OpenVPN Support Forum

Community Support Forum
https://forums.openvpn.net/

OpenVPN Server + Docker Host (MacVLAN interfaces)

https://forums.openvpn.net/viewtopic.php?t=28902

Page 1 of 1

OpenVPN Server + Docker Host (MacVLAN interfaces)

Posted: Sun Sep 22, 2019 1:00 am
by elpardua
Hi Guys:
I've been dealing in the past couple of days with a new testing server i've installed at home.
It has a single gigabit interface (within my LAN subnet, 192.168.0.0/24), and it's running arch, with a docker daemon to host my apps. All of this is behind my ISP CGNAT (so i use TCP and serveo to expose the 1194 port to the internet).

In the host, i've installed OpenVPN, configured it all, so far so good. I can connect from the outside, against serveo's public available port, get a 10.8.0.0/24 address and reach all my LAN devices (printer, other PCs, etc).

All my docker containers inside the server are running on macvlan interfaces, so they have also addresses from 192.168.0.0/24 subnet. Those containers are reachable from my laptop in the lan, but they won't be available to the tunnel clients.

I suppose, that the problem is the order in which traffic is processed by iptables, because NAT is done in the POSTROUTING table, so it's not being masquerade when it should.

Can someone shed a bit of light about this? I'll post the server configuration if needed, but i think it's more a routing problem than a VPN by itself.

Thanks in advance
Pablo.

Re: OpenVPN Server + Docker Host (MacVLAN interfaces)

Posted: Fri Sep 27, 2019 4:04 pm
by elpardua
NVM, i figured it out. In case someone needs to to the same, you have to create another macvlan interface on the host, and forward the traffic to the containers through that interface and not the parent one.

Re: OpenVPN Server + Docker Host (MacVLAN interfaces)

Posted: Thu Jul 23, 2020 5:38 pm
by mrdimsum99
elpardua wrote:
Fri Sep 27, 2019 4:04 pm
 NVM, i figured it out. In case someone needs to to the same, you have to create another macvlan interface on the host, and forward the traffic to the containers through that interface and not the parent one.
Could you tell me how you did this? I have the same problem where most containers are macvlan and not reachable from the VPN client.

Re: OpenVPN Server + Docker Host (MacVLAN interfaces)

Posted: Mon Aug 17, 2020 5:39 pm
by elpardua
Sorry for the delay. In case you haven't solved yet. In docker you use the maclan interface as default gateway for all your containers. The ip addresses of the containers are reachable also through that interface too. So you need to force them via static routing in your host through that interface.

Here are some of my containers from the host routing table for example.

192.168.0.12 0.0.0.0 255.255.255.255 UH 0 0 0 mac0
192.168.0.13 0.0.0.0 255.255.255.255 UH 0 0 0 mac0
192.168.0.14 0.0.0.0 255.255.255.255 UH 0 0 0 mac0
192.168.0.15 0.0.0.0 255.255.255.255 UH 0 0 0 mac0
192.168.0.16 0.0.0.0 255.255.255.255 UH 0 0 0 mac0
192.168.0.17 0.0.0.0 255.255.255.255 UH 0 0 0 mac0
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/