wfg / docker-openvpn-client

OpenVPN client with killswitch and proxy servers; built on Alpine
MIT License

Docker-compose works in local contexts, but not remote contexts #106

Closed brandon-arnold closed 1 year ago

brandon-arnold commented 1 year ago

Love this container! I'm having an issue getting this to work in my remote context, though.

I'm composing both this container as well as the serjs/go-socks5-proxy that is inheriting the network. Here's the docker-compose.yml that works great with the local context (on my local machine) as a SOCKS5 VPN proxy, with my browser pointing at 0.0.0.0:1080

services:
  openvpn-client:
    image: ghcr.io/wfg/openvpn-client:3.1
    container_name: openvpn-client
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - /path/to/my/config:/data/vpn
    environment:
      - CONFIG_FILE=my_expressvpn.ovpn
      - ALLOWED_SUBNETS=0.0.0.0/0
      - KILL_SWITCH=on
      - VPN_AUTH_SECRET=expressvpn_userpass
    restart: unless-stopped
    ports:
      - 1080:1080
    secrets:
      - expressvpn_userpass
  go-socks5-proxy:
    image: serjs/go-socks5-proxy
    container_name: go-socks5-proxy
    network_mode: service:openvpn-client
secrets:
  expressvpn_userpass:
    file: /path/to/my/config/userpass

When I try to deploy this to the remote context, it seems to complete the initialization sequence fine, but it seems to time out when my local browser tries to connect to it. When the container isn't running, the host actively refuses my proxy connections, but when running it just times out. Sometimes there is one error reported by the go-socks5-proxy container that pops up from time to time that is probably related:

socks: Failed to handle request: readfrom tcp ...: splice: connection reset by peer

The weird thing is that the serjs/go-socks5-proxy works fine on the remote host by itself:

services:
  go-socks5-proxy:
    image: serjs/go-socks5-proxy
    container_name: go-socks5-proxy
    ports:
      - 1080:1080

I can set the local browser proxy to the remote docker host IP and the proxy works great.

Any idea where the breakdown may be happening?

brandon-arnold commented 1 year ago

Ooookay. I shelled into the container and ip route didn't have any of my subnets. Then I remembered #102 and ALLOWED_SUBNETS isn't doing jack squat in that version.
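A quick way to confirm what the comment above found, as an added example that is not the project's own code: a POSIX shell check that takes the ALLOWED_SUBNETS value and the text of `ip route` from inside the container and lists every subnet that has no route of its own or whose route points at the tunnel. The routing tables and subnets below are constructed samples.

```shell
#!/bin/sh
# Added diagnostic, not part of wfg/openvpn-client. With the kill switch on, a
# subnet that has no route of its own falls under the tunnel's 0.0.0.0/1 and
# 128.0.0.0/1 routes (OpenVPN's redirect-gateway def1), so replies to LAN
# clients are sent into the tunnel instead of back over the Docker bridge and
# the proxy connection times out, exactly the symptom in this issue.

# Constructed sample 1: routing table of a container where ALLOWED_SUBNETS had
# no effect (only the tunnel and the Docker bridge are present).
BROKEN_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 172.18.0.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.2'

# Constructed sample 2: the same container after routes for two allowed
# subnets were installed via the Docker bridge gateway.
FIXED_ROUTES="$BROKEN_ROUTES
192.168.1.0/24 via 172.18.0.1 dev eth0
10.0.0.0/8 via 172.18.0.1 dev eth0"

# route_dev SUBNET ROUTES_TEXT
# Prints the interface of the route whose destination is exactly SUBNET,
# or nothing if there is no such route.
route_dev() {
  printf '%s\n' "$2" | awk -v s="$1" '
    $1 == s { for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# missing_subnet_routes ALLOWED_SUBNETS ROUTES_TEXT
# Prints, one per line, each subnet from the comma-separated ALLOWED_SUBNETS
# value that either has no route or whose route leaves through a tun device.
missing_subnet_routes() {
  allowed=$(printf '%s' "$1" | tr ',' '\n' | tr -d ' ')   # tolerate "a, b"
  routes=$2
  for subnet in $allowed; do
    dev=$(route_dev "$subnet" "$routes")
    case "$dev" in
      "" | tun*) printf '%s\n' "$subnet" ;;
    esac
  done
}

# Inside the running container you would call:
#   missing_subnet_routes "$ALLOWED_SUBNETS" "$(ip route)"
# Against the constructed broken table both subnets are reported.
missing_subnet_routes '192.168.1.0/24,10.0.0.0/8' "$BROKEN_ROUTES"
```

An empty result against a live container means every allowed subnet is routed off the tunnel; any subnet printed is one whose clients will see exactly the timeouts described in the first comment.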