Docker VPN IPSec client without privileged access Docker VPN IPSec client without privileged access docker docker

Docker VPN IPSec client without privileged access


docker vpn

You can do it without privileged access, but NET_ADMIN capabilities is required, so that the container can created and tunnel interface.

To test the config I picked up a free VPN service from

https://www.vpnbook.com/freevpn

Downloading this [file] (https://www.vpnbook.com/free-openvpn-account/VPNBook.com-OpenVPN-US1.zip)

I created below Dockerfile for the same

FROM ubuntu:16.04RUN apt update && apt install -y openvpn curl socat wget ca-certificates opensslWORKDIR /openvpn/configCOPY vpnbook-us1-tcp80.ovpn .COPY start.sh /start.shENV OPENVPN_USERNAME=vpnbook OPENVPN_PASSWORD=dup2atuCMD /start.sh

In the vpnbook-us1-tcp80.ovpn, I made a small changed to auth-user-pass and made it auth-user-pass openvpn-credentials, so we can pass credentials from a file. Next was to create a start.sh

#!/bin/shmkdir -p /dev/net && mknod /dev/net/tun c 10 200printf "$OPENVPN_USERNAME\n$OPENVPN_PASSWORD" > openvpn-credentialschmod 600 openvpn-credentialssocat TCP4-LISTEN:80,reuseaddr,fork TCP4:ipinfo.io:80 2>&1 >/dev/null &exec openvpn --inactive 3600 --ping 10 --ping-exit 60 --config vpnbook-us1-tcp80.ovpn

The mknod /dev/net/tun c 10 200 creates a tun device at run-time inside container so we don't need to map it from host.

Since you wanted other containers to access mysql by connecting to this container, you will change below

socat TCP4-LISTEN:80,reuseaddr,fork TCP4:ipinfo.io:80 2>&1 >/dev/null &

to

socat TCP4-LISTEN:3306,reuseaddr,fork TCP4:<YourMYSQLIP>:3306 2>&1 >/dev/null &

What this would do is listen to local port X on container and forward that request to port Y on IP/domain your provide. Then we can either map this ports to Host or access them directly through container.

To run the whole thing I made a simple docker-compose.yml

version: "3"services:  vpn:    build: .    cap_add:      - NET_ADMIN    ports:      - 3306:3006      - 8080:80    dns:      - 8.8.8.8

Now after doing docker-compose up -d and waiting for few seconds, I run below command on my host

$ curl -H "Host: ipinfo.io" localhost:8080/json{  "ip": "198.7.62.204",  "hostname": "us1.vpnbook.com",  "city": "Manassas",  "region": "Virginia",  "country": "US",  "loc": "38.7701,-77.6321",  "org": "AS30633 Leaseweb USA, Inc.",  "postal": "20109"}

As you can see localhost:8080 was mapped to container port 80 and socat is forwarding that port 80 to ipinfo.io:80. The forwarding is happening through the VPN

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last