Possible to prevent internet access if vpn goes down? #4

Closed
henry74 opened this issue Jul 22, 2015 · 7 comments
henry74 commented Jul 22, 2015

I'd like to prevent linked containers from using the internet if the vpn tunnel goes down. Is this possible?

dperson (Owner) commented Jul 22, 2015

Good idea.

I've added an -f option to the script now. It's not in the README.md yet, because I haven't really had a chance to test it to make sure it doesn't break things. It will set up iptables rules that should do the right thing.

iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o tap0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -j DROP

If you test it out before I have a chance, please let me know your results.

henry74 (Author) commented Jul 22, 2015 via email

dperson (Owner) commented Jul 22, 2015

Yes, as an argument after the container you're running, i.e.:

docker run --cap-add=NET_ADMIN --device /dev/net/tun -d dperson/openvpn -v "vpn.server.name;username;password" -f

Alternatively, you can connect to a running container, with exec and run it that way:

docker exec <container_name> openvpn.sh -f iptables -S

The final command will just have it show the updated iptables rules in the container; it's not needed.

dperson (Owner) commented Jul 27, 2015

I got around to testing it this weekend, and it reaches the "works for me" milestone. I'm going to close this issue; let me know if you have problems. Thanks.

@dperson dperson closed this as completed Jul 27, 2015
@dperson dperson self-assigned this Jan 5, 2016
dmp1ce commented Jan 16, 2016

How would you test this? I tried docker exec into the openvpn client, then I killed the openvpn process, but that kills the connection for transmission even if I don't run openvpn with the -f flag.

dperson (Owner) commented Jan 17, 2016

It was more for VPN disconnection issues. The openvpn process is PID 1 in the container; when it exits, the container shuts down. My testing was as indicated above. The firewall rules are quite strict. It allows only:

  • DNS queries
  • TCP connections to the default OpenVPN port
  • UDP connections to the default OpenVPN port
  • Connections over the lo (loopback) device, which are only to the host itself
  • Connections over the tun0 and tap0 devices which are managed by OpenVPN, and will only work when the VPN is connected.

If you wish to do further testing, you can start the container, without starting the VPN, but with the firewall running with the following:

docker run -it --rm --cap-add=NET_ADMIN --device /dev/net/tun -d dperson/openvpn -f bash

This will allow you to test the container with the firewall but without the VPN connected, which is the state you were asking about.
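The following check is an added example, not part of the dperson/openvpn-client project: it reads an `iptables -S OUTPUT` listing (constructed here from the -f rule set posted above, so it runs without iptables) and reports whether the chain has the kill-switch shape, plus which ACCEPT rules are keyed on a port rather than on lo/tun/tap and therefore still match on the non-VPN interface, as the "allows only" list above notes for DNS and the OpenVPN port.

```shell
#!/bin/sh
# Added example: verify the kill-switch shape of an OUTPUT chain listing.
# Not project code; assumes the -f rules from this thread were loaded.

# Constructed listing matching the -f rules shown above (policy ACCEPT, DROP as last rule).
WITH_F='-P OUTPUT ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tap0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -j DROP'

# Constructed listing for a container started without -f: default policy only, no rules.
WITHOUT_F='-P OUTPUT ACCEPT'

# killswitch_ok LISTING: exit 0 when the chain ends in an unconditional DROP (or the policy
# is DROP) and no earlier ACCEPT is blanket, i.e. names neither an interface, a state nor a port.
killswitch_ok() {
    printf '%s\n' "$1" | awk '
        /^-P OUTPUT DROP$/ { policy_drop = 1 }
        /^-A OUTPUT / {
            if ($0 ~ /-j ACCEPT$/ && $0 !~ /(-o |--ctstate |--dport )/) { blanket = 1 }
            last = $0
        }
        END {
            if (blanket) exit 1
            if (policy_drop || last == "-A OUTPUT -j DROP") exit 0
            exit 1
        }'
}

# leaky_rules LISTING: print ACCEPT rules matched on a port but not on an output interface.
# With the -f rules these are DNS (53) and the OpenVPN port (1194), reachable outside the tunnel.
leaky_rules() {
    printf '%s\n' "$1" | awk '/-j ACCEPT$/ && /--dport/ && !/-o /'
}

# Inside the container: killswitch_ok "$(iptables -S OUTPUT)" && echo "kill switch active"
```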

dmp1ce commented Jan 17, 2016

OK. The testing worked to my satisfaction. For anyone following along, I specifically wanted to test whether a container using the vpn network would be able to use the host network if, for whatever reason, the vpn didn't connect to openvpn correctly. If -f is not used, then the attached container will be able to ping out on the host network, even if openvpn is not connected. Using -f prevents this.

The results are probably obvious, but to test I ran the following commands:

$ # No firewall rules
$ docker run -d --name=vpn --cap-add=NET_ADMIN --device /dev/net/tun dperson/openvpn-client sleep 10; \
> docker run --rm -it --net=container:vpn dperson/transmission ping google.com; \
> docker stop vpn; docker rm vpn
4327a3d86a8b6a78b03319af1c4ba33e64dcd557ca2424132ac2ad044926295e
PING google.com (74.125.138.100): 56 data bytes
64 bytes from 74.125.138.100: icmp_seq=0 ttl=39 time=38.136 ms
64 bytes from 74.125.138.100: icmp_seq=1 ttl=39 time=41.862 ms
64 bytes from 74.125.138.100: icmp_seq=2 ttl=39 time=36.181 ms
64 bytes from 74.125.138.100: icmp_seq=3 ttl=39 time=39.436 ms
64 bytes from 74.125.138.100: icmp_seq=4 ttl=39 time=40.423 ms
64 bytes from 74.125.138.100: icmp_seq=5 ttl=39 time=36.521 ms
64 bytes from 74.125.138.100: icmp_seq=6 ttl=39 time=37.640 ms
64 bytes from 74.125.138.100: icmp_seq=7 ttl=39 time=40.015 ms
64 bytes from 74.125.138.100: icmp_seq=8 ttl=39 time=37.565 ms
64 bytes from 74.125.138.100: icmp_seq=9 ttl=39 time=41.376 ms
ping: sending packet: Network is unreachable
vpn
vpn

$ # With firewall rules
$ docker run -d --name=vpn --cap-add=NET_ADMIN --device /dev/net/tun dperson/openvpn-client  -f sleep 10; \
> docker run --rm -it --net=container:vpn dperson/transmission ping google.com; \
> docker stop vpn; docker rm vpn
4ed5acc1ee59eb3630da53ca27002b641576223aa441ff224338e9078010b55e
PING google.com (74.125.21.101): 56 data bytes
ping: sending packet: Operation not permitted
vpn
vpn

The moral of the story is use -f if it is critical that the container run through openvpn.
