8

I'm trying to use Docker on Windows while connected to a VPN.

When VPN is not connected, everything works OK.

But when I connect to our corporate VPN using the Cisco AnyConnect client, the network inside the Docker container stops working:

docker run alpine ping www.google.com
ping: bad address 'www.google.com'

docker run alpine ping -c 5 216.58.204.36
PING 216.58.204.36 (216.58.204.36): 56 data bytes
--- 216.58.204.36 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

How can I fix this issue and make it work?

My setup is:

  • Windows 10 Version 1809 (OS Build 17763.1098)
  • Docker Desktop Community 2.2.0.4 (43472): Engine 19.03.8, Compose 1.25.4, Kubernetes 1.15.5, Notary 0.6.1, Credential Helper 0.6.3
  • Docker is in Windows containers mode with experimental features enabled (needed to run Windows and Linux images at the same time)
Aleksei Petrov
  • Did you ever figure out the answer to this? I've been having a similar issue, been trying to test an application via my Docker Desktop but need it to connect to a database through VPN (also Cisco AnyConnect client) – m.e.conroy Apr 27 '20 at 13:14
  • Unfortunately, no. But Linux containers in pure Linux mode worked fine with this setup, so I'm trying to migrate to Linux containers completely. – Aleksei Petrov Apr 27 '20 at 17:13
  • Duplicate: https://stackoverflow.com/questions/56341873/windows-containers-have-no-internet-access-but-linux-containers-do-with-vpn-c#comment108640469_56341873? – kuga May 07 '20 at 18:51
  • @kuga, yes, seems very similar – Aleksei Petrov May 08 '20 at 17:50
  • I have a similar problem. I'm using MySQL and Karaf containers, I'm connected to the VPN and created a network with my public IP, but the connection does not work since I'm not able to call any services. – Tiago Machado Aug 05 '20 at 15:34

2 Answers

1

While my VPN (AnyConnect) was running, I had to run the following from PowerShell (admin mode):

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000
bantal
0

Actually I did it using Docker Desktop and Hyper-V virtual machines, using OpenConnect, but I think it can be done for most VPN clients with minor adaptations.

The fully explained instructions are here: Docker Desktop, Hyper-V and VPN, with the settings for Docker containers, Windows VMs and Linux VMs.

  • I created a new internal Virtual Switch (let's call it "Internal") and assigned to it a static IP address (let's say 192.168.4.2)

  • I created a new VM with Ubuntu server and OpenConnect, connected to both the default Virtual Switch and the "Internal"

  • On the OpenConnect VM

    • Assigned to "Internal" a fixed IP (192.168.4.3)

    • Added a new persistent tun interface and told openconnect to use it (adding the "-i tun0" parameter when starting openconnect)

      sudo ip tuntap add name tun0 mode tun

    • Installed the persist-iptables

    • Enabled IP forwarding (the redirect and sysctl -p have to run as root too, so tee is used instead of a plain sudo echo)

      echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf && sudo sysctl -p

    • Set up the routing

      sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
      sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
      sudo iptables -A FORWARD -o tun0 -j ACCEPT
      sudo iptables -A FORWARD -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      sudo iptables -A INPUT -i tun0 -j ACCEPT

    • After connecting to the VPN I permanently added the DNS servers to resolv.conf

    • And retrieved the VPN's address range (like 10.*.*.*)

  • On the Docker containers

    • Added the basic route in the Dockerfile

      RUN route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.4.3

    • Then, when running the container, I added the DNS settings, giving it NET_ADMIN and SYS_MODULE permissions

      --dns 8.8.8.8 --dns 10.1.77.21 --dns 10.4.52.21 --dns-search test.dns.it
      --cap-add=NET_ADMIN --cap-add=SYS_MODULE

Kendar
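The gateway-VM part of this procedure as one idempotent script, added here as an example rather than the answer's own commands. It assumes the VM's NIC on the "Internal" switch is eth1, that the switch's subnet is 192.168.4.0/24 (from the addresses above), that openconnect is started with -i tun0, and that the iptables-persistent package reloads /etc/iptables/rules.v4 at boot. Besides collapsing the steps, it scopes the NAT and FORWARD rules to the Internal subnet instead of accepting everything towards tun0, drops other forwarded traffic and leaves INPUT on tun0 closed, which is the part a defender would tighten. DRY_RUN=1 prints the commands for review instead of executing them.

```sh
#!/bin/sh
# Gateway-VM setup for the Hyper-V "Internal" switch -> OpenConnect tun0 layout.
# Added example, not the answer's own commands.  Assumed names:
#   INTERNAL_IF  the VM's NIC on the "Internal" switch (eth1 assumed)
#   INTERNAL_NET that switch's subnet (192.168.4.0/24, from the answer's addresses)
#   VPN_IF       the persistent tun device openconnect is started with (-i tun0)
set -eu

INTERNAL_IF="${INTERNAL_IF:-eth1}"
INTERNAL_NET="${INTERNAL_NET:-192.168.4.0/24}"
VPN_IF="${VPN_IF:-tun0}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rule TABLE CHAIN MATCH...: append an iptables rule only if it is not already
# present (-C), so re-running after a VPN reconnect does not duplicate rules.
rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$DRY_RUN" != "1" ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -A "$chain" "$@"
}

# The persistent tun device that "openconnect -i tun0" attaches to.
ensure_tun() {
    if [ "$DRY_RUN" != "1" ] && ip link show "$VPN_IF" >/dev/null 2>&1; then
        return 0
    fi
    run ip tuntap add name "$VPN_IF" mode tun
}

# Enable IPv4 forwarding now and across reboots.  The file is written from a
# root shell on purpose: with "sudo echo ... >> file" only echo runs as root,
# while the redirect is opened by the unprivileged user and fails.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    run sh -c 'printf "net.ipv4.ip_forward=1\n" > /etc/sysctl.d/99-vpn-gateway.conf'
}

# NAT policy scoped to the Internal subnet.  Compared with an unconditional
# "-A FORWARD -o tun0 -j ACCEPT": only the Hyper-V network may send traffic
# into the VPN, replies are limited to flows conntrack has seen, anything else
# that would be forwarded is dropped, and INPUT on tun0 stays closed because
# nothing on the VPN side needs to reach the gateway VM itself.
configure_nat() {
    run iptables -P FORWARD DROP
    rule nat POSTROUTING -s "$INTERNAL_NET" -o "$VPN_IF" -j MASQUERADE
    rule filter FORWARD -i "$INTERNAL_IF" -o "$VPN_IF" -s "$INTERNAL_NET" -j ACCEPT
    rule filter FORWARD -i "$VPN_IF" -o "$INTERNAL_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Save the rules where iptables-persistent reloads them from at boot (assumed path).
persist_rules() {
    run sh -c 'iptables-save > /etc/iptables/rules.v4'
}

setup_gateway() {
    ensure_tun
    enable_forwarding
    configure_nat
    persist_rules
}

# Only act when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "apply" ]; then
    setup_gateway
fi
```

Run it as root with `sudo ./vpn-gateway.sh apply`, or `DRY_RUN=1 ./vpn-gateway.sh apply` to see the eight commands it would issue. On the container side, the route towards the VPN range needs CAP_NET_ADMIN at run time (hence the --cap-add=NET_ADMIN above) and belongs in an entrypoint script rather than a Dockerfile RUN step: a RUN step's routing table lives in the throwaway build container and is not captured in the image.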
  • IMHO using Hyper-V is not state-of-the-art anymore. The way to go is to use WSL2 on Windows, which Docker Desktop now uses by default. Can someone confirm or deny whether Docker Desktop now solves the VPN issue with Cisco AnyConnect as claimed in the features? https://docs.docker.com/docker-for-windows/networking/#features - If not, this could be an option: https://github.com/sakai135/wsl-vpnkit – Jörg Jul 16 '21 at 11:33
  • Actually, with GlobalProtect 5.2.3 and WSL2, Docker Desktop works flawlessly, without any problem. But my new setup is based on openconnect in Docker, with the various VPN services running in the same Docker network and accessed through a Docker OpenVPN server :P The reason was to do some DNS hijacking, etc etc – Kendar Jul 16 '21 at 12:01