However, these error-prone techniques require unnecessary complexity. The Docker bridge supports port mappings and docker run -link allowing communications between containers on the docker0 network. You must connect containers with the -link option in your docker run command. Docker does not support automatic service discovery on bridge. If you have containers running on your network, docker network inspect displays networking information for your containers.Īny containers on the same network may communicate with one another via IP addresses. This bridge is named br- with ID being the first 12 characters of the Docker network ID.Docker automatically creates a subnet and gateway for the bridge network, and docker run automatically adds containers to it. The Docker network creation created a new bridge device. I haven't tried it, but it should be possible to restrict the FORWARD rule for iptables. The last command adds a new route towards the VPN client configuration via the OpenVPN container fixed IP. The fourth and fifth commands configure IP forwarding. It is attached to the newly created Docker network and uses a fix IP. The third one creates the OpenVPN server. The second one creates the OpenVPN configuration using the same subnet as defined in the 1st command. We will attach the OpenVPN server to this network. The first command creates a dedicated new Docker network which define a new subnet. $ docker run -detach -name openvpn -v $PWD/files/openvpn:/etc/openvpn -net=docker-net-vpn -ip=172.20.20.2 -p 1194:1194/udp -cap-add=NET_ADMIN kylemanna/openvpn:2.4 Here are the commands (in this example I generate the server configuration directly on the server and I skip the CA generation, please follow the paranoid documentation of the above mention project instead): $ docker network create -attachable=true -driver=bridge -subnet=172.20.20.0/24 -gateway=172.20.20.1 docker-net-vpn This container is attached to the Docker network docker-net-vpn. In this example, I will run the above mention OpenVPN server inside Docker on host. # Rely on Docker to do port mapping, internally always 1194
This should generate a server config file similar to: server 192.168.255.0 255.255.255.0 $ sudo ip route add 192.168.255.0/24 via Īnyway, here are the options I've used to set-up the server: $ docker run -rm -net=none -it -v $PWD/files/openvpn:/etc/openvpn kylemanna/openvpn:2.4 ovpn_genconfig -u udp:// -N -d -c -p "route " -e "topology subnet" $ sudo iptables -A FORWARD -i tun+ -j ACCEPT This can be summarise with these commands: $ sudo sysctl -w _forward=1 This means setting the sysctl ip_forward to 1 (it should be the case if you have Docker install), allowing packets from the tun device to go through the iptables FORWARD chain and setting proper routing. The host of the VPN server should be configured to support forwarding of IP packets from one subnet to another. The VPN server should have the client-to-client, topology subnet, dev tun0 (or other tun device) and push "route " configured. The VPN server is going to be one of those containers. In order to allow bi-directional connection between selected Docker containers and the VPN clients, you need to create a Docker network on which you are going to attach container which should be allowed to be accessed by the VPN clients. I'm using the so-called "paranoid" documentation to set-up my OpenVPN server, but in my view this should be the standard way and not the paranoid way. I have been using the very good Docker container from Kyle Manna ( ).
0 kommentar(er)
