How make openvpn work with docker

docker debian openvpn docker-networking
jb. picture jb. · Aug 15, 2017 · Viewed 24.8k times · Source

I have recently installed privacy vpn, and it turns out that enabled openvpn breaks docker.

When I try to run docker-compose up i get following error 

ERROR: could not find an available, non-overlapping IPv4 address pool among the defaults to assign to the network

Disabling vpn fixes the problem (however I'd rather not disable it). Is there any way to make these two co-exist peacefully? I use debian jessie, and my openvpn has following version string

 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 26 2017

A lot of people "solved" this problem by disabling the openvpn, so I'm asking specifically on how to make these two work at the same time.

References:

  1. https://stackoverflow.com/a/45377351/7918
  2. https://stackoverflow.com/a/42499393/7918

If this makes any difference my vpn provider is: https://www.ovpn.com/ and here is (somewhat redacted) config file: 

client
dev tun

proto udp

remote host port
remote-random

mute-replay-warnings
replay-window 256

push "dhcp-option DNS 46.227.67.134"    
push "dhcp-option DNS 192.165.9.158"

remote-cert-tls server
cipher aes-256-cbc
pull

nobind
reneg-sec 432000
resolv-retry infinite

comp-lzo
verb 1

persist-key
persist-tun
auth-user-pass /etc/openvpn/credentials
ca ovpn-ca.crt
tls-auth ovpn-tls.key 1

Answer

jb. picture jb. · Aug 15, 2017

Solution (TL;DR;)

Create /etc/openvpn/fix-routes.sh script with following contents: 

#!/bin/sh

echo "Adding default route to $route_vpn_gateway with /0 mask..."
ip route add default via $route_vpn_gateway

echo "Removing /1 routes..."
ip route del 0.0.0.0/1 via $route_vpn_gateway
ip route del 128.0.0.0/1 via $route_vpn_gateway

Add executable bit to the file: chmod o+x /etc/openvpn/fix-routes.sh. Change owner of this file to root: chown root:root /etc/openvpn/fix-routes.sh.

Add to your config following two lines: 

 script-security 2
 route-up  /etc/openvpn/fix-routes.sh

Explanation

Openvpn adds routes that for following networks: 0.0.0.0/1 and 128.0.0.0/1 (these routes cover entire IP range), and docker can't find range of IP addresses to create it's own private network.

You need to add a default route (to route everything through openvpn) and disable these two specific routes. fix-routes script does that.

This script is called after openvpn adds its own routes. To execute scripts you'll need to set script-security to 2 which allows execution of bash scripts from openvpn context.

Thanks

I'd like to thank author of this comment on github, also thanks to ovpn support.

Related questions

ps command doesn't work in docker container

I want to do a ps command in a docker container derived from Debian official Docker hub repository: $ docker run -ti debian:wheezy /bin/bash root@51afd6b09af8:/# ps bash: ps: command not found

Read More
How to set the locale inside a Debian/Ubuntu Docker container?

I'm running a Ubuntu Docker container. I have a Norwegian keyboard and need to use Norwegian characters (øæå). My Terminal character encoding is set to UTF-8 and I'm connected to my container using SSH. However, I'm unable to type Norwegian characters, …

Read More
Switching users inside Docker image to a non-root user

I'm trying to switch user to the tomcat7 user in order to setup SSH certificates. When I do su tomcat7, nothing happens. whoami still ruturns root after doing su tomcat7 Doing a more /etc/passwd, I get the following result …

Read More