Configuring Docker Bridge Network to Access OpenVPN Client Devices via Host TUN Interface


In this setup, we have:

  • CentOS 7/8 host running Docker 20.10+
  • Custom bridge network (10.10.0.0/24) with MTU 1500
  • Two containers attached to bridge network (docker1:10.10.0.3, docker2:10.10.0.4)
  • OpenVPN server (either host-based or containerized) creating tun0 (172.19.0.0/24)
  • VPN clients receiving IPs from 172.19.0.10-172.19.0.254

The primary obstacles preventing communication between Docker containers and VPN clients are:

1. Docker's default iptables rules blocking forwarded traffic
2. Missing route entries between network segments
3. Potential MTU mismatches between interfaces
4. Kernel IP forwarding disabled by default

1. Enable IP Forwarding

# Permanent setting
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

# Verify
sysctl net.ipv4.ip_forward

2. Configure Docker Daemon

Edit /etc/docker/daemon.json. The bip value sets the address of Docker's default docker0 bridge, so it must not overlap the 10.10.0.0/24 subnet that the custom network in the next step uses; otherwise docker network create fails with an overlapping-pool error:

{
  "bip": "10.10.1.1/24",
  "default-address-pools": [
    {"base": "10.10.0.0/16", "size": 24}
  ],
  "iptables": true
}

Then restart Docker:

systemctl restart docker

3. Create Custom Bridge Network

docker network create \
  --driver bridge \
  --subnet 10.10.0.0/24 \
  --gateway 10.10.0.1 \
  --opt com.docker.network.bridge.name=docker_custom \
  --opt com.docker.network.driver.mtu=1500 \
  custom_net

4. Configure iptables Rules

Add these rules to /etc/rc.local so they are re-applied at every boot; rules added by hand are lost at reboot, and on CentOS 7/8 the file must be marked executable (chmod +x /etc/rc.d/rc.local) or it is not run. Docker inserts its own FORWARD rules at daemon start, so these appended rules are evaluated after them:

iptables -A FORWARD -i docker_custom -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o docker_custom -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

5. Add Static Routes

On the Docker host, the OpenVPN server normally installs the route to the VPN subnet itself when it brings tun0 up. Confirm with ip route show 172.19.0.0/24 and add it only if nothing is printed:

ip route add 172.19.0.0/24 dev tun0

Containers reach the VPN clients through their default gateway, the host's bridge address 10.10.0.1, so no extra route is needed inside them unless a container has been given a different default gateway. In that case add one (the container needs the NET_ADMIN capability for this):

docker exec -it docker1 ip route add 172.19.0.0/24 via 10.10.0.1

Test connectivity from container to VPN client:

docker exec -it docker1 ping 172.19.0.10

If the ping fails, check each part of the path:

  • Check route tables with ip route show
  • Verify iptables rules with iptables -L -v -n
  • Inspect interface MTUs: ip link show | grep mtu
  • Capture packets: tcpdump -i docker_custom -n

If running OpenVPN in a container, run it on the host network so that tun0 is created in the host's network namespace, where the routes and iptables rules above apply:

docker run -d \
  --name openvpn \
  --cap-add=NET_ADMIN \
  --device=/dev/net/tun \
  --network=host \
  -v /path/to/config:/etc/openvpn \
  kylemanna/openvpn

When working with Docker and OpenVPN, we often need to establish communication between containers and VPN clients. The typical setup involves:

  • Docker containers connected to a user-defined bridge network (e.g., 10.10.0.0/24)
  • OpenVPN server creating a TUN interface (tun0) with client IPs (e.g., 172.19.0.0/24)
  • Host acting as the intermediary between these networks

To enable communication between these networks, we need to configure several components. Start by identifying the bridge network your containers are attached to:

# Check existing Docker networks
docker network ls

# Inspect your user-defined bridge
docker network inspect bridge_name

The first critical step is ensuring IP forwarding is enabled on the host:

# Check current forwarding status
sysctl net.ipv4.ip_forward

# Enable permanently
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

We need to set up proper NAT and routing rules using iptables:

# Allow traffic between Docker and OpenVPN networks
iptables -A FORWARD -i docker0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o docker0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Enable NAT for outgoing traffic from containers
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o tun0 -j MASQUERADE

The VPN clients also need a route back to the Docker network. It belongs on each client, not on the host (where 172.19.0.1 is the host's own tun0 address); the OpenVPN server can push it to every client with its push "route" directive, or add it by hand on a client:

# On a VPN client: route the Docker network through the server end of the tunnel
ip route add 10.10.0.0/24 via 172.19.0.1 dev tun0
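The FORWARD and NAT rules in step 4 of the first walkthrough and in the block above are appended with -A every time rc.local runs, so a second run leaves duplicate rules behind, and rules appended to FORWARD sit behind the ones Docker inserts at daemon start. The following script, an added example rather than part of the original page, installs the same three rules idempotently by probing with iptables -C before adding them, and puts the filter rules in Docker's DOCKER-USER chain with -I (Docker evaluates that chain before its own FORWARD rules; it ends in a RETURN rule, so rules appended to it are never reached). The bridge name docker_custom, the interface tun0, the 10.10.0.0/24 subnet and the IPTABLES override variable are assumptions made for the example; run it as sh vpn-bridge-rules.sh apply on the host.

```shell
#!/bin/sh
# Added example, not from the original page: install the forwarding and NAT
# rules for the container <-> VPN path without ever duplicating them.
# Assumed names (adjust to your host): BRIDGE, VPN_IF, CONTAINER_NET.
set -u

BRIDGE="${BRIDGE:-docker_custom}"          # bridge name given to 'docker network create'
VPN_IF="${VPN_IF:-tun0}"                   # OpenVPN server interface
CONTAINER_NET="${CONTAINER_NET:-10.10.0.0/24}"
IPTABLES="${IPTABLES:-iptables}"           # overridable so the logic can be tested without root

# ensure_rule MODE TABLE CHAIN RULE...
# MODE is -I (insert at the head of the chain) or -A (append). The rule is only
# added when 'iptables -C' reports that no identical rule exists, so running
# this again from rc.local on the next boot, or by hand, is harmless.
ensure_rule() {
    mode=$1; table=$2; chain=$3; shift 3
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -t "$table" "$mode" "$chain" "$@"
}

apply_vpn_bridge_rules() {
    # Filter rules go into DOCKER-USER, which Docker evaluates before its own
    # FORWARD rules and leaves alone on restart. It ends with a RETURN rule, so
    # insert (-I) rather than append, or the rules are never reached.
    ensure_rule -I filter DOCKER-USER -i "$BRIDGE" -o "$VPN_IF" -s "$CONTAINER_NET" -j ACCEPT
    ensure_rule -I filter DOCKER-USER -i "$VPN_IF" -o "$BRIDGE" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Containers appear to VPN clients as the host's tun0 address, so clients
    # need no route back to the container subnet for replies. Order does not
    # matter in POSTROUTING, so a plain append is fine here.
    ensure_rule -A nat POSTROUTING -s "$CONTAINER_NET" -o "$VPN_IF" -j MASQUERADE
}

# Only touch the firewall when explicitly asked: sh vpn-bridge-rules.sh apply
case "${1:-}" in
    apply) apply_vpn_bridge_rules ;;
esac
```

Because the rules are in DOCKER-USER rather than FORWARD, a systemctl restart docker does not reorder them, and rc.local can call the script on every boot without checking whether it already ran.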

When creating your Docker network, consider these parameters. Give the bridge a name of its own: docker0 already belongs to Docker's default bridge, and the daemon refuses a second network with the same bridge name. Whatever name you choose (or the br-<id> name Docker generates when you choose none) is the interface to use in place of docker0 in the iptables rules above:

docker network create \
  --driver=bridge \
  --subnet=10.10.0.0/24 \
  --gateway=10.10.0.1 \
  --opt "com.docker.network.bridge.name"="docker_vpn" \
  my_bridge_network

After applying these changes, test the connectivity:

# From a container, ping a VPN client
docker exec -it container1 ping 172.19.0.5

# From a VPN client, test reaching a container
ping 10.10.0.3

For more granular control, add specific rules for containers; the second rule is what lets a VPN client open a connection to the container, which the RELATED,ESTABLISHED rule alone does not permit:

iptables -A FORWARD -i docker0 -o tun0 -s 10.10.0.3 -d 172.19.0.0/24 -j ACCEPT
iptables -A FORWARD -i tun0 -o docker0 -s 172.19.0.0/24 -d 10.10.0.3 -j ACCEPT

If connectivity still fails, work through the following:

  • Check interface names match your actual setup (docker0, tun0)
  • Verify routes exist for both networks
  • Ensure containers have proper default gateways
  • Confirm no conflicting firewall rules are blocking traffic

# Useful diagnostic commands
ip route show
iptables -L -n -v
ip addr show
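The troubleshooting bullets after step 5 of the first walkthrough and the diagnostic commands above say what to look at but not what a bad answer looks like. The following script, an added example that is not part of the original page, turns those checks into functions that parse the text output of ip link show, ip route show and sysctl: it confirms that forwarding is on, that the bridge MTU does not exceed the tun0 MTU (a larger bridge MTU means container packets have to be fragmented or are dropped at the tunnel), and that each subnet is routed over the expected interface. The interface names, subnets and the sample command output embedded in it are constructed for the example; run sh check-vpn-bridge.sh live on the host to check the real system, or sample to run it against the embedded output.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for the host side
# of the container <-> VPN path, written against the text output of
# 'ip link show', 'ip route show' and 'sysctl' so they can be run on captured
# output as well as on the live host. Names and sample output are constructed.
set -u

# mtu_of LINKS IFACE: print the MTU of IFACE from 'ip link show' text, or nothing.
mtu_of() {
    printf '%s\n' "$1" | awk -v name="$2:" '
        $2 == name { for (i = 1; i <= NF; i++) if ($i == "mtu") { print $(i+1); exit } }'
}

# route_dev ROUTES PREFIX: print the device that routes PREFIX from 'ip route show' text, or nothing.
route_dev() {
    printf '%s\n' "$1" | awk -v prefix="$2" '
        $1 == prefix { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# ip_forward_enabled SYSCTL_LINE: succeeds when the line ends in 1 ("net.ipv4.ip_forward = 1").
ip_forward_enabled() {
    [ "$(printf '%s\n' "$1" | awk '{ print $NF }')" = 1 ]
}

# check_path LINKS ROUTES SYSCTL_LINE BRIDGE VPN_IF VPN_NET CONTAINER_NET
# Prints one line per finding and returns the number of problems found.
check_path() {
    links=$1; routes=$2; fwd=$3; bridge=$4; vpn_if=$5; vpn_net=$6; cnet=$7
    problems=0
    if ip_forward_enabled "$fwd"; then
        echo "ok: IP forwarding enabled"
    else
        echo "PROBLEM: net.ipv4.ip_forward is not 1"; problems=$((problems + 1))
    fi
    bmtu=$(mtu_of "$links" "$bridge"); vmtu=$(mtu_of "$links" "$vpn_if")
    if [ -z "$bmtu" ] || [ -z "$vmtu" ]; then
        echo "PROBLEM: interface $bridge or $vpn_if not found"; problems=$((problems + 1))
    elif [ "$bmtu" -gt "$vmtu" ]; then
        # Container frames larger than the tunnel MTU are fragmented or dropped.
        echo "PROBLEM: $bridge MTU $bmtu exceeds $vpn_if MTU $vmtu"; problems=$((problems + 1))
    else
        echo "ok: MTU $bridge=$bmtu $vpn_if=$vmtu"
    fi
    # Each subnet must be reachable over the interface it actually lives on.
    for pair in "$vpn_net:$vpn_if" "$cnet:$bridge"; do
        net=${pair%%:*}; want=${pair##*:}
        have=$(route_dev "$routes" "$net")
        if [ "$have" = "$want" ]; then
            echo "ok: $net via $have"
        else
            echo "PROBLEM: $net routed via '${have:-none}', expected $want"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample output, what a correctly configured host from the walkthrough prints.
SAMPLE_LINKS='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
5: docker_custom: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500'
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
10.10.0.0/24 dev docker_custom proto kernel scope link src 10.10.0.1
172.19.0.0/24 dev tun0 proto kernel scope link src 172.19.0.1'
SAMPLE_FWD='net.ipv4.ip_forward = 1'

case "${1:-}" in
    sample) check_path "$SAMPLE_LINKS" "$SAMPLE_ROUTES" "$SAMPLE_FWD" docker_custom tun0 172.19.0.0/24 10.10.0.0/24 ;;
    live)   check_path "$(ip link show)" "$(ip route show)" "$(sysctl net.ipv4.ip_forward)" docker_custom tun0 172.19.0.0/24 10.10.0.0/24 ;;
esac
```

The exit status is the number of problems, so the script can gate the rule installation in rc.local or run from a monitoring check; a non-zero result with all "ok" lines except the route ones usually means OpenVPN has not brought tun0 up yet.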