
Manager

I have a docker swarm setup on a mesh VPN. My manager is on 10.0.0.1. I have run:

docker swarm init --advertise-addr=wg0

which then uses the VPN IP to listen on 10.0.0.1 as opposed to the default public IP.


Worker

On my worker 10.0.0.2 I can then join the swarm:

docker swarm join --token SWMTKN-1... 10.0.0.1:2377

And everything works great.


The question

Unfortunately, I imagined that this setup would mean that all network activity for the swarm would be under this VPN, in that you could only route to the container from within the VPN network 10.0.0.0/24. This is not the case: if one of my services on a worker node uses a port, let's say 80, then routing to PUB_IP_OF_SWARM:80 is handled by Docker although I have not explicitly exposed port 80 on the swarm, e.g.:

    ports:
      - 80:80

When running docker ps I can see that a container has 80/tcp under PORTS, but even if I remove that container I am routed somewhere by Docker. When inspecting with Wireshark:

    -- DOCKER CONTAINER WITH PORT 80 NOT RUNNING
    201 42.900853464   172.18.0.2 → SOME PUBLIC IP I DON'T RECOGNISE TCP 58 [TCP Retransmission] 80 → 46521 [SYN, ACK] Seq=0 Ack=1 Win=64860 Len=0 MSS=1410
    -- DOCKER CONTAINER WITH PORT 80 RUNNING
    202 44.578866182   172.18.0.1 → 172.18.0.2   TCP 74 42142 → 80 [SYN] Seq=0 Win=65495 Len=0 MSS=65495 SACK_PERM=1 TSval=2625752199 TSecr=0 WS=128
    203 44.598042481   172.18.0.2 → 127.0.0.1    TCP 74 80 → 42142 [SYN, ACK] Seq=0 Ack=1 Win=64308 Len=0 MSS=1410 SACK_PERM=1 TSval=2603481334 TSecr=2625752199 WS=128
    204 44.598106511   172.18.0.1 → 172.18.0.2   TCP 66 42142 → 80 [ACK] Seq=1 Ack=1 Win=65536 Len=0 TSval=2625752219 TSecr=2603481334
    205 44.598262858   172.18.0.1 → 172.18.0.2   HTTP 139 GET / HTTP/1.1
    206 44.616831844   172.18.0.2 → 127.0.0.1    TCP 66 80 → 42142 [ACK] Seq=1 Ack=74 Win=64256 Len=0 TSval=2603481353 TSecr=2625752219
    207 44.618663675   172.18.0.2 → 127.0.0.1    HTTP 220 HTTP/1.1 302 Found  (text/plain)

When making an HTTP request to my worker node externally it returns a 404, and I believe it is being routed to my manager, although I can't see that being the case in the Wireshark logs:

     5 2.297454567 MY HOME IP → 172.18.0.2   TCP 78 62063 → 443 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1380 WS=64 TSval=442045669 TSecr=0 SACK_PERM=1
     6 2.315953260   172.18.0.2 → MY HOME IP TCP 74 443 → 62063 [SYN, ACK, ECN] Seq=0 Ack=1 Win=64308 Len=0 MSS=1410 SACK_PERM=1 TSval=2607358273 TSecr=442045669 WS=128
     7 2.335935602 MY HOME IP → 172.18.0.2   TCP 66 62063 → 443 [ACK] Seq=1 Ack=1 Win=131328 Len=0 TSval=442045707 TSecr=2607358273
     8 2.336135170 MY HOME IP → 172.18.0.2   TLSv1 583 Client Hello
     9 2.360086448   172.18.0.2 → MY HOME IP TCP 66 443 → 62063 [ACK] Seq=1 Ack=518 Win=63872 Len=0 TSval=2607358312 TSecr=442045707
    10 2.360197845   172.18.0.2 → MY HOME IP TLSv1.3 1434 Server Hello, Change Cipher Spec, Application Data, Application Data, Application Data
    11 2.360204742   172.18.0.2 → MY HOME IP TLSv1.3 264 Application Data, Application Data
    12 2.379397317 MY HOME IP → 172.18.0.2   TCP 66 62063 → 443 [ACK] Seq=518 Ack=1567 Win=129728 Len=0 TSval=442045750 TSecr=2607358317
    13 2.418295248 MY HOME IP → 172.18.0.2   TLSv1.3 96 Change Cipher Spec, Application Data
    14 2.418338129 MY HOME IP → 172.18.0.2   TCP 66 62063 → 443 [FIN, ACK] Seq=548 Ack=1567 Win=131072 Len=0 TSval=442045787 TSecr=2607358317
    15 2.437103286   172.18.0.2 → MY HOME IP TCP 66 443 → 62063 [FIN, ACK] Seq=1567 Ack=549 Win=64128 Len=0 TSval=2607358394 TSecr=442045787
    16 2.457970013 MY HOME IP → 172.18.0.2   TCP 66 62063 → 443 [ACK] Seq=549 Ack=1568 Win=131072 Len=0 TSval=442045825 TSecr=2607358394
    17 3.270244135 MY HOME IP → 172.18.0.2   TCP 78 62066 → 443 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1380 WS=64 TSval=442046631 TSecr=0 SACK_PERM=1
    18 3.289073793   172.18.0.2 → MY HOME IP TCP 74 443 → 62066 [SYN, ACK, ECN] Seq=0 Ack=1 Win=64308 Len=0 MSS=1410 SACK_PERM=1 TSval=2607359246 TSecr=442046631 WS=128
    19 3.314538917 MY HOME IP → 172.18.0.2   TCP 66 62066 → 443 [ACK] Seq=1 Ack=1 Win=131328 Len=0 TSval=442046673 TSecr=2607359246
    20 3.315201380 MY HOME IP → 172.18.0.2   TLSv1 583 Client Hello

Can anyone explain why Docker is taking over all networking and how to stop it?

maxisme

0 Answers
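Added worked example (editor's code, not from the original post, which has no answer on this page). The behaviour described in the question is what the swarm routing mesh does by design: a port published with the short 80:80 syntax is published in ingress mode, and every node in the swarm then accepts connections on that port on all of its interfaces, not only on the VPN address. docker swarm init --advertise-addr only selects the address other nodes use to reach the manager (port 2377) and to carry overlay traffic; it does not confine published service ports. Docker also installs its own iptables rules, so host firewall rules on INPUT do not see this traffic; the supported hook is the DOCKER-USER chain, which Docker consults before its own FORWARD rules. The script below audits which services publish ports in ingress mode and generates DOCKER-USER rules that drop connections to those ports when they arrive on the public interface from outside the VPN subnet. The sample docker service inspect output is constructed for this example (three made-up services), and the interface name eth0 and the subnet 10.0.0.0/24 are assumptions taken from the question's addressing.

```python
"""Audit swarm service published ports and generate DOCKER-USER firewall rules.

Added example for the question above; not code from the original post.
Assumptions: the public interface is eth0, the VPN subnet is 10.0.0.0/24,
and the three services in SAMPLE_ENDPOINTS are made up.
"""
import ipaddress
import json
import subprocess

# Constructed sample of what
#   docker service inspect --format '{{json .Endpoint}}' <service>
# prints for three hypothetical services. Not captured from a real swarm.
SAMPLE_ENDPOINTS = {
    # Published with the short "80:80" syntax: PublishMode is ingress, so every
    # node accepts connections on port 80 on all interfaces.
    "web": json.dumps({
        "Spec": {"Mode": "vip", "Ports": [{"Protocol": "tcp", "TargetPort": 80,
                                           "PublishedPort": 80, "PublishMode": "ingress"}]},
        "Ports": [{"Protocol": "tcp", "TargetPort": 80,
                   "PublishedPort": 80, "PublishMode": "ingress"}],
    }),
    # Published with mode=host: only the node running the task listens.
    "node-exporter": json.dumps({
        "Spec": {"Mode": "vip", "Ports": [{"Protocol": "tcp", "TargetPort": 9100,
                                           "PublishedPort": 9100, "PublishMode": "host"}]},
        "Ports": [{"Protocol": "tcp", "TargetPort": 9100,
                   "PublishedPort": 9100, "PublishMode": "host"}],
    }),
    # No published ports: reachable only over its overlay network.
    "db": json.dumps({"Spec": {"Mode": "vip"}}),
}


def published_ports(service, endpoint_json):
    """Parse one service's Endpoint JSON into a list of published-port records."""
    ep = json.loads(endpoint_json)
    # Endpoint.Ports holds the allocated ports; fall back to the spec if absent.
    ports = ep.get("Ports") or ep.get("Spec", {}).get("Ports") or []
    return [
        {
            "service": service,
            "proto": p.get("Protocol", "tcp"),
            "published": p["PublishedPort"],
            "target": p["TargetPort"],
            # swarmkit's PublishMode defaults to ingress when it is not set.
            "mode": p.get("PublishMode", "ingress"),
        }
        for p in ports
        if p.get("PublishedPort")
    ]


def audit(endpoints_by_service):
    """Flatten every service's published ports into one list."""
    found = []
    for name, ep_json in endpoints_by_service.items():
        found.extend(published_ports(name, ep_json))
    return found


def ingress_ports(ports):
    """Ports reachable on every node and every interface via the routing mesh."""
    return [p for p in ports if p["mode"] == "ingress"]


def docker_user_rules(ports, ext_if, vpn_cidr):
    """Build iptables rules that drop traffic to each port when it arrives on
    ext_if from outside vpn_cidr. DOCKER-USER ends in a RETURN rule, so the
    rules are inserted (-I) rather than appended. Matching the conntrack
    original destination port is correct both before and after Docker's DNAT."""
    net = ipaddress.ip_network(vpn_cidr, strict=True)
    rules, seen = [], set()
    for p in ports:
        key = (p["proto"], p["published"])
        if key in seen:
            continue
        seen.add(key)
        rules.append(
            "iptables -I DOCKER-USER -i {ifc} -p {proto} -m conntrack "
            "--ctorigdstport {port} --ctdir ORIGINAL ! -s {net} -j DROP".format(
                ifc=ext_if, proto=p["proto"], port=p["published"], net=net))
    return rules


def live_endpoints():
    """Collect Endpoint JSON for every service in a running swarm (optional;
    needs docker on PATH and must run on a manager node)."""
    names = subprocess.check_output(
        ["docker", "service", "ls", "--format", "{{.Name}}"], text=True).split()
    return {
        n: subprocess.check_output(
            ["docker", "service", "inspect", "--format", "{{json .Endpoint}}", n],
            text=True)
        for n in names
    }


if __name__ == "__main__":
    ports = audit(SAMPLE_ENDPOINTS)
    for p in ports:
        print("{service}: {proto}/{published} -> {target} ({mode})".format(**p))
    for rule in docker_user_rules(ingress_ports(ports), "eth0", "10.0.0.0/24"):
        print(rule)
```

Run it on a manager with audit(live_endpoints()) instead of the constructed sample, apply the printed rules, then check from a host outside the VPN that connections to the public IP on the port are dropped and from a VPN peer that they still succeed. If the port should not be published on every node at all, the compose long syntax for ports (target: 80, published: 80, mode: host) publishes it only on the node that runs the task, at the cost of losing the mesh load balancing. One further thing worth verifying with docker network inspect ingress: Docker's default ingress overlay subnet is 10.0.0.0/24, the same range as the VPN in the question, and overlapping ranges make captures like the ones above harder to read.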