Closed alessandroros closed 6 months ago
I've never thought about such a scenario. Disclaimer: I'm neither a networking nor an OpenVPN expert, but let's see what we can figure out.
I don't think it can work out of the box. The following points need to be considered:
So maybe all that's missing is the possibility to define the tap device name for a container.
Can you elaborate on the issues you've encountered once you tried setting up a second container? That might tell us if it's indeed a conflict of tap interfaces or if there is anything else to consider. And can you also go into more detail about the use case and architecture you have in mind? I use this container to be able to use broadcast over VPN as well, that works fine. Do you need to relay broadcast packets to multiple networks over vpn?
Thanks for answering, really appreciated.
> And can you also go into more detail about the use case and architecture you have in mind
Yes sure, once I receive a "help request", I need to connect 2 PCs remotely in the same "LAN", so that both are able to reach each other. The protocol I'm using relies on the transmission/reception of broadcast packets sent over this network (for discovering the counterpart) and that's why I need a bridged VPN with tap support. I've read many times that tun is working at layer 3, so I need tap and bridging to operate at layer 2. This is for 1 request; if I have a second request in parallel, I would not like to put the 2nd couple of PCs on the same "LAN" as the previous one, so that's why I thought about generating several OpenVPN servers as containers in order to isolate all "couples" in their specific VPN server.
> Can you elaborate on the issues you've encountered once you tried setting up a second container? That might tell us if it's indeed a conflict of tap interfaces or if there is anything else to consider.
I think that you already understood where one issue is. Since I cannot define the name of the second container's tap device, it probably tries to map to tap0, which is already in use. Here is the log of the docker which quits:

```
2024-05-03 13:52:57 Diffie-Hellman initialized with 2048 bit key
2024-05-03 13:52:57 CRL: loaded 1 CRLs from file /etc/openvpn/crl.pem
2024-05-03 13:52:57 ROUTE_GATEWAY 10.243.64.1/255.255.255.0 IFACE=eth0 HWADDR=02:00:01:2a:18:01
2024-05-03 13:52:57 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
2024-05-03 13:52:57 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.254.0
2024-05-03 13:52:57 TUN/TAP device tap0 opened
2024-05-03 13:52:57 Could not determine IPv4/IPv6 protocol. Using AF_INET
2024-05-03 13:52:57 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-05-03 13:52:57 UDPv4 link local (bound): [AF_INET][undef]:1195
2024-05-03 13:52:57 UDPv4 link remote: [AF_UNSPEC]
2024-05-03 13:52:57 GID set to nogroup
2024-05-03 13:52:57 UID set to nobody
2024-05-03 13:52:57 MULTI: multi_init called, r=256 v=256
2024-05-03 13:52:57 IFCONFIG POOL IPv4: base=10.243.64.150 size=11
2024-05-03 13:52:57 Initialization Sequence Completed
Tearing down bridge...
Stopping OpenVPN
Removing iptables rules
2024-05-03 14:18:16 event_wait : Interrupted system call (fd=-1,code=4)
2024-05-03 14:18:16 Closing TUN/TAP interface
2024-05-03 14:18:16 SIGTERM[hard,] received, process exiting
Shuttdown down bridge
Deleting bridge
Removing tap device
2024-05-03 14:18:16 TUN/TAP device tap0 opened
2024-05-03 14:18:16 Persist state set to: OFF
setting IP, subnet and broadcast address for physical device
```

This is the 2nd container and, as you see, it is trying to create the tun/tap device tap0, but it would probably be better if it used tap1 since tap0 is already in use.
```
ifconfig
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.243.64.7  netmask 255.255.255.0  broadcast 10.243.64.255
        inet6 fe80::6cfd:a7ff:febc:e92a  prefixlen 64  scopeid 0x20
        ether 02:00:01:2a:18:01  txqueuelen 1000  (Ethernet)
        RX packets 35632  bytes 4484584 (4.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 38353  bytes 6468959 (6.1 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:48:bd:c6:bb  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 10.243.64.7  netmask 255.255.255.0  broadcast 10.243.64.255
        inet6 fe80::1ff:fe2a:1801  prefixlen 64  scopeid 0x20
        ether 02:00:01:2a:18:01  txqueuelen 1000  (Ethernet)
        RX packets 36630  bytes 5100256 (4.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 41472  bytes 6865798 (6.5 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.243.64.4  netmask 255.255.255.0  broadcast 10.243.64.255
        inet6 fe80::3ff:fe2a:1801  prefixlen 64  scopeid 0x20
        ether 02:00:03:2a:18:01  txqueuelen 1000  (Ethernet)
        RX packets 6021  bytes 377900 (369.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6037  bytes 275034 (268.5 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10

tap0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::e40a:eaff:fe1e:2bcb  prefixlen 64  scopeid 0x20
        ether e6:0a:ea:1e:2b:cb  txqueuelen 1000  (Ethernet)
        RX packets 586  bytes 50958 (49.7 KiB)
        RX errors 0  dropped 4  overruns 0  frame 0
        TX packets 19  bytes 1882 (1.8 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```
As you can see here, I added another network interface eth1 because I didn't know whether it was needed or not to map another bridged VPN server on a different port.
> Do you need to relay broadcast packets to multiple networks over vpn?

No, like you I only need the broadcast in the same network, not on multiple networks.
Any suggestion on your side would be really appreciated.
Ok, I just added a change to `ovpn_genconfig` that will allow you to specify the OpenVPN device number the container will create. When creating the container's configuration, you can pass `-t -o 1` to make the container use `tap1` instead of `tap0`.
This change is only present in the `dev` branch and thus the `edge` tag.
Let me know if that lets you get one step further.
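The root cause in this thread is two containers both opening `tap0` on the same host. As an added example (not part of the project's own scripts or of either participant's message), here is a small POSIX shell helper that picks the lowest unused `tapN` index from a list of existing interface names, and a check that spots the collision in a container's OpenVPN log before it is started. The interface list and log line are constructed inline to mirror the `ifconfig` and log output quoted above; on a real host you would feed it `ip -o link` output instead, and pass the resulting number to `ovpn_genconfig -t -o N` as described in the fix.

```shell
#!/bin/sh
# Added example, not the project's code. Helpers for running several bridged
# OpenVPN containers on one host without two of them fighting over tap0.

# next_free_tap LIST
#   LIST: interface names, one per line (in practice the second column of
#   `ip -o link`; here a constructed sample is used so it runs offline).
#   Prints the lowest N for which "tapN" is not in LIST.
next_free_tap() {
    n=0
    while printf '%s\n' "$1" | grep -qx "tap$n"; do
        n=$((n + 1))
    done
    echo "$n"
}

# log_tap_conflict LIST LOG
#   Extracts the device from the first "TUN/TAP device tapN opened" line in
#   LOG and returns success (0) if that device already exists in LIST, i.e.
#   the container is about to reuse an interface another container owns.
log_tap_conflict() {
    ifaces=$1
    log=$2
    dev=$(printf '%s\n' "$log" \
        | sed -n 's|.*TUN/TAP device \(tap[0-9]*\) opened.*|\1|p' \
        | head -n 1)
    [ -n "$dev" ] && printf '%s\n' "$ifaces" | grep -qx "$dev"
}

# Constructed sample: the interfaces visible in the ifconfig output above.
SAMPLE_IFACES="br0
docker0
eth0
eth1
lo
tap0"

# Constructed sample: the line the second container logged while starting.
SAMPLE_LOG="2024-05-03 14:18:16 TUN/TAP device tap0 opened"

# Stand-alone usage: report the collision and suggest the next free index.
if log_tap_conflict "$SAMPLE_IFACES" "$SAMPLE_LOG"; then
    idx=$(next_free_tap "$SAMPLE_IFACES")
    echo "tap device already in use on this host; generate the config with: -t -o $idx"
fi
```

The design choice is to derive the index from what the host actually has rather than from a counter kept per container, so a restarted or manually created interface is never handed out twice; the `-t -o N` arguments are the ones the fix above introduces, nothing else about `ovpn_genconfig` is assumed.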
Hi, it has worked like a charm! Great, we were able to create a second VPN after adding an additional eth1 interface (eth0 was already in use by the other docker).
Glad to hear, thanks for the test! I'll incorporate this change into the main branch and create a proper release for it.
I need to propagate broadcast packets, that's why I'm interested in this docker image with TAP support. My request is to be able to run multiple VPN servers (on different UDP ports of course) on the same host. Are you able to do that?
Should I create one physical interface for each Docker container, or is it not needed? I was able to create a first container with a VPN server running on it, but I had some issues creating multiple containers.
Any tips?