
Let Docker access the internet by passing through the VPN connection

strongSwan

My host machine, a laptop running Manjaro Linux, is connected via VPN to the internet. I use strongSwan, the open-source IPsec-based VPN solution.

IPsec with the IKEv2 protocol is fast and secure.

With the tunnel up, Docker containers lose their internet access. Networking problems are a common side effect of combining VPN clients with Docker.

One workaround is to run the container with --network host so it piggybacks on the host's network stack. That technique only works on Linux machines.

The container then shares the host's network namespace instead of getting its own, so you can't (and don't need to) re-map ports.

Another approach is the bypass-lan plugin. This method should also work on macOS and Windows.

You can enable the plugin under /etc/strongswan.d/charon/bypass-lan.conf:

bypass-lan {

    ## A comma-separated list of network interfaces for which connected subnets
    ## should be ignored, if interfaces_use is specified this option has no
    ## effect.
    ## interfaces_ignore =

    ## A comma-separated list of network interfaces for which connected subnets
    ## should be considered. All other interfaces are ignored.
    ## interfaces_use =

    ## Whether to load the plugin. Can also be an integer to increase the
    ## priority of this plugin.
    load = yes

}

Make sure the plugin directory is actually included. Example settings for /etc/strongswan.conf (modular configuration):

## strongswan.conf - strongSwan configuration file
#
## Refer to the strongswan.conf(5) manpage for details
#
## Configuration changes should be made in the included files

charon-systemd {
    threads = 16
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
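Two checks are worth doing before trusting the setup. First, the bypass-lan plugin exempts the subnets of every connected interface from the IPsec policies, so traffic to those subnets never enters the tunnel; if you only need Docker's bridge to bypass the VPN, the interfaces_use option shown in the config above lets you restrict the exemption to docker0. Second, a commented-out "## load = yes" line is easy to mistake for an active setting. The script below is an added example, not code from the post or from the strongSwan project; it assumes POSIX sh with awk, that the Docker bridge is named docker0 (Docker's default), and, for the runtime check only, a running charon reachable through the swanctl CLI.

```shell
#!/bin/sh
# Added example (not part of the original post): pre-flight checks for the
# bypass-lan plugin configuration. Assumes POSIX sh with awk; the runtime
# check additionally assumes swanctl can talk to a running charon.

# Print the effective value of "load" inside the bypass-lan { ... } block of a
# strongswan.conf-style file. Comment lines (leading '#') are ignored, so a
# commented-out "## load = yes" yields an empty string, not "yes".
bypass_lan_load_setting() {
    awk '
        /^[[:space:]]*#/ { next }                                   # skip comments
        /^[[:space:]]*bypass-lan[[:space:]]*[{]/ { in_block = 1; next }
        in_block && /^[[:space:]]*[}]/ { in_block = 0 }
        in_block && /^[[:space:]]*load[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")                          # drop "load ="
            sub(/[[:space:]]+$/, "")                                # drop trailing blanks
            value = $0
        }
        END { print value }
    ' "$1"
}

# Render a bypass-lan.conf that exempts only the subnets of the given
# interfaces (e.g. docker0) from the tunnel, instead of every connected subnet.
render_bypass_lan_conf() {
    [ "$#" -gt 0 ] || { echo 'usage: render_bypass_lan_conf IFACE...' >&2; return 1; }
    ifaces=$(printf '%s,' "$@")
    ifaces=${ifaces%,}                                              # strip trailing comma
    printf 'bypass-lan {\n    load = yes\n    interfaces_use = %s\n}\n' "$ifaces"
}

# Runtime check: does charon list bypass-lan among its loaded plugins?
# (With the legacy starter, "ipsec statusall" prints the same list.)
bypass_lan_loaded() {
    swanctl --stats 2>/dev/null | grep -q 'bypass-lan'
}

# Usage:
#   bypass_lan_load_setting /etc/strongswan.d/charon/bypass-lan.conf
#   render_bypass_lan_conf docker0 > /etc/strongswan.d/charon/bypass-lan.conf
#   bypass_lan_loaded && echo "plugin active"
```

After editing the conf file, restart charon-systemd and run the runtime check; the static parse only tells you what the file says, not what the daemon has loaded.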

Docker and DNS Lookups

After you've configured strongSwan, there's still some work to do: containers can't resolve DNS names while the host runs the strongSwan VPN.

I've found an article that explains all the details. The fix is to give the Docker daemon explicit resolvers in /etc/docker/daemon.json:

{
    "dns": ["1.1.1.1", "8.8.8.8"]
}

Restart the Docker service:

sudo service docker restart
# or
sudo systemctl restart docker
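Because daemon.json holds every daemon option, overwriting it blindly can silently drop unrelated settings, and a container that fails to reach the internet can be suffering from a missing route rather than from broken DNS. The script below is an added example, not code from the post; it writes the "dns" setting only when no daemon.json exists, and separates the two failure modes by first fetching a bare IP address (no resolution involved) and only then trying a name lookup. It assumes POSIX sh, the docker CLI on PATH for the container check, and the resolvers the post uses (1.1.1.1 and 8.8.8.8); alpine:3.19 is an assumed image whose busybox provides wget and nslookup.

```shell
#!/bin/sh
# Added example (not part of the original post): install Docker's DNS setting
# safely and diagnose name resolution from inside a container.
# Assumes POSIX sh and, for diagnose_container_dns only, the docker CLI.

# Print a daemon.json body whose "dns" array lists the given resolvers.
render_daemon_json() {
    [ "$#" -gt 0 ] || { echo 'usage: render_daemon_json SERVER...' >&2; return 1; }
    list=''
    for ip in "$@"; do
        list="${list:+$list, }\"$ip\""                 # "a", "b", ...
    done
    printf '{\n    "dns": [%s]\n}\n' "$list"
}

# Return 0 if FILE already defines a "dns" key.
has_dns_key() {
    [ -f "$1" ] && grep -q '"dns"[[:space:]]*:' "$1"
}

# Write TARGET with the given resolvers, but never clobber an existing file:
# other daemon options (log driver, registries, ...) would be lost.
install_docker_dns() {
    target=$1; shift
    if has_dns_key "$target"; then
        echo "$target already sets dns; leaving it alone" >&2
        return 0
    fi
    if [ -f "$target" ]; then
        echo "$target exists; add \"dns\": [...] to it by hand" >&2
        return 2
    fi
    render_daemon_json "$@" > "$target"
}

# Classify the container's network state as "ok", "no-dns" or "no-network".
# Fetching a bare IP first rules out a routing problem before blaming DNS.
diagnose_container_dns() {
    image=${1:-alpine:3.19}                            # assumed busybox-based image
    if ! docker run --rm "$image" wget -q -O /dev/null -T 5 http://1.1.1.1/ 2>/dev/null; then
        echo no-network; return 1
    fi
    if ! docker run --rm "$image" nslookup example.com >/dev/null 2>&1; then
        echo no-dns; return 2
    fi
    echo ok
}

# Usage:
#   sudo sh -c '. ./docker-dns.sh; install_docker_dns /etc/docker/daemon.json 1.1.1.1 8.8.8.8'
#   sudo systemctl restart docker
#   diagnose_container_dns
```

If diagnose_container_dns reports no-network rather than no-dns, the DNS setting is not the problem and the bypass-lan or host-network step above still needs fixing.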

Final Thoughts

Now you can run a VPN tunnel on your computer and Docker still works. Amazing.

Further Reading