Score:-1

How to allow VPN traffic to a Docker Container


I have the following:

                                            Docker Host (public IP 5.6.7.8)
(1) Client (IP 1.2.3.4) <--> (2) OpenVPN in a Container (public IP 5.6.7.8, port 1194)
                             (3) App in a Container (public IP 5.6.7.8, port 1234)

So, from my phone, I want to connect to my OpenVPN server as a client and, after that, I want to connect to my app (e.g. Nextcloud). This is probably a firewall issue. I want to block all traffic except what is coming from the VPN. I tried different rules and ways to figure out what I need to do. So far I haven't arrived at a solution.

This will block the traffic to the app:

-A DOCKER-USER -p tcp --dport 1234 -j DROP

This will allow it to work:

-A DOCKER-USER -p tcp -s 1.2.3.4/32 --dport 1234 -j ACCEPT

The rule that works for me is not good because I have to add each client's source IP. As far as I know, all the traffic is routed through the VPN (e.g. the public IP changes after I connect to it).

Any help is appreciated.

Score:0

Why not just allow traffic from the OpenVPN server itself? Basically you want to set up your VPN server as a middleman.

So instead of,

-A DOCKER-USER -p tcp -s 1.2.3.4/32 --dport 1234 -j ACCEPT

do

-A DOCKER-USER -p tcp -s [VPN_IPv4_ADDRESS] --dport 1234 -j ACCEPT
Mars:
That doesn't work, unfortunately, I tried. Using tcpdump it seems that the traffic from the client is interpreted by the Docker Host as having the source IP 1.2.3.4 instead of [VPN_IPv4_ADDRESS].
mortal36:
[VPN_IPv4_ADDRESS] would be the IP address of the machine your VPN is on.
mortal36:
@Mars you can get the IP address of the VPN host by running `ip addr show` on the VPN host (assuming it's Linux-based).
Mars:
I tried with the public IP address of the Docker Host (same public IP also for the VPN server). It is Linux-based. `ip addr show` will present a lot of interfaces; I will add below some of them that might be related: - eno1, 192.168.0.4/24 -> IP from my router | - docker0, 172.17.0.1/16 -> Docker interface | - br-38fd1e596448, 172.26.0.1/16 -> interface for my OpenVPN Container | Which IP are you suggesting I try?
mortal36:
Try the router IP and then try the OpenVPN IP. If neither works, then I will have to revise my answer.
Mars:
Thanks for the input. It seems that it is working with the OpenVPN private IP / 24. I probably have to figure out how to get this IP dynamically.
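The following script is an added example, not code posted by anyone in this thread. It turns the working approach above (allow the app port only from the OpenVPN container's private address, drop everything else in DOCKER-USER) into something that does not need a hard-coded address: the OpenVPN container's address is read from Docker at run time. Assumptions that the thread does not state: the OpenVPN container is named `openvpn`, the app listens on port 1234 inside its container, and the OpenVPN container masquerades tunnel traffic, so the app sees the container's bridge address (which matches what Mars found worked) rather than the tunnel address. A /32 on the container's address is used instead of the bridge's /24, so other containers on the same bridge are not implicitly allowed through.

```shell
#!/bin/sh
# Added example for the thread above; not the thread's own code.
# Generates (and optionally applies) DOCKER-USER rules that drop forwarded
# traffic to the app's container port unless it comes from the OpenVPN
# container, whose address is looked up from Docker instead of hard-coded.
# Assumed names (not from the thread): container "openvpn", app port 1234.
set -eu

# DOCKER-USER is reached from FORWARD after Docker's DNAT has already
# happened, so the port to match is the container's port, not the published
# host port (they are the same in this thread's setup).
APP_PORT=${APP_PORT:-1234}
VPN_CONTAINER=${VPN_CONTAINER:-openvpn}

# Address of the OpenVPN container on each Docker network it is attached to.
# Requires the docker CLI; only called when the script is run with an action.
vpn_sources() {
    docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}} {{end}}' \
        "$VPN_CONTAINER"
}

# Append /32 to a bare IPv4 address; keep an existing prefix length as-is,
# so a tunnel subnet such as 10.8.0.0/24 can be passed through unchanged.
to_cidr() {
    case $1 in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# Emit one idempotent iptables command for a rule spec: insert it only if
# an identical rule is not already present (-C), so re-running the script
# does not pile up duplicates.
# -I (insert at the top) rather than -A is deliberate: Docker's own
# DOCKER-USER chain ends in "-j RETURN", and a rule appended after that
# RETURN is never evaluated.
rule() {
    printf 'iptables -C DOCKER-USER %s 2>/dev/null || iptables -I DOCKER-USER %s\n' \
        "$*" "$*"
}

# Build the commands for PORT and a list of allowed source addresses.
# The DROP is emitted first: each later -I lands above it, so the ACCEPTs
# end up ahead of the DROP in the chain.
build_rules() {
    port=$1; shift
    rule "-p tcp --dport $port -j DROP"
    for src in "$@"; do
        rule "-p tcp -s $(to_cidr "$src") --dport $port -j ACCEPT"
    done
}

# "print" shows what would be run; "apply" executes it. With no argument
# the script only defines the functions above.
case ${1:-} in
    print) build_rules "$APP_PORT" $(vpn_sources) ;;
    apply) build_rules "$APP_PORT" $(vpn_sources) | sh -e ;;
esac
```

Run it as `sh docker-vpn-rules.sh print` first and check the output against `iptables -S DOCKER-USER`, then `apply` as root. Two things the rules cannot fix on their own: the VPN client must actually route traffic for 5.6.7.8 through the tunnel (a `redirect-gateway` or a route pushed by the server), otherwise the app still sees the client's public IP as the source, which is the symptom Mars reported with tcpdump; and rules inserted this way do not survive a reboot or a Docker restart of the chain unless you persist them (for example with iptables-persistent) or re-run the script from a unit that starts after Docker. If your OpenVPN container does not masquerade, the source the app sees is the tunnel address, so pass the tunnel subnet (e.g. `10.8.0.0/24`) to `build_rules` instead of the container address.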