If my Linux host machine is connected to a VPN, does this mean the containers are also connecting through the VPN?

I would like a docker container running on my Linux server to utilize the VPN connection that the server is already connected to. Does this happen automatically, if not, what needs to be done?

Simple answer is yes. However, if you want to route certain containers over a VPN then I’d recommend having a look at Gluetun

Good question, not 100% certain…

I want to say by default “yes” because the docker container’s network uses default bridge unless you specify otherwise. In that case the containers don’t have any other networking than through their host, so if the host has a full tunnel through the VPN, then your containers would too.

There are other docker network types you can set up where this isn’t the case. NetworkChuck has a good video on this:

They need to be bound to the TUN interface that the VPN client creates. If they use the regular network interface (eth0 or whatever), then not.

Yes as you only have one physical port out of the machine. The host has an IP address and all your traffic is travelling through that.

I’m sure there’s a better way to explain that but your container can’t bypass the host address.

Update:
So I have the same setup. I did traceroute Google.com with my vpn on then off to see the difference.
I then did the same from a container terminal. With the VPN on all I see are ‘ * * * *’ for each hop outside of my network.

Just bind the container to the VPN interface. Without IP binding your docker container is broadcasting at 0.0.0.0 and accessible via other IPs your server might process.

Lots of answers here already but I’ll suggest a different angle. Ideally you handle all the networking details on your router/switch. Pfsense or Opnsense is my preferred tool. You could just have a rule that routes all traffic for a VM through your VPN. This way you can create policies for various assets on your network and not have to screw around with individual ip table rules or other tweaks on every machine on your network (and then also worry about keeping them up).

You should look into routing and how to manipulate your local routing table. Things might be different if you NAT traffic along the way though.

You want to make sure that your firewall rules are properly set up. Assuming your VPN is your defined gateway, often firewalls have a fallback gateway, which might be your WAN gateway. So in case your VPN fails everything might go through wan, so make sure you have a block rule that catches the containers traffic if going anywhere else than the VPN gateway. Also it’s usually beneficial to do split routing, as you probably don’t want everything to go through the VPN but only the necessary services.

To remedy this it’s useful to give the relevant containers their own fixed IP via MacVLAN and create a rule in your firewall that routes the segment you chose the IPs from for the relevant containers through VPN only, with no fallback interface.

As an imaginary example, choose IPs for the macvlan interfaces of your containers in the segment of 192.168.1.128/28, so from 192.168.1.129 to 192.168.1.142, and create a firewall rule that routes 192.168.1.128/28 over your VPN. If the VPN fails, your containers cannot connect. Make sure to properly NAT the traffic to and from the target network.
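A docker compose definition of the macvlan network described above, added here as an example (it is not from the thread). Assumptions are placeholders: LAN 192.168.1.0/24 with gateway 192.168.1.1, host NIC eth0, and an illustrative image name; the routing rule itself still lives on the router or firewall.

```yaml
# Added example, not from the thread. Containers attached to this network get
# fixed addresses inside 192.168.1.128/28, so a router rule can route that /28
# through the VPN with no fallback gateway.
# Assumptions (placeholders): LAN 192.168.1.0/24, gateway 192.168.1.1, NIC eth0.
services:
  vpn-only-app:
    image: example/app:latest          # placeholder image
    networks:
      vpn_lan:
        ipv4_address: 192.168.1.130    # inside the /28 the router pins to the VPN
    dns:
      - 192.168.1.1                    # DNS goes to the router so it follows the same policy

networks:
  vpn_lan:
    driver: macvlan
    driver_opts:
      parent: eth0                     # physical NIC the macvlan sub-interfaces hang off
    ipam:
      config:
        - subnet: 192.168.1.0/24
          ip_range: 192.168.1.128/28   # auto-assigned addresses come only from this block
          gateway: 192.168.1.1
```

A macvlan container is a peer of the host on the LAN, and by default the host cannot reach it over the parent interface, so a reverse proxy running on the same host needs another path to it.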

If you are using wireguard you could take a look at network namespaces, which I THINK could be another solution to the routing problem but I must admit that I haven’t had time yet to fully read and understand the documentation

If you want your containers to connect through a vpn, try using gluetun. Configure it to use your vpn and any containers that you want to put behind it you would just change the network from bridge/host to container: /gluetun.

eBPF-based tunneling

Phenomenal answer. I’ve been investigating implementing eBPF via Cilium

Really love this super technical breakdown. Thank you man

TLDR: just transparently route all your DNS traffic to your preferred provider; with iptables it’s pretty simple if you know the ports (port 53 UDP is regular DNS traffic).

Thank you so much for the information!

Seconding Gluetun and Docker Networks - it’s the same containerization idea whether it’s an application or a network. I’m using Private Internet Access as my VPN and it works perfectly.

Yes as you only have one physical port out of the machine. The host has an IP address and all your traffic is travelling through that.

This isn’t always the case.

Docker’s macvlan network type makes the container a peer to your host instead of subordinate, I’m no VPN expert but I’d expect it to be unaffected unless you explicitly went in and changed its parent.

And even outside that a VPN doesn’t replace the main IP address AFAIK (it’d break local access, and ultimately that is how you need to send a packet to get it outside your LAN), it just adds more and sets the routing tables to mostly use the secure one instead. I’d expect the defaults to respect a VPN here (certainly if it was up first), but would definitely double check.

If my container has a public website, would I still be able to reverse proxy the VPN port/IP address? I’m assuming this won’t work because there’s no way to port forward. I’m using a VPN client like express or nord.

And you want your reverse proxy to point at gluetun:port number
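The Gluetun setup suggested earlier (put a container behind Gluetun by changing its network to the Gluetun container) together with the reverse-proxy target from the reply above, as an added compose example that is not from the thread or the Gluetun project. The provider, credentials, region and image names are placeholders; the Gluetun environment variable names are the documented ones.

```yaml
# Added example, not from the thread. Gluetun owns the network namespace;
# "webapp" shares it, so its only egress is Gluetun's tunnel and Gluetun's
# built-in firewall drops traffic when the tunnel is down.
# Placeholders: provider, OPENVPN_USER/OPENVPN_PASSWORD, SERVER_REGIONS, images.
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN                      # needed to create tun0 and firewall rules
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      VPN_SERVICE_PROVIDER: "private internet access"   # placeholder provider
      VPN_TYPE: openvpn
      OPENVPN_USER: "<vpn-username>"   # placeholder
      OPENVPN_PASSWORD: "<vpn-password>"   # placeholder
      SERVER_REGIONS: "Netherlands"    # placeholder region
    ports:
      - "8080:8080"                    # published on gluetun: webapp has no NIC of its own

  webapp:
    image: example/webapp:latest       # placeholder; listens on 8080
    network_mode: "service:gluetun"    # same as "container:gluetun" with docker run
    depends_on:
      - gluetun

  proxy:
    image: example/reverse-proxy:latest   # placeholder; upstream is http://gluetun:8080
    ports:
      - "443:443"
```

If the gluetun container is recreated, webapp loses its network namespace and must be recreated as well.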

This depends. If your VPN does total isolation then no. This is the minority.

Most of the time, your system still has a local IP and that is where your reverse proxy is pointing at.

I do not know. I had to redo my server and on the prior one I was using one container with a torrent client and VPN (can’t seem to get it to work now).

With Nord, can you do the mesh network? would that be helpful or do others need to access the website?