Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to connect to hosts through VPN #1803

Closed
alexschultz opened this issue Jun 30, 2017 · 8 comments

Comments

@alexschultz
Copy link

commented Jun 30, 2017

Expected behavior

Should be able to access hosts accross vpn

Actual behavior

DNS resolves IP address, but is not able to connect

Information

just upgraded to docker for mac ce Version 17.06.0-ce-mac18 (18433). I have a compose file with many containers that connect over a VPN. The problem I am having is that I can resolve hostnames over the VPN to an IP address, but when I actually make a request to the host I am trying to hit, it gives me a response from a totally different (invalid) IP address. I know DNS is resolving the host because when I ping the host, it shows the correct IP address but the response is supposedly coming from something else

PING example.host.com (192.168.65.174) 56(84) bytes of data.
From something-else.host.com (192.168.65.2) icmp_seq=1 Destination Host Unreachable
From something-else.host.com (192.168.65.2) icmp_seq=2 Destination Host Unreachable
From something-else.host.com (192.168.65.2) icmp_seq=3 Destination Host Unreachable’

[OK] db.git
[OK] vmnetd
[OK] dns
[OK] driver.amd64-linux
[OK] virtualization VT-X
[OK] app
[OK] moby
[OK] system
[OK] moby-syslog
[OK] db
[OK] env
[OK] virtualization kern.hv_support
[OK] slirp
[OK] osxfs
[OK] moby-console
[OK] logs
[OK] docker-cli
[OK] menubar
[OK] disk

9848A4C6-554E-4390-91CC-2E179F94C995

Steps to reproduce the behavior

  1. start container on host with vpn configured for another network
  2. ping host in remote network
@djs55

This comment has been minimized.

Copy link
Contributor

commented Jun 30, 2017

Thanks for your report.

There seems to be a genuine clash between your environment's legitimate use of 192.168.65.x and the internal VM<->host use of 192.168.65.x. I believe it only manifests in 17.06 because we've reserved more IP addresses to use for additional clients.

For the record here are the 2 shell fragments we discussed for changing the internal IP addresses on community slack:

cd ~/Library/Containers/com.docker.docker/Data/database/
git reset --hard
mkdir -p com.docker.driver.amd64-linux/slirp
echo 192.168.63.2 > com.docker.driver.amd64-linux/slirp/docker
echo 192.168.63.1 > com.docker.driver.amd64-linux/slirp/host
git add com.docker.driver.amd64-linux/slirp/docker 
git add com.docker.driver.amd64-linux/slirp/host
git commit -s -m 'change ip'

and

cd ~/Library/Containers/com.docker.docker/Data/database/
git checkout state
echo 192.168.63.3 > com.docker.driver.amd64-linux/slirp/extra_dns 
echo -n 0 > com.docker.driver.amd64-linux/slirp/bridge-connections
git add com.docker.driver.amd64-linux/slirp/extra_dns 
git add com.docker.driver.amd64-linux/slirp/bridge-connections
git commit -m 'remove more IPs'

(I believe both are needed)

@djs55 djs55 self-assigned this Jun 30, 2017

@alexschultz

This comment has been minimized.

Copy link
Author

commented Jul 2, 2017

Thanks for the feedback. That fixed my issue and allowed me to connect over the VPN. Just curious, is this fix documented anywhere and what are the consequences of using this approach?

@djs55

This comment has been minimized.

Copy link
Contributor

commented Jul 2, 2017

@alexschultz thanks for the confirmation! This workaround isn't documented anywhere yet, but I'll try to write it up and make a PR here: https://github.com/docker/docker.github.io/blob/master/docker-for-mac/networking.md which will be published https://docs.docker.com/docker-for-mac/networking/

The only consequence is that it breaks a new feature of the networking component that you probably aren't using. If you are developing with https://github.com/linuxkit/linuxkit then you can type linuxkit run <OS image> and the LinuxKit image will boot and connect to the same network that Docker for Mac is using. With this workaround enabled, LinuxKit won't be able to get an IP address by DHCP.

There are 2 code changes I'd like to make

  1. the ability to change the range of IP addresses handed out by the DHCP server -- this is hardcoded at the moment
  2. perhaps a UI-based mechanism (or a config file?) to change the network range -- something a bit easier than the script full of git commands

djs55 added a commit to djs55/vpnkit that referenced this issue Jul 3, 2017

Dhcp: make the dynamic DHCP range configurable
When `bridge-connections` is enabled the server will reserve more IP
addresses for clients such as LinuxKit which connect to the vpnkit
network. Previously it was not possible to adjust fully the
range of addresses handed out, so if you had a clash you were out of
luck.

This patch plumbs through a new `slirp/highest-ip` setting so that
clashes can be worked around.

Related to [docker/for-mac#1803]

Signed-off-by: David Scott <dave.scott@docker.com>

djs55 added a commit to djs55/docker.github.io that referenced this issue Jul 3, 2017

Mac: explain how to avoid an IP address clash
The issue [docker/for-mac#1803] describes a situation where the internal
IP addresses used by Docker for Mac clashed with IP addresses in use on
the local environment. This problem became worse in 17.06 because we
expanded the number of IP addresses we reserved, making clashes more likely.

This patch describes how to work around a clash by changing the internal
IP addresses used by Docker for Mac.

Signed-off-by: David Scott <dave.scott@docker.com>
@djs55

This comment has been minimized.

Copy link
Contributor

commented Jul 14, 2017

FYI we've gone a step further and added a UI element to allow the network to be customised. It should be in the 17.07 edge release, due very soon.

@alexschultz

This comment has been minimized.

Copy link
Author

commented Jul 14, 2017

@djs55

This comment has been minimized.

Copy link
Contributor

commented Jan 18, 2018

Closing ticket as the option to customise the IP address range is available on both edge and stable branches in the preferences dialog:
screen shot 2018-01-09 at 11 01 53

Thanks again for your report!

@DiegoGallegos4

This comment has been minimized.

Copy link

commented May 8, 2018

how to make the same configuration explained above in the UI?

@YRM64

This comment has been minimized.

Copy link

commented May 8, 2018

Alexschultz, legitimate concerns, and djs55 excellent response in addressing alexschulttz's concerns.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.