Despite successful VPN connection, cannot connect to internet in container (wget and ping)
I have set up the container on my QNAP NAS and I managed to configure it correctly so that it:
- Will not be killed instantly by the QNAP non-native OpenVPN instance Kill Daemon
- Uses the correct .ovpn config files and .crt to connect to Mullvad correctly
After editing the compose file and starting up the container, I can see in the console that OpenVPN connects.
According to the tutorial I now have to /bin/sh into the container and use
wget -qO- http://ipecho.net/plain | xargs echo
to check the container's public IP to make sure the traffic is really routed through the VPN tunnel.
But I noticed that, despite the successful OpenVPN connection, the container does not seem to be able to connect to the internet.
I get a bad address in response.
I then tried curl, but unfortunately it is not installed. Neither is apt-get.
I've read that maybe it is because of bad DNS configuration, so I tried
ping 0
ping 192.168.178.1 (local internet router)
successfully. But...
ping 8.8.8.8
returns nothing. I tried switching
network_mode: bridge/host
but the errors remain the same. What else can I try? Or is it correct that I can't access the internet inside the container anymore? Maybe the default interface in the container shell does not use the established VPN tunnel?
I created this container in order to route another container's traffic through the VPN. But I was not able to try that yet.
I am not an IT expert and don't know much about Docker networking. I rely on QNAP's Container Station automatic setup of virtual switches and interfaces and it has worked so far.
I have two other containers running (HomeBridge and pi-hole) that don't have any connectivity issues.
The HomeBridge container runs in NAT mode and the pi-hole got its own IP address on my network. So general routing seems to work on my QNAP.
My compose file:
version: "3"
services:
  openvpn-client:
    image: yacht7/openvpn-client
    container_name: openvpn-client
    network_mode: bridge
    cap_add:
      - NET_ADMIN
    environment:
      - KILL_SWITCH=on
      - FORWARDED_PORTS=54975
      - SUBNETS=192.168.178.0/24,192.168.178.0/24
    devices:
      - /dev/net/tun
    volumes:
      - /share/Container/mullvad:/data/vpn
    ports:
      - 5800:5800
      - 5900:5900
      - 80:80
      - 443:443
      - 3129:3129
    restart: unless-stopped
Container console:
---- Running with the following variables ----
Kill switch: on
Tinyproxy: off
Shadowsocks: off
Whitelisting subnets: 192.168.178.0/24,192.168.178.0/24
Using configuration file: /data/vpn/mullvad_md_kiv.conf
Using OpenVPN log level: 3
Creating /data/vpn/mullvad_md_kiv.conf.modified and making required changes to that file.
Changes made.
Creating VPN kill switch and local routes.
Allowing established and related connections...
Allowing loopback connections...
Allowing Docker network connections...
Allowing specified subnets...
RTNETLINK answers: File exists
Allowing remote servers in configuration file...
Using:
md-kiv-001.mullvad.net (IP:178.175.142.194 PORT:53)
Allowing connections over VPN interface...
Allowing connections over VPN interface to forwarded ports...
Preventing anything else...
iptables rules created and routes configured.
Running OpenVPN client.
Wed Dec 22 07:22:20 2021 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Wed Dec 22 07:22:20 2021 WARNING: file 'mullvad_userpass.txt' is group or others accessible
Wed Dec 22 07:22:20 2021 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Wed Dec 22 07:22:20 2021 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
Wed Dec 22 07:22:20 2021 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Dec 22 07:22:20 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]178.175.142.194:53
Wed Dec 22 07:22:20 2021 Socket Buffers: R=[819200->1048576] S=[819200->1048576]
Wed Dec 22 07:22:20 2021 UDPv4 link local: (not bound)
Wed Dec 22 07:22:20 2021 UDPv4 link remote: [AF_INET]178.175.142.194:53
Wed Dec 22 07:22:20 2021 TLS: Initial packet from [AF_INET]178.175.142.194:53, sid=3de8a366 b49ace25
Wed Dec 22 07:22:20 2021 VERIFY OK: depth=2, C=SE, ST=Gotaland, L=Gothenburg, O=Amagicom AB, OU=Mullvad, CN=Mullvad Root CA v2, [email protected]
Wed Dec 22 07:22:20 2021 VERIFY OK: depth=1, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=Mullvad Intermediate CA v4, [email protected]
Wed Dec 22 07:22:20 2021 VERIFY KU OK
Wed Dec 22 07:22:20 2021 Validating certificate extended key usage
Wed Dec 22 07:22:20 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Dec 22 07:22:20 2021 VERIFY EKU OK
Wed Dec 22 07:22:20 2021 VERIFY OK: depth=0, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=md-kiv-001.mullvad.net, [email protected]
Wed Dec 22 07:22:20 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Wed Dec 22 07:22:20 2021 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Wed Dec 22 07:22:20 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 4096 bit RSA
Wed Dec 22 07:22:20 2021 [md-kiv-001.mullvad.net] Peer Connection Initiated with [AF_INET]178.175.142.194:53
Wed Dec 22 07:22:21 2021 SENT CONTROL [md-kiv-001.mullvad.net]: 'PUSH_REQUEST' (status=1)
Wed Dec 22 07:22:26 2021 SENT CONTROL [md-kiv-001.mullvad.net]: 'PUSH_REQUEST' (status=1)
Wed Dec 22 07:22:26 2021 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.7.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,comp-lzo no,route-gateway 10.7.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 fdda:d0d0:cafe:53::1001/64 fdda:d0d0:cafe:53::,ifconfig 10.7.0.3 255.255.0.0,peer-id 1,cipher AES-256-GCM'
Wed Dec 22 07:22:26 2021 Pushed option removed by filter: 'route-ipv6 0000::/2'
Wed Dec 22 07:22:26 2021 Pushed option removed by filter: 'route-ipv6 4000::/2'
Wed Dec 22 07:22:26 2021 Pushed option removed by filter: 'route-ipv6 8000::/2'
Wed Dec 22 07:22:26 2021 Pushed option removed by filter: 'route-ipv6 C000::/2'
Wed Dec 22 07:22:26 2021 Pushed option removed by filter: 'ifconfig-ipv6 fdda:d0d0:cafe:53::1001/64 fdda:d0d0:cafe:53::'
Wed Dec 22 07:22:26 2021 OPTIONS IMPORT: compression parms modified
Wed Dec 22 07:22:26 2021 OPTIONS IMPORT: --socket-flags option modified
Wed Dec 22 07:22:26 2021 NOTE: setsockopt TCP_NODELAY=1 failed
Wed Dec 22 07:22:26 2021 OPTIONS IMPORT: --ifconfig/up options modified
Wed Dec 22 07:22:26 2021 OPTIONS IMPORT: route options modified
Wed Dec 22 07:22:26 2021 OPTIONS IMPORT: route-related options modified
Wed Dec 22 07:22:26 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Dec 22 07:22:26 2021 OPTIONS IMPORT: peer-id set
Wed Dec 22 07:22:26 2021 OPTIONS IMPORT: adjusting link_mtu to 1624
Wed Dec 22 07:22:26 2021 OPTIONS IMPORT: data channel crypto options modified
Wed Dec 22 07:22:26 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Dec 22 07:22:26 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Dec 22 07:22:26 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Dec 22 07:22:26 2021 ROUTE_GATEWAY 10.0.3.1/255.255.255.0 IFACE=eth0 HWADDR=02:42:0a:00:03:02
Wed Dec 22 07:22:26 2021 TUN/TAP device tun0 opened
Wed Dec 22 07:22:26 2021 TUN/TAP TX queue length set to 100
Wed Dec 22 07:22:26 2021 /sbin/ip link set dev tun0 up mtu 1500
Wed Dec 22 07:22:26 2021 /sbin/ip addr add dev tun0 10.7.0.3/16 broadcast 10.7.255.255
Wed Dec 22 07:22:26 2021 /etc/openvpn/up.sh tun0 1500 1552 10.7.0.3 255.255.0.0 init
Wed Dec 22 07:22:26 2021 /sbin/ip route add 178.175.142.194/32 via 10.0.3.1
Wed Dec 22 07:22:26 2021 /sbin/ip route add 0.0.0.0/1 via 10.7.0.1
Wed Dec 22 07:22:26 2021 /sbin/ip route add 128.0.0.0/1 via 10.7.0.1
Wed Dec 22 07:22:26 2021 Initialization Sequence Completed
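The ipecho.net check in the question only tells you the end result; when it fails with busybox wget's "bad address" (which is a name-resolution failure, not a routing failure), the two things worth looking at from inside the container are where the default route now points and which interface the configured nameserver is reached through. The helper below is an added example, not part of the original post and not code from the yacht7/openvpn-client image. It is a pure-text longest-prefix matcher over `ip route` output, so it runs offline on constructed sample tables; the interface names (tun0, eth0), gateways (10.0.3.1, 10.7.0.1) and the VPN server address 178.175.142.194 are taken from the console log above, while the sample route tables and the sample resolv.conf are assumptions built from the routes and the PUSH_REPLY in that log.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post or the container image).
# Works purely on text: feed it `ip route` and /etc/resolv.conf from the
# container, or the constructed samples below.

# Constructed `ip route` output after OpenVPN applied 'redirect-gateway def1':
# both /1 halves of the Internet go via tun0, the VPN server stays on eth0.
SAMPLE_ROUTES='default via 10.0.3.1 dev eth0
0.0.0.0/1 via 10.7.0.1 dev tun0
10.0.3.0/24 dev eth0 scope link src 10.0.3.2
10.7.0.0/16 dev tun0 scope link src 10.7.0.3
128.0.0.0/1 via 10.7.0.1 dev tun0
178.175.142.194 via 10.0.3.1 dev eth0
192.168.178.0/24 via 10.0.3.1 dev eth0'

# Constructed table as it looks before the tunnel is up: everything via eth0.
SAMPLE_ROUTES_NOVPN='default via 10.0.3.1 dev eth0
10.0.3.0/24 dev eth0 scope link src 10.0.3.2'

# Constructed resolv.conf: Docker copies the host resolver (the LAN router),
# not the 10.7.0.1 resolver that the VPN server pushed in PUSH_REPLY.
SAMPLE_RESOLV='nameserver 192.168.178.1'

# Dotted-quad IPv4 -> 32-bit integer, pure POSIX sh arithmetic.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies inside prefix $2 ("10.7.0.0/16" or a bare host).
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    if [ "$bits" = "$2" ]; then bits=32; fi
    if [ "$bits" -eq 0 ]; then return 0; fi
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Longest-prefix match over an `ip route` table ($2): print the 'dev' that
# carries traffic to destination $1, or nothing if no route matches.
route_dev_for() {
    dst=$1; best=-1; bestdev=
    while read -r prefix rest; do
        [ -n "$prefix" ] || continue
        if [ "$prefix" = default ]; then prefix=0.0.0.0/0; fi
        len=${prefix#*/}
        if [ "$len" = "$prefix" ]; then len=32; fi
        dev=${rest##*dev }; dev=${dev%% *}
        if in_cidr "$dst" "$prefix" && [ "$len" -gt "$best" ]; then
            best=$len; bestdev=$dev
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$bestdev"
}

# Return 0 when the table looks like a healthy def1 setup: both halves of the
# Internet leave via the tunnel ($2) while the VPN server ($3) is still reached
# via the real gateway (otherwise the tunnel would route its own packets).
vpn_routing_ok() {
    tbl=$1; tun=$2; server=$3
    [ "$(route_dev_for 1.1.1.1 "$tbl")" = "$tun" ] &&
    [ "$(route_dev_for 200.1.1.1 "$tbl")" = "$tun" ] &&
    [ "$(route_dev_for "$server" "$tbl")" != "$tun" ]
}

# Print "<nameserver> <dev>" for each resolver in a resolv.conf text ($1),
# so you can see whether DNS goes through the tunnel or out the Docker bridge.
resolver_dev() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }' | while read -r ns; do
        printf '%s %s\n' "$ns" "$(route_dev_for "$ns" "$2")"
    done
}

# Stand-alone report. Inside the real container run:
#   report "$(ip route)" "$(cat /etc/resolv.conf)" tun0 178.175.142.194
report() {
    tbl=$1; resolv=$2; tun=$3; server=$4
    for dst in 8.8.8.8 "$server" 192.168.178.1; do
        printf '%-16s -> %s\n' "$dst" "$(route_dev_for "$dst" "$tbl")"
    done
    printf 'resolvers:\n'; resolver_dev "$resolv" "$tbl" | sed 's/^/  /'
    if vpn_routing_ok "$tbl" "$tun" "$server"; then
        echo "def1 routing via $tun: OK"
    else
        echo "def1 routing via $tun: NOT in place, traffic would bypass the VPN"
    fi
}
report "$SAMPLE_ROUTES" "$SAMPLE_RESOLV" tun0 178.175.142.194
```

On the constructed sample the report shows 8.8.8.8 leaving via tun0, the VPN server and the LAN router via eth0, and the resolver 192.168.178.1 reached via eth0 rather than through the tunnel; comparing that output with the kill-switch rules printed at container start (tunnel, loopback, Docker network and whitelisted subnets allowed, everything else dropped) tells you which path a failing lookup or ping is actually taking. The image already ships /sbin/ip (it appears in the log), so the script needs nothing that wget or curl would.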