Accessing Docker containers from my VPN stopped working

Majesty00
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 23, 2017 4:07 pm

Accessing Docker containers from my VPN stopped working

Post by Majesty00 » Fri Apr 21, 2023 12:27 pm

Hello!

I'll try to be to the point and explain everything the best I can. I'm at a loss and I've been trying to figure out what's going on for a few days now...

Here's my setup:
  • Synology DS220+ with latest firmware 7.1.1-42962 Update 5
  • Docker 20.10.3-1308 with containers working and online (Plex, Medusa, Radarr, etc...)
  • Nighthawk R7000 running FreshTomato 2023.2 (I've also tried 2022.6, running OpenVPN Server using certificates)
  • Pixel 7 Pro phone (latest April ROM) running OpenVPN Connect 3.3.3
When I'm at home, on my LAN or Wifi, I can access everything just fine: my computers and my containers.

All that I'm about to describe used to work just fine.

I can connect to my VPN without problems. I can ping my computers and I can remote control them (with VNC using their local IPs). I can also ping (either by DN or IP) my NAS/Computers and they answer.

What doesn't work is trying to connect to the containers when connected to my VPN (configured on my router). I'm using Chrome (I've also tried Firefox) to use my containers.

I just don't know how to diagnose what's going on. As far as I know, OpenVPN on my Pixel 7 pushes the route.

Here's the log from OpenVPN Connect. I've hidden my IP with <External IP>. I don't know if my setup is the most secure there is, but I'm trying.

[Apr 20, 2023, 18:43:57] OpenVPN core 3.git::081bfebe:RelWithDebInfo android arm64 64-bit PT_PROXY
[Apr 20, 2023, 18:43:57] Frame=512/2048/512 mssfix-ctrl=1250
[Apr 20, 2023, 18:43:57] ----- OpenVPN Start -----
[Apr 20, 2023, 18:43:57] EVENT: CORE_THREAD_ACTIVE
[Apr 20, 2023, 18:43:57] UNUSED OPTIONS
3 [ncp-ciphers] [AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC]
10 [resolv-retry] [infinite]
11 [nobind]
13 [verb] [3]
14 [status] [status]
[Apr 20, 2023, 18:43:57] Contacting <External IP>:1194 via UDP
[Apr 20, 2023, 18:43:57] Connecting to [<External IP>]:1194 (<External IP>) via UDPv4
[Apr 20, 2023, 18:43:57] EVENT: RESOLVE
[Apr 20, 2023, 18:43:57] EVENT: WAIT
[Apr 20, 2023, 18:43:57] EVENT: CONNECTING
[Apr 20, 2023, 18:43:57] Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
[Apr 20, 2023, 18:43:57] Creds: UsernameEmpty/PasswordEmpty
[Apr 20, 2023, 18:43:57] Peer Info:
IV_VER=3.git::081bfebe:RelWithDebInfo
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.3.3-9248
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1
[Apr 20, 2023, 18:43:57] VERIFY OK: depth=1, /C=GB/ST=Yorks/L=York/O=FreshTomato/OU=IT/CN=server, signature: RSA-SHA256
[Apr 20, 2023, 18:43:57] VERIFY OK: depth=0, /C=GB/ST=Yorks/L=York/O=FreshTomato/OU=IT/CN=server, signature: RSA-SHA256
[Apr 20, 2023, 18:43:57] SSL Handshake: peer certificate: CN=server, 2048 bit RSA, cipher: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
[Apr 20, 2023, 18:43:57] Session is ACTIVE
[Apr 20, 2023, 18:43:57] Sending PUSH_REQUEST to server...
[Apr 20, 2023, 18:43:57] EVENT: GET_CONFIG
[Apr 20, 2023, 18:43:57] OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0]
1 [dhcp-option] [DNS] [192.168.1.75]
2 [route-gateway] [10.8.0.1]
3 [topology] [subnet]
4 [ping] [15]
5 [ping-restart] [60]
6 [ifconfig] [10.8.0.2] [255.255.255.0]
7 [peer-id] [1]
8 [cipher] [AES-256-GCM]
[Apr 20, 2023, 18:43:57] PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  key-derivation: OpenVPN PRF
  compress: NONE
  peer ID: 1
[Apr 20, 2023, 18:43:57] EVENT: ASSIGN_IP
[Apr 20, 2023, 18:43:57] Connected via tun
[Apr 20, 2023, 18:43:57] EVENT: CONNECTED info='<External IP>:1194 (<External IP>) via /UDPv4 on tun/10.8.0.2/ gw=[10.8.0.1/]'

What makes me think the route is pushed is the Routing Table in FreshTomato (once again, I've hidden my external IP). What I marked in yellow is the VPN route being pushed (right?).

[Image: FreshTomato routing table screenshot]

I'm not sure someone can figure out what's going on, but if someone can give me pointers or any kind of help, it would be very much appreciated!

Thank you!

Anasabdullah
OpenVpn Newbie
Posts: 11
Joined: Tue Apr 25, 2023 9:13 am

Re: Accessing Docker containers from my VPN stopped working

Post by Anasabdullah » Wed Apr 26, 2023 10:57 am

It seems like the issue is that you're unable to access the Docker containers from outside your LAN when connected to your VPN. This could be due to the routing configuration of your VPN.

One thing you can try is to check the routing table on your Synology NAS when connected to the VPN. You can do this by logging into your NAS via SSH and running the command "ip route".

This will show you the routing table for your NAS. Make sure that there is a route to the subnet used by your Docker containers (e.g., 172.17.0.0/16) via the VPN gateway.

If this route is missing, you can add it manually by running the command "ip route add <subnet> via <VPN gateway>".

For example, if your Docker containers are on the subnet 172.17.0.0/16 and your VPN gateway is at 10.8.0.1, you would run the command "ip route add 172.17.0.0/16 via 10.8.0.1".

If the route is already present, then it's possible that there is a firewall rule blocking access to the Docker containers from outside the LAN. You may need to check your firewall rules to ensure that traffic from the VPN is allowed to reach the Docker containers.

Another thing you can try is to connect to the Docker containers using their internal IP addresses when connected to the VPN. You can find the IP addresses of your containers by running the command "docker inspect <container name>".

Look for the "IPAddress" field in the output of this command to find the internal IP address of the container. You can then use this IP address to connect to the container from your VPN.

For example, if the internal IP address of your Plex container is 172.17.0.2, you can access it by navigating to "http://172.17.0.2:32400/web" in your browser while connected to the VPN.

I hope this helps! Let me know if you have any further questions.
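Added example, not code from either post: a small Python script that reads the OPTIONS block exactly as OpenVPN Connect printed it in the first post's log, rebuilds the routes the phone installs on its tun interface, and runs a longest-prefix match to show which addresses the tunnel would carry at all. It then reads a trimmed `docker inspect` result and lists the two ways a container can be addressed, its bridge IP and a port published on the host. The bridge IP 172.17.0.2, the Plex port mapping and the assumption that 192.168.1.75 (the pushed DNS server) is the NAS LAN address are constructed for the example; paste real log and `docker inspect` output in their place. With only 192.168.1.0/24 pushed, a bridge address like 172.17.0.2 is not sent through the tunnel by the client, whereas a port published on the NAS LAN address is, so the NAS-side route and firewall checks described above only matter for the second kind of endpoint.

```python
"""Added example (not from the thread): what does the OpenVPN client route
through tun, and which Docker endpoints does that cover?"""
import ipaddress
import json
import re

# Constructed sample: the OPTIONS block as printed by OpenVPN Connect 3.x
# (values copied from the log in the first post).
SAMPLE_OPTIONS = """\
0 [route] [192.168.1.0] [255.255.255.0]
1 [dhcp-option] [DNS] [192.168.1.75]
2 [route-gateway] [10.8.0.1]
3 [topology] [subnet]
4 [ping] [15]
5 [ping-restart] [60]
6 [ifconfig] [10.8.0.2] [255.255.255.0]
7 [peer-id] [1]
8 [cipher] [AES-256-GCM]
"""

# Constructed sample: trimmed 'docker inspect' output for a hypothetical Plex
# container on the default bridge. The IP and the port mapping are assumptions.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/plex",
    "NetworkSettings": {
        "IPAddress": "172.17.0.2",
        "Ports": {
            "32400/tcp": [{"HostIp": "0.0.0.0", "HostPort": "32400"}],
            "1900/udp": None,
        },
    },
}])

NAS_LAN_IP = "192.168.1.75"  # assumption: the pushed DNS server is the NAS

def parse_options(text):
    """Turn '6 [ifconfig] [10.8.0.2] [255.255.255.0]' into
    ['ifconfig', '10.8.0.2', '255.255.255.0']; skip lines that are not options."""
    opts = []
    for line in text.splitlines():
        if re.match(r"^\s*\d+\s+\[", line):
            opts.append(re.findall(r"\[([^\]]*)\]", line))
    return opts

def tunnel_routes(opts):
    """Routes the client installs on tun as (network, gateway) pairs. The
    ifconfig subnet is on-link (gateway None); pushed 'route' entries use the
    pushed route-gateway unless they carry a literal gateway of their own."""
    gw = next((ipaddress.ip_address(o[1]) for o in opts if o[0] == "route-gateway"), None)
    routes = []
    for o in opts:
        if o[0] == "ifconfig":
            routes.append((ipaddress.ip_interface(f"{o[1]}/{o[2]}").network, None))
        elif o[0] == "route":
            net = ipaddress.ip_network(f"{o[1]}/{o[2]}", strict=False)
            g = gw
            if len(o) > 3:
                try:
                    g = ipaddress.ip_address(o[3])
                except ValueError:  # keywords such as vpn_gateway: keep route-gateway
                    pass
            routes.append((net, g))
    return routes

def via_tunnel(dest, routes):
    """Longest-prefix match. Returns the (network, gateway) pair that carries
    dest over tun, or None when the phone uses its normal default route."""
    d = ipaddress.ip_address(dest)
    best = None
    for net, gw in routes:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best

def container_endpoints(inspect_json, host_ip):
    """From 'docker inspect' output, list the addresses a client could try:
    the bridge IP with the container port, and host_ip with each published port."""
    info = json.loads(inspect_json)[0]["NetworkSettings"]
    endpoints = []
    for spec, bindings in info["Ports"].items():
        port, proto = spec.split("/")
        endpoints.append((info["IPAddress"], int(port), proto, "bridge"))
        for b in bindings or []:
            endpoints.append((host_ip, int(b["HostPort"]), proto, "published"))
    return endpoints

def check_reachability(options_text, inspect_json, host_ip):
    """Map every candidate endpoint to the tunnel route that would carry it,
    or None. Only endpoints that get a route are worth the NAS-side
    firewall and DNAT checks; the others never leave the phone via tun."""
    routes = tunnel_routes(parse_options(options_text))
    return {
        (ip, port, proto, kind): via_tunnel(ip, routes)
        for ip, port, proto, kind in container_endpoints(inspect_json, host_ip)
    }

if __name__ == "__main__":
    for ep, route in check_reachability(SAMPLE_OPTIONS, SAMPLE_INSPECT, NAS_LAN_IP).items():
        status = f"via {route[0]} gw {route[1]}" if route else "NOT routed through tun"
        print(f"{ep[3]:>9} {ep[0]}:{ep[1]}/{ep[2]:<4} -> {status}")
```

Running it prints one line per endpoint: the published 192.168.1.75:32400/tcp is matched by the pushed 192.168.1.0/24 route via 10.8.0.1, while both 172.17.0.2 entries are reported as not routed through tun. If the published endpoint has a route but still does not answer, the problem is on the NAS side (Synology firewall, Docker's port publishing, or the container itself), not in what the router pushes to the client.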
