
In our swarm, some containers will need to access an external service via an OpenVPN connection.

Adhering to separation of responsibilities, we implement a client OpenVPN container that will be responsible for the VPN layer. And we intend other containers to use it as a gateway when they need to reach a machine on the VPN.

Example

docker network create -d overlay --attachable vpn_net
# Start the gateway on this network
docker run --name openvpn -d --cap-add NET_ADMIN --network vpn_net openvpn-client
# deploy a swarm of containers
docker stack deploy -c docker-compose.yml custom-stack

(With docker-compose.yml notably making vpn_net one of the networks available to the services that require VPN connectivity.)


Sadly, said containers are not able to ping IPs on the VPN (even though the openvpn container successfully pings them). And it seems we are not allowed to add routes to the containers running in the swarm:

$ route add -net 192.168.2.0/24 gw openvpn
SIOCADDRT: Operation not permitted

Is there any way to add such a route to the containers in the swarm?
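As an added example (not code from the original post): the `SIOCADDRT: Operation not permitted` error is what the kernel returns when the calling process lacks CAP_NET_ADMIN, which the gateway container was given with `--cap-add NET_ADMIN` but the stack's tasks were not. The script below reads the effective capability mask from `/proc/self/status`, checks that bit before attempting anything, and only then adds the route through the `openvpn` container as resolved on the shared `vpn_net` overlay; the function and variable names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the question: diagnose why "route add" fails inside a
# swarm task before touching the routing table. EPERM on SIOCADDRT means the
# process has no CAP_NET_ADMIN; we test that bit in the CapEff mask from /proc.

CAP_NET_ADMIN_BIT=12   # capability number of CAP_NET_ADMIN (linux/capability.h)

# cap_mask_has HEXMASK BIT -> prints 1 if BIT is set in HEXMASK, else 0.
# The mask is the hex string as shown in /proc/<pid>/status (e.g. 00000000a80425fb,
# Docker's default set, versus 00000000a80435fb with NET_ADMIN added).
cap_mask_has() {
    mask=$1
    bit=$2
    printf '%d\n' "$(( (0x$mask >> $bit) & 1 ))"
}

# has_cap_net_admin -> exit status 0 if this process holds CAP_NET_ADMIN.
has_cap_net_admin() {
    mask=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    [ "$(cap_mask_has "$mask" "$CAP_NET_ADMIN_BIT")" = "1" ]
}

# add_vpn_route NETWORK GATEWAY_NAME
# Resolves the gateway container by its name on the attachable overlay network
# and adds the route only when the capability check passes; otherwise it reports
# the real cause instead of failing on SIOCADDRT.
add_vpn_route() {
    net=$1
    gw_name=$2
    if ! has_cap_net_admin; then
        echo "cannot add route: this task lacks CAP_NET_ADMIN (the gateway got it via --cap-add NET_ADMIN)" >&2
        return 1
    fi
    gw_ip=$(getent hosts "$gw_name" | awk '{print $1; exit}')
    [ -n "$gw_ip" ] || { echo "cannot resolve $gw_name on this network" >&2; return 1; }
    ip route add "$net" via "$gw_ip"
}

# Usage inside a task attached to vpn_net, with the names from the question:
#   add_vpn_route 192.168.2.0/24 openvpn
```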
