Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.
- VPN Passthrough: Docker Desktop for Mac's networking can work when attached to a VPN. To do this, Docker Desktop for Mac intercepts traffic from the containers and injects it into the Mac as if it originated from the Docker application.
- Uninstalled RC1, killed any lingering processes and installed RC2 (all while connected through Cisco AnyConnect VPN client). Docker for Mac starts up and I can docker login, docker run, docker pull, etc. What a fantastic way to close out a week! Thank you for getting this fixed - it's a massive unblocker for me.
- This video shows how to route the network of one container through another container. This is useful if you want to route a container through a VPN. The fully explained instructions are here: Docker Desktop, Hyper-V and VPN, with the settings for Docker containers, Windows VMs and Linux VMs. I created a new internal Virtual Switch (let's call it 'Internal') and assigned to it a static IP address (let's say 192.168.4.2).
- Virtual Private Networking (VPN)
It is often the case that a system behind the firewall needs to be able to access a remote network through Virtual Private Networking (VPN). The two most common means for doing this are IPsec and PPTP. The basic setup is shown in the following diagram:
A system with an RFC 1918 address needs to access a remote network through a remote gateway. For this example, we will assume that the local system has IP address 192.168.1.12 and that the remote gateway has IP address 192.0.2.224.
If PPTP is being used and you need to have two or more local systems connected to the same remote server at the same time, then you should be sure that the PPTP helper modules are loaded (ip_conntrack_pptp and ip_nat_pptp, or nf_conntrack_pptp and nf_nat_pptp). Using the default modules file, Shorewall (Lite) will attempt to load these modules when Shorewall (Lite) is started.
If IPsec is being used, you should configure IPsec to use NAT Traversal. Under NAT traversal the IPsec packets (protocol 50 or 51) are encapsulated in UDP packets (normally with destination port 4500). Additionally, keep-alive messages are sent frequently so that NATing gateways between the end-points will retain their connection-tracking entries. This is the way that I connect to the HP Intranet and it works flawlessly without anything in Shorewall other than my ACCEPT loc->net policy. NAT traversal is available as a patch for Windows 2K and is a standard feature of Windows XP: simply select 'L2TP IPsec VPN' from the 'Type of VPN' pulldown.
Alternatively, if you have an IPsec gateway behind your firewall, you can try the following. Only one local system may connect to the remote gateway, and the firewall needs these rules:
Table 1. /etc/shorewall/rules

ACTION | SOURCE | DEST | PROTO | DPORT | SPORT | ORIGDEST
---|---|---|---|---|---|---
DNAT | net:192.0.2.224 | loc:192.168.1.12 | 50 | | |
DNAT | net:192.0.2.224 | loc:192.168.1.12 | udp | 500 | |
The above may or may not work — your mileage may vary. NAT Traversal is definitely a better solution. To use NAT traversal:
Table 2. /etc/shorewall/rules with NAT Traversal

ACTION | SOURCE | DEST | PROTO | DPORT | SPORT | ORIGDEST
---|---|---|---|---|---|---
DNAT | net:192.0.2.224 | loc:192.168.1.12 | udp | 4500 | |
DNAT | net:192.0.2.224 | loc:192.168.1.12 | udp | 500 | |
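To make the difference between the two tables concrete, here is an added illustration (not Shorewall code, and not from the Shorewall documentation) that parses the ACTION/SOURCE/DEST/PROTO/DPORT columns shown above and checks which constructed inbound packets each rule set forwards to 192.168.1.12. It assumes the net->loc policy is DROP, so anything no DNAT rule matches is dropped. The point it shows: once NAT Traversal wraps ESP in UDP/4500, the protocol-50 rule from Table 1 never matches, which is why Table 2 forwards UDP 4500 instead; and in both tables only the one named remote gateway is let through.

```python
"""Added illustration of what the two Shorewall rule sets above forward."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The two tables from the text, in the same column order.
TABLE1_PLAIN_IPSEC = """
DNAT | net:192.0.2.224 | loc:192.168.1.12 | 50  |      | |
DNAT | net:192.0.2.224 | loc:192.168.1.12 | udp | 500  | |
"""
TABLE2_NAT_TRAVERSAL = """
DNAT | net:192.0.2.224 | loc:192.168.1.12 | udp | 4500 | |
DNAT | net:192.0.2.224 | loc:192.168.1.12 | udp | 500  | |
"""

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "esp": 50, "ah": 51}


@dataclass(frozen=True)
class Rule:
    action: str
    src_zone: str
    src_addr: str
    dst_zone: str
    dst_addr: str
    proto: int
    dport: Optional[int]   # None = any port (ESP and AH carry no ports)


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet as seen arriving from the net zone."""
    src: str
    proto: int
    dport: Optional[int] = None


def parse_rules(table: str) -> List[Rule]:
    """Parse the pipe-separated rows of the tables above into Rule objects."""
    rules = []
    for line in table.strip().splitlines():
        action, src, dst, proto, dport = [c.strip() for c in line.split("|")][:5]
        src_zone, src_addr = src.split(":", 1)
        dst_zone, dst_addr = dst.split(":", 1)
        proto_num = int(proto) if proto.isdigit() else PROTO_NUMBERS[proto.lower()]
        rules.append(Rule(action, src_zone, src_addr, dst_zone, dst_addr,
                          proto_num, int(dport) if dport else None))
    return rules


def dnat_target(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Internal host the packet is forwarded to, or None when no rule matches."""
    for r in rules:
        if r.action != "DNAT" or r.src_zone != "net" or r.dst_zone != "loc":
            continue
        if pkt.src != r.src_addr or pkt.proto != r.proto:
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        return r.dst_addr
    return None


def forwarded(table: str, packets: List[Packet]) -> Dict[Packet, Optional[str]]:
    """Map each sample packet to its DNAT target under the given table."""
    rules = parse_rules(table)
    return {p: dnat_target(rules, p) for p in packets}


# Constructed traffic: IKE, raw ESP, NAT-T encapsulated ESP, and an unrelated host.
SAMPLES = [
    Packet("192.0.2.224", 17, 500),    # IKE from the remote gateway
    Packet("192.0.2.224", 50),         # raw ESP from the remote gateway
    Packet("192.0.2.224", 17, 4500),   # ESP-in-UDP (NAT Traversal)
    Packet("198.51.100.9", 17, 500),   # IKE from some other host: never forwarded
]

if __name__ == "__main__":
    for name, table in (("plain IPsec", TABLE1_PLAIN_IPSEC),
                        ("NAT Traversal", TABLE2_NAT_TRAVERSAL)):
        print(name)
        for pkt, target in forwarded(table, SAMPLES).items():
            print(f"  {pkt} -> {target or 'dropped by policy'}")
```

Running it prints, for each table, which of the four sample packets reaches 192.168.1.12; the raw ESP packet is forwarded only under Table 1 and the UDP/4500 packet only under Table 2, while IKE on UDP/500 passes under both.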
If you want to give all of your local systems access to the remote network, you should consider running a VPN client on the firewall itself. As a starting point, see the /etc/shorewall/tunnels manpage.
Containers are a great piece of technology. As a developer I enjoy their benefits in production-like environments, but most of all I love them because they improve our daily tasks. This article is part of the "Pragmatic Docker series for Web developers", and it is a simple example of how you can harness the power of containers for your own needs.
"A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across a VPN may therefore benefit from the functionality, security, and management of the private network." (Wikipedia)
Basically, it creates a secure tunnel between your device and the VPN server. For example, if your OpenVPN server is hosted on an AWS EC2 instance in the US, your HTTP requests, data, forms and so on will go through: your phone < - > public wifi < - > internet provider < - > VPN server < - > internet. Even if the Wi-Fi or the internet provider is compromised, nobody on that path can see your data, because the tunnel between your device and the VPN server is encrypted.
I started using VPNs for personal use after the KRACK attacks on public Wi-Fi. If you often find yourself using public internet access points, and/or you care about your privacy and security, I will show you how to set up your own VPN!
Requirements:
- Bash-like environment and basic knowledge
- familiar with Docker essentials
- a client device with an OpenVPN client installed (Windows, Linux or Android)
A server:
- a VPS/VM/server with internet and SSH access - Examples: Digital Ocean 5$ Droplet, AWS EC2, Google Compute Instance
- Docker installed on the server
- a STATIC (that does not change) public IP or domain/subdomain for your server, example: AWS Elastic IP or Google Cloud static IP
- 1194 TCP open port for ingress (incoming data), example: AWS Security group or Google Cloud Firewall Rule
Choose the location of your VM/server wisely: it will be your apparent location from now on. For example, you can use it to reach services that are only available in a specific country!
VPN Setup
We will use the most popular Docker image for OpenVPN, kylemanna/docker-openvpn. For persistence and convenience we store the VPN's configuration and private keys in a Docker volume named ovpn-data-family. It is basically a folder shared by all OpenVPN containers. One advantage is that you can remove the container, or run OpenVPN commands in parallel, without losing the keys.
So far you should have downloaded the OpenVPN image locally and generated the config and a private key.
It is recommended to generate a separate config/key for each client you want to use (client = device you want to secure). You can repeat the following steps for all your smartphones and PCs.
The .ovpn file is a configuration file that also contains a unique key for each device. If you lose or change a device, you can revoke its credentials on the server.
Now we can run the server and let it do its work.
Remember to open port 1194! (OpenVPN will use 1194 UDP, but we are proxying it through our machine on 1194 TCP with Docker.)
The output should be something like:
The server should be up and running by now and accessible from the internet. Docker will keep our container running even after the server is restarted.
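The whole sequence described in this section, as an added example written against the helper commands the kylemanna/openvpn image ships (ovpn_genconfig, ovpn_initpki, easyrsa, ovpn_getclient); these are not the article's own commands, vpn.example.com is a placeholder for your server's static IP or hostname, and DRY_RUN=1 prints each docker command instead of executing it so the plan can be reviewed before anything touches the server:

```sh
#!/bin/sh
# Added example: provisioning script for the kylemanna/openvpn image.
# Not the article's own commands. vpn.example.com is a placeholder for the
# server's static IP or hostname; DRY_RUN=1 prints the docker commands only.
set -eu

OVPN_DATA="${OVPN_DATA:-ovpn-data-family}"   # volume name used in the article
IMAGE="${IMAGE:-kylemanna/openvpn}"
PORT="${PORT:-1194}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Every helper mounts the same volume, so config and keys persist across containers.
in_volume() {
    run docker run -v "$OVPN_DATA:/etc/openvpn" --rm "$@"
}

create_volume() {
    run docker volume create --name "$OVPN_DATA"
}

# Write the server config; -u is the address clients will connect to.
genconfig() {
    in_volume "$IMAGE" ovpn_genconfig -u "udp://$1"
}

# Build the CA and server certificate. Interactive: it asks for a CA
# passphrase, which protects the key that can mint new client certificates.
initpki() {
    in_volume -it "$IMAGE" ovpn_initpki
}

# Run detached; NET_ADMIN is needed for the tun device and --restart=always
# brings the container back after a host reboot.
start_server() {
    run docker run -v "$OVPN_DATA:/etc/openvpn" -d --restart=always \
        -p "$PORT:1194/udp" --cap-add=NET_ADMIN "$IMAGE"
}

# One certificate per device ("nopass" = no passphrase on the device key).
build_client() {
    in_volume -it "$IMAGE" easyrsa build-client-full "$1" nopass
}

# Export a self-contained .ovpn profile (config plus that device's key).
export_client() {
    in_volume "$IMAGE" ovpn_getclient "$1" > "$1.ovpn"
    chmod 600 "$1.ovpn"   # the profile holds a private key
}

# Usage: sh provision.sh vpn.example.com phone laptop
# With no arguments only the functions are defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then
    host="$1"; shift
    create_volume
    genconfig "$host"
    initpki
    start_server
    for client in "$@"; do
        build_client "$client"
        export_client "$client"
    done
fi
```

Each device gets its own certificate so a lost phone can be revoked without touching the others, and the exported .ovpn file is made readable only by its owner because it embeds that device's private key.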
Devices (clients)
Now you can test from a client that your traffic is routed through the VPN server. This can be done after you copy the .ovpn files to the devices and import them into the OpenVPN clients; see these screenshots for a PC and an Android example.
Download Windows/Linux or Android clients
[optional] DNS
By default, OpenVPN will tell the clients to use Google's DNS. If you want a more private and slightly faster service, you can change it to Cloudflare's 1.1.1.1:
Replace
with
Note: to exit Vi you must press [ESC], then type :wq to write the changes and quit.
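The same edit done programmatically, as an added example that is neither the article's nor the image's code: it rewrites the `push "dhcp-option DNS ..."` lines of an OpenVPN server config. SAMPLE_CONF is a constructed excerpt in the format ovpn_genconfig writes, with the Google resolvers (8.8.8.8 and 8.8.4.4) assumed to be the default the text refers to; the other directives in it are there only so the example can show they survive the edit untouched.

```python
"""Added example: replace the DNS servers an OpenVPN server pushes to clients."""
import ipaddress
import re
from typing import List

# Constructed excerpt of /etc/openvpn/openvpn.conf (Google resolvers assumed as default).
SAMPLE_CONF = """\
server 192.168.255.0 255.255.255.0
verb 3
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"
"""

# Matches a pushed DNS option line and captures the server address.
DNS_PUSH = re.compile(r'^\s*push\s+"dhcp-option\s+DNS\s+(\S+)"\s*$')


def pushed_dns(conf_text: str) -> List[str]:
    """DNS servers a server config currently pushes, in order."""
    return [m.group(1) for m in map(DNS_PUSH.match, conf_text.splitlines()) if m]


def replace_dns(conf_text: str, new_servers: List[str]) -> str:
    """Return conf_text with all pushed DNS lines replaced by new_servers.

    The new lines go where the first old one was, so the rest of the file
    (including 'block-outside-dns', which stops Windows clients sending
    queries outside the tunnel) is left in place. Addresses are validated
    first so a typo cannot leave every client without a working resolver.
    """
    for s in new_servers:
        ipaddress.ip_address(s)          # raises ValueError on a bad address
    kept, insert_at = [], None
    for line in conf_text.splitlines():
        if DNS_PUSH.match(line):
            if insert_at is None:
                insert_at = len(kept)
            continue
        kept.append(line)
    if insert_at is None:                # config pushed no DNS: append at the end
        insert_at = len(kept)
    kept[insert_at:insert_at] = [f'push "dhcp-option DNS {s}"' for s in new_servers]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(replace_dns(SAMPLE_CONF, ["1.1.1.1", "1.0.0.1"]))
```

Pushing two resolvers (Cloudflare's 1.1.1.1 and 1.0.0.1) keeps name resolution working if one is unreachable; after editing, restart the OpenVPN container so the new config is read.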
The End
You are done! I hope you learned a few things about Docker and servers, and as a result you have a free, personal VPN to keep your devices secure and private!