
I am new to networking so I am trying this for the first time. I created an openvpn docker that connects to a VPN server. Running wget -q -O - https://api.myip.com inside the docker container confirms that the docker's network is appropriately connected to the VPN and that the IP is of the VPN server. Now I want to try to route host traffic through the docker container and achieve the same result outside the container, where the host traffic uses the VPN connection of the docker. It's not really clear to me how to do this from a docker host <-> container relationship, so I thought perhaps I can make use of the port mapping feature in docker and also stand up a web proxy in the docker to handle any http/https requests.

Therefore, I stood up squid and openvpn server inside the same docker and exposed port 3128 (since that is what squid is listening on). The wget command on the host becomes: wget -q -O - https://api.myip.com -e use_proxy=yes -e http_proxy=localhost:12345

But the tests show that the traffic is not going over the docker's VPN connection. Instead, results show the communication is over the host's internet connection.

I run the container using the following Docker run command:

docker run --rm --cap-add NET_ADMIN --device /dev/net/tun --name vpn -it --sysctl net.ipv6.conf.all.disable_ipv6=0 -p 12345:3128 vpn-image

Is the above approach wrong? What is the best approach to route host traffic over multiple docker vpn connections?

The following resources indicate it's possible but offer their own solutions specific to their use case. It would be nice to have a Linux network tool like wget or curl that can help me debug/test my solution's progress.

LeanMan

1 Answer


This is an old question but seems to have gotten at least some recent traffic, so I'll answer it.

Depending on what you're trying to do, there are 2 ways of getting your networking to go thru the VPN, and depending on what you're trying to route there are 3 ways to accomplish this.

Proxy (forward proxy)

This requires your host system or container that you want to use the VPN to explicitly direct its traffic to a proxy running in the VPN container. Your VPN container needs to be running a proxy as well as the active VPN. This pretty effectively manages bi-directional network forwarding.

The technique requires you to expose a port from the container's proxy server that you've manually configured within the VPN container, and then configure your host system to use localhost:port as a proxy. This is pretty involved and has lots of options, so you should google it specifically.

Direct network stack control (of host)

Normally the VPN container has a separate network stack running in a separate namespace, but you can tell docker not to separate the network namespace and grant it full network stack access as if it were running natively on the host instead. If you're trying to use a containerized VPN as if it were installed natively on the host, this is what you would do. However, control of the host network namespace is a separate permission from just sharing it, so you also need to add some capabilities. The exact capabilities depend on your VPN software, but they're usually CAP_NET, CAP_NET_RAW, and often CAP_ADMIN. If you're not sure and trust your application, you can just use privileged mode to grant all capabilities (plus some unnecessary other extras). So for this you add these two options to your run command: --net=host --cap=CAP_NET,CAP_NET_RAW,CAP_NET_ADMIN.

Direct network stack control (of another container)

This option is the same concept as direct network stack control of the host, but allows your VPN to be used by another container instead of the host, as if it were running within that container. To use it you just have to add a line to the non-VPN container's run command to tell it to share the network stack with your VPN container: --net=container:vpn-container-name

mtalexan
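The three approaches from the answer put side by side with the egress check the question was missing, as an added example that is not part of the answer or the question. It assumes the question's vpn-image with squid on 3128 published as 12345, a VPN container named vpn, and the public curlimages/curl image for the sidecar; extract_ip and egress_differs are the script's own helpers.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes: a local image named
# vpn-image that starts the VPN and a squid proxy on 3128 (as in the
# question), and that https://api.myip.com answers {"ip":"...",...}.
set -eu

IP_URL="https://api.myip.com"

# Pull the address out of api.myip.com's JSON reply, e.g.
# {"ip":"203.0.113.7","country":"...","cc":"..."} -> 203.0.113.7 (IPv4 only).
extract_ip() {
  sed -n 's/.*"ip":"\([0-9.]*\)".*/\1/p'
}

# Succeeds only when both addresses are known and differ, i.e. the tested
# path really leaves through the VPN rather than the host's own uplink.
egress_differs() {
  direct="$1"; via="$2"
  [ -n "$direct" ] && [ -n "$via" ] && [ "$direct" != "$via" ]
}

ip_direct() { curl -s "$IP_URL" | extract_ip; }

# Approach 1 (forward proxy): squid inside the VPN container, published on 12345.
ip_via_proxy() { curl -s -x http://localhost:12345 "$IP_URL" | extract_ip; }

# Approach 3 (shared netns): a throwaway curl container joins the VPN
# container's network namespace, so its traffic uses the tun device there.
ip_via_sidecar() {
  docker run --rm --net=container:vpn curlimages/curl -s "$IP_URL" | extract_ip
}

# Approach 2 (host netns) needs no separate probe: with --net=host the host's
# own routes change, so ip_direct itself starts returning the VPN address.
run_vpn_in_host_netns() {
  docker run --rm -d --name vpn --net=host --cap-add NET_ADMIN \
    --cap-add NET_RAW --device /dev/net/tun vpn-image
}

if [ "${1:-}" = "--demo" ]; then
  docker run --rm -d --name vpn --cap-add NET_ADMIN --device /dev/net/tun \
    -p 12345:3128 vpn-image
  sleep 10   # crude wait for the tunnel to come up
  host_ip=$(ip_direct)
  for path in ip_via_proxy ip_via_sidecar; do
    if egress_differs "$host_ip" "$($path)"; then echo "$path: via VPN"
    else echo "$path: NOT via VPN (same as host $host_ip)"; fi
  done
  docker stop vpn >/dev/null
fi
```

Run it with --demo on a host that has Docker and the image; a path that still reports the host's address is the symptom the question describes (traffic leaving over the host uplink, not the tunnel).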