69

I'm trying to run a docker image on MacOS with VPN turned on (TUN device). The Docker container can access the internet, but is not able to access resources behind the VPN. What is the right way to make Docker go to the VPN network?

I've tried docker run --net host to make docker share the host network, it didn't help. The host can access VPN resources, but the docker container can't resolve their names.

Capacytron

  • I recently built a VPN container and needed `--privileged` for it, `--net host` wasn't required in my case. – schmunk Jul 27 '16 at 20:05
  • For any ubuntu user: On Ubuntu with NetworkManager handling the VPN connection, the `--net host` was sufficient to share the VPN connection. @schmunk As `--privileged` turns on all capabilities and therefore is a huge drawback in terms of security, you should try to identify only the crucial capability (`NET_ADMIN`?) and only enable this one. Further reading: [Docker Documentation - Engine - Runtime privilege and Linux capabilities](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) – Murmel Oct 27 '17 at 12:04
  • @Murmel you should post this comment as an answer for ubuntu users, this was the solution for me (ubuntu 18.04). – solujic Mar 26 '21 at 09:59
  • The solution mentioned here worked for me: https://stackoverflow.com/a/52885161/294552 – sandeepkunkunuru Dec 14 '21 at 17:36
  • Related Docker issue https://github.com/docker/for-mac/issues/4751. – ks1322 Aug 13 '23 at 19:33

10 Answers

42

I had to restart docker after connecting the host machine to the VPN.

sudo systemctl restart docker
docker start {name-of-container}
ks1322
Kennethz3
19

Not sure if it's best solution.

I took the DNS server that appears on my host after connecting to the VPN:

scutil --dns | grep 'nameserver\[[0-9]*\]'
nameserver[0] : xxx.xxx.xxx.xxx

Modified docker run command:

docker run --cidfile="docker.pid" --dns=xxx.xxx.xxx.xxx --publish-all

Now docker container can access resources behind VPN... It works, but I have no idea if it's good or bad...

chrki
Capacytron
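The answer above copies one resolver address by hand. Two things a practitioner should know before doing that: on Docker Desktop for Mac, containers run inside a Linux VM, so `--net host` attaches to the VM's network stack, not to macOS and its utun device, which is why the question's first attempt changed nothing; and `--dns` only fixes name resolution, so if the container still cannot reach the resolved addresses the subnet/route conflict discussed in the later answers is the next thing to check. The script below is an added example, not the answer's code and not Docker's tooling: it parses `scutil --dns` output, keeps only the nameservers from resolver blocks bound to a utunN interface (so the LAN resolver on en0 is skipped), and turns them into `--dns` flags. The sample output, its addresses and interface indexes are constructed for the demonstration, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: select the VPN's resolvers from `scutil --dns` and build
# --dns flags for docker run. Not from the original answer.

# Constructed sample of `scutil --dns` output (not captured from a real host);
# addresses and interface indexes are invented for the example.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : corp.example
  nameserver[0] : 10.8.0.1
  nameserver[1] : 10.8.0.2
  if_index : 18 (utun3)
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)'

# vpn_nameservers: read `scutil --dns` text on stdin and print each nameserver
# that belongs to a resolver block whose if_index names a utunN interface.
# Duplicates are dropped, order of first appearance is kept.
vpn_nameservers() {
    awk 'BEGIN { RS = "" }    # paragraph mode: one resolver block per record
         /if_index[ \t]*:[ \t]*[0-9]+ \(utun[0-9]+\)/ {
             n = split($0, lines, "\n")
             for (i = 1; i <= n; i++) {
                 if (lines[i] ~ /nameserver\[[0-9]+\][ \t]*:/) {
                     ip = lines[i]
                     sub(/^[^:]*:[ \t]*/, "", ip)   # drop the "nameserver[N] :" label
                     sub(/[ \t]+$/, "", ip)
                     if (!(ip in seen)) { seen[ip] = 1; print ip }
                 }
             }
         }'
}

# dns_flags: turn one address per line on stdin into "--dns=A --dns=B".
dns_flags() {
    sep=""
    while IFS= read -r ip; do
        printf '%s--dns=%s' "$sep" "$ip"
        sep=" "
    done
    printf '\n'
}

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SCUTIL" | vpn_nameservers | dns_flags
# On the Mac itself (not run here):
#   docker run $(scutil --dns | vpn_nameservers | dns_flags) IMAGE
```

Selecting on the utun interface rather than taking `nameserver[0]` blindly matters because `scutil --dns` lists every resolver, scoped ones included, and the first entry is not guaranteed to be the VPN's once the tunnel goes down or a second VPN comes up.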
10

I had this exact problem. I tried other solutions suggested here, but they didn't work for me. After a lot of trial and error this solution worked very nicely:

Add "bip": "192.168.1.5/24" to the daemon.json configuration file. This file can be found in the docker desktop settings under docker engine or at /etc/docker/daemon.json. BIP is the setting for bridge IP addresses and will change the IPs docker assigns in its subnet. By changing this setting I avoided conflicts between VPN and docker ip addresses.

Restart docker daemon.

Stop all containers.

Run ‘docker network prune’ to remove unused networks.

Restart all containers. This will recreate their networks with the new IP addresses.

You may still need to restart docker after connecting to the VPN in the future. See this thread for other solutions and ideas: https://github.com/docker/for-mac/issues/2820

Sheridan Rea
6

Had a similar problem. OP's solution worked, but so did simply restarting my docker vm:

docker-machine restart $host

Inspiration: https://www.reddit.com/r/docker/comments/39z4xd/when_my_docker_host_is_connected_to_vpn_i_can_no/

ccb
5

Had this issue on docker version 3.6.0 (67351) running on Mac

What worked for me is combining the solutions posted by @Sheridan Rea and @Marco

  1. Changed Docker subnet to 192.168.65.0/28. It was set to 192.168.63.0/24 before. Clicked Apply & Restart / Restart Docker

  2. Run docker network prune

  3. Run docker compose up

Simply changing the Docker subnet didn't work for me.

Now I can ping IP addresses behind VPN

Babad00k
4

What worked for me was to change docker subnet mask from /24 to /28, then restarted and I can now ping, telnet and other things on my vpn network. It says the default is /28 but docker desktop ships with /24 on it. Maybe it's a typo, I don't know.

Marco
1

Not sure why, but as others have suggested here changing Docker subnet worked. The only difference is that on Docker Desktop for Windows v4.14.0 setting subnet to /28 was not working.

[screenshot of the error message]

But just bumping the subnet IP address from 192.168.65.0/24 to 192.168.66.0/24 did the trick.

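The bip change in the daemon.json answer and the /28 and 192.168.66.0/24 changes in the three answers above all work for the same reason: they move Docker's addresses off a range the VPN also routes. Whether a particular value actually clears the VPN's routes can be checked instead of guessed. The following is an added example, not code from any of the answers: a POSIX shell check that tests each Docker subnet for overlap with each VPN route. The Docker subnets and VPN routes in it are constructed for the demonstration (the 192.168.65.0/24 value is the one the answers mention); on a real Mac the live routes come from `netstat -rn`, and on Linux from `ip route`. Function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: detect overlap between Docker subnets and VPN routes.
# Not part of any answer above. Pure POSIX sh arithmetic, no extra tools.

# ip4_to_int: dotted quad -> integer (subshell body keeps IFS local)
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_range: print "FIRST LAST" as integers for a prefix such as 192.168.65.0/24
cidr_range() {
    addr=${1%/*}
    bits=${1#*/}
    size=$(( 1 << (32 - bits) ))
    first=$(( $(ip4_to_int "$addr") & ~(size - 1) ))   # clear the host bits
    echo "$first $(( first + size - 1 ))"
}

# cidr_overlaps A B: succeed when the two prefixes share at least one address
cidr_overlaps() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# report_conflicts "DOCKER_CIDRS" "VPN_CIDRS": print each overlapping pair,
# return 1 if any overlap was found, 0 otherwise
report_conflicts() {
    found=0
    for d in $1; do
        for v in $2; do
            if cidr_overlaps "$d" "$v"; then
                echo "$d overlaps VPN route $v"
                found=1
            fi
        done
    done
    return $found
}

# Constructed values (not from a real host): Docker Desktop's VM subnet as the
# answers describe it plus the default bridge, and two routes a VPN might push.
DOCKER_DEFAULT="192.168.65.0/24 172.17.0.0/16"
DOCKER_SHRUNK="192.168.65.0/28 172.17.0.0/16"    # the /28 several answers switched to
DOCKER_MOVED="192.168.66.0/24 172.17.0.0/16"     # the alternative that worked on Windows
VPN_ROUTES="10.0.0.0/8 192.168.65.128/25"

echo "default:"; report_conflicts "$DOCKER_DEFAULT" "$VPN_ROUTES" || true
echo "/28:";     report_conflicts "$DOCKER_SHRUNK"  "$VPN_ROUTES" || true
echo "moved:";   report_conflicts "$DOCKER_MOVED"   "$VPN_ROUTES" || true
```

With these constructed routes the /24 collides with the VPN's 192.168.65.128/25 while the /28 and the 192.168.66.0/24 do not, which is the situation in which shrinking or moving the subnet helps. If the VPN pushes a route that covers the whole 192.168.65.0/24 (or a 192.168.0.0/16 default), shrinking to /28 will still collide and only moving the subnet will work; the check tells you which case you are in.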
1

Neither of the previously posted solutions worked for me on MacOS with OpenVPN client. I figured I only need to define extra_hosts like this:

version: "3.9"
services:
    app:
        extra_hosts:
            - "something.vpn:192.168.196.3"

Now accessing something.vpn inside Docker container leads to 192.168.196.3. There was no need to change docker subnet or anything else.

M C
0

Using docker run --net nat did the trick for me. This was for a Windows container running on Docker for Desktop (Windows)

Rob Dunbar
0

For those who are facing a similar issue (with timeout) but when --network host does work: it could be the mismatch in MTU (especially with WireGuard defaults).

Look at the output of ip link. What is the mtu for docker0 and wg0? If the former is larger than the latter (e.g. 1500 vs 1420), the packets coming from your container are probably just being dropped as they are too large.

This can help (in your docker-compose.yaml, or just create a similar external network):

networks:
  default:
    driver: bridge
    driver_opts:
      com.docker.network.driver.mtu: 1420

See also an article on this particular source of problems: https://sylwit.medium.com/how-we-spent-a-full-day-figuring-out-a-mtu-issue-with-docker-4d81fdfe2caf

(I wish I could find that article before solving the problem myself... let this be yet another gateway to the solution).

Andy Mikhailenko
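To apply the MTU comparison in the answer above without reading `ip link` by eye, here is an added shell example (not the answer's code): it pulls the MTU of the Docker bridge and of the VPN link out of `ip link` output, picks the value Docker networks should use, and prints the compose stanza from the answer with that value filled in. The `ip link` sample is constructed for the demonstration, with invented addresses; the interface names docker0 and wg0 are the ones the answer uses, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: choose com.docker.network.driver.mtu from `ip link` output.
# Not from the original answer.

# Constructed `ip link` output (not from a real host); MACs are invented.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 02:42:aa:bb:cc:dd brd ff:ff:ff:ff:ff:ff
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none'

# link_mtu NAME: read `ip link` text on stdin, print the MTU of interface NAME
link_mtu() {
    awk -v name="$1:" '$2 == name { for (i = 1; i < NF; i++) if ($i == "mtu") print $(i + 1) }'
}

# recommended_mtu TEXT BRIDGE VPN_IF: the MTU Docker networks should use so
# that a full-size packet leaving the bridge still fits inside the tunnel.
# Fails if either interface is missing from TEXT.
recommended_mtu() {
    bridge=$(printf '%s\n' "$1" | link_mtu "$2")
    vpn=$(printf '%s\n' "$1" | link_mtu "$3")
    if [ -z "$bridge" ] || [ -z "$vpn" ]; then
        echo "interface $2 or $3 not found" >&2
        return 1
    fi
    if [ "$bridge" -gt "$vpn" ]; then echo "$vpn"; else echo "$bridge"; fi
}

# compose_mtu_override MTU: the docker-compose networks stanza from the answer
# with the chosen value filled in
compose_mtu_override() {
    printf 'networks:\n  default:\n    driver: bridge\n    driver_opts:\n      com.docker.network.driver.mtu: %s\n' "$1"
}

mtu=$(recommended_mtu "$SAMPLE_IP_LINK" docker0 wg0)
echo "use MTU $mtu"
compose_mtu_override "$mtu"
# To confirm on a live Linux host, send a don't-fragment ping with the largest
# payload that fits (MTU minus 28 bytes of IPv4 + ICMP headers) through the
# tunnel; if that size fails, the chosen MTU is still too large:
#   ping -M do -s $((mtu - 28)) -c 3 <host behind the VPN>
```

Note that the compose `driver_opts` only affects networks compose creates; containers on the pre-existing default bridge keep its MTU until the daemon's own `mtu` setting is changed and the daemon restarted.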