OpenVPN Server + Docker Host (MacVLAN interfaces)

This forum is for general conversation and user-user networking.
Post Reply
elpardua
OpenVpn Newbie
Posts: 2
Joined: Sun Sep 22, 2019 12:27 am

OpenVPN Server + Docker Host (MacVLAN interfaces)

Post by elpardua » Sun Sep 22, 2019 1:00 am

Hi Guys:
I've been dealing in the past couple of days with a new testing server i've installed at home.
It has a single gigabit interface (within my LAN subnet, 192.168.0.0/24), and it's running arch, with a docker daemon to host my apps. All of this is behind my ISP CGNAT (so i use TCP and serveo to expose the 1194 port to the internet).

In the host, i've installed OpenVPN, configured it all, so far so good. I can connect from the outside, against serveo's public available port, get a 10.8.0.0/24 address and reach all my LAN devices (printer, other PCs, etc).

All my docker containers inside the server are running on macvlan interfaces, so they have also addresses from 192.168.0.0/24 subnet. Those containers are reachable from my laptop in the lan, but they won't be available to the tunnel clients.

I suppose, that the problem is the order in which traffic is processed by iptables, because NAT is done in the POSTROUTING table, so it's not being masquerade when it should.

Can someone shed a bit of light about this? I'll post the server configuration if needed, but i think it's more a routing problem than a VPN by itself.

Thanks in advance
Pablo.

elpardua
OpenVpn Newbie
Posts: 2
Joined: Sun Sep 22, 2019 12:27 am

Re: OpenVPN Server + Docker Host (MacVLAN interfaces)

Post by elpardua » Fri Sep 27, 2019 4:04 pm

NVM, i figured it out. In case someone needs to to the same, you have to create another macvlan interface on the host, and forward the traffic to the containers through that interface and not the parent one.

mrdimsum99
OpenVpn Newbie
Posts: 1
Joined: Thu Jul 23, 2020 5:35 pm

Re: OpenVPN Server + Docker Host (MacVLAN interfaces)

Post by mrdimsum99 » Thu Jul 23, 2020 5:38 pm

elpardua wrote:
Fri Sep 27, 2019 4:04 pm
NVM, i figured it out. In case someone needs to to the same, you have to create another macvlan interface on the host, and forward the traffic to the containers through that interface and not the parent one.
Could you tell me how you did this? I have the same problem where most containers are macvlan and not reachable from the VPN client.

Post Reply