VPN into swarm overlay network

I would like to be able to access the internal swarm network from my workstation (so I can debug or access internal services), but neither --privileged nor --cap-add exists in docker service, so far I am trying:

  • create an overlay network with --attachable

    docker network create -d overlay --attachable mynet
    
  • run vpn container (pritunl in this case)

    docker run -d --name pritunl -p 1194:1194 -p 1194:1194/udp -p 9700:80 -p 443:443 --cap-add NET_ADMIN --network mynet jippi/pritunl
    

With this I got the service running in the desired network, but as it is outside the swarm, the ports are exposed on the host only, so it is not accessible from outside.

Any tip will be welcome.

Is there no Swarm user who requires some kind of “admin only” connection to swarm services?

Is docker swarm advised for anything other than a very simple infrastructure?

I’m using ssh to set up tunnels: https://finestructure.co/blog/2017/2/4/securely-entering-a-docker-swarm

This has worked fine for me so far but it can be a bit tedious setting up a lot of tunnels. I’m actually looking into setting up a vpn instead and would imagine the process to work similarly to the tunnel.

Regarding your particular problem - it looks like you’ve got services on different networks. I’d add the vpn as a service to your swarm (like I do in the ssh tunnel setup described above). I remember vaguely that there are issues with attachable networks in docker swarm.
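As an added example (not from either poster, and not the pritunl project’s own configuration), here is what “add the vpn as a service to your swarm” can look like as a stack file, reusing the `mynet` attachable overlay network and the `jippi/pritunl` image from the question. It assumes Docker Engine 20.10 or newer, where `docker service create` and `docker stack deploy` gained `cap_add` support; on older engines the capability is silently dropped, which is exactly the limitation the question ran into. The file name `vpn-stack.yml`, the stack name `vpn`, and the manager-node placement constraint are assumptions for the example.

```yaml
# vpn-stack.yml (example, not from the original thread)
# Deploy with:  docker stack deploy -c vpn-stack.yml vpn
version: "3.8"

services:
  pritunl:
    image: jippi/pritunl
    # NET_ADMIN is needed so the VPN daemon can create its tun device
    # and push routes; requires Docker Engine 20.10+ for swarm services.
    cap_add:
      - NET_ADMIN
    ports:
      # Long port syntax so the UDP tunnel port is published in host mode:
      # ingress (routing-mesh) mode would SNAT every client behind the
      # node's IP, which hides the real peer address from the VPN server.
      - target: 1194
        published: 1194
        protocol: udp
        mode: host
      - target: 1194
        published: 1194
        protocol: tcp
        mode: host
      # Admin web UI and HTTPS stay on the routing mesh (default ingress mode)
      - "9700:80"
      - "443:443"
    networks:
      # Joining the overlay network is what gives VPN clients reachability
      # to the other services' internal addresses once they connect.
      - mynet
    deploy:
      replicas: 1
      placement:
        constraints:
          # Host-mode ports bind on the node running the task, so pin the
          # task to a known node (assumption: a manager) and point clients at it.
          - node.role == manager

networks:
  mynet:
    # Created beforehand exactly as in the question:
    #   docker network create -d overlay --attachable mynet
    # Declaring it external keeps the name "mynet" (a stack-defined network
    # would be renamed to vpn_mynet).
    external: true
```

Each other internal service you want to reach through the VPN must also be attached to `mynet` (add it under that service’s `networks:` in its own stack), which is the “services on different networks” point raised in the reply. Because the VPN task is now a swarm service rather than a stand-alone container, it follows the node constraint on reschedule and its published ports survive a restart, so the tunnel endpoint stays where the clients expect it.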