules.

$ sudo sysctl -w net.ipv4.ip_forward=1
$ sudo iptables -A FORWARD -i tun+ -j ACCEPT
$ sudo ip route add 192.168.255.0/24 via 172.21.0.1

Everything looks good up to here, as this is almost verbatim what the available recipes for this image call for. I go to my remote client and connect to my VPN server.

$ sudo openvpn --config CLIENTNAME.ovpn

Wed Aug  8 22:41:10 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Wed Aug  8 22:41:10 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Enter Private Key Password: ******
Wed Aug  8 22:41:12 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Aug  8 22:41:12 2018 TCP/UDP: Preserving recently used remote address: [AF_INET](VPN_PUBLIC_IP):1194
Wed Aug  8 22:41:12 2018 UDP link local: (not bound)
Wed Aug  8 22:41:12 2018 UDP link remote: [AF_INET](VPN_PUBLIC_IP):1194
Wed Aug  8 22:41:12 2018 [VPN_PUBLIC_IP] Peer Connection Initiated with [AF_INET]VPN_PUBLIC_IP:1194
Wed Aug  8 22:41:13 2018 TUN/TAP device tun0 opened
Wed Aug  8 22:41:13 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Aug  8 22:41:13 2018 /sbin/ip link set dev tun0 up mtu 1500
Wed Aug  8 22:41:13 2018 /sbin/ip addr add dev tun0 local 192.168.255.6 peer 192.168.255.5
Wed Aug  8 22:41:13 2018 Initialization Sequence Completed

I verify I’m getting a connection by watching the logs of my VPN container:

$ docker logs 1_openvpn -f

Wed Aug  8 22:08:02 2018 (CLIENT_IP):33295 TLS: Initial packet from [AF_INET](CLIENT_IP):33295, sid=b1a902fd cd9e9062
Wed Aug  8 22:08:03 2018 (CLIENT_IP):33295 VERIFY OK: depth=1, CN=#(VPN_PUBLIC_IP)#
Wed Aug  8 22:08:03 2018 (CLIENT_IP):33295 VERIFY OK: depth=0, CN=CLIENTNAME
Wed Aug  8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_VER=2.4.0
Wed Aug  8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_PLAT=linux
Wed Aug  8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_PROTO=2
Wed Aug  8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_NCP=2
Wed Aug  8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_LZ4=1
Wed Aug  8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_LZ4v2=1
Wed Aug  8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_LZO=1
Wed Aug  8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_COMP_STUB=1
Wed Aug  8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_COMP_STUBv2=1
Wed Aug  8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_TCPNL=1
Wed Aug  8 22:08:03 2018 (CLIENT_IP):33295 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Aug  8 22:08:03 2018 (CLIENT_IP):33295 [CLIENTNAME] Peer Connection Initiated with [AF_INET](CLIENT_IP):33295
Wed Aug  8 22:08:03 2018 CLIENTNAME/(CLIENT_IP):33295 MULTI_sva: pool returned IPv4=192.168.255.6, IPv6=(Not enabled)
Wed Aug  8 22:08:03 2018 CLIENTNAME/(CLIENT_IP):33295 MULTI: Learn: 192.168.255.6 -> CLIENTNAME/(CLIENT_IP):33295
Wed Aug  8 22:08:03 2018 CLIENTNAME/(CLIENT_IP):33295 MULTI: primary virtual IP for CLIENTNAME/(CLIENT_IP):33295: 192.168.255.6
Wed Aug  8 22:08:04 2018 CLIENTNAME/(CLIENT_IP):33295 PUSH: Received control message: 'PUSH_REQUEST'
Wed Aug  8 22:08:04 2018 CLIENTNAME/(CLIENT_IP):33295 SENT CONTROL [CLIENTNAME]: 'PUSH_REPLY,route 172.21.0.0 255.255.255.0,route 192.168.255.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5,peer-id 0,cipher AES-256-GCM' (status=1)
Wed Aug  8 22:08:04 2018 CLIENTNAME/(CLIENT_IP):33295 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Aug  8 22:08:04 2018 CLIENTNAME/(CLIENT_IP):33295 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Aug  8 22:08:04 2018 CLIENTNAME/(CLIENT_IP):33295 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Now when I go to ping the apache container, I get “host unreachable.” I’m lost, any help can be appreciated.

Problem solved.

For anybody else that runs into the same issue, ping isn’t always enabled on containers, so don’t rely exclusively on pinging to verify connectivity. Curl worked fine, and I’ve wasted a ton of time.

1 Like

Hello @justinbod

Are you able to curl/ping back? I mean from inside of a host container, are you able to access the client ip address?

I am connecting some controllers to my host app, using openvpn but I need the host to access the controllers as well.

I have done a lot of research but no success yet…

Thanks!