I have a docker cluster with an OpenVPN container as an access server and a dns container as a forwarder. All containers are connected to a docker overlay network called vpn, but some run as a docker swarm stack and others are running independently from swarm.
An OpenVPN client can connect and use dns to resolve internal containers names, I had to add an iptables masquerade rule to achieve this, but can't ping containers in stack despite being accessible from OpenVPN container. I've checked iptables rules and routing tables and couldn't figure out why it returns host unreachable while trying to ping a stack service from an OpenVPN client.
