
When VPN is active, all the traffic seems to be tunneled through csctun0.

Using a VirtualBox I am able to set up a "network bridge" to eth0, which seems to completely ignore the manipulations made by Cisco's software. The VirtualBox directly connects to my local network and accesses local network devices and the internet directly.

I want to achieve the same with Docker containers, but the Docker's bridge seems to work differently.

What is necessary to let a Docker container bypass Cisco's tunnel like a VirtualBox does?

Edit: As suggested by @NetworkMeister I tried to use "macvlan" and followed the instructions on http://hicu.be/docker-networking-macvlan-bridge-mode-configuration but fail when I try to send pings to the local gateway:

# docker exec -ti container0 ping -c 4 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: Destination Host Unreachable
64 bytes from 10.0.0.1: Destination Host Unreachable
64 bytes from 10.0.0.1: Destination Host Unreachable
64 bytes from 10.0.0.1: Destination Host Unreachable
--- 10.0.0.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
deviolog

2 Answers


Docker's default bridge network allows you to NAT your containers into the physical network.

To achieve what you know as "bridged network" from VirtualBox, use Pipework or, if you are cutting edge, you can try the docker macvlan driver which is, for now, experimental.

NetworkMeister
  • I tried to run pipework, but it did not work. It seems that Cisco's client is taking control over things like routing and DNS lookups. A similar problem occurs when it comes to Docker's macvlan driver. As far as I understand its documentation, name resolution is again based on the host system, where again Cisco's VPN client is blocking the way: `Containers use host’s DNS settings by default, so there is no need to configure DNS servers. If you absolutely need your containers to acquire IP data from the DHCP server, macvlan driver is currently not the solution you are looking for. Use pipework.` – deviolog Jun 02 '16 at 14:54

One (ugly) solution would be to run your Docker container with --net=host. That way your Docker container doesn't have its own network interface and has the same network access as your physical machine, so it should work.

michael_bitard
  • Basically, that's the problem ;D The network access is the same as on the host machine, everything is tunnelled through csctun0. Afaik it is not possible to change routes in the container then: `root@container0:/# route del default` -> `SIOCDELRT: Operation not permitted` – deviolog Jun 03 '16 at 15:49
  • Ok, what you are saying is that even on your computer you can't `ping -c 4 10.0.0.1` when the VPN is on, right? If that's the case it is not related to Docker at all. – michael_bitard Jun 06 '16 at 11:25
  • This is probably a misunderstanding. It's possible to send pings from the host system but not in the Docker guest. – deviolog Jun 06 '16 at 11:44
  • Even when you `docker run --net=host` ? When you use --net=host you are without docker interface so basically it should work – michael_bitard Jun 06 '16 at 11:47
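The comments above go back and forth about where a container's traffic actually leaves the machine: through the host's csctun0 tunnel (as with --net=host or the default bridge) or directly via eth0 (as with macvlan). The following shell helper is an added example, not code from the question or either answer; it parses `ip route show` output and reports which interface carries the default route, so you can verify from a host or container whether egress is still inside the tunnel. Both routing tables are constructed samples; only the interface name csctun0 and the 10.0.0.0/24 network are taken from the question.

```shell
#!/bin/sh
# Constructed sample of `ip route show` on the host while the Cisco client is up:
# the default route is pulled into the tunnel interface csctun0.
VPN_HOST_ROUTES='default via 192.0.2.1 dev csctun0 proto static metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.23
192.0.2.0/24 dev csctun0 proto kernel scope link src 192.0.2.50'

# Constructed sample from a container attached to a macvlan network on eth0:
# it has its own default route straight to the physical gateway.
MACVLAN_CONTAINER_ROUTES='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.200'

# Constructed sample of a namespace with no default route at all.
NO_DEFAULT_ROUTES='10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.201'

# Print the interface named after "dev" on the "default" line (empty if none).
default_route_dev() {
  printf '%s\n' "$1" | awk '
    $1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Classify a routing table: TUNNELED if the default route uses a tunnel-style
# interface (csctun*, tun*, utun*, ppp*), DIRECT if it uses anything else,
# NO-DEFAULT if there is no default route.
classify_egress() {
  dev=$(default_route_dev "$1")
  case "$dev" in
    "")                         echo "NO-DEFAULT" ;;
    csctun*|tun*|utun*|ppp*)    echo "TUNNELED" ;;
    *)                          echo "DIRECT" ;;
  esac
}

# Stand-alone run: report the constructed samples, then a live container if
# one is named on the command line (e.g. ./check.sh container0).
if [ "${0##*/}" != "sh" ] && [ -n "${RUN_DEMO:-}" ]; then
  echo "host with VPN:      $(classify_egress "$VPN_HOST_ROUTES")"
  echo "macvlan container:  $(classify_egress "$MACVLAN_CONTAINER_ROUTES")"
  if [ -n "${1:-}" ]; then
    # Assumes the container image ships iproute2 (`ip`); busybox images do too.
    echo "$1: $(classify_egress "$(docker exec "$1" ip route show)")"
  fi
fi
```

Run with `RUN_DEMO=1 ./check.sh container0` to compare the samples with a real container; a --net=host container will report the same interface as the host.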