Closed bbirand closed 9 years ago
Hi!
Are you creating a tun or tap device?
(I'm asking, because tun is level 3, and you cannot bridge it, AFAIK; so I think you meant tap but want to be sure first.)
Thanks for the reply! Here are more clarifications:
I actually am creating a tun device (sadly that's what my VPN provider supports). But explaining what I'm trying to do may help:
I want to create an outgoing VPN connection from within a docker container (which I have done), and then route traffic from the host OS through that connection. With pipework, I can create the eth1 device in the container that has a bridge interface in the host. The way I figured I'd approach my problem is to do the same, but instead of bridging to eth1, do it to the tun device created by OpenVPN. How does this sound?
Hi!
In that case, I think you cannot use bridging, because tun is level 3, not level 2.
Here is how I would do it:
10.0.0.0/8
iptables rule, e.g. iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
172.17.0.123
ip route add 10.0.0.0/8 via 172.17.0.123
Does that make sense?
Thanks again for the answer, jpetazzo (and sorry I couldn't get back earlier). You are absolutely right, in that I can't add the tun device to a regular bridge. I actually want to add that device to an openvswitch, not a regular bridge-tools switch, which I realize I didn't specify earlier. I essentially want to have an ovsbr0 device in the host, and then decide which connections to send out through the tun device of OpenVPN that's within a docker container.
I realize now that this is all becoming too problem-specific, and I definitely understand if it's beyond the scope of a GitHub "Issues" page..
Hmm, are you sure that it is possible to add a tun device (not tap!) to an OVS bridge?
I'd love to read some docs about that, since I thought it wasn't possible.
Well, I just followed the guerilla method of trying to add the device:
$ openvpn --config a_config.ovpn &
$ ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.116.1.6 P-t-P:10.116.1.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:66 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:4384 (4.3 KB) TX bytes:0 (0.0 B)
$ ovs-vsctl add-port ovsbr0 tun0
$ ovs-vsctl list-ports ovsbr0
pl11334eth1
pl11404eth1
tun0
Am I missing something?
Well!
Disclaimer: I certainly don't know enough about OVS.
I would think that this cannot work, because the tun interface cannot transport Ethernet headers (and an OVS bridge is supposed to transport Ethernet, right?).
tap device?
But don't forget my disclaimer :-)
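A pre-check for the experiment discussed above, as an added example that is not part of the original thread or of pipework: the add-port command succeeds without saying whether the device carries Ethernet frames, so this reads the device type from sysfs first. The function names and the constructed sysfs tree are assumptions for illustration; tun_flags and type are the standard Linux sysfs attributes.

```shell
# Classify a Linux network interface as layer 3 (tun) or layer 2 (tap/Ethernet)
# from sysfs, before trying to attach it to a bridge.
# Usage: link_layer IFACE [SYSFS_NET_DIR]   (second argument is for testing)
link_layer() {
    dir="${2:-/sys/class/net}/$1"
    [ -d "$dir" ] || { echo "missing"; return 1; }
    # tun_flags exists only for devices created by the tun/tap driver.
    if [ -r "$dir/tun_flags" ]; then
        flags=$(cat "$dir/tun_flags")
        # IFF_TUN = 0x0001 (IP packets), IFF_TAP = 0x0002 (Ethernet frames)
        case $(( ${flags:-0} & 3 )) in
            1) echo "l3-tun"; return 0 ;;
            2) echo "l2-tap"; return 0 ;;
        esac
    fi
    # Fall back to the ARPHRD_* link type: 1 = Ethernet, 65534 = none (raw IP).
    case "$(cat "$dir/type" 2>/dev/null)" in
        1)     echo "l2-ether" ;;
        65534) echo "l3-none" ;;
        *)     echo "unknown" ;;
    esac
}

# Exit 0 only if the interface carries Ethernet frames and can be a bridge port.
bridgeable() {
    case "$(link_layer "$1" "$2")" in
        l2-*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Constructed sample: a fake sysfs tree mirroring the thread's tun0, plus tap0/eth1.
demo=$(mktemp -d)
mkdir -p "$demo/tun0" "$demo/tap0" "$demo/eth1"
echo 0x1001 > "$demo/tun0/tun_flags"; echo 65534 > "$demo/tun0/type"
echo 0x1002 > "$demo/tap0/tun_flags"; echo 1 > "$demo/tap0/type"
echo 1 > "$demo/eth1/type"
for i in tun0 tap0 eth1; do
    if bridgeable "$i" "$demo"; then v="ok to bridge"; else v="route/NAT instead"; fi
    echo "$i: $(link_layer "$i" "$demo") -> $v"
done
rm -rf "$demo"
```

On a real host, call bridgeable tun0 with no second argument to read /sys/class/net directly.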
Closing older issues.
@jpetazzo I'm configuring a setup like the one you describe. I can ping other clients in the VPN from both the container and the host, but in addition I would like to be able to ping from other machines using the host as the gateway. I've set up a route from another machine but it's not enough; I think I need to add some iptables rule in the host, but my iptables wizardry is very limited and I didn't manage to make it work. Any suggestions?
Hi @hugochinchilla,
Could you open a new issue with that question, please?
Thank you!
It's not really an issue with pipework, I'm not using it, just asking for advice. I found this when googling and it looks a lot like my setup.
Ah, if you're not using pipework, I'm sorry, this is probably not the right venue for your question... Maybe you could try on Stack Overflow? Sorry again!
Hi,
Thanks a lot for pipework, it is truly very useful! I have an unusual setup, in which I am running an OpenVPN client inside a docker container. This creates a tun device inside the container. I now want to bridge this tun interface with a bridge that exists on the host device, in order to transmit data out of this VPN connection. Is this possible?
Thanks!