5

I am currently using tinc to create a VPN between two servers. This allows me to access B from server A through the IP address 10.0.0.2 and creates an interface:

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.0.0.1  netmask 255.255.255.0  destination 10.0.0.1
        inet6 fe80::babb:cc53:dd5e:23f8  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 42  bytes 11987 (11.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 55  bytes 7297 (7.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I would like to pass this route to my docker container on server A:

version: '3.2'
services:
  traefik:
    image: "traefik:v2.2.0"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./acme:/acme"
      - "./traefik.toml:/traefik.toml"
      - "./rules:/etc/traefik/rules"
    networks:
      - traefik
    deploy:
      placement:
        constraints:
          - node.role == manager

networks:
  traefik:
    external: true

Currently inside the container traefik I can ping 10.0.0.2 but it is a different host completely.

If I remove:

networks:
  traefik:
    external: true

and add network_mode: host within the traefik service I can route to 10.0.0.2 but then I cannot access other containers which share the traefik network.

If I try and put them both together I get the error:

'network_mode' and 'networks' cannot be combined


In other words how can I create the dashed line connection?

[diagram image]

This also depicts my problem in that container B can't be in both networks at once.

[diagram image]

I added Server A just as a more real world example of a swarm.

maxisme
  • 3,974
  • 9
  • 47
  • 97
  • what do you mean by "pass this connection to my docker container" and "Pass a network interface to docker container"? What are you trying to achieve? – Maxim Sagaydachny Apr 26 '20 at 04:37
  • Within the container `traefik` I would like to be able to have `10.0.0.2` point to the same address as on my host (as created by `tinc`). Does that make sense? – maxisme Apr 26 '20 at 10:58
  • no. it does not make sense. there are servers and clients. can you describe the problem from such a point of view? – Maxim Sagaydachny Apr 26 '20 at 11:04
  • I am not quite sure how clients come into this? I just added a diagram. So as high level as I can think of - on `Server A` I can access Server B through `10.0.0.2` I would also like to be able to access `Server B` from within the `Traefik Container`. Does that help you understand at all? – maxisme Apr 26 '20 at 11:14
  • @maxisme that does make sense. What's the config for other containers (one would be enough)? Your `tinc.conf` also might be useful here (use Pastebin if it is a long file). – ximaera Apr 28 '20 at 18:17
  • How do you mean config for the other containers? Please just act as if there is only one container - `traefik container`. – maxisme Apr 28 '20 at 18:23
  • the tinc.conf is just: ``` Name = cloud AddressFamily = ipv4 Interface = tun0 ``` – maxisme Apr 28 '20 at 18:24
  • @maxisme I can't :-) A part of your issue is inability to communicate to *other containers*. – ximaera Apr 28 '20 at 18:25
  • @maxisme I'll be more specific. "I can ping 10.0.0.2 but it is a different host completely" — this part is unclear: there's a different host (other than B) under the IP address 10.0.0.2, and you're landing there instead of B? – ximaera Apr 28 '20 at 18:29
  • Inability to communicate to other containers AND the host. I can do OR... Does that make sense? I think the solution is to somehow expose the host to the overlay network. – maxisme Apr 28 '20 at 18:29
  • @ximaera I think that is just a sidenote. The container has absolutely no concept of 10.0.0.2 in the first place but annoyingly that IP is used by swarm. – maxisme Apr 28 '20 at 18:31
  • @maxisme what IP addresses are in use in your network bridge on server A? E.g. what IP address is `traefik` being assigned? – ximaera Apr 28 '20 at 18:39

1 Answer

0

A solution I came up with was to not use tinc at all and to use autossh to effectively port forward with a command like this:

autossh -M 43585 -o "compression=no" -o "cipher=aes128-gcm@openssh.com" -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -NR 3000:localhost:3000 root@serverA

Ran on server B (first image).

This means that I can then route from the container to Server B via http://serverA:3000 for example.

maxisme
  • 3,974
  • 9
  • 47
  • 97
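The autossh reverse tunnel above uses `-R 3000:localhost:3000`, and by default sshd binds such a remote forward to the loopback address of the SSH server only (the sshd `GatewayPorts` default), so it is worth confirming on server A where the forwarded port actually listens before relying on it from a container. The following shell script is an added example, not code from the answer above: it rebuilds the autossh command line from parameters, then parses `ss -ltn`-style listener output to classify the exposure of the forwarded port. The host names `serverA`, the ports and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). Hostnames, ports and the
# sample listener output below are constructed, not taken from a real system.

# Rebuild the autossh reverse-tunnel command line from the answer's shape.
# Args: monitor_port remote_port local_port user@host
build_tunnel_cmd() {
  monitor_port="$1"; remote_port="$2"; local_port="$3"; dest="$4"
  printf '%s' "autossh -M $monitor_port -o \"compression=no\" -o \"cipher=aes128-gcm@openssh.com\" -o \"ServerAliveInterval 30\" -o \"ServerAliveCountMax 3\" -NR ${remote_port}:localhost:${local_port} $dest"
}

# Given a port and the text output of `ss -ltn`, print the address that port is
# bound to (e.g. 127.0.0.1, 0.0.0.0, [::]) or "none" if nothing listens on it.
bind_address_for_port() {
  port="$1"
  printf '%s\n' "$2" | awk -v p="$port" '
    NR > 1 {
      n = split($4, parts, ":")
      if (parts[n] == p) { sub(":" p "$", "", $4); print $4; found = 1; exit }
    }
    END { if (!found) print "none" }'
}

# Classify what a bind address means for reachability of the forwarded port.
# A loopback-only bind is reachable from the SSH server itself but not from
# other hosts; an all-interfaces bind is reachable from anywhere that can
# route to the server.
exposure_of() {
  case "$1" in
    127.0.0.1|"[::1]")   echo "loopback-only" ;;
    0.0.0.0|"*"|"[::]")  echo "all-interfaces" ;;
    none)                echo "not-listening" ;;
    *)                   echo "specific-address" ;;
  esac
}

# Constructed sample of `ss -ltn` output on server A: the reverse forward on
# 3000 is bound to loopback only, sshd itself listens on all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:3000    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*'

# Demo run (on a real host replace SAMPLE_SS with "$(ss -ltn)").
echo "command: $(build_tunnel_cmd 43585 3000 3000 root@serverA)"
addr="$(bind_address_for_port 3000 "$SAMPLE_SS")"
echo "port 3000 bound to: $addr ($(exposure_of "$addr"))"
```

Because the answer's container reaches the tunnel via the host name of server A rather than via loopback, this check tells you whether that path can work at all with the current sshd settings, and whether widening the bind would also expose the forwarded port beyond the host.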