6.8.3 use network from VPN Docker



Hi,

 

maybe this helps in terms of how to use the new function --net=container:Container_Name to use another docker's network, a nice feature to route traffic through a VPN docker when the client docker is not capable of using a proxy.

 

sample usecase

 

i use a VPN Docker container which provides a privoxy vpn or a socks vpn, but i have a docker like xteve which doesn't have the function to route traffic through a http or socks proxy, so when i want to use it through vpn i have to either set the whole machine behind a vpn or build a docker which includes VPN AND xteve.

Now with this feature enabled we can route any docker through the VPN docker pretty easily.

 

i describe 2 scenarios,

1. all dockers in custom:br0 with their own ip (nice feature which is working properly with host access since 6.8.2 as note)

2. VPN Docker like binhex privoxy, ovpn privoxy, ... on host in bridge mode (port mappings needed)

 

to 1.

basic situation before bridged to VPN

[screenshot]

ovpn_privoxy is my vpn docker connected to my vpn provider and providing as mentioned a http and socks proxy, xteve can't use these features.

as mentioned, here my dockers are each on br0 with their own ip, now i'll bridge xteve to use the vpn docker

to do so, simply remove the network from xteve and add the following line in this usecase to extra parameters

 

--net=container:ovpn_privoxy

[screenshot]

 

now xteve will use the network stack from the vpn container, will look like this

[screenshot]

xteve docker now doesn't have its own ip anymore and is using the container:ovpn_privoxy as network.

to reach xteve webui now u enter the ip from ovpn_privoxy and the port from the client app, http://192.168.1.80:34400/web in this usecase,

now the xteve external traffic will use the vpn connection from ovpn_privoxy, that's it here ;) thanks to limetech now ;)

now when adding another container u can do so, just beware, as there is only one network stack left, it's not possible to use apps which use the same ports,

sample here would be, i want a second instance of xteve run through the vpn docker, both listening on 34400, would NOT work, even though they reside in their own dockers,

the network stack is unique from the ovpn docker here ... so either the 2nd, 3rd, ... app can use different ports (like xteve can be switched to any port) or it's just not possible cause ports are unique ...

 

sample with a second working app

[screenshot]

 

like above, ovpn_privoxy is the docker providing the network, now for a 2nd "client" docker, to reach the clients now

 

http://192.168.1.80:34400/web  <- xteve app

http://192.168.1.80:6555  <- emby app

 

of course the http proxy (port 8080) and socks proxy (port 1080) are also still available, has no influence ...

i hope this helps how to use the --net.... extra parameter

 

now, to 2. (VPN docker is running on host unraid in bridge mode)

 

only difference is now, u have to add the port mappings to the VPN docker, in this case i would add 34400:34400 and 6555:6555 to the VPN docker

 

[screenshot]

would result here in this (my unraid server has the ip 192.168.1.2)

[screenshot]

that's the only difference when using the VPN docker in bridge mode, now your vpn and apps are all accessed via 192.168.1.2:.....

 

in both usecases there is another nice feature limetech added, as soon as the VPN docker gets an update, the "client docker(s)" need to update too, which is in the end a restart only to fetch the correct network stack ... u should see an update notification on all dockers relating to the VPN docker as soon as that one received an update or u changed something on this docker, if so, please push update or restart the docker(s), shouldn't be too often (depending on update frequency of your VPN docker)

 

in case i can do something better, let me know to correct it.

Link to comment
12 hours ago, AngleRacket said:

I am working on a container stack using this one: https://github.com/ColinHebert/pia-openvpn

 

Haven't gotten it all sorted yet, but I was able to connect with a test container and echo my IP. Returned the proper VPN IP, so I think it's going to be fine.

Yep, this worked great, and was extremely easy to set up.

EDIT: This worked great until it didn't - the openvpn container would lose the connection after a few hours and had to be restarted. I switched to https://github.com/alturismo/ovpn_privoxy

 

[Updated]

1. Added the ovpn_privoxy container

  • downloaded the PIA ovpn file from here: https://www.privateinternetaccess.com/openvpn/openvpn.zip
  • started the container once, then stopped
  • changed login, password in the file, per the github instructions
  • renamed all my ovpn files to use underscore rather than space - ovpn files with spaces seemed to fail
  • I DID change my network from bridge to Custom:BR0 because I wanted my apps to use a specific IP
  • added static IP to vpn container

2. Opened my existing containers and set network to NONE, and added extra param of '--net=container:pia'

3. Confirmed by opening container console and using 'curl https://ipinfo.io/ip'

4. Because I can't seem to get the docker admin page to open the webui, I added a container for DashMachine to serve as a landing page

 

Couple of notes:

1. I could no longer get it to redirect ports. Example, I wanted DashMachine mapped to port 80, but it ignored my mapping and used the default 5000.

2. Docker admin page no longer shows 'WebUI' option on these containers. Even when I hard coded the IP and port.

3. If you do what I did and forget to change network to none, it will fail to load and take your container out of the list. Just add it back manually using the 'add container' button. All your settings will still be there. At least mine were.

 

 

Edited by AngleRacket
Link to comment
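
The manual check in step 3 above (curl https://ipinfo.io/ip from the container console) can be run across every container attached with --net=container:..., as an added example that is not part of the original posts. The function names find_clients and check_vpn_egress are hypothetical, and the script assumes curl is installed inside each client container.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes curl exists inside every client
# container and that https://ipinfo.io/ip is reachable (as in step 3 above).
IP_URL="https://ipinfo.io/ip"

# Print the names of all containers attached to the network stack of VPN ($1).
# NetworkMode can hold the VPN container's name or its full ID; match both.
find_clients() {
  vpn_id=$(docker inspect -f '{{.Id}}' "$1") || return 1
  for cid in $(docker ps -aq); do
    mode=$(docker inspect -f '{{.HostConfig.NetworkMode}}' "$cid") || continue
    case "$mode" in
      "container:$1"|"container:$vpn_id")
        docker inspect -f '{{.Name}}' "$cid" | sed 's|^/||' ;;
    esac
  done
}

# Compare the public IP seen from each client with the host's own public IP.
# Returns 0 only if every client answers and none exits via the host's IP.
check_vpn_egress() {
  host_ip=$(curl -fsS --max-time 10 "$IP_URL") || {
    echo "host IP lookup failed" >&2; return 2; }
  clients=$(find_clients "$1") || return 2
  bad=0
  for name in $clients; do
    ip=$(docker exec "$name" curl -fsS --max-time 10 "$IP_URL" 2>/dev/null) || ip=""
    if [ -z "$ip" ]; then
      echo "UNKNOWN $name (no answer: tunnel down or curl missing)"; bad=1
    elif [ "$ip" = "$host_ip" ]; then
      echo "LEAK    $name exits via host IP $ip"; bad=1
    else
      echo "OK      $name exits via $ip"
    fi
  done
  return $bad
}

# Usage: ./vpn_egress_check.sh ovpn_privoxy
if [ "$#" -gt 0 ]; then check_vpn_egress "$1"; fi
```

A container that was left on its own network instead of being attached to the VPN container is not listed at all, so compare the output with the list of containers you expect to be behind the VPN.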

Another thought I had was that I would like to be able to run some kind of browser through the VPN. Obviously, I could setup some kind of proxy and point my browser at it, but that's not ideal for my use case. I just want to be able to pop on to the VPN and check out some web sites.

This is what I found:

https://hub.docker.com/r/jlesage/firefox

 

Firefox in a container.

 

Very simple setup, good to go.

Link to comment
On 3/17/2020 at 9:59 PM, Forusim said:

Thanks for guide.

Is there any minimalistic (alpine-based) openvpn-client docker, where I can drop my ovpn file (ofc with the login credentials) and it will just work?

obviously im using mine ;) and its pretty light and offers privoxy and socks proxy ...

On 3/18/2020 at 6:17 AM, AngleRacket said:

Another thought I had was that I would like to be able to run some kind of browser through the VPN. Obviously, I could setup some kind of proxy and point my browser at it, but that's not ideal for my use case. I just want to be able to pop on to the VPN and check out some web sites.

This is what I found:

https://hub.docker.com/r/jlesage/firefox

 

Firefox in a container.

 

Very simple setup, good to go.

yes, that's a way to do it when u don't want a browser proxy

if your usecase is similar to mine (only some sites shall use a proxy) i use chrome addon FoxyProxy, u can set up proxy usage only for some sites ...

if u want a remote browser in browser, then this is also my current best advice, firefox from @Djoss

i hope someday he will make a chrome variant ... ;)

Link to comment

I've been running a set of containers sharing their network as described here for a few days now, and I have had a few issues. Just wanted to post them here to see if you guys are getting the same problems:

 

  1. Using alturismo/ovpn_privoxy as my base container and vpn, the vpn seems to go down after a day or so. When I see everything is stopped - no vpn traffic - I restart the container and everything lights back up as expected. This could be several things, but I feel like the VPN client is losing the connection and not reconnecting automatically.
  2. When I do have to restart the vpn, I can't just restart the main container. I have to restart every child container. That's a little tedious.
  3. The restarted child containers don't always start correctly, sometimes needing another restart. I seem to have better luck with this process: stop the children, restart the main container, start the children. But with eight-ish child containers, that's a real pain.
  4. Another challenge, that I haven't looked into yet, is that I need to allow traffic from my VPN container to a single IP on my normal LAN. My first thought is that maybe the route can be added in the OVPN files to have the VPN push the route to the network stack. If not, I don't know how else I might tackle this. Anyone else doing this?
Link to comment
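
The restart order from item 3 above (stop the children, restart the main container, start the children), as an added example that is not part of the original posts. The function names, the wait times and the single retry are assumptions; it covers a restart of the VPN container, not an image update that recreates it.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: restart a VPN container and the clients
# that share its network stack, in the order described in the post above.
# Client names are passed explicitly; wait times and retry count are assumptions.

# Succeeds when container $1 reports State.Running = true.
is_running() {
  [ "$(docker inspect -f '{{.State.Running}}' "$1" 2>/dev/null)" = "true" ]
}

# Wait up to $2 seconds for container $1 to be running.
wait_running() {
  tries=$2
  while [ "$tries" -gt 0 ]; do
    is_running "$1" && return 0
    sleep 1; tries=$((tries - 1))
  done
  return 1
}

# restart_vpn_stack VPN CLIENT...
restart_vpn_stack() {
  vpn=$1; shift
  # 1. stop every child so none keeps running on a stale network stack
  for c in "$@"; do docker stop "$c" >/dev/null || true; done
  # 2. restart the main (VPN) container and wait until it is up
  docker restart "$vpn" >/dev/null || return 1
  wait_running "$vpn" 30 || { echo "$vpn did not come up" >&2; return 1; }
  # 3. start the children; give each one a second attempt before reporting it
  failed=""
  for c in "$@"; do
    docker start "$c" >/dev/null 2>&1 || true
    if ! wait_running "$c" 5; then
      docker start "$c" >/dev/null 2>&1 || true
      wait_running "$c" 5 || failed="$failed $c"
    fi
  done
  [ -z "$failed" ] || { echo "not running:$failed" >&2; return 1; }
}

# Usage: ./restart_vpn_stack.sh pia xteve emby
if [ "$#" -gt 1 ]; then restart_vpn_stack "$@"; fi
```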

@AngleRacket

 

1. the container does check every 3 minutes the online state (should check in the logs), may take a look what is in there, sample

ping ok
or

we seem to be offline, restarting openvpn

 

that should be your major point cause

 

2. is by design like described in first post ... when "master is edited, restarted, ..." all "slaves" need a restart ...

 

may give another vpn container like binhex ovpn container a try as master if mine ain't working properly in your setup, or take a look at logs and leave a message here what is happening when checkup failed.

Link to comment
  • 4 weeks later...

I've been using https://github.com/binhex/arch-privoxyvpn as a socks style proxy for a VM for quite some time now as I wanted all traffic from that VM routed through the vpn.

 

I just setup Firefox docker using what you described above... I'll leave it on and see if it ever drops

Link to comment
  • 1 month later...
On 3/19/2020 at 1:48 PM, alturismo said:

obviously im using mine ;) and its pretty light and offers privoxy and socks proxy ...

Your docker? How does it work. I am subscribed to Express VPN, which is running on my router. I'd prefer though to run it on Unraid rather than the Router. Would this work with your solution? Ideally all dockers would then be funneled through the VPN. In an ideal world, I may want to exclude some URLs, which are excluded from the VPN, but that's a bonus.

Link to comment

@steve1977 this was pointed to a small solution.

 

if it works with express i can't tell, u can try it if you want or may try the more complex but also more variable one from binhex privoxy-vpn which i also used before.

the procedure to run "client" containers is described above, doesn't matter which vpn docker u use, should be always the same.

i don't have any exclusion url management built in (not my usecase).

Link to comment
  • 3 years later...

Is it possible to use the VPN only for outgoing traffic? Like not having the web interface VPN:ed, but the other traffic. 

Eg, Torrent-program. No VPN for the interface, but VPN for all torrent traffic. Or TheLounge.

 

Let's use my instance of irc-client TheLounge. 
Locally I use port 9000 for the WebUI, and a subdomain which is reversed-proxied to 9000 when used externally. So I don't want to VPN that part. 9000 is the only port mentioned in the docker settings and under Port Mappings column. 
TheLounge connects to an external IRC-server on port 6697, that server sees my personal public IP. THIS is the part I'd like to VPN.
Is that possible with a similar method? Or is it a whole different thing?

Link to comment
1 hour ago, tshorts said:

TheLounge connects to an external IRC-server on port 6697, that server sees my personal public IP. THIS is the part I'd like to VPN.

thats whats happening

 

1 hour ago, tshorts said:

Locally I use port 9000 for the WebUI, and a subdomain which is reversed-proxied to 9000 when used externally. So I don't want to VPN that part. 9000 is the only port mentioned in the docker settings and under Port Mappings column. 

this traffic (web client browser <> reverse proxy <> TheLounge) is NOT running through VPN as its directly connected.

 

so i assume its already by default like you wish

Link to comment
On 2/8/2024 at 6:26 PM, alturismo said:

thats whats happening

 

this traffic (web client browser <> reverse proxy <> TheLounge) is NOT running through VPN as its directly connected.

 

so i assume its already by default like you wish

I see my public (non-VPN) IP on the IRC server.
But found the built in VPN Wireguard thing, so I'll look into that. Understand that's where VPN for outbound traffic is supposed to go.  

Link to comment
