Connect to a VPN (OpenVPN) from a docker service on swarm
I have an OpenVPN server running exposing some private IP addresses, I would like my docker swarm services to access those addresses.
Ideally, there wouldn't be an OpenVPN client "inside" the containers as the images are expected to be deployed in an environment where a VPN will not be necessary.
What I tried so far
I successfully connected a container to my VPN with the dperson/openvpn-client image.
I successfully launched another container using that container as its network, via the --net=container:my-vpn-client flag.
Now I'm trying to set up a docker service that will access my private IP addresses, and what I found is:
- I can't run the OpenVPN client in a service as it cannot be given cap-add: NET_ADMIN. There are open issues with Docker discussing this matter but they are still open.
- I figured I could have the OpenVPN client container run "beside" the swarm cluster, but I can't use network_mode: "container:my-vpn-client" as it is not supported, which does make sense since I couldn't possibly force an arbitrary container to be present on every node of the swarm without it being a service itself.
- I tried creating an attachable network (bridge/overlay) and just stuck my OpenVPN client container in it, expecting other members of that network to magically go through that pipe... and I was disappointed.
So here i am, any idea?
P.S. If it can help, this is mainly to set up some automated tests that will run the services on a single docker machine in swarm mode, as in swarm init > stack deploy > run tests > swarm leave. So if there's a "hack" for that... I may be interested ;)
I do this exact same thing. On your OpenVPN docker client you will need to configure NAT:
# container -> VPN: source-NAT everything from the docker network that leaves via tun0 to the client's tunnel address
iptables -t nat -A POSTROUTING -s 172.18.0.0/24 -o tun0 -j SNAT --to-source 10.8.0.10
# VPN -> container: traffic for the container that leaves via eth1 appears to come from the OpenVPN client's docker address
iptables -t nat -A POSTROUTING -d 172.18.0.50/32 -o eth1 -j SNAT --to-source 172.18.0.100
For me, I set this up to run at boot via iptables-restore.
On your docker host, add the following to /etc/network/interfaces:
# look up traffic from the docker network in routing table 200...
post-up ip rule add from 172.18.0.0/16 table 200
# ...where the private IP is reached via the OpenVPN client container
post-up ip route add 192.168.11.222 via 172.18.0.100 table 200
NB: This is what you use, where:
- 172.18.0.0 is your docker network
- 172.18.0.50 is one of your docker containers
- 172.18.0.100 is your docker openvpn client
- 192.168.11.222 is the private IP you want your docker clients to be able to access
- tun0 is the OpenVPN interface of your docker client
- eth1 is the 172.18.0.0 network interface of your openvpn docker client
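The answer's setup as a parameterised shell script, added here as an example and not part of the original answer. It renders the two SNAT rules as an iptables-restore fragment for the VPN client container and the two policy-routing commands for the host, and it refuses to emit rules whose container addresses fall outside the docker network, a check worth having because the answer uses 172.18.0.0/24 in the iptables rule and 172.18.0.0/16 in the host routing rule. The container name my-vpn-client and the --apply path (docker exec plus iptables-restore, run as root) are assumptions; all addresses and interface names are the answer's.

```shell
#!/bin/sh
# Added example, not from the original answer. Generates and sanity-checks the
# answer's NAT and policy-routing setup before anything touches the system.
set -e

DOCKER_NET=172.18.0.0/24        # your docker network (the answer's iptables rule uses /24)
CONTAINER_IP=172.18.0.50        # one of your docker containers
VPN_CLIENT_IP=172.18.0.100      # your docker OpenVPN client
VPN_TUN_IP=10.8.0.10            # the OpenVPN client's tunnel address
PRIVATE_IP=192.168.11.222       # the private IP behind the VPN
VPN_CLIENT_NAME=my-vpn-client   # assumed container name, not from the answer

# Dotted quad -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX : succeeds when ADDR lies inside NET/PREFIX.
in_cidr() {
    local net prefix mask
    net=${2%/*}
    prefix=${2#*/}
    mask=$(( prefix == 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# render_nat_rules DOCKER_NET TUN_IP VPN_CLIENT_IP CONTAINER_IP [DOCKER_IF] [TUN_IF]
# Prints an iptables-restore fragment (the answer's two SNAT rules) for the VPN
# client container, after checking both docker addresses are inside DOCKER_NET.
render_nat_rules() {
    local docker_net="$1" tun_ip="$2" vpn_ip="$3" ctr_ip="$4"
    local docker_if="${5:-eth1}" tun_if="${6:-tun0}"
    in_cidr "$vpn_ip" "$docker_net" || { echo "VPN client $vpn_ip is not in $docker_net" >&2; return 1; }
    in_cidr "$ctr_ip" "$docker_net" || { echo "container $ctr_ip is not in $docker_net" >&2; return 1; }
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# container -> VPN: traffic from the docker network leaving via $tun_if is
# sourced from the tunnel address, so the VPN side only ever sees $tun_ip
-A POSTROUTING -s $docker_net -o $tun_if -j SNAT --to-source $tun_ip
# VPN -> container: traffic for the container leaving via $docker_if is
# sourced from the VPN client's own docker address
-A POSTROUTING -d $ctr_ip/32 -o $docker_if -j SNAT --to-source $vpn_ip
COMMIT
EOF
}

# render_host_routing DOCKER_NET VPN_CLIENT_IP PRIVATE_IP [TABLE]
# Prints the host side: traffic from the docker network is looked up in TABLE,
# which sends PRIVATE_IP via the VPN client container.
render_host_routing() {
    local docker_net="$1" vpn_ip="$2" private_ip="$3" table="${4:-200}"
    printf 'ip rule add from %s table %s\n' "$docker_net" "$table"
    printf 'ip route add %s via %s table %s\n' "$private_ip" "$vpn_ip" "$table"
}

# apply_plan: load the NAT rules into the running VPN client container (which
# must have NET_ADMIN) and install the host routes. Needs root on the host.
apply_plan() {
    render_nat_rules "$DOCKER_NET" "$VPN_TUN_IP" "$VPN_CLIENT_IP" "$CONTAINER_IP" \
        | docker exec -i "$VPN_CLIENT_NAME" iptables-restore --noflush
    render_host_routing "$DOCKER_NET" "$VPN_CLIENT_IP" "$PRIVATE_IP" | sh -e
    ip route show table 200
}

# Default is a dry run that prints the plan; --apply installs it.
case "${1:-}" in
    --apply) apply_plan ;;
    *) render_nat_rules "$DOCKER_NET" "$VPN_TUN_IP" "$VPN_CLIENT_IP" "$CONTAINER_IP"
       render_host_routing "$DOCKER_NET" "$VPN_CLIENT_IP" "$PRIVATE_IP" ;;
esac
```

Run it without arguments to see what would be installed; the --apply path needs root on the host and a VPN client container that was started with NET_ADMIN, which, as the question notes, a swarm service cannot be given, so the client has to be a plain container beside the swarm.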