kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License
8.73k stars 2.39k forks

[Question] How access other services via VPN's ips #622

Open Zeldri opened 3 years ago

Zeldri commented 3 years ago

I wanted to know if it's possible to access other services, like a web GUI from another container, without using the server's private network. The server's and the client's private network is 192.168.1.0/24. I didn't change the VPN's configuration; it's still on 192.168.255.0. How can I access the other container via 192.168.255.1? Is it impossible because the VPN is in a Docker container?

Gooman-rus commented 3 years ago

I have the same problem: it's impossible to connect via port 80 to the host 192.168.255.1 (the OpenVPN server host) from a VPN client on the same network. How to fix this?

erhan- commented 3 years ago

I created a network with docker network create and added both the service and the openvpn service to this external network. Then I added the route to the subnet to my client config file. I guess it might also work if you add it to the server:

route 192.168.1.0 255.255.255.0

I can ping and access the internal services this way, but I would also like to add a DNS service so that DNS requests are also forwarded through the VPN to the internal DNS server. This way I can use the service names as hostnames instead of the IPs.

erhan- commented 3 years ago

Something like this works:

Create your network

docker network create --attachable -d bridge --gateway 192.168.22.1 --subnet 192.168.22.0/24 vpnnet

docker-compose.yml

version: '3.7'
services:
  openvpn:
    cap_add:
     - NET_ADMIN
    image: kylemanna/openvpn
    container_name: openvpn
    ports:
     - "1194:1194/udp"
    restart: always
    volumes:
     - /var/docker/volumes/openvpn:/etc/openvpn
    networks:
      vpnnet:
        ipv4_address: 192.168.22.100
  dns:
    restart: always
    image: strm/dnsmasq
    volumes:
      - ./dnsmasq.conf:/etc/dnsmasq.conf
    expose:
      - "53/udp"
      - "53/tcp"
    cap_add:
      - NET_ADMIN
    networks:
      vpnnet:
        ipv4_address: 192.168.22.101

networks:
  vpnnet:
    external: true

Then in the openvpn.conf (I have mounted the volume on my system):

### Route Configurations Below
route 192.168.254.0 255.255.255.0
route 192.168.22.0 255.255.255.0

### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 192.168.22.101"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no" 

In your client configuration this has to be appended for Linux:

route 10.24.2.0 255.255.255.0
comp-lzo no
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

On Android I have to add the route and the comp-lzo no command as well in the client configuration. Normally these should be pushed, but it is not happening somehow. Redirect gateway is off for me.

Everything works if all containers use the same network. If you start using multiple networks, I somehow can't contact other subnets. I can ping from within the container to other containers in other connected subnets, but the OpenVPN clients cannot.

It is a routing issue. The containers on the other network do not know where to route the VPN packets. You can check by trying to ping a VPN client IP from the other network, for example. Something like this works but is not a good solution:

ip route add 192.168.23.0/24 via ip_of_VPN dev interface_of_other_net

ip_of_VPN is the IP of the VPN server in the other network which you want to reach. This is not described well, and I will try to find a better solution first.

For a single container you do this:

docker exec -u root --privileged prometheus ip route add VPN_SUBNET via OPENVPN_IP

e.g.

docker exec -u root --privileged prometheus ip route add 10.10.10.0/24 via 10.10.9.11

where 10.10.9.11 is the IP on the network where prometheus, for example, is.
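The routing pieces described in the comment above (a shared attachable Docker network, a route into it for the VPN clients, and a return route to the VPN subnet inside each service container) are easy to get subtly wrong: OpenVPN's route/push directives want a dotted netmask rather than a /len, the Docker subnet must not overlap the VPN subnet, and the next hop of the return route has to be the openvpn container's IP on the same Docker network as the service. The POSIX shell script below is an added example, not code from this thread or from the kylemanna/docker-openvpn project; it generates the server-side push lines and the per-container return-route commands from CIDR notation and refuses the overlapping and wrong-next-hop cases. All subnets, IPs and the container name are illustrative assumptions.

```sh
#!/bin/sh
# Added example for this thread; not code from the issue or from kylemanna/docker-openvpn.
# Layout assumed (after erhan-'s comment): the openvpn container and the services it
# should expose share one attachable Docker network, clients need a route into that
# network, and each service container needs a return route to the VPN subnet via the
# openvpn container. All addresses and container names are illustrative.
set -eu

# Dotted-quad IPv4 -> integer. Returns 1 on malformed input.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  for o in "$a" "$b" "$c" "$d"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Integer -> dotted quad.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> mask as integer (OpenVPN's "route" wants a dotted mask, not /len).
len2mask() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -le 32 ] || return 1
  if [ "$1" -eq 0 ]; then echo 0; return 0; fi
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# CIDR -> "network mask" integers with host bits cleared
# (192.168.22.100/24 and 192.168.22.0/24 both give the 192.168.22.0 network).
cidr_parse() {
  ip=$(ip2int "${1%/*}") || return 1
  mask=$(len2mask "${1#*/}") || return 1
  echo "$(( ip & mask )) $mask"
}

# CIDR -> the "route <net> <mask>" form an openvpn.conf expects.
route_line() {
  p=$(cidr_parse "$1") || return 1
  echo "route $(int2ip "${p% *}") $(int2ip "${p#* }")"
}

# Exit 0 if CIDR $1 and CIDR $2 overlap, 1 if disjoint, 2 on bad input.
cidr_overlap() {
  p1=$(cidr_parse "$1") || return 2
  p2=$(cidr_parse "$2") || return 2
  n1=${p1% *}; m1=${p1#* }; n2=${p2% *}; m2=${p2#* }
  # Compare both networks under the shorter prefix (the smaller mask value).
  if [ "$m1" -lt "$m2" ]; then m=$m1; else m=$m2; fi
  [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# Server-side openvpn.conf fragment: push a route into each Docker subnet to the
# clients (so the client config need not carry it by hand) and point them at the
# in-network resolver. Refuses Docker subnets that overlap the VPN subnet, since a
# client would then send that traffic into the tunnel with no unambiguous way back.
# Usage: server_fragment VPN_SUBNET DNS_IP DOCKER_SUBNET...
server_fragment() {
  vpn=$1; dns=$2; shift 2
  cidr_parse "$vpn" >/dev/null || return 1
  ip2int "$dns" >/dev/null || return 1
  for net in "$@"; do
    r=$(route_line "$net") || return 1
    if cidr_overlap "$vpn" "$net"; then
      echo "error: VPN subnet $vpn overlaps Docker network $net" >&2
      return 1
    fi
    echo "push \"$r\""
  done
  echo "push \"dhcp-option DNS $dns\""
  echo 'push "block-outside-dns"'
}

# The per-container return route (the docker exec fix from the comment above), printed
# rather than run so it can be reviewed first; pipe the output into sh to apply it.
# Checks that the openvpn container's IP lies inside the Docker subnet the service
# sits on; otherwise the kernel has no on-link path to that next hop and rejects the route.
# Usage: return_route_cmd CONTAINER VPN_SUBNET OPENVPN_IP DOCKER_SUBNET
return_route_cmd() {
  cidr_parse "$2" >/dev/null || return 1
  if ! cidr_overlap "$3/32" "$4"; then
    echo "error: $3 is not inside $4; use the openvpn container's IP on that network" >&2
    return 1
  fi
  echo "docker exec -u root --privileged $1 ip route add $2 via $3"
}

# Demonstration with the original poster's default VPN subnet and an assumed
# vpnnet = 192.168.22.0/24 with openvpn at .100 and dnsmasq at .101.
server_fragment 192.168.255.0/24 192.168.22.101 192.168.22.0/24
return_route_cmd prometheus 192.168.255.0/24 192.168.22.100 192.168.22.0/24
```

The pushed route covers only Linux and desktop clients that honour pushes; as the comment notes, some Android clients needed the route written into the client profile, where the same "route <net> <mask>" text applies.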

asfernandes commented 3 years ago

dnsmasq.conf

@erhan- What do you have in your dnsmasq.conf?

erhan- commented 3 years ago

Sorry, I gave up doing it this way and simply run the OpenVPN server on the host. Way easier for the setup I want to achieve. Dnsmasq was set up so that it only acts as a DNS relay, and I added all static hosts there, iirc.
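A dnsmasq.conf matching the description above (a pure relay with static host records for the containers) as an added illustration, not the file from the thread; the upstream resolvers, the vpn.local domain, the interface name and the addresses are assumptions that fit the 192.168.22.0/24 vpnnet from the earlier comment:

```conf
# Added example; not the dnsmasq.conf from this thread.
# Ignore the container's /etc/resolv.conf and forward only to these upstreams (assumed).
no-resolv
server=8.8.8.8
server=8.8.4.4

# Answer only on the interface attached to vpnnet (interface name assumed).
interface=eth0
bind-interfaces

# Never forward bare hostnames or reverse lookups for private ranges upstream.
domain-needed
bogus-priv

# Names under vpn.local (assumed domain) are answered here and never forwarded.
local=/vpn.local/
host-record=openvpn.vpn.local,192.168.22.100
host-record=prometheus.vpn.local,192.168.22.102
```

With the server pushing dhcp-option DNS for the dnsmasq container's address, VPN clients resolve these names through the tunnel. The block-outside-dns push seen earlier in the thread only affects Windows clients; on other platforms the resolver is set by the client's own up/down scripts, such as the update-resolv-conf lines in the Linux client configuration above.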