IPv6 Docker containers running on an OpenVPN client

[jarik]

I needed to have a global IPv6 addresses for Docker containers running on a VPN client. There doesn't seem to be too much info on-line about that kind of setup but eventually got it working - below is what I did, for the record.

Used two /64 subnets:

* LAN: 2001:db8:0:1::/64
* VPN: 2001:db8:0:ffff::/64

Note: This allows assigning /80 for Docker, which is enough. If you want to make your client additionally e.g. a WLAN router (i.e. use SLAAC behind the VPN client), you may need to have more address space available for the clients in order to provide the required /64s for them.

Divided VPN /64 subnet like this (static allocation for each client):

* Server: 2001:db8:0:ffff:0000::/72
* Client 1: 2001:db8:0:ffff:0100::/72
* Client 2: 2001:db8:0:ffff:0200::/72
* Client 3: 2001:db8:0:ffff:0300::/72
* ...

Finally, allocated the following subnets inside each client (X=client number):

* Tunnel: 2001:db8:0:ffff:0X00::/80
* Docker: 2001:db8:0:ffff:0X01::/80
* ...

Server-side /etc/openvpn/server.conf:

Code: Select all

dev tun0
topology subnet
client-config-dir /etc/openvpn/staticclients

server-ipv6 2001:708:120:f16::/64
push "route-ipv6 2000::/3"
...

Server-side /etc/openvpn/staticclients/clientX (X=client number):

Code: Select all

ifconfig-push 192.168.100.10X 255.255.255.255
ifconfig-ipv6-push 2001:db8:0:ffff:X00::/80
iroute-ipv6 2001:db8:0:ffff:X00::/72

Additionally, created the keys as described in howto.

Client-side clientX.ovpn:

Code: Select all

port 1194
dev tun
remote server.example.com
tls-client
pull
<ca>
-----BEGIN CERTIFICATE-----
...

On clients, add the following options to /etc/sysconfig/docker-network (this works on Redhat-based distros):

Code: Select all

DOCKER_NETWORK_OPTIONS="--ipv6 --fixed-cidr-v6=\"2001:db8:0:ffff:X01::/80\""

Alternatively, add those parameters to Docker command line.

If the firewall on your client blocks forwarding between docker and VPN, add following lines *before* "-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited" in /etc/sysconfig/ip6tables:

Code: Select all

-A FORWARD -i docker0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o docker0 -j ACCEPT

Restart Docker and firewall:

Code: Select all

# systemctl restart docker
# systemctl restart firewalld

You can use the following commands to test connectivity:

Code: Select all

# docker pull fedora
# docker run -it fedora /bin/bash
# dnf install iproute iputils
# ip -6 a
# traceroute6 google.com

Perhaps (hopefully?) not the most elegant solution, but seems to work.

[jarik]

The following modifications allow autoconfiguring DNS and Docker addresses:

Server-side /etc/openvpn/server.conf:

Code: Select all

push "setenv-safe IPV6_DNS '2001:4860:4860::8888 2001:4860:4860::8844'"

Client-side clientX.ovpn:

Code: Select all

script-security 2
up /etc/openvpn/openvpn-up.sh

/etc/openvpn/openvpn-up.sh (note: check&update TODO parts, they are distribution specific):

Code: Select all

#! /bin/bash

########################
# DNS config from server
#
if [ "$OPENVPN_IPV6_DNS" != "" ]; then
  OPENVPN_IPV6_DNS=${OPENVPN_IPV6_DNS//[^0-9a-fA-F\: ]/}
  echo DNS settings: $OPENVPN_IPV6_DNS

  TMP_FILE=`mktemp /tmp/ovpn_dns_conf.XXXXXXXXXXXXXXXXXX`
  echo \# Written by $0 >> $TMP_FILE
  for tmp in $OPENVPN_IPV6_DNS; do
    echo nameserver $tmp >> $TMP_FILE
  done
# TODO: enable this after testing:
# sudo cp $TMP_FILE /etc/resolv.conf
  rm $TMP_FILE
else
  echo WARNING: No DNS server specified
fi

###############
# Docker config
#
MYDIR=`dirname $0`
echo My net: $ifconfig_ipv6_local/$ifconfig_ipv6_netbits
DOCKER_NET=`$MYDIR/calc_docker_net.py $ifconfig_ipv6_local $ifconfig_ipv6_netbits`/$ifconfig_ipv6_netbits
echo DOCKER net: $DOCKER_NET

TMP_FILE=`mktemp /tmp/ovpn_dckr_conf.XXXXXXXXXXXXXXXXXX`
# TODO: update/test this in your distribution:
DOCKER_CONF_FILE=/etc/sysconfig/docker-network
echo \# Written by $0 >> $TMP_FILE
echo DOCKER_NETWORK_OPTIONS=--ipv6=true --fixed-cidr-v6=\"${DOCKER_NET}\" >> $TMP_FILE
# if [ ! -e $DOCKER_CONF_FILE ] || ! diff -q $TMP_FILE $DOCKER_CONF_FILE > /dev/null; then
#  sudo cp $TMP_FILE $DOCKER_CONF_FILE
#  sudo systemctl restart docker
# fi
rm $TMP_FILE

/etc/openvpn/calc_docker_net.py (note: requires Python 3.3):

Code: Select all

#!/usr/bin/env python3

import ipaddress
import sys

# add 1 to network address
print((ipaddress.ip_address(sys.argv[1]) + (1 << (128 - int(sys.argv[2])))))