Hello all. I recently made the full switch to Linux and am currently using Arch Linux and love it and really have no desire to go back to Windows ever. The single only thing I really haven't sorted out is when I am using a VPN in Linux, whether that be through KDE network-manager or openvpn via terminal. It stops anything local being able to connect to my machine; for instance I am running docker containers and some are port forwarded, or say a remote to control Kodi. All connections do not work when on VPN. I assume the VPN is trying to push those services through the VPN and killing connectivity. In Windows this definitely does not happen. How can I make using a VPN not mess up my connectivity locally, allowing other machines to still connect to services with local port/IP? Thank you very much for the help.
P.S. My current bypass is running the VPN inside a docker container that acts as a proxy and pushing certain apps through the proxy. However, this doesn't solve all my use cases and I need to figure it out.
Sounds like an IP range conflict.
Take a look at this article: https://www.lullabot.com/articles/fixin … -conflicts
Thanks for responding, but I know that is not what's going on. It is an easy to replicate system on other Linux systems. I just don't see any error in overlapping addresses or anything that doesn't look right networking-wise. It is something with the VPN specifically pushing all traffic with iptables or something. I was just hoping someone here could kinda point me in the right direction, or that someone else could enlighten me on how they had already solved this problem.
Last edited by bpawnz (2022-03-23 12:53:11)
Did you already compare "ip a", "ip route", "iptables -vnL" or "nft list table name" between VPN and no VPN?
By all means let me know what you think. I know it looks confusing at first glance, but all those bridge connections are individual docker containers and I don't believe that's where my issue is. At least it's not jumping out at me. But if you see anything that looks not right please let me know. But to my knowledge I am having no other networking issues except when on VPN. Thanks for the help!
ip route (w/o vpn)
default via 192.168.1.2 dev wlp3s0 proto dhcp metric 600
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-2656425d5736 proto kernel scope link src 172.18.0.1
172.19.0.0/16 dev br-5a0496a3987e proto kernel scope link src 172.19.0.1
172.20.0.0/16 dev br-82ffeaaeb845 proto kernel scope link src 172.20.0.1
172.21.0.0/16 dev br-eef158e947a9 proto kernel scope link src 172.21.0.1 linkdown
172.22.0.0/16 dev br-b5964ac40462 proto kernel scope link src 172.22.0.1
172.23.0.0/16 dev br-dc896fdde70e proto kernel scope link src 172.23.0.1
172.24.0.0/16 dev br-59673c971461 proto kernel scope link src 172.24.0.1 linkdown
172.25.0.0/16 dev br-137ab6aac2b8 proto kernel scope link src 172.25.0.1 linkdown
172.26.0.0/16 dev br-c09459774447 proto kernel scope link src 172.26.0.1 linkdown
172.27.0.0/16 dev br-ecdcbe669c89 proto kernel scope link src 172.27.0.1
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.103 metric 600
ip route (w/ vpn)
default via 172.21.22.1 dev tun0 proto static metric 50
default via 192.168.1.2 dev wlp3s0 proto dhcp metric 600
143.255.58.37 via 192.168.1.2 dev wlp3s0 proto static metric 50
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-2656425d5736 proto kernel scope link src 172.18.0.1
172.19.0.0/16 dev br-5a0496a3987e proto kernel scope link src 172.19.0.1
172.20.0.0/16 dev br-82ffeaaeb845 proto kernel scope link src 172.20.0.1
172.21.0.0/16 dev br-eef158e947a9 proto kernel scope link src 172.21.0.1 linkdown
172.21.22.0/23 dev tun0 proto kernel scope link src 172.21.23.63 metric 50
172.22.0.0/16 dev br-b5964ac40462 proto kernel scope link src 172.22.0.1
172.23.0.0/16 dev br-dc896fdde70e proto kernel scope link src 172.23.0.1
172.24.0.0/16 dev br-59673c971461 proto kernel scope link src 172.24.0.1 linkdown
172.25.0.0/16 dev br-137ab6aac2b8 proto kernel scope link src 172.25.0.1 linkdown
172.26.0.0/16 dev br-c09459774447 proto kernel scope link src 172.26.0.1 linkdown
172.27.0.0/16 dev br-ecdcbe669c89 proto kernel scope link src 172.27.0.1
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.103 metric 600
192.168.1.2 dev wlp3s0 proto static scope link metric 50
iptables -vnL (w/o vpn)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 147K packets, 230M bytes)
pkts bytes target prot opt in out source destination
778K 892M DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
778K 892M DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
20285 3069K ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
109 6540 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
1414 124K ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
109 6540 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-eef158e947a9 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-eef158e947a9 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-eef158e947a9 !br-eef158e947a9 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-eef158e947a9 br-eef158e947a9 0.0.0.0/0 0.0.0.0/0
32927 2910K ACCEPT all -- * br-2656425d5736 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1186 61696 DOCKER all -- * br-2656425d5736 0.0.0.0/0 0.0.0.0/0
28524 62M ACCEPT all -- br-2656425d5736 !br-2656425d5736 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-2656425d5736 br-2656425d5736 0.0.0.0/0 0.0.0.0/0
436K 579M ACCEPT all -- * br-ecdcbe669c89 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-ecdcbe669c89 0.0.0.0/0 0.0.0.0/0
108K 15M ACCEPT all -- br-ecdcbe669c89 !br-ecdcbe669c89 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-ecdcbe669c89 br-ecdcbe669c89 0.0.0.0/0 0.0.0.0/0
427 129K ACCEPT all -- * br-dc896fdde70e 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-dc896fdde70e 0.0.0.0/0 0.0.0.0/0
501 41389 ACCEPT all -- br-dc896fdde70e !br-dc896fdde70e 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-dc896fdde70e br-dc896fdde70e 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-c09459774447 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-c09459774447 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-c09459774447 !br-c09459774447 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-c09459774447 br-c09459774447 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-b5964ac40462 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
965 57884 DOCKER all -- * br-b5964ac40462 0.0.0.0/0 0.0.0.0/0
965 38600 ACCEPT all -- br-b5964ac40462 !br-b5964ac40462 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-b5964ac40462 br-b5964ac40462 0.0.0.0/0 0.0.0.0/0
41 17425 ACCEPT all -- * br-5a0496a3987e 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-5a0496a3987e 0.0.0.0/0 0.0.0.0/0
45 4752 ACCEPT all -- br-5a0496a3987e !br-5a0496a3987e 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-5a0496a3987e br-5a0496a3987e 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-59673c971461 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-59673c971461 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-59673c971461 !br-59673c971461 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-59673c971461 br-59673c971461 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-137ab6aac2b8 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-137ab6aac2b8 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-137ab6aac2b8 !br-137ab6aac2b8 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-137ab6aac2b8 br-137ab6aac2b8 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-82ffeaaeb845 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-82ffeaaeb845 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-82ffeaaeb845 !br-82ffeaaeb845 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-82ffeaaeb845 br-82ffeaaeb845 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (11 references)
pkts bytes target prot opt in out source destination
482 28920 ACCEPT tcp -- !br-b5964ac40462 br-b5964ac40462 0.0.0.0/0 172.22.0.2 tcp dpt:14200
482 28920 ACCEPT tcp -- !br-b5964ac40462 br-b5964ac40462 0.0.0.0/0 172.22.0.2 tcp dpt:444
1 44 ACCEPT tcp -- !br-b5964ac40462 br-b5964ac40462 0.0.0.0/0 172.22.0.2 tcp dpt:22
0 0 ACCEPT tcp -- !br-b5964ac40462 br-b5964ac40462 0.0.0.0/0 172.22.0.2 tcp dpt:21
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:9443
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:9000
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:8000
627 32620 ACCEPT tcp -- !br-2656425d5736 br-2656425d5736 0.0.0.0/0 172.18.0.2 tcp dpt:443
0 0 ACCEPT tcp -- !br-2656425d5736 br-2656425d5736 0.0.0.0/0 172.18.0.2 tcp dpt:81
559 29076 ACCEPT tcp -- !br-2656425d5736 br-2656425d5736 0.0.0.0/0 172.18.0.2 tcp dpt:80
0 0 ACCEPT tcp -- !br-82ffeaaeb845 br-82ffeaaeb845 0.0.0.0/0 172.20.0.3 tcp dpt:80
0 0 ACCEPT tcp -- !br-ecdcbe669c89 br-ecdcbe669c89 0.0.0.0/0 172.27.0.2 tcp dpt:8080
0 0 ACCEPT tcp -- !br-ecdcbe669c89 br-ecdcbe669c89 0.0.0.0/0 172.27.0.2 tcp dpt:1080
0 0 ACCEPT tcp -- !br-dc896fdde70e br-dc896fdde70e 0.0.0.0/0 172.23.0.2 tcp dpt:8080
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.3 tcp dpt:80
0 0 ACCEPT tcp -- !br-dc896fdde70e br-dc896fdde70e 0.0.0.0/0 172.23.0.3 tcp dpt:6379
0 0 ACCEPT tcp -- !br-dc896fdde70e br-dc896fdde70e 0.0.0.0/0 172.23.0.4 tcp dpt:9090
0 0 ACCEPT tcp -- !br-dc896fdde70e br-dc896fdde70e 0.0.0.0/0 172.23.0.5 tcp dpt:3000
0 0 ACCEPT tcp -- !br-5a0496a3987e br-5a0496a3987e 0.0.0.0/0 172.19.0.2 tcp dpt:8080
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.4 tcp dpt:5800
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
1414 124K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-eef158e947a9 !br-eef158e947a9 0.0.0.0/0 0.0.0.0/0
28524 62M DOCKER-ISOLATION-STAGE-2 all -- br-2656425d5736 !br-2656425d5736 0.0.0.0/0 0.0.0.0/0
108K 15M DOCKER-ISOLATION-STAGE-2 all -- br-ecdcbe669c89 !br-ecdcbe669c89 0.0.0.0/0 0.0.0.0/0
501 41389 DOCKER-ISOLATION-STAGE-2 all -- br-dc896fdde70e !br-dc896fdde70e 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-c09459774447 !br-c09459774447 0.0.0.0/0 0.0.0.0/0
965 38600 DOCKER-ISOLATION-STAGE-2 all -- br-b5964ac40462 !br-b5964ac40462 0.0.0.0/0 0.0.0.0/0
45 4752 DOCKER-ISOLATION-STAGE-2 all -- br-5a0496a3987e !br-5a0496a3987e 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-59673c971461 !br-59673c971461 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-137ab6aac2b8 !br-137ab6aac2b8 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-82ffeaaeb845 !br-82ffeaaeb845 0.0.0.0/0 0.0.0.0/0
778K 892M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (11 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-eef158e947a9 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-2656425d5736 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-ecdcbe669c89 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-dc896fdde70e 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-c09459774447 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-b5964ac40462 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-5a0496a3987e 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-59673c971461 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-137ab6aac2b8 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-82ffeaaeb845 0.0.0.0/0 0.0.0.0/0
139K 77M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
778K 892M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
iptables -vnL (w/ vpn)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 174K packets, 263M bytes)
pkts bytes target prot opt in out source destination
820K 939M DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
820K 939M DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
20514 3097K ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
111 6660 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
1414 124K ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
111 6660 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-eef158e947a9 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-eef158e947a9 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-eef158e947a9 !br-eef158e947a9 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-eef158e947a9 br-eef158e947a9 0.0.0.0/0 0.0.0.0/0
32927 2910K ACCEPT all -- * br-2656425d5736 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1186 61696 DOCKER all -- * br-2656425d5736 0.0.0.0/0 0.0.0.0/0
28524 62M ACCEPT all -- br-2656425d5736 !br-2656425d5736 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-2656425d5736 br-2656425d5736 0.0.0.0/0 0.0.0.0/0
446K 592M ACCEPT all -- * br-ecdcbe669c89 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-ecdcbe669c89 0.0.0.0/0 0.0.0.0/0
113K 16M ACCEPT all -- br-ecdcbe669c89 !br-ecdcbe669c89 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-ecdcbe669c89 br-ecdcbe669c89 0.0.0.0/0 0.0.0.0/0
427 129K ACCEPT all -- * br-dc896fdde70e 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-dc896fdde70e 0.0.0.0/0 0.0.0.0/0
501 41389 ACCEPT all -- br-dc896fdde70e !br-dc896fdde70e 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-dc896fdde70e br-dc896fdde70e 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-c09459774447 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-c09459774447 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-c09459774447 !br-c09459774447 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-c09459774447 br-c09459774447 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-b5964ac40462 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
979 58724 DOCKER all -- * br-b5964ac40462 0.0.0.0/0 0.0.0.0/0
979 39160 ACCEPT all -- br-b5964ac40462 !br-b5964ac40462 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-b5964ac40462 br-b5964ac40462 0.0.0.0/0 0.0.0.0/0
41 17425 ACCEPT all -- * br-5a0496a3987e 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-5a0496a3987e 0.0.0.0/0 0.0.0.0/0
45 4752 ACCEPT all -- br-5a0496a3987e !br-5a0496a3987e 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-5a0496a3987e br-5a0496a3987e 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-59673c971461 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-59673c971461 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-59673c971461 !br-59673c971461 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-59673c971461 br-59673c971461 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-137ab6aac2b8 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-137ab6aac2b8 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-137ab6aac2b8 !br-137ab6aac2b8 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-137ab6aac2b8 br-137ab6aac2b8 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-82ffeaaeb845 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-82ffeaaeb845 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-82ffeaaeb845 !br-82ffeaaeb845 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-82ffeaaeb845 br-82ffeaaeb845 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (11 references)
pkts bytes target prot opt in out source destination
489 29340 ACCEPT tcp -- !br-b5964ac40462 br-b5964ac40462 0.0.0.0/0 172.22.0.2 tcp dpt:14200
489 29340 ACCEPT tcp -- !br-b5964ac40462 br-b5964ac40462 0.0.0.0/0 172.22.0.2 tcp dpt:444
1 44 ACCEPT tcp -- !br-b5964ac40462 br-b5964ac40462 0.0.0.0/0 172.22.0.2 tcp dpt:22
0 0 ACCEPT tcp -- !br-b5964ac40462 br-b5964ac40462 0.0.0.0/0 172.22.0.2 tcp dpt:21
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:9443
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:9000
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:8000
627 32620 ACCEPT tcp -- !br-2656425d5736 br-2656425d5736 0.0.0.0/0 172.18.0.2 tcp dpt:443
0 0 ACCEPT tcp -- !br-2656425d5736 br-2656425d5736 0.0.0.0/0 172.18.0.2 tcp dpt:81
559 29076 ACCEPT tcp -- !br-2656425d5736 br-2656425d5736 0.0.0.0/0 172.18.0.2 tcp dpt:80
0 0 ACCEPT tcp -- !br-82ffeaaeb845 br-82ffeaaeb845 0.0.0.0/0 172.20.0.3 tcp dpt:80
0 0 ACCEPT tcp -- !br-ecdcbe669c89 br-ecdcbe669c89 0.0.0.0/0 172.27.0.2 tcp dpt:8080
0 0 ACCEPT tcp -- !br-ecdcbe669c89 br-ecdcbe669c89 0.0.0.0/0 172.27.0.2 tcp dpt:1080
0 0 ACCEPT tcp -- !br-dc896fdde70e br-dc896fdde70e 0.0.0.0/0 172.23.0.2 tcp dpt:8080
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.3 tcp dpt:80
0 0 ACCEPT tcp -- !br-dc896fdde70e br-dc896fdde70e 0.0.0.0/0 172.23.0.3 tcp dpt:6379
0 0 ACCEPT tcp -- !br-dc896fdde70e br-dc896fdde70e 0.0.0.0/0 172.23.0.4 tcp dpt:9090
0 0 ACCEPT tcp -- !br-dc896fdde70e br-dc896fdde70e 0.0.0.0/0 172.23.0.5 tcp dpt:3000
0 0 ACCEPT tcp -- !br-5a0496a3987e br-5a0496a3987e 0.0.0.0/0 172.19.0.2 tcp dpt:8080
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.4 tcp dpt:5800
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
1414 124K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-eef158e947a9 !br-eef158e947a9 0.0.0.0/0 0.0.0.0/0
28524 62M DOCKER-ISOLATION-STAGE-2 all -- br-2656425d5736 !br-2656425d5736 0.0.0.0/0 0.0.0.0/0
113K 16M DOCKER-ISOLATION-STAGE-2 all -- br-ecdcbe669c89 !br-ecdcbe669c89 0.0.0.0/0 0.0.0.0/0
501 41389 DOCKER-ISOLATION-STAGE-2 all -- br-dc896fdde70e !br-dc896fdde70e 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-c09459774447 !br-c09459774447 0.0.0.0/0 0.0.0.0/0
979 39160 DOCKER-ISOLATION-STAGE-2 all -- br-b5964ac40462 !br-b5964ac40462 0.0.0.0/0 0.0.0.0/0
45 4752 DOCKER-ISOLATION-STAGE-2 all -- br-5a0496a3987e !br-5a0496a3987e 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-59673c971461 !br-59673c971461 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-137ab6aac2b8 !br-137ab6aac2b8 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-82ffeaaeb845 !br-82ffeaaeb845 0.0.0.0/0 0.0.0.0/0
820K 939M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (11 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-eef158e947a9 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-2656425d5736 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-ecdcbe669c89 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-dc896fdde70e 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-c09459774447 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-b5964ac40462 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-5a0496a3987e 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-59673c971461 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-137ab6aac2b8 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-82ffeaaeb845 0.0.0.0/0 0.0.0.0/0
144K 77M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
820K 939M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Last edited by bpawnz (2022-03-23 13:44:23)
ip route w/ vpn: Line 9:
172.21.22.0/23 dev tun0 proto kernel scope link src 172.21.23.63 metric 50
Your VPN uses the same IP range (172.21.x.x) as one of the ranges of docker.
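To make the check -thc just did by eye repeatable, here is an added shell example (not code from this thread) that parses "ip route" output and flags every route whose prefix overlaps the tunnel's own subnet. The sample input is a constructed subset of the "ip route w/ vpn" listing posted above; the function and variable names are mine.

```shell
#!/bin/sh
# Added example: find routes whose prefix overlaps the VPN tunnel's subnet.
# Mirrors the check -thc made by eye on the "ip route w/ vpn" output.
set -eu

# Dotted quad -> 32-bit integer (e.g. 192.168.1.103 -> 3232235879).
ip2int() {
    old=$IFS; IFS=.; set -- $1; IFS=$old
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Normalise an ip-route destination to A.B.C.D/len.
norm_prefix() {
    case "$1" in
        default) echo 0.0.0.0/0 ;;
        */*)     echo "$1" ;;
        *)       echo "$1/32" ;;
    esac
}

# True when two prefixes overlap: one contains the other exactly when they
# agree on the bits of the shorter prefix length.
cidr_overlap() {
    a=${1%/*}; la=${1#*/}; b=${2%/*}; lb=${2#*/}
    [ "$la" -lt "$lb" ] && len=$la || len=$lb
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$a") & mask )) -eq $(( $(ip2int "$b") & mask )) ]
}

# Print the "dev" operand of one ip-route line (fields after the destination).
route_dev() {
    while [ $# -gt 1 ]; do
        [ "$1" = dev ] && { echo "$2"; return 0; }
        shift
    done
    echo ""
}

# find_overlaps ROUTES TUN_DEV: for every non-default route not on TUN_DEV,
# print "PREFIX DEV" when it overlaps the tunnel's own (proto kernel) subnet.
find_overlaps() {
    routes=$1; tun=$2; tun_net=
    while read -r dst rest; do
        [ "$dst" = default ] && continue
        [ "$(route_dev $rest)" = "$tun" ] || continue
        case "$rest" in *"proto kernel"*) tun_net=$(norm_prefix "$dst") ;; esac
    done <<EOF
$routes
EOF
    [ -n "$tun_net" ] || { echo "no kernel route on $tun" >&2; return 1; }
    while read -r dst rest; do
        [ "$dst" = default ] && continue
        [ "$(route_dev $rest)" = "$tun" ] && continue
        cidr_overlap "$(norm_prefix "$dst")" "$tun_net" && echo "$dst $(route_dev $rest)"
    done <<EOF
$routes
EOF
    return 0
}

# Constructed sample: a subset of the "ip route w/ vpn" listing from the thread.
ROUTES='default via 172.21.22.1 dev tun0 proto static metric 50
default via 192.168.1.2 dev wlp3s0 proto dhcp metric 600
143.255.58.37 via 192.168.1.2 dev wlp3s0 proto static metric 50
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.21.0.0/16 dev br-eef158e947a9 proto kernel scope link src 172.21.0.1 linkdown
172.21.22.0/23 dev tun0 proto kernel scope link src 172.21.23.63 metric 50
172.22.0.0/16 dev br-b5964ac40462 proto kernel scope link src 172.22.0.1
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.103 metric 600'

case "${1:-}" in
    demo) find_overlaps "$ROUTES" tun0 ;;            # -> 172.21.0.0/16 br-eef158e947a9
    live) find_overlaps "$(ip route)" "${2:-tun0}" ;;
esac
```

Run it with "demo" against the sample or with "live" on a host while the VPN is up; an empty result means no docker bridge shares address space with the tunnel.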
Since I don't control the VPN server, I will need to change the docker range, correct?
Last edited by bpawnz (2022-03-23 14:19:20)
Yep. The article I mentioned above suggests modifying "/etc/docker/daemon.json".
One sec... Trying some networking stuff out and I'll get back to you. Thanks for your help!
Last edited by bpawnz (2022-03-23 15:16:31)
Ok well, we are making progress. I am able to connect to my containers locally. But port forwards still do not work on VPN, which is a large part of why I really want this working. I am running nginx and a few web servers. And on VPN they are absolutely not reachable but can be reached by other machines on my local network? PS. Removed all containers from the default bridge subnet and set the default bridge to give out addresses on 10.1.0.0/16.
And I checked all my Cloudflare/nginx and everything, since I just redeployed a bunch of containers, and they connect when not on VPN. So the issue isn't there.
Last edited by bpawnz (2022-03-23 16:16:38)
Please clarify what you want to achieve.
Your local Arch machine (192.168.1.2) is running several docker containers (10.1.0.0/16) and connects to a VPN (172.21.22.0/24). Clients on 192.168.1.x can reach the docker containers, but you want them to be accessible from...?
Last edited by -thc (2022-03-23 16:22:05)
My machine is on IP (192.168.1.103). Router gateway is at (192.168.1.1). Docker is giving out addresses 10.1.1.1, 10.1.2.1, 10.1.3.1, etc... My port forwarding in "docker" is working properly. For instance I can connect to (192.168.1.103:8096) locally and see my jellyfin container, or the nginx container on (192.168.1.103:81, 80, 443). I have port forwarding on the router (192.168.1.1) going and accessible to the web on 80 and 443. These forwards on the router are looking at nginx at (192.168.1.103:80, 443). Nginx reverse proxies based on sub-domain to the configured IP/port on my machine locally (ex 192.168.1.103:8096 for jellyfin or 192.168.1.103:7777 for ttrss). Everything routes and works how it should when I am not on VPN. But as soon as I get on VPN nothing is accessible via the (web/router forward/nginx reverse proxy). But making the changes you said does make services on my machine available locally when I am on VPN, which is an improvement and a step in the right direction. But I need to get nginx routing correctly while I am on VPN. Does all that make sense? Thank you for your expertise.
PS.. I am using Cloudflare to handle DNS and subdomains, etc. Not sure if that matters or not but don't think it does. All works as it should when not on VPN.
I will provide any other info you need. Thanks again for helping me sort this out.
My understanding of networking is if it can be seen locally the router should be able to port forward to it. But it is not working. I am willing to let you TeamViewer in and see for yourself.
Last edited by bpawnz (2022-03-23 16:53:58)
O.K. - this is what I think your problem is:
Your Arch machine hosts containers that are accessible from the internet through your router (port forwarding 1) to and through your machine (port forwarding 2) to the service containers - like a "docker DMZ". This all works only if you're not on the VPN. Correct?
For what exact purpose do you need the VPN in this construct?
Last edited by -thc (2022-03-23 16:54:04)
Yes, that is correct, everything you just said.
I do some trading stuff that I always have going that I would prefer my IP address not show where I live exactly, and it's always going so I need the VPN going. And I want a system-wide VPN going and not the proxy setup I had. I want to use their application instead of the website. I was running the VPN inside a docker container that was acting as a socks5 proxy. That worked. But I want to use the application, and proxychains breaks the app. And I have a pretty nice computer that can handle the hosting and everything else no problem: Ryzen 9 with 64GB of RAM. I'm not pushing my resources beyond their limits and everything is pretty well separated and containerized.
Last edited by bpawnz (2022-03-23 17:03:23)
What I think happens is this:
Your construct does work as long as your default gateway is your home router (192.168.1.1). When you activate your VPN the default gateway gets overwritten - with your VPN tunnel endpoint. The container requests arrive via home router and the answers are sent to the VPN tunnel endpoint - which dismisses them.
I don't see a simple solution to this.
I believe something like what you said is definitely going on. I think the issue in particular is with nginx getting mixed up somewhere route-wise. As in when it is trying to resolve I get connection timed out, not an error that there is nothing there. I guess I need to move on to looking at how to define static routes in nginx for the gateway. I don't know. You say you don't see a simple solution. Well nothing in my life is simple ever it seems. Do you see a solution at all??
I appreciate your help though man. Real note
Just thought maybe I can some way give nginx its own IP on my local subnet 192.168.1.1/24. Not sure if that is possible but it should be if I can figure out how to set up bridged networking like that in docker and assign it to that network. Do you have much experience with docker like that? I personally have only been using docker for a year and am self-taught. I have a professional IT background but have had no formal training in docker. Though at this point I understand it pretty well, but haven't got into the weeds too far on networking as of now.
Doing it that way the VPN shouldn't route that IP, only my main machine 192.168.1.103, not the IP nginx is handed by DHCP. Do you see anything wrong with this approach?
Last edited by bpawnz (2022-03-23 17:38:10)
I have only theoretical knowledge about containers - I'm more of a virtualization guy.
IMO a dedicated "router container" will not solve this problem - as soon as your default gateway changes, the docker connections will be broken.
What about setting up a real virtual machine with VPN inside for trading? That should work.
Last edited by -thc (2022-03-23 17:57:43)
Hi,
Networking with docker isn't that easy. You could try different drivers like host and macvlan (https://docs.docker.com/network/).
But it would be just a way to bypass the real issue.
Basically, what a VPN like OpenVPN does is to create new routes on your main routing table. Either it deletes and pushes a new default route that routes traffic through the tunnel, or it is a bit more clever and avoids deletion by pushing two new rules, 0.0.0.0/1 and 128.0.0.0/1, that route traffic through the tunnel.
It is obvious to say, but you need to not route your containers' traffic through the tunnel. IMHO, the best solution, which addresses the real issue, is to make use of policy routing. It is a feature of iproute2 (man ip-route).
It avoids messing with Netfilter or building overly complex network infrastructure on your host.
Last edited by Koatao (2022-03-24 11:53:59)
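Worked example of the policy routing Koatao suggests, aimed at the failure -thc described (requests arrive via the home router, replies leave via the tunnel). This is added code, not from the thread or from any iproute2 documentation. It uses the thread's addresses (host 192.168.1.103 on wlp3s0, router 192.168.1.2, containers on 10.1.0.0/16); the table number 100, the rule priorities 90/100/101 and the script's function names are assumptions.

```shell
#!/bin/sh
# Added example: iproute2 policy routing so that traffic belonging to
# LAN-facing services leaves via the home router while the host's own
# default route stays on the VPN tunnel. Addresses from the thread; the
# table number and rule priorities are assumptions.
set -eu

LAN_DEV="${LAN_DEV:-wlp3s0}"
LAN_IP="${LAN_IP:-192.168.1.103}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_GW="${LAN_GW:-192.168.1.2}"
DOCKER_NET="${DOCKER_NET:-10.1.0.0/16}"
TABLE="${TABLE:-100}"

# Print the commands instead of running them, so the plan can be reviewed
# (and tested) before anything touches the kernel.
policy_route_cmds() {
    dev=$1; addr=$2; net=$3; gw=$4; dnet=$5; table=$6
    # Table $table: the LAN is on-link, everything else goes to the home
    # router, never to tun0. This is the default route the VPN overwrote.
    printf 'ip route replace %s dev %s src %s table %s\n' "$net" "$dev" "$addr" "$table"
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$dev" "$table"
    # Container-to-container traffic must keep using the bridge routes in main.
    printf 'ip rule add from %s to %s lookup main priority 90\n' "$dnet" "$dnet"
    # Services on the host itself (sshd, the Kodi remote): their replies are
    # sourced from the LAN address, so select the table by source address.
    printf 'ip rule add from %s lookup %s priority 100\n' "$addr" "$table"
    # Port-forwarded containers: the reply is routed while its source is still
    # the container address (docker's reverse NAT runs after the routing
    # decision), so the container prefix needs the same rule. Side effect, as
    # Koatao describes: container-originated traffic bypasses the tunnel too.
    printf 'ip rule add from %s lookup %s priority 101\n' "$dnet" "$table"
}

# Mode "dry" prints the plan; anything else executes it (needs root).
apply_policy_routing() {
    mode=${1:-apply}
    policy_route_cmds "$LAN_DEV" "$LAN_IP" "$LAN_NET" "$LAN_GW" "$DOCKER_NET" "$TABLE" |
    while IFS= read -r cmd; do
        if [ "$mode" = dry ]; then printf '%s\n' "$cmd"; else $cmd; fi
    done
}

# Remove the rules and the table again, returning to plain VPN routing.
undo_policy_routing() {
    ip rule del from "$DOCKER_NET" lookup "$TABLE" priority 101
    ip rule del from "$LAN_IP" lookup "$TABLE" priority 100
    ip rule del from "$DOCKER_NET" to "$DOCKER_NET" lookup main priority 90
    ip route flush table "$TABLE"
}

# Ask the kernel which path a reply to an internet client takes when it is
# sourced from the LAN address; expect "via 192.168.1.2 dev wlp3s0".
# 203.0.113.10 is a documentation address standing in for a real client.
check_reply_path() {
    ip route get 203.0.113.10 from "$LAN_IP" iif "$LAN_DEV"
}

case "${1:-}" in
    plan)  apply_policy_routing dry ;;
    apply) apply_policy_routing ;;
    undo)  undo_policy_routing ;;
    check) check_reply_path ;;
esac
```

Run "plan" first to see the five commands, then "apply" as root with the VPN up and "check" to confirm the reply path; the rules survive VPN reconnects because they never touch the main table. If "check" shows wlp3s0 but replies still vanish, look at rp_filter on wlp3s0 (strict mode, value 1, can discard them).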
O.K. - I never stumbled across policy based routing - a good solution for this case.