Some apps we have depend on being connected to our VPN to connect to different (not-yet dockerized)solutions.

What is the 'docker way' of doing this? In my mind adding OpenVPN to an existing image is against the docker philosophy.

From where I'm standing I feel that creating a docker VPN client container makes the most sense. But what would that look like? I use docker compose, so there would definitely be a

myContainer
- links: myVPNClient

but would I then have to forward ports? Or what would have to happen to enable myContainer to connect through the openVPN container.

Another option would be to ask Jess Frazelle (jfrazelle), who is in the habit of containerizing everything.

Sure enough, she has a jfrazelle/dockerfiles/openvpn project which exposes it directly to the host:

vpn:
  build: .
  volumes:
    - .:/etc/openvpn
  net: host
  devices:
    - /dev/net/tun:/dev/net/tun
  cap_add:
    - NET_ADMIN

It uses a TUN (not TAP) interface.

Probably the easiest solution would be to configure any containers that need the vpn to use the network namespace of the vpn container. That is, your docker-compose.yml would include something like:

vpn:
  image: myvpn_image

app1:
  image: app1_image
  net: container:vpn

With this configuration, the vpn container and the app1 container see the same network evironment.