Swarm, node-local network, ipam and managing service address

This post provides quite a bit of useful information but does not cover everything I need…
https://forums.docker.com/t/address-conflict-using-macvlan-network-driver-in-swarm/41044?u=crobitaille

Before going into the details of my issue, does anyone know if there is documentation about the default IPAM driver? There is a lot of reference to it throughout the guides, reference and other documents but I spent 1h searching for a formal reference for this driver but could not find one.

Now my issue.

I am trying to use swarm to deploy stacks of services on remote worker nodes that sit behind a firewall + NAT. My understanding is that swarm should at least be able to deploy the stacks, that is, the local engines are able to connect to one or more manager nodes (the managers are reachable) and get going. I may be proven wrong if the manager(s) need to contact the workers’ engines; but this is TBD.

Once the local stack is running on each node, I plan to have one of the services actually be a VPN client routing the local docker bridge network (not the host’s network but really a local docker-only network that connects all the services, including the VPN) to another network. This other network, at the other end of the VPN, is serving another type of service stack. The former type of stack will have 1000s of workers while the latter type of stack will only have a handful of instances.

I need to have the services from the first type of stack be accessible from services in the other type of stack; this means that the local subnet needs to be unique across the whole swarm scope and routable through the VPN. I know how to manage the node-local network (from the post I reference above and other readings) to do this (I will more than likely have one of the services in the local stack act as a local manager for the network, which somehow gets a unique subnet configuration to apply). What I do not know is how to assign a fixed IP address to the VPN service, which must match the gateway address defined for the local docker network. Said differently, I would like to be able to define a generic stack for the remote workers but have the VPN address match the gateway of the node-local subnet, which is only known locally in the worker and only at run time.

I am hoping that the IPAM driver can help me with this; i.e., that it is possible to instruct the driver to pick up the gateway info from the local network and apply it to the VPN service. But since there is little documentation for this driver I suspect that this is beyond its capability. If so, do you have any suggestions on how to achieve this?
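Two pieces of the setup described above can be handled outside the IPAM driver: reading the gateway back from the engine once the node-local network exists (instead of hard-coding it in the stack), and checking that each node's subnet does not overlap another node's, which is what makes the subnets routable through the VPN and avoids the address conflict the referenced thread is about. The script below is an added example, not code from the original post or from Docker; the `docker network inspect` output it parses is a constructed sample in the JSON shape that command prints, the network name `stack_local` and the `10.42.0.0/16` pool are assumptions, and `allocate_node_subnet` is a stand-in for the "local manager" role the post sketches, not a Docker feature.

```python
"""Derive node-local network parameters from `docker network inspect`
output and keep per-node subnets unique across the swarm scope.

Added example. SAMPLE_INSPECT is a constructed stand-in for the JSON that
`docker network inspect stack_local` would print on a worker.
"""
import ipaddress
import json

SAMPLE_INSPECT = json.dumps([{
    "Name": "stack_local",        # constructed network name
    "Driver": "bridge",
    "IPAM": {
        "Driver": "default",
        "Options": {},
        "Config": [{"Subnet": "10.42.7.0/24", "Gateway": "10.42.7.1"}],
    },
}])


def ipam_config(inspect_json):
    """Return (subnet, gateway) pairs from the IPAM section of inspect output.

    The gateway is only known once the engine has created the network, so it
    is read back here rather than assumed from the stack definition.
    """
    networks = json.loads(inspect_json)
    if len(networks) != 1:
        raise ValueError("expected exactly one network in inspect output")
    pairs = []
    for cfg in networks[0]["IPAM"]["Config"]:
        subnet = ipaddress.ip_network(cfg["Subnet"])
        if "Gateway" not in cfg:
            raise ValueError(f"no Gateway recorded for {subnet}")
        gateway = ipaddress.ip_address(cfg["Gateway"])
        if gateway not in subnet:
            raise ValueError(f"gateway {gateway} lies outside {subnet}")
        pairs.append((subnet, gateway))
    return pairs


def gateway_for_vpn(inspect_json):
    """The address the VPN service must take: the node-local network's gateway."""
    (_subnet, gateway), = ipam_config(inspect_json)  # exactly one IPv4 config expected
    return str(gateway)


def overlapping(candidate, allocated):
    """Return the already-allocated subnets that overlap `candidate`.

    A node-local subnet that overlaps another node's is not routable through
    the VPN, so a non-empty result means the candidate must be rejected.
    """
    cand = ipaddress.ip_network(candidate)
    return [s for s in allocated if ipaddress.ip_network(s).overlaps(cand)]


def allocate_node_subnet(allocated, pool="10.42.0.0/16", prefix=24):
    """Hand out the first /prefix block of `pool` free of overlaps.

    Stand-in for the 'local manager' the post describes; `pool` and `prefix`
    are assumed values.
    """
    for block in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not overlapping(str(block), allocated):
            return str(block)
    raise RuntimeError("subnet pool exhausted")


if __name__ == "__main__":
    taken = ["10.42.0.0/24", "10.42.1.0/24"]
    print("next free subnet:", allocate_node_subnet(taken))
    print("VPN address for this node:", gateway_for_vpn(SAMPLE_INSPECT))
```

In practice the subnet and gateway come from whoever creates the network on the worker (`docker network create --subnet ... --gateway ...`) and are read back with `docker network inspect`; the value `gateway_for_vpn` returns would then be passed to the VPN container, for example through an environment variable, which sidesteps the IPAM driver entirely. Whether swarm mode will let a service bind that exact address is the open question of the post and is not answered by this script.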