Docker Desktop Windows and VPN - no network connection inside container
V

2

9

I'm trying to use Docker on Windows while being connected to VPN.

When VPN is not connected, everything works OK.

But when I connect to our corporate VPN using the Cisco AnyConnect client, the network inside the Docker container is not working anymore:

docker run alpine ping www.google.com
ping: bad address 'www.google.com'

docker run alpine ping -c 5 216.58.204.36
PING 216.58.204.36 (216.58.204.36): 56 data bytes
--- 216.58.204.36 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

How can I fix this issue and make it work?

My setup is:

  • Windows 10 Version 1809 (OS Build 17763.1098)
  • Docker Desktop Community 2.2.0.4 (43472): Engine 19.03.8, Compose 1.25.4, Kubernetes 1.15.5, Notary 0.6.1, Credential Helper 0.6.3
  • Docker is in Windows containers mode with experimental features enabled (needed to run Windows and Linux images at the same time)
Vermiculite answered 26/3, 2020 at 14:10 Comment(5)
Did you ever figure out the answer to this? I've been having a similar issue, been trying to test an application via my Docker Desktop but need it to connect to a database through VPN (also Cisco AnyConnect client). - Feminize
Unfortunately, no. But a Linux container in pure Linux mode worked fine with this setup, so I'm trying to migrate to Linux containers completely. - Vermiculite
Duplicate: #56342373? - Kendra
@kuga, yes, seems very similar. - Vermiculite
I have a similar problem. I'm using MySQL and Karaf containers, I'm connected to the VPN and created a network with my public IP, but the connection does not work since I'm not able to call any services. - Fellows
M
3

While my VPN (AnyConnect) was running, I had to run the following from PowerShell (admin mode):

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000
Marris answered 1/2, 2022 at 19:57 Comment(0)
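
A reversible way to apply the metric change from the answer above, as an added example that is not part of the original answer: it saves the adapter's current settings, shows how the default routes rank before and after, and can undo the change. The adapter match string and the value 6000 come from the answer; the backup path and the function names are assumptions made for this example.

```powershell
# Added example; run from an elevated PowerShell while the VPN is connected.
# Assumptions: the backup path and all function names are hypothetical choices.
$BackupPath = Join-Path $env:TEMP 'anyconnect-metric-backup.json'

function Get-VpnAdapter {
    $a = Get-NetAdapter | Where-Object { $_.InterfaceDescription -match 'Cisco AnyConnect' }
    if (-not $a) { throw 'No adapter matching "Cisco AnyConnect"; is the VPN connected?' }
    $a
}

# Default routes in preference order: the lowest route + interface metric wins.
function Show-DefaultRoutes {
    Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric,
            @{ n = 'Effective'; e = { $_.RouteMetric + $_.InterfaceMetric } } |
        Sort-Object Effective | Format-Table -AutoSize
}

function Set-VpnMetric([int]$Metric = 6000) {
    $vpn = Get-VpnAdapter
    # Keep the first backup only, so a second run does not save the modified value.
    if (-not (Test-Path $BackupPath)) {
        # Enums are stored as strings so they survive the JSON round trip.
        $vpn | Get-NetIPInterface | Select-Object InterfaceAlias, InterfaceMetric,
            @{ n = 'AddressFamily';   e = { "$($_.AddressFamily)" } },
            @{ n = 'AutomaticMetric'; e = { "$($_.AutomaticMetric)" } } |
            ConvertTo-Json | Set-Content -Path $BackupPath
    }
    $vpn | Set-NetIPInterface -InterfaceMetric $Metric
}

function Restore-VpnMetric {
    foreach ($row in (Get-Content $BackupPath -Raw | ConvertFrom-Json)) {
        $target = @{ InterfaceAlias = $row.InterfaceAlias; AddressFamily = $row.AddressFamily }
        if ($row.AutomaticMetric -eq 'Enabled') {
            Set-NetIPInterface @target -AutomaticMetric Enabled
        } else {
            Set-NetIPInterface @target -InterfaceMetric $row.InterfaceMetric
        }
    }
    Remove-Item $BackupPath
}

Show-DefaultRoutes          # before
Set-VpnMetric -Metric 6000  # the change from the answer
Show-DefaultRoutes          # after: check which interface now carries the default route
docker run --rm alpine ping -c 5 216.58.204.36   # the question's own connectivity test
# Restore-VpnMetric         # undo when finished
```

Comparing the two route listings shows whether host traffic that previously preferred the VPN adapter now leaves through another interface.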
C
0

Actually I did it using Docker Desktop and Hyper-V virtual machines. I used OpenConnect, but I think it can be done for most VPN clients with minor adaptations.

The fully explained instructions are here: Docker Desktop, Hyper-V and VPN with the settings for Docker containers, Windows VMs and Linux VMs

  • I created a new internal Virtual Switch (let's call it "Internal") and assigned to it a static IP address (let's say 192.168.4.2)

  • I created a new VM with Ubuntu server and OpenConnect, connected to both the default Virtual Switch and the "Internal"

  • On the OpenConnect VM

    • Assigned to "Internal" a fixed ip (192.168.4.3)

    • Added a new tun interface "persistent" telling openconnect to use that tun (adding the "-i tun0" parameter as openconnect start parameter)

      sudo ip tuntap add name tun0 mode tun

    • Installed the persist-iptables

    • Forced the ip forwarding

      echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf && sudo sysctl -p

    • Setup the routing

      sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
      sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
      sudo iptables -A FORWARD -o tun0 -j ACCEPT
      sudo iptables -A FORWARD -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      sudo iptables -A INPUT -i tun0 -j ACCEPT

    • After connecting the VPN, I permanently added the DNS servers to resolv.conf

    • And retrieved the class of addresses of the VPN (like 10...* )

  • On the Docker containers

    • Added on Dockerfile the basic route

      RUN route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.4.3

    • Then, when running the Docker file, I added the DNS, giving net admin and sys module permissions

      --dns 8.8.8.8 --dns 10.1.77.21 --dns 10.4.52.21 --dns-search test.dns.it
      --cap-add=NET_ADMIN --cap-add=SYS_MODULE

Cody answered 15/3, 2021 at 14:48 Comment(3)
IMHO using Hyper-V is not state-of-the-art anymore. The way to go is to use WSL2 on Windows, which Docker Desktop meanwhile uses by default. Can someone confirm or deny if Docker Desktop meanwhile solves the VPN issue with Cisco AnyConnect as claimed in the features? docs.docker.com/docker-for-windows/networking/#features - If not, this could be an option: github.com/sakai135/wsl-vpnkit - Galimatias
Actually with GlobalProtect 5.2.3 and WSL2, Docker Desktop works flawlessly, without any problem. But my new setup is based on openconnect on Docker with the various VPN services running in the same Docker network and accessed through a Docker OpenVPN server :P The reason was to do some DNS hijacking, etc. etc. - Cody
Hyper-V is still needed for Windows containers. - Alexina
