I’m sorry ahead of time for such a long post. I’m using the kylemanna/openvpn image to allow connections from the outside into my private network. I’m able to get the containers running and a client to connect successfully, but after connecting, the client has no access to the other containers on my docker network. I’ve spent days trying various configurations and have searched the Internet for similar issues, but the other fixes don’t seem to apply to my setup. I suspect this is a routing issue on my host, but can’t be sure. Here are the steps I am taking as of now:
My setup:
$ uname -a
Linux dockerhost01 4.9.0-7-amd64 #1 SMP Debian 4.9.110-1 (2018-07-05) x86_64 GNU/Linux
$ docker-compose version
docker-compose version 1.20.0, build ca8d3c6
docker-py version: 3.1.3
CPython version: 3.6.4
OpenSSL version: OpenSSL 1.0.1t  3 May 2016
$ docker version
Client:
 Version:      18.05.0-ce
 API version:  1.37
 Go version:   go1.9.5
 Git commit:   f150324
 Built:        Wed May  9 22:16:20 2018
 OS/Arch:      linux/amd64
 Experimental: false
 Orchestrator: swarm

Server:
 Engine:
  Version:      18.05.0-ce
  API version:  1.37 (minimum version 1.12)
  Go version:   go1.9.5
  Git commit:   f150324
  Built:        Wed May  9 22:14:30 2018
  OS/Arch:      linux/amd64
  Experimental: false
My docker-compose file:
version: '2.2'
services:
  1_openvpn:
    cap_add:
      - NET_ADMIN
    image: kylemanna/openvpn:latest
    container_name: 1_openvpn
    ports:
      - '21200:1194/udp'
    tty: true
    restart: always
    volumes:
      - /data/n_1/openvpn:/etc/openvpn
    networks:
      - 1_subnet
  1_apache:
    image: php-7.2-apache
    container_name: 1_apache
    restart: always
    environment:
      - ALLOW_OVERRIDE=true
    expose:
      - '80'
    volumes:
      - /data/n_1/apache:/var/lib/apache
    networks:
      - 1_subnet
networks:
  1_subnet:
    name: 1_subnet
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.21.0.0/24
First I generate the OpenVPN config files,
$ docker-compose run --rm 1_openvpn ovpn_genconfig -c -u udp://(VPN_PUBLIC_IP):1194 -p "172.21.0.0 255.255.255.0"
then I generate the EasyRSA PKI cert authority.
$ docker-compose run --rm 1_openvpn ovpn_initpki
I spin them up,
$ docker-compose up -d
and add a client.
$ docker-compose run --rm 1_openvpn easyrsa build-client-full USERNAME
Now I get the client config file to transfer to the server I'll be using as a remote client.
$ docker-compose run --rm 1_openvpn ovpn_getclient USERNAME > USERNAME.ovpn
In what should be the final setup step, I add IPv4 forwarding rules.
$ sudo sysctl -w net.ipv4.ip_forward=1
$ sudo iptables -A FORWARD -i tun+ -j ACCEPT
$ sudo ip route add 192.168.255.0/24 via 172.21.0.1
Everything looks good up to here, as this is almost verbatim what the available recipes for this image call for. I go to my remote client and connect to my VPN server.
$ sudo openvpn --config CLIENTNAME.ovpn
Wed Aug 8 22:41:10 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Wed Aug 8 22:41:10 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Enter Private Key Password: ******
Wed Aug 8 22:41:12 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Aug 8 22:41:12 2018 TCP/UDP: Preserving recently used remote address: [AF_INET](VPN_PUBLIC_IP):1194
Wed Aug 8 22:41:12 2018 UDP link local: (not bound)
Wed Aug 8 22:41:12 2018 UDP link remote: [AF_INET](VPN_PUBLIC_IP):1194
Wed Aug 8 22:41:12 2018 [VPN_PUBLIC_IP] Peer Connection Initiated with [AF_INET]VPN_PUBLIC_IP:1194
Wed Aug 8 22:41:13 2018 TUN/TAP device tun0 opened
Wed Aug 8 22:41:13 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Aug 8 22:41:13 2018 /sbin/ip link set dev tun0 up mtu 1500
Wed Aug 8 22:41:13 2018 /sbin/ip addr add dev tun0 local 192.168.255.6 peer 192.168.255.5
Wed Aug 8 22:41:13 2018 Initialization Sequence Completed
I verify I’m getting a connection by watching the logs of my VPN container:
$ docker logs 1_openvpn -f
Wed Aug 8 22:08:02 2018 (CLIENT_IP):33295 TLS: Initial packet from [AF_INET](CLIENT_IP):33295, sid=b1a902fd cd9e9062
Wed Aug 8 22:08:03 2018 (CLIENT_IP):33295 VERIFY OK: depth=1, CN=#(VPN_PUBLIC_IP)#
Wed Aug 8 22:08:03 2018 (CLIENT_IP):33295 VERIFY OK: depth=0, CN=CLIENTNAME
Wed Aug 8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_VER=2.4.0
Wed Aug 8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_PLAT=linux
Wed Aug 8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_PROTO=2
Wed Aug 8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_NCP=2
Wed Aug 8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_LZ4=1
Wed Aug 8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_LZ4v2=1
Wed Aug 8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_LZO=1
Wed Aug 8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_COMP_STUB=1
Wed Aug 8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_COMP_STUBv2=1
Wed Aug 8 22:08:03 2018 (CLIENT_IP):33295 peer info: IV_TCPNL=1
Wed Aug 8 22:08:03 2018 (CLIENT_IP):33295 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Aug 8 22:08:03 2018 (CLIENT_IP):33295 [CLIENTNAME] Peer Connection Initiated with [AF_INET](CLIENT_IP):33295
Wed Aug 8 22:08:03 2018 CLIENTNAME/(CLIENT_IP):33295 MULTI_sva: pool returned IPv4=192.168.255.6, IPv6=(Not enabled)
Wed Aug 8 22:08:03 2018 CLIENTNAME/(CLIENT_IP):33295 MULTI: Learn: 192.168.255.6 -> CLIENTNAME/(CLIENT_IP):33295
Wed Aug 8 22:08:03 2018 CLIENTNAME/(CLIENT_IP):33295 MULTI: primary virtual IP for CLIENTNAME/(CLIENT_IP):33295: 192.168.255.6
Wed Aug 8 22:08:04 2018 CLIENTNAME/(CLIENT_IP):33295 PUSH: Received control message: 'PUSH_REQUEST'
Wed Aug 8 22:08:04 2018 CLIENTNAME/(CLIENT_IP):33295 SENT CONTROL [CLIENTNAME]: 'PUSH_REPLY,route 172.21.0.0 255.255.255.0,route 192.168.255.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5,peer-id 0,cipher AES-256-GCM' (status=1)
Wed Aug 8 22:08:04 2018 CLIENTNAME/(CLIENT_IP):33295 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Aug 8 22:08:04 2018 CLIENTNAME/(CLIENT_IP):33295 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Aug 8 22:08:04 2018 CLIENTNAME/(CLIENT_IP):33295 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Now when I go to ping the apache container, I get "host unreachable." I'm lost; any help would be appreciated.
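The two things a setup like this depends on are visible in the material above: the routes the server pushes to the client (the PUSH_REPLY line in the container log) and the host's return route for the VPN subnet (the `ip route add` step). The script below is an added troubleshooting aid, not part of the post or of the kylemanna/openvpn image; it parses server-log lines shaped like the ones above (the two sample lines are constructed for the example), checks whether a given container address is covered by a pushed route, and sanity-checks a host `ip route` line for the VPN subnet. It assumes the Docker bridge is 172.21.0.0/24 as in the compose file, that Docker gives the first usable address of that subnet to the host-side bridge interface (its default), and that the return route's next hop should be the OpenVPN container's own address inside that subnet; the interface name `br-1_subnet` is a placeholder.

```python
import ipaddress
import re

# Constructed sample: two lines shaped like the OpenVPN server log in the post
# (the address-pool assignment and the PUSH_REPLY), not copied from a live system.
SERVER_LOG = """\
Wed Aug 8 22:08:03 2018 CLIENTNAME/(CLIENT_IP):33295 MULTI_sva: pool returned IPv4=192.168.255.6, IPv6=(Not enabled)
Wed Aug 8 22:08:04 2018 CLIENTNAME/(CLIENT_IP):33295 SENT CONTROL [CLIENTNAME]: 'PUSH_REPLY,route 172.21.0.0 255.255.255.0,route 192.168.255.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5,peer-id 0,cipher AES-256-GCM' (status=1)
"""

POOL_RE = re.compile(r"pool returned IPv4=(\d+\.\d+\.\d+\.\d+)")
PUSH_RE = re.compile(r"PUSH_REPLY,(.*?)'")


def parse_push_reply(log_text):
    """Extract the client's virtual IP and the networks the server pushed as routes."""
    client_ip = None
    routes = []
    for line in log_text.splitlines():
        m = POOL_RE.search(line)
        if m:
            client_ip = ipaddress.ip_address(m.group(1))
        m = PUSH_RE.search(line)
        if m:
            for option in m.group(1).split(","):
                parts = option.split()
                # only 'route <network> <netmask>' entries matter here; other
                # pushed options (topology, ping, ifconfig, cipher) are skipped
                if len(parts) == 3 and parts[0] == "route":
                    routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return client_ip, routes


def route_pushed_for(target, routes):
    """True if at least one pushed route covers the target address."""
    return any(ipaddress.ip_address(target) in net for net in routes)


def check_return_route(route_line, vpn_net, bridge_net):
    """Inspect one host 'ip route' line for the VPN subnet and return a list of
    problems (an empty list means the return path looks plausible).

    Assumptions (hypothetical, stated in the lead-in): the next hop must be a
    container address inside the Docker bridge subnet, and Docker assigns the
    first usable address of that subnet to the host-side bridge by default."""
    problems = []
    m = re.match(r"(\S+)\s+via\s+(\S+)", route_line.strip())
    if not m:
        return ["route has no 'via' next hop"]
    dst = ipaddress.ip_network(m.group(1), strict=False)
    gw = ipaddress.ip_address(m.group(2))
    vpn = ipaddress.ip_network(vpn_net)
    bridge = ipaddress.ip_network(bridge_net)
    if dst != vpn:
        problems.append(f"route destination {dst} is not the VPN subnet {vpn}")
    if gw not in bridge:
        problems.append(f"next hop {gw} is outside the Docker bridge subnet {bridge}")
    elif gw == next(bridge.hosts()):
        problems.append(
            f"next hop {gw} is the bridge's own gateway address, i.e. the host itself; "
            "the next hop should be the OpenVPN container's address")
    return problems


if __name__ == "__main__":
    client_ip, routes = parse_push_reply(SERVER_LOG)
    print("client virtual IP:", client_ip)
    print("pushed routes:", [str(r) for r in routes])
    print("route to 172.21.0.3 pushed:", route_pushed_for("172.21.0.3", routes))
    for line in ("192.168.255.0/24 via 172.21.0.1 dev br-1_subnet",
                 "192.168.255.0/24 via 172.21.0.2 dev br-1_subnet"):
        print(line, "->", check_return_route(line, "192.168.255.0/24", "172.21.0.0/24") or "ok")
```

Feed it the real container log (`docker logs 1_openvpn`) and the output of `ip route show` on the host to see which half of the path is missing: a target address that no pushed route covers means the client never sends the packet into the tunnel, while a return route whose next hop is not the OpenVPN container means replies from the Docker network never get back into the tunnel.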