Allow bridged or NAT networking as an optional alternative to host-only network #213
Comments
|
Can confirm this. I'm in the process of introducing docker into the company. The majority are using a MacBook Pro/Air with Cisco AnyConnect VPN. Is there any solution for this problem? |
|
we stopped using the NAT port forwarding because it gave us reliability issues. but we will need to find a solution to this, yes. |
|
This was an issue for me as well, so I looked around and found a workaround, at least. In a nutshell - anyconnect's default firewall rules on OS X don't know about vboxnet0 and don't allow it. For my install, the last few lines of the firewall looked like: 00060 skipto 65535 ip from 10.102.13.173 to 255.255.255.255 via utun0 out And I did the following to fix it: sudo ipfw delete 00061 Obviously, the exact fw line numbers and IP/network will depend on the local network config and how boot2docker was set up by the user. It's also worth noting that because this bollixes up boot2docker, you need to do your initial boot2docker init without being attached to the VPN. Making a script to do this automatically wouldn't be heinously hard, but it would be nice to have this built-in; I'm just not sure how to make it happen after the VPN is up (which is obviously when you'd need to modify the ipfw rules). Credit to this page http://www.petefreitag.com/item/753.cfm - where I just noticed there's some work in the comments to make just such a script. |
|
Also have this issue, and would love some support in this area. |
|
@knownasilya I'd start with the fix outlined in @bortels comment above... |
|
@SvenDowideit Tried but Yosemite is different and so far I've not figured out where the firewall record is and how to change it.. Looks like it's |
|
@knownasilya Did you ever find out how the firewall actually works? No matter what I try, |
|
I had to update AnyConnect. Then I was able to use the network as long as it was created while not on the VPN. So for me that was:
but for boot2docker that last step may be superfluous |
|
Just to throw this out there: OpenConnect has been updated to work with Mavericks and Yosemite and works flawlessly with our ASAs for access. Bonus: it doesn't mess with pfctl so boot2docker works just fine without any futzing around. |
|
Fwiw - openconnect was where I finally landed. Unfortunately, in many
|
|
Does anybody know how to fix it with Yosemite + Cisco Anyconnect? I stuck in here. Too many discussion I found but haven't found any suggestion works. The "ipfw" is removed from Yosemite now. Thanks a lot. |
|
Use openconnect if you can. brew cask install tuntap # needs homebrew cask
|
|
Setting up port forwarding in Virtual Box worked for me, as described here: boot2docker/boot2docker#628 (comment) (thanks @johnnyt) export DOCKER_HOST=tcp://127.0.0.1:2376 |
|
openconnect is awesome: $ brew install openconnect
$ sudo openconnect --user={username} {vpn-hostname} |
|
Sorry, this repository is long-since deprecated in favor of Docker Toolbox (whose usage is now also discouraged in favor of Docker for Windows and Docker for Mac). |
The host-only network that boot2docker exposes (via vbox) is not compatible with the Cisco Anyconnect VPN client. The VPN client (when running in split-tunnel mode) automatically adds firewall rules (at least on MacOS it does). The firewall rules block all network traffic except the whitelisted hosts on the VPN network, and the public internet over the en* ports. In effect, all network traffic via vboxnet0 is firewalled off.
If boot2docker made bridged or NAT networking available as an alternative to host-only networking, then Cisco AnyConnect VPN users could access their boot2docker hosts.
I realise that this opens a potential security hole, however I believe the impact is low because it would typically only be used by Cisco VPN users. The alternative is having no docker, which I think is worse.
The text was updated successfully, but these errors were encountered: