Route Traffic from One Docker Container Through a VPN – How to Guide

Tags: docker, docker-compose, openvpn, routing

I need to understand how to make two docker containers work with a scenario like this:

There is a branch office with a router and a client. The network is 192.168.190.0/24 and the addresses are 1 and 57.

Somewhere else there is a VM facing the internet with public IP X.Y.Z.K and the docker environment installed on top.
Inside there are two containers. The first one is a web server facing only a private network, with address 192.168.80.2. The other container has a connection on the private network with address 192.168.80.44 and exposes its port 1194 on the other network interface to the public IP.

I need to be able to make 192.168.190.57 open the pages on 192.168.80.2.

The VPN part works fine (the router connects and is pingable from the client) and I don't need help on that.

This is a mockup for my docker-compose file.

version: '2'
services:

  openvpn:
    image: mycompany/openvpn
    restart: 'always'
    cap_add:
      - NET_ADMIN
    ports:
      - '1194:1194/udp'
    networks:
      nat:
      private_net:
        ipv4_address: '192.168.80.44'

  coredns:
    image: 'nginx'
    restart: 'always'
    links:
      - openvpn:private_net_vpn
    networks:
      private_net:
        ipv4_address: '192.168.80.2'

networks:
  private_net:
    internal: true
    ipam:
      config:
        - subnet: '192.168.80.0/24'
  nat:

Diagram: scenario described before.

Best Answer

At the end I discovered the issue.

By default, if you define a network with internal: true, some iptables rules are enacted that block all the containers on the LAN segment from getting out of it.

At the beginning I thought it was just the route from, let's say, 192.168.80.2 to 192.168.80.1 (the IP assigned to the host machine for that LAN segment) and then to the internet. Reading carefully through all the iptables rules, I found that forwarding is also disabled.

Removing the internal: true allowed the container to route through the VPN as expected, at the cost of allowing the web server to access the public internet directly.
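As an added example (not part of the original question or answer), the following shell check reads `iptables -S` output and reports whether Docker's internal-network isolation rules, the ones the answer found to disable forwarding, are in place for the compose subnet. The chain name (DOCKER-ISOLATION-STAGE-1 on newer engines, DOCKER-ISOLATION on older ones) and the bridge name in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Detects whether Docker's
# "internal: true" isolation rules block forwarding for a given subnet.
# Assumption: rules live in a chain named DOCKER-ISOLATION* (STAGE-1 on
# newer engines, plain DOCKER-ISOLATION on older ones); the bridge name
# br-0a1b2c3d4e5f is constructed.

# Constructed sample of `iptables -S` output on a host where private_net
# (192.168.80.0/24) is declared internal: true.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-ISOLATION-STAGE-1 ! -s 192.168.80.0/24 -o br-0a1b2c3d4e5f -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d 192.168.80.0/24 -i br-0a1b2c3d4e5f -j DROP
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN'

# Reads iptables rules from stdin and prints:
#   isolated   - traffic both into and out of the subnet's bridge is dropped
#   forwarding - no isolation rule for the subnet (e.g. internal: true removed)
#   partial    - only one direction is dropped (unexpected; inspect by hand)
check_internal_isolation() {
  subnet="$1"
  out=0; in=0
  while IFS= read -r rule; do
    case "$rule" in
      *"-A DOCKER-ISOLATION"*"! -s $subnet"*"-j DROP"*) out=1 ;;
      *"-A DOCKER-ISOLATION"*"! -d $subnet"*"-j DROP"*) in=1 ;;
    esac
  done
  if [ "$out" = 1 ] && [ "$in" = 1 ]; then echo isolated
  elif [ "$out" = 0 ] && [ "$in" = 0 ]; then echo forwarding
  else echo partial; fi
}

# On a live host: sudo iptables -S | check_internal_isolation 192.168.80.0/24
printf '%s\n' "$SAMPLE_RULES" | check_internal_isolation 192.168.80.0/24
```

Seeing "forwarding" after dropping internal: true is the state the answer ends in; it also means the web server now has a path to the internet through the host, which is the trade-off the answer notes.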
