When running OpenVPN on Amazon Linux 2 EC2 instances, Docker's default behavior of setting the iptables FORWARD policy to DROP can break VPN connectivity. This creates a conflict between Docker's networking requirements and OpenVPN's packet forwarding needs.
```shell
# Before Docker starts
iptables -L FORWARD
Chain FORWARD (policy ACCEPT)

# After Docker starts
systemctl start docker
iptables -L FORWARD
Chain FORWARD (policy DROP)
```
Docker modifies iptables rules by default to isolate container networks. On Amazon Linux 2, this behavior is more aggressive than on Ubuntu, completely dropping forwarded packets unless they match Docker-specific rules.
Here are three effective solutions, each with different trade-offs:
Option 1: Modify Docker's iptables Configuration
Create or edit /etc/docker/daemon.json:
```json
{
  "iptables": false
}
```
Then restart Docker:
```shell
systemctl restart docker
```
Note: This completely disables Docker's iptables management. Docker will no longer add the masquerade and published-port rules containers rely on, so container networking may stop working unless you add equivalent rules yourself.
Option 2: Use a Custom iptables Ruleset
Create a script to run after Docker starts:
```shell
#!/bin/bash
# Accept traffic entering or leaving the OpenVPN tunnel interfaces (tun0, tun1, ...).
# -I inserts at the top of the chain, ahead of the rules Docker added.
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
# Restore the pre-Docker default policy for everything else.
iptables -P FORWARD ACCEPT
```
Make it executable and run it after Docker starts. Docker resets the policy and re-adds its rules on every restart, so the script has to run again each time.
Option 3: Systemd Unit Override
Create a systemd override for Docker:
```shell
mkdir -p /etc/systemd/system/docker.service.d
cat > /etc/systemd/system/docker.service.d/override.conf <
```
Then reload and restart:
```shell
systemctl daemon-reload
systemctl restart docker
```
After implementing any solution, verify with:
```shell
iptables -L FORWARD -v
```
You should see forwarded packets being accepted through your VPN interface: the packet and byte counters on the tun+ rules increase while VPN traffic flows.
For a more permanent solution, use the iptables-services package (the Amazon Linux counterpart of Debian's iptables-persistent) so the rules survive a reboot:
```shell
yum install iptables-services
systemctl enable iptables
iptables -P FORWARD ACCEPT
service iptables save
```
A few further points:
1. Security implications of changing the FORWARD policy: an ACCEPT policy lets the host forward traffic between any of its interfaces, not only the VPN, so prefer interface-specific rules where you can.
2. Order of rule application matters in iptables: rules are evaluated top to bottom, -I inserts at the top and -A appends at the end.
3. Test changes in a staging environment first.
4. Consider network namespaces for more complex setups.
When running OpenVPN on an Amazon Linux 2 EC2 instance, network forwarding works perfectly until Docker is started. The moment Docker service starts, it modifies the iptables FORWARD chain policy from ACCEPT to DROP, breaking VPN packet forwarding functionality.
```shell
# Before Docker starts:
iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

# After Docker starts:
systemctl start docker
iptables -L FORWARD
Chain FORWARD (policy DROP)
target                    prot opt source               destination
DOCKER-USER               all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT                    all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER                    all  --  anywhere             anywhere
ACCEPT                    all  --  anywhere             anywhere
ACCEPT                    all  --  anywhere             anywhere
```
Docker deliberately sets the default FORWARD policy to DROP as a security measure, then adds its own forwarding rules. The DOCKER-USER chain is evaluated before all of them and is reserved for administrator rules that must take precedence over Docker's. This behavior is particularly aggressive on Amazon Linux 2 compared to other distributions like Ubuntu.
Create a Docker daemon configuration file to preserve your iptables rules:
```shell
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<EOF
{
  "iptables": false
}
EOF
```
Then restart Docker:
```shell
sudo systemctl restart docker
```
If you prefer to keep Docker's iptables management but need VPN forwarding, add these rules:
```shell
# DOCKER-USER is evaluated first, so these take precedence over Docker's rules
sudo iptables -I DOCKER-USER -i tun+ -j ACCEPT
sudo iptables -I DOCKER-USER -o tun+ -j ACCEPT
# Appended to FORWARD as a fallback in case the DOCKER-USER chain is absent
sudo iptables -A FORWARD -i tun+ -j ACCEPT
sudo iptables -A FORWARD -o tun+ -j ACCEPT
```
To make these persistent across reboots on Amazon Linux 2 (requires the iptables-services package):
```shell
sudo service iptables save
sudo chkconfig iptables on
```
Verify your rules are working with:
```shell
sudo iptables -L FORWARD -v
sudo iptables -L DOCKER-USER -v
```
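Both the Option 2 script above and the DOCKER-USER rules just shown add rules unconditionally, so every run after a Docker restart stacks another copy. The script below is an added example, not part of the original answers or of Docker/OpenVPN, that makes the same change idempotently (check with `-C` before inserting with `-I`), prefers DOCKER-USER when Docker has created it, and leaves the FORWARD policy at DROP so only tunnel traffic is opened. The file name docker-vpn-forward.sh and the `IPTABLES`/`VPN_IF` variables are this example's own choices; it could be invoked from an `ExecStartPost=` line in the Option 3 override or from OpenVPN's `--up` script.

```shell
#!/bin/sh
# docker-vpn-forward.sh (hypothetical name): restore OpenVPN forwarding after
# Docker rewrites the FORWARD chain. Run as root; safe to run repeatedly.
set -eu

IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be dry-run
VPN_IF="${VPN_IF:-tun+}"           # OpenVPN tunnel interface pattern

# Insert a rule at the top of a chain only if it is not already present.
ensure_rule() {
    chain="$1"; shift
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        return 0                   # already there: nothing to do
    fi
    "$IPTABLES" -I "$chain" "$@"
}

# DOCKER-USER is evaluated before Docker's own rules and is preserved across
# Docker restarts; fall back to FORWARD when Docker has not created it yet.
vpn_chain() {
    if "$IPTABLES" -L DOCKER-USER -n >/dev/null 2>&1; then
        echo DOCKER-USER
    else
        echo FORWARD
    fi
}

# Accept only packets entering or leaving the tunnel. Replies to a flow that
# came in via tun+ leave via tun+, so the two rules cover both directions
# without touching the FORWARD policy. Prints the chain that was used.
apply_vpn_forwarding() {
    chain="$(vpn_chain)"
    ensure_rule "$chain" -i "$VPN_IF" -j ACCEPT
    ensure_rule "$chain" -o "$VPN_IF" -j ACCEPT
    echo "$chain"
}

# Apply only when executed as the script itself (not when sourced as a library).
case "${0##*/}" in
    docker-vpn-forward.sh) apply_vpn_forwarding ;;
esac
```

Check the result with `iptables -L DOCKER-USER -v -n`; the two tun+ rules should appear once, however many times the script has run.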