Docker tunnel traffic on specific port via VPN
Not sure if this is docker specific or a general networking question.
I'm running a Debian Jessie server with several docker containers. My understanding is that docker creates a virtual interface (or strictly speaking a virtual ethernet bridge) called docker0 and binds the virtual interfaces of each individual container. It then manipulates the host's iptables to allow communication between each container's exposed ports and the host's network.
I have a VPN, the interface is tun0. One of the containers exposes two ports: 8888 and 23456. I want to tunnel all traffic to and from port 23456 through the VPN.
How can this be done?
Another way of looking at this is that docker automatically routes traffic based on the port to the right container. I want to insert another layer via iptables, where traffic on port 23456 is directed to the VPN and any traffic from the VPN is directed to port 23456.
For info, the VPN provider uses OpenVPN.
linux networking vpn routing iptables
asked May 7 '15 at 8:51
fswings
1 Answer
This should be completely automatic, except for the need of the usual masquerade rule:
# match on the outgoing interface only: iptables rejects -i in the POSTROUTING chain
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
Just for the sake of thoroughness, make sure you have the routing rule, on the host, servicing docker0: if you can ping the dockers from the host, no need to read further. Otherwise add
# Docker'sNetwork is a placeholder for the bridge subnet; a directly connected route takes "dev" without "via"
ip route add Docker'sNetwork/16 dev docker0
answered Jun 13 '15 at 12:24
MariusMatutiae
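A way to check the two prerequisites the answer names, a MASQUERADE rule covering traffic leaving via tun0 and a host route for the docker0 network, added here as an example and not part of the original answer. The function names are hypothetical, both sample inputs are constructed, and 172.17.0.0/16 is an assumed bridge subnet.

```shell
#!/bin/sh
# Added example. Both samples are constructed; 172.17.0.0/16 is an assumed
# Docker bridge subnet. Live use: iptables-save -t nat | masquerade_covers tun0
#                                 ip route | routes_via docker0
SAMPLE_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT'

SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.42.1'

# masquerade_covers IFACE: read iptables-save nat text on stdin and succeed if
# some POSTROUTING rule masquerades packets leaving via IFACE. Source (-s)
# matches are not evaluated, only the outgoing-interface condition.
masquerade_covers() {
    awk -v ifc="$1" '
        $1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ {
            out = ""; neg = 0
            for (i = 3; i <= NF; i++)
                if ($i == "-o") { out = $(i + 1); neg = ($(i - 1) == "!") }
            # no -o: every interface; "! -o X": every interface except X
            if (out == "" || (!neg && out == ifc) || (neg && out != ifc))
                found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# routes_via IFACE: read `ip route` text on stdin, print each destination
# whose route leaves through IFACE.
routes_via() {
    awk -v ifc="$1" '{
        for (i = 2; i < NF; i++)
            if ($i == "dev" && $(i + 1) == ifc) print $1
    }'
}

report() {
    if printf '%s\n' "$SAMPLE_NAT" | masquerade_covers tun0; then
        echo "tun0 egress: masqueraded"
    else
        echo "tun0 egress: no MASQUERADE rule"
    fi
    nets=$(printf '%s\n' "$SAMPLE_ROUTES" | routes_via docker0)
    echo "docker0 routes: ${nets:-none}"
}
report
```

In the constructed sample, the only NAT rule is of the `! -o docker0` form, which already covers traffic leaving through tun0, so no separate tun0 rule is reported as missing.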