Windows containers have no internet access, but Linux containers do - with VPN-Client active on host [closed]
I have a Stonesoft VPN-Client and Docker-for-Windows installed on my host machine. My Windows containers seem to fail to resolve any host (even www.google.com). My Linux containers, however, work perfectly fine. When I disable the VPN adapter in my network adapter list, the Windows containers can access the internet again. But I need them to work with the VPN active.

So I researched for quite a while and tried the following:

  1. Check the adapter priorities in PowerShell: Get-NetIPInterface -AddressFamily IPv4 | Sort-Object -Property InterfaceMetric -Descending

     (screenshot)

     It was said that the primary adapter should have the lowest metric value, which is Ethernet in my case, and that seems fine. https://github.com/docker/for-win/issues/2760

  2. Run the image with the --dns=8.8.8.8 flag. Did not solve the issue.

  3. I went into the Virtual Switch settings of the Hyper-V Manager. I set the switch called 'nat' to 'external network'. Well, my containers got an internet connection after that, but it automatically disabled the VPN adapter, so that's not right.

  4. Setting the IPv4 address and DNS of vEthernet(nat) to automatic. Also did not help.

  5. Reinstalling Container Tools, Hyper-V and Docker. No success.

  6. Trying older versions of Docker-for-Windows. No success.

Here is some information about my environment:

My network adapters: (screenshot)

My Docker settings are default. (screenshots)

Hyper-V virtual switches: (screenshot)

vEthernet(nat) IPv4 settings: (screenshot)

vEthernet(DockerNAT) IPv4 settings: (screenshot)

vEthernet(Default Switch) IPv4 settings: (screenshot)

ipconfig /all on my host: (screenshots)

I hope this helps and someone can answer this question. It has been bothering me for quite a while now.

EDIT:

Since there was no actual question in there:

How do I solve this problem?

Cohort answered 28/5, 2019 at 12:4 Comment(1)
Got exactly the same problem with another VPN software (Check Point Endpoint Security). - Built
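As an added diagnostic (not part of the original question or of Docker's own tooling), the PowerShell below reproduces the metric check from step 1 and adds the comparisons that separate "DNS is broken" from "the container's traffic leaves through the wrong adapter": which interface currently owns the host's default route, which DNS servers each host interface uses, and whether a container on the default network can resolve the same name the host can. The image name and the network name 'nat' are assumptions; the host interface names are whatever your machine reports.

```powershell
# Added diagnostic script; not from the original post.
# Assumptions: Docker is in Windows-container mode, the default network is 'nat',
# and the Server Core image below can be pulled (nslookup.exe is present in it).
$ErrorActionPreference = 'Stop'
$Image = 'mcr.microsoft.com/windows/servercore:ltsc2019'   # assumed test image
$Name  = 'www.google.com'

Write-Host "== IPv4 interfaces by metric (lowest = preferred, as in step 1) =="
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object ConnectionState -eq 'Connected' |
    Sort-Object InterfaceMetric |
    Format-Table InterfaceAlias, InterfaceMetric, Dhcp, NlMtu -AutoSize

Write-Host "== Default routes (0.0.0.0/0) and the adapter that owns them =="
$defaults = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Sort-Object RouteMetric, InterfaceMetric
$defaults | Format-Table InterfaceAlias, NextHop, RouteMetric, InterfaceMetric -AutoSize

# Container traffic is NATed by the host and then follows the host routing table.
# If a VPN adapter wins the default route, that NATed traffic enters the tunnel
# and is subject to the VPN client's policy, whatever the adapter metrics say.
if ($defaults) {
    Write-Host ("Preferred default route leaves via: " + $defaults[0].InterfaceAlias)
}

Write-Host "== DNS servers per interface (host) =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

Write-Host "== Name resolution from the host =="
Resolve-DnsName -Name $Name -Type A | Format-Table Name, IPAddress -AutoSize

Write-Host "== Name resolution from a Windows container on the 'nat' network =="
# A failure here while the host lookup above works points at the container's
# path out of the host (NAT vEthernet -> host routing -> VPN), not at DNS itself.
docker run --rm --network nat $Image cmd /c "ipconfig /all & nslookup $Name"

Write-Host "== Same lookup with an explicit resolver (step 2 of the post) =="
# If this also fails, the resolver address is not the problem: UDP/53 from the
# container is not reaching the internet at all.
docker run --rm --network nat --dns 8.8.8.8 $Image cmd /c "nslookup $Name 8.8.8.8"
```

Run it from an elevated PowerShell on the host, once with the VPN adapter enabled and once with it disabled, and diff the two outputs; the default-route owner and the container's nslookup result are the lines that should differ.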

I just figured this out:

1). Follow: https://docs.docker.com/machine/drivers/hyper-v/#example

2). Start Hyper-V (you may need to enable it): https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v

3). Then in Hyper-V create an external virtual switch. Select your Wi-Fi adapter. (Should work with the VPN on or off.)

4). Reboot.

5). Start the container and attach it to the new network.

docker network ls
docker network connect "John Windows Container Switch" win1809
docker network inspect "John Windows Container Switch"

shows:

        "Containers": {
            "b8c4ae07761fdf082602f836654013b8d83a717cce9156880a80c7542d855842": {
                "Name": "win1809",
                "EndpointID": "e84652fc93fd1fa2970c3bdcad513d8928fc35823a9f8cf0e638926b6091a60c",
                "MacAddress": "00:15:5d:fb:77:dd",
                "IPv4Address": "",
                "IPv6Address": ""

6). docker exec -it win1809 powershell

ping www.google.com

Pinging www.google.com [172.217.10.36] with 32 bytes of data:
Reply from 172.217.10.36: bytes=32 time=19ms TTL=118
Reply from 172.217.10.36: bytes=32 time=18ms TTL=118
Reply from 172.217.10.36: bytes=32 time=18ms TTL=118
Reply from 172.217.10.36: bytes=32 time=14ms TTL=118
Victor answered 23/9, 2020 at 13:14 Comment(1)
Are you able to access your local network or the VPN network with this configuration? In case I use a similar configuration with Hyper-V for a Windows VM, I'm able to access my local network. - Ulla
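The same external-switch setup as in the answer above, done from PowerShell instead of Hyper-V Manager and with checks before and after; this is an added example, not the answer author's commands. It assumes the physical adapter is named 'Wi-Fi', the container is named 'win1809', and, as the answer's docker network ls output shows, that Docker lists the new external vSwitch as a network under the switch's own name.

```powershell
# Added example; not from the original answer.
# Assumptions: adapter 'Wi-Fi' is the physical NIC (check with Get-NetAdapter),
# container 'win1809' is already running, Docker is in Windows-container mode.
$ErrorActionPreference = 'Stop'
$SwitchName  = 'John Windows Container Switch'
$AdapterName = 'Wi-Fi'       # assumption: replace with your physical adapter's Name
$Container   = 'win1809'

# Bind only to a physical NIC that is up; binding an external switch to a
# vEthernet or to the VPN adapter itself is the usual way to lose connectivity.
$adapter = Get-NetAdapter -Name $AdapterName
if ($adapter.Virtual)          { throw "$AdapterName is a virtual adapter; use the physical NIC." }
if ($adapter.Status -ne 'Up')  { throw "$AdapterName is not up." }

# External switch bridged to the NIC. -AllowManagementOS $true keeps the host on
# the same NIC (Hyper-V moves the host's IP onto a new vEthernet adapter).
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -NetAdapterName $adapter.Name -AllowManagementOS $true | Out-Null
}

# Creating the switch re-plumbs the NIC. The question reports the VPN adapter
# being disabled by exactly this step, so check it is still there and up.
Get-NetAdapter |
    Where-Object InterfaceDescription -match 'VPN|Stonesoft|Check Point|AnyConnect' |
    Format-Table Name, InterfaceDescription, Status -AutoSize

# Docker should now list the switch as a network; attach the container to it.
docker network ls
docker network connect $SwitchName $Container
docker network inspect $SwitchName

# On an external (transparent) network the container gets its address from the
# LAN's DHCP server, which is why IPv4Address is empty in 'docker network inspect'.
# Ask the container itself, then repeat the answer's reachability test.
docker exec $Container ipconfig
docker exec $Container ping -n 2 www.google.com
```

Two caveats before using this in anything but a lab: a container on an external switch is a Layer-2 peer of the host on the LAN with a real address, so it is no longer behind the NAT and its ports are exposed without -p; and the ping only proves plain internet reachability, not that the container can reach VPN-side resources, which is the question raised in the comment above.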

I assume you also have an issue reaching your host machine from your local network (home network) in case you are connected to the VPN (office network). You can check with the route print command on the Docker host; you may see a line similar to the following:

172.23.58.112 255.255.255.240 10.141.192.1 10.141.239.232 2

The above is related to the VPN configuration. There is a possibility to configure the VPN with split tunneling. That would allow network traffic not only to the office network, but for security reasons it is often prohibited.

I'm now on Windows 10 build 1803 and Docker 2.3.0.3 (45519)

If that is the case, we can do nothing, I'm afraid: Windows containers are connected using Hyper-V's virtual switch, and in my case AnyConnect is corporate-configured and prohibits any network communication outside the corporate network.

Interestingly, Linux containers work differently. AFAIK the network layer is now under Linux and the kernel has a direct Docker host connection. With Linux containers I have no trouble issuing ping host.docker.internal.

But I hope I'm wrong and someone tells different :)

Can you please send the result of the route print command from the host and from the container too, in order to verify my hypothesis!

Quote:

Windows Container Networking

The container host uses a Hyper-V virtual switch to provide this connectivity to the containers and connects the containers to the virtual switch (vSwitch) using either a Host virtual NIC (Windows Server Containers) or a Synthetic VM NIC (Hyper-V Containers). Compare this with Linux containers which use a bridge device instead of the Hyper-V Virtual Switch and veth pairs instead of vNICs / vmNICs to provide this basic Layer-2 (Ethernet) connectivity to the containers themselves. The Hyper-V virtual switch alone does not allow network services running in a container to be accessible from the outside world, however. We also need Layer-3 (IP) connectivity to correctly route packets to their intended destination.

Linux containers (works with VPN):

Going Behind The Scenes of Docker Networking

docker0 is a virtual bridge interface created by Docker. It randomly chooses an address and subnet from a private defined range. All the Docker containers are connected to this bridge and use the NAT rules created by docker to communicate with the outside world. Remember the “channels” I mentioned above? Well, these channels are actually a veth “tunnel” (a bi-directional connection between each container namespace and the docker0 bridge).

Some more interesting stuff:

Hyper-V has support for something called integration services.

In order to use Hyper-V sockets, the application must be registered with the Hyper-V host's registry.

By registering the service in the registry, you get:

  • WMI management for enable, disable, and listing available services
  • Permission to communicate with virtual machines directly.

Registry location and information:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\GuestCommunicationServices\

On my system this registry region contains the following entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\GuestCommunicationServices\000007CF-FACB-11E6-BD58-64006A7986D3]
"ElementName"="Docker VPNKit Bridge"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\GuestCommunicationServices\00001003-FACB-11E6-BD58-64006A7986D3]
"ElementName"="Docker fileserver"

One site I found related to this topic is this site: https://qiita.com/kikuchi_kentaro/items/29dd46ea8d0fda6e7f02#hyper-v-socket

There are some more like the following, but I'm not sure which one exactly is used by Docker for Desktop:

Based on that I assume that Docker uses some sort of tunneling proxy in the local host network space that is tunneled over the integration service of Hyper-V to LinuxKit. One endpoint is VPNKit (Windows user space), the other endpoint is the eth0 connected to the docker0 virtual bridge (LinuxKit). That is why the Linux container is not affected by the VPN.

Note: VPN-Kit still works for Linux containers even with WSL2.

Ulla answered 15/6, 2020 at 11:46 Comment(0)
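The route comparison and the registry lookup the answer above describes, collected in one script; this is an added example, not the answer author's own commands. It reads the host's IPv4 routes to decide whether the VPN is a full tunnel (the VPN adapter owns a default route) or a split tunnel (only specific prefixes, like the 172.23.58.112/28 line in the answer, go to the VPN), prints the container's own route table for the side-by-side the answer asks for, and lists the Hyper-V socket services under the GuestCommunicationServices key. The container name 'win1809' and the adapter-name pattern used to recognise the VPN adapter are assumptions.

```powershell
# Added example; not from the original answer.
# Assumptions: Windows-container mode, a running container named 'win1809',
# and a VPN adapter whose description matches $VpnPattern.
$ErrorActionPreference = 'Stop'
$Container  = 'win1809'                                  # assumption
$VpnPattern = 'VPN|Stonesoft|Check Point|AnyConnect'     # assumption: adapt to your client

# --- Host: which routes go through the VPN adapter, and is one of them a default? ---
$vpnAliases = @(Get-NetAdapter |
    Where-Object InterfaceDescription -match $VpnPattern |
    Select-Object -ExpandProperty InterfaceAlias)

# Some clients do not replace 0.0.0.0/0 but add 0.0.0.0/1 + 128.0.0.0/1, which
# together cover every address and beat the real default by prefix length.
$defaultLike = @('0.0.0.0/0', '0.0.0.0/1', '128.0.0.0/1')

$hostRoutes = Get-NetRoute -AddressFamily IPv4 | Sort-Object RouteMetric, InterfaceMetric
$vpnRoutes  = $hostRoutes | Where-Object { $vpnAliases -contains $_.InterfaceAlias }

Write-Host "== Host routes through the VPN adapter(s) =="
$vpnRoutes | Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric -AutoSize

$vpnDefault = $vpnRoutes | Where-Object { $defaultLike -contains $_.DestinationPrefix }
if (-not $vpnAliases) {
    Write-Host "No VPN adapter matched '$VpnPattern'; adjust the pattern."
} elseif ($vpnDefault) {
    # Host-NATed container traffic follows the host table, so it enters the tunnel too.
    Write-Host "Full tunnel: the VPN adapter carries a default route; container traffic is forced into it."
} else {
    Write-Host "Split tunnel: only specific prefixes go to the VPN; internet traffic should use the physical adapter."
}

# --- Container: the same table as seen from inside, for a side-by-side diff ---
Write-Host "== Routes as seen by the container (route print -4) =="
docker exec $Container route print -4

# --- Host: Hyper-V socket services registered for guest communication ---
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\GuestCommunicationServices'
Write-Host "== Hyper-V socket services under GuestCommunicationServices =="
Get-ChildItem -Path $key | ForEach-Object {
    [pscustomobject]@{
        ServiceGuid = $_.PSChildName            # the GUID subkey name
        ElementName = $_.GetValue('ElementName') # e.g. "Docker VPNKit Bridge" on the answer's host
    }
} | Sort-Object ElementName | Format-Table -AutoSize
```

The container's route table will only ever show the NAT subnet and its gateway on the vEthernet(nat) side; the interesting part is the host table, because that is where the NATed packets are routed after they leave the container, and that is the table the VPN client rewrites.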

© 2022 - 2024 — McMap. All rights reserved.