How to make openvpn work with docker

I recently set up a VPN for privacy, and it turned out that OpenVPN breaks Docker.

When I try to run docker-compose up, I get the following error:

    ERROR: could not find an available, non-overlapping IPv4 address pool among the defaults to assign to the network

Disabling the VPN fixes the problem (however, I would rather not disable it). Is there a way to make these two coexist peacefully? I am using Debian Jessie and my OpenVPN has the following version string:

  OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 26 2017 

Many people "solved" this problem by disabling OpenVPN, so I am asking specifically how to make these two work at the same time.

References:

In case it matters, my VPN provider is https://www.ovpn.com/, and here is the configuration file:

    client
    dev tun
    proto udp
    remote host port
    remote-random
    mute-replay-warnings
    replay-window 256
    push "dhcp-option DNS 46.227.67.134"
    push "dhcp-option DNS 192.165.9.158"
    remote-cert-tls server
    cipher aes-256-cbc
    pull
    nobind
    reneg-sec 432000
    resolv-retry infinite
    comp-lzo
    verb 1
    persist-key
    persist-tun
    auth-user-pass /etc/openvpn/credentials
    ca ovpn-ca.crt
    tls-auth ovpn-tls.key 1

+28
5 answers

Solution (TL;DR)

Create the script /etc/openvpn/fix-routes.sh with the following contents:

    #!/bin/sh
    echo "Adding default route to $route_vpn_gateway with /0 mask..."
    ip route add default via $route_vpn_gateway
    echo "Removing /1 routes..."
    ip route del 0.0.0.0/1 via $route_vpn_gateway
    ip route del 128.0.0.0/1 via $route_vpn_gateway

Add the executable bit to the file: chmod o+x /etc/openvpn/fix-routes.sh. Change the owner of this file to root: chown root:root /etc/openvpn/fix-routes.sh.

Add the following two lines to your configuration:

    script-security 2
    route-up /etc/openvpn/fix-routes.sh

Explanation

OpenVPN adds routes for the networks 0.0.0.0/1 and 128.0.0.0/1 (together these two routes cover the entire IPv4 address range), so Docker cannot find a range of IP addresses in which to create its own private network.

You need to add a default route (so that everything is routed through OpenVPN) and remove these two specific routes. The fix-routes script does exactly this.

This script is called after OpenVPN adds its own routes. To run scripts at all, you need to set the script-security parameter to 2, which allows OpenVPN to execute shell scripts from its context.

Thanks

I would like to thank the author of this comment on GitHub, and also the ovpn support team.

+32
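The error in the question comes from Docker's search for a default address pool that no existing route overlaps. The following Python model of that search is an added example, not code from the question, from any answer or from Docker itself. It assumes, as the answer above explains, that Docker compares each candidate pool only against routes that carry a destination prefix and skips the default route; the three routing tables, the tun subnet 10.8.0.0/24 and the list of Docker's default pools are constructed for illustration.

```python
import ipaddress

# Constructed routing tables (not taken from the question). Each entry is the
# destination prefix of one `ip route` line; None stands for the default route,
# which Docker's pool search ignores because it has no destination prefix.
ROUTES_VPN_UP = [
    None,              # default via the LAN router
    "0.0.0.0/1",       # pushed by OpenVPN, via the VPN gateway
    "128.0.0.0/1",     # pushed by OpenVPN, via the VPN gateway
    "10.8.0.0/24",     # the tun interface's own subnet (assumed value)
    "192.168.1.0/24",  # the LAN
]

ROUTES_AFTER_FIX = [
    None,              # default now via the VPN gateway (what fix-routes.sh leaves)
    "10.8.0.0/24",
    "192.168.1.0/24",
]

ROUTES_SPLIT_TUNNEL = [
    None,              # default via the LAN router
    "172.16.0.0/12",   # only the private range goes through the VPN
    "10.8.0.0/24",
    "192.168.1.0/24",
]

# Docker's default address pools for new networks, in the order it tries them:
# fifteen /16 blocks out of 172.16.0.0/12, then sixteen /20 blocks out of
# 192.168.0.0/16. Assumed from Docker's documented defaults.
DEFAULT_POOLS = [f"172.{n}.0.0/16" for n in range(17, 32)] + [
    f"192.168.{n}.0/20" for n in range(0, 256, 16)
]


def blocking_routes(candidate, routes):
    """Return the routes (those with a destination prefix) that overlap `candidate`."""
    net = ipaddress.ip_network(candidate)
    return [
        r for r in routes
        if r is not None and net.overlaps(ipaddress.ip_network(r))
    ]


def find_free_pool(routes, candidates=DEFAULT_POOLS):
    """Mimic Docker's search: the first candidate no routed prefix overlaps, else None."""
    for cand in candidates:
        if not blocking_routes(cand, routes):
            return cand
    return None


if __name__ == "__main__":
    tables = [
        ("VPN up", ROUTES_VPN_UP),
        ("after fix-routes.sh", ROUTES_AFTER_FIX),
        ("split tunnel", ROUTES_SPLIT_TUNNEL),
    ]
    for name, table in tables:
        print(f"{name:20s} -> {find_free_pool(table)}")
```

With the two /1 routes in place every candidate is blocked and the search returns None, which is the situation behind the error message. After the script replaces them with a plain default route the first pool, 172.17.0.0/16, is free again. The split-tunnel table shows the alternative suggested further down: when only 172.16.0.0/12 is routed through the VPN, Docker skips the 172.x pools and the block overlapping the LAN, and settles on 192.168.16.0/20.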

You can also make docker-compose work if you define the CIDR subnets in your docker-compose file:

    networks:
      your-network:
        ipam:
          config:
            - subnet: 172.16.238.0/24
              gateway: 172.16.238.1

Another option: first create a network with a CIDR subnet, and then specify in the docker-compose file that you want to use this network:

    docker network create your-network --subnet 172.24.24.0/24

In your docker-compose file:

    networks:
      your-network:
        external: true

+13

Based on Anas El Barkani's answer, here is a complete step-by-step example using PostgreSQL.

While the VPN is not connected, create a permanent Docker network:

    docker network create my-network --subnet 172.24.24.0/24

In the docker-compose file, specify the network as external:

    version: "2"
    services:
      postgres:
        container_name: postgres
        image: postgres
        volumes:
          - ./volumes/postgres/data:/var/lib/postgresql/data
        environment:
          - POSTGRES_DB=dummy
          - POSTGRES_USER=user
          - POSTGRES_PASSWORD=123456
          - POSTGRES_HOST=localhost
        networks:
          - default
        ports:
          - "127.0.0.1:5432:5432"
    networks:
      default:
        external:
          name: my-network

That's all. Now you can enable the VPN and start / stop the container as usual:

    docker-compose up -d
    docker-compose down

There is no need to turn the VPN on and off every time or to add strange scripts as root.

+2

Some additional context: the routes 0.0.0.0 and 128.0.0.0 are created only if the OpenVPN server (aka Access Server) is configured to push routes that send all of the endpoint's Internet traffic through the VPN. By adding these two wide routes, the user's Internet traffic can be redirected without interfering with routing on the local network, while the endpoint remains able to send its own OpenVPN traffic to the local router.

If sending all Internet traffic through the OpenVPN server is not a requirement, it might be better to ask the VPN administrator to create a profile that routes only traffic to the required destinations (for example, private IP ranges) through the VPN, rather than everything. This should avoid the need to manipulate routes on the endpoint.

0

Perhaps one way to do this is to add routes for everything except 172.16.0.0/12 through the VPN, so we can be sure that all outbound traffic is handled correctly:

    sudo ip route add 192.0.0.0/2 via $route_vpn_gateway
    sudo ip route add 128.0.0.0/3 via $route_vpn_gateway
    sudo ip route add 176.0.0.0/4 via $route_vpn_gateway
    sudo ip route add 160.0.0.0/5 via $route_vpn_gateway
    sudo ip route add 168.0.0.0/6 via $route_vpn_gateway
    sudo ip route add 174.0.0.0/7 via $route_vpn_gateway
    sudo ip route add 173.0.0.0/8 via $route_vpn_gateway
    sudo ip route add 172.128.0.0/9 via $route_vpn_gateway
    sudo ip route add 172.64.0.0/10 via $route_vpn_gateway
    sudo ip route add 172.32.0.0/11 via $route_vpn_gateway
    sudo ip route add 172.0.0.0/12 via $route_vpn_gateway
    # And finally delete the default route which handles 172.16.0.0/12
    sudo ip route del 128.0.0.0/1 via $route_vpn_gateway

0
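The eleven prefixes in the answer above are what you get when 172.16.0.0/12 is carved out of 128.0.0.0/1: at each step the remaining block is halved and the half that does not contain the excluded range is kept. The following Python is an added example, not part of the answer, that performs this carving for any list of excluded subnets and prints the matching ip route add commands; it goes beyond the answer in that it can exclude several ranges at once (for instance all of Docker's default pool space) from the whole 0.0.0.0/0, and the gateway placeholder `$route_vpn_gateway` is simply echoed as text. The exclusion list in `main` is constructed for illustration.

```python
import ipaddress


def covering_prefixes(space, excluded):
    """Return the prefixes that cover `space` minus every network in `excluded`.

    Each excluded network is split out of whatever piece currently contains it,
    using the standard halving walk that ipaddress.address_exclude implements.
    """
    pieces = [ipaddress.ip_network(space)]
    for ex in map(ipaddress.ip_network, excluded):
        kept = []
        for piece in pieces:
            if not piece.overlaps(ex):
                kept.append(piece)                       # untouched by this exclusion
            elif ex.subnet_of(piece):
                kept.extend(piece.address_exclude(ex))   # split the piece around ex
            # otherwise ex swallows the whole piece: drop it
        pieces = kept
    return sorted(pieces)


def route_commands(prefixes, gateway="$route_vpn_gateway"):
    """Render `ip route add` lines in the same form the answer uses."""
    return [f"ip route add {p} via {gateway}" for p in prefixes]


def covered_addresses(prefixes):
    """Total number of addresses the prefixes cover (handy for sanity checks)."""
    return sum(p.num_addresses for p in prefixes)


if __name__ == "__main__":
    # Reproduce the answer: carve 172.16.0.0/12 out of the upper half.
    for line in route_commands(covering_prefixes("128.0.0.0/1", ["172.16.0.0/12"])):
        print(line)
    print()
    # Constructed broader case: keep both ranges Docker draws its default
    # pools from (172.16.0.0/12 and 192.168.0.0/16) off the VPN entirely.
    both = covering_prefixes("0.0.0.0/0", ["172.16.0.0/12", "192.168.0.0/16"])
    print(f"{len(both)} routes replace the two /1 routes when both ranges are excluded")
```

A quick sanity check before applying such a list is that the pieces cover exactly the address space minus the excluded ranges and that none of them overlaps an excluded range; `covered_addresses` gives the first half of that check, and `ipaddress.ip_network(...).overlaps` the second.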

Source: https://habr.com/ru/post/1014031/