Not able to access container connected to gluetun with macvlan network

[arpitgupta]

Running on Synology with macvlan nework with IP: 192.168.1.240. I have confirmed that the container using gluetun has the network setup and is connected to the vpn. However i am not able to access the UI. Is macvlan network supported? Or do i need to add custom ip table rules? Any pointers?

docker compose

services:
  gluetun:
    container_name: gluetun
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - "/dev/net/tun:/dev/net/tun"
    restart: unless-stopped
    volumes:
      - /volume1/docker/gluetun:/gluetun
    environment:
      TZ: 'America/Los_Angeles'
      VPNSP: 'mullvad'
      VPN_TYPE: 'wireguard'
      WIREGUARD_PRIVATE_KEY: 'xxx'
      WIREGUARD_ADDRESS: 'xxx'
      CITY: 'Gothenburg'
      OWNED: 'yes'
      FIREWALL_OUTBOUND_SUBNETS: '192.168.1.0/24'
      FIREWALL_DEBUG: 'on'
      LOG_LEVEL: 'debug'
   networks:
      macvlan:
        ipv4_address: 192.168.1.240
    ports:
      - "8080:8080/tcp"

service logs

2021/12/11 07:44:21 INFO routing: default route found: interface eth0, gateway 192.168.1.1
2021/12/11 07:44:21 INFO routing: local ethernet link found: eth0
2021/12/11 07:44:21 INFO routing: local ipnet found: 192.168.1.0/24
2021/12/11 07:44:21 INFO routing: default route found: interface eth0, gateway 192.168.1.1
2021/12/11 07:44:21 DEBUG routing: ip rule add from 192.168.1.240/32 lookup 200 pref 100
2021/12/11 07:44:21 INFO routing: adding route for 0.0.0.0/0
2021/12/11 07:44:21 DEBUG routing: ip route replace 0.0.0.0/0 via 192.168.1.1 dev eth0 table 200
2021/12/11 07:44:21 INFO firewall: firewall disabled, only updating allowed subnets internal list
2021/12/11 07:44:21 INFO routing: default route found: interface eth0, gateway 192.168.1.1
2021/12/11 07:44:21 INFO routing: adding route for 192.168.1.0/24
2021/12/11 07:44:21 DEBUG routing: ip route replace 192.168.1.0/24 via 192.168.1.1 dev eth0 table 199
2021/12/11 07:44:21 DEBUG routing: ip rule add to 192.168.1.0/24 lookup 199 pref 99
2021/12/11 07:44:21 INFO firewall: enabling...
2021/12/11 07:44:21 DEBUG firewall: iptables --policy INPUT DROP
2021/12/11 07:44:21 DEBUG firewall: iptables --policy OUTPUT DROP
2021/12/11 07:44:21 DEBUG firewall: iptables --policy FORWARD DROP
2021/12/11 07:44:21 DEBUG firewall: ip6tables --policy INPUT DROP
2021/12/11 07:44:21 DEBUG firewall: ip6tables --policy OUTPUT DROP
2021/12/11 07:44:21 DEBUG firewall: ip6tables --policy FORWARD DROP
2021/12/11 07:44:21 DEBUG firewall: iptables --append INPUT -i lo -j ACCEPT
2021/12/11 07:44:21 DEBUG firewall: ip6tables --append INPUT -i lo -j ACCEPT
2021/12/11 07:44:21 DEBUG firewall: iptables --append OUTPUT -o lo -j ACCEPT
2021/12/11 07:44:21 DEBUG firewall: ip6tables --append OUTPUT -o lo -j ACCEPT
2021/12/11 07:44:21 DEBUG firewall: iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2021/12/11 07:44:21 DEBUG firewall: ip6tables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2021/12/11 07:44:21 DEBUG firewall: iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2021/12/11 07:44:21 DEBUG firewall: ip6tables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2021/12/11 07:44:21 DEBUG firewall: iptables --append OUTPUT -o eth0 -s 192.168.1.240 -d 192.168.1.0/24 -j ACCEPT
2021/12/11 07:44:21 DEBUG firewall: iptables --append OUTPUT -o eth0 -s 192.168.1.240 -d 192.168.1.0/24 -j ACCEPT
2021/12/11 07:44:21 DEBUG firewall: iptables --append INPUT -i eth0 -d 192.168.1.0/24 -j ACCEPT
2021/12/11 07:44:21 INFO firewall: enabled successfully

ip tables info

docker exec gluetun sh -c 'iptables -nvL'
Chain INPUT (policy DROP 182 packets, 36205 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1990  142K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
18685   24M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   86 12129 ACCEPT     all  --  eth0   *       0.0.0.0/0            192.168.1.0/24      
    0     0 ACCEPT     tcp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:58247
    0     0 ACCEPT     udp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:58247
    0     0 ACCEPT     tcp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:54963
    0     0 ACCEPT     udp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:54963

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 7 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1990  142K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
12076 1142K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      eth0    192.168.1.240        192.168.1.0/24      
    0     0 ACCEPT     all  --  *      eth0    192.168.1.240        192.168.1.0/24      
    1   176 ACCEPT     udp  --  *      eth0    0.0.0.0/0            185.213.154.69       udp dpt:51820
   64  3848 ACCEPT     all  --  *      wg0     0.0.0.0/0            0.0.0.0/0           

ip route info

docker exec gluetun sh -c 'ip route show'
default via 192.168.1.1 dev eth0 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.240 

[qdm12]

I have no idea! Although what's your ui on 8080? Are you sure you have something running on that port?

If you do, then I don't know why it doesn't work. Maybe ask on Docker forums 🤔?

[arpitgupta]

Only if i knew more about iptables may be i could figure it out. I have another openvpn image where i am using the same setup where this is working. However even for that image the following change https://github.com/dperson/openvpn-client/pull/317/files caused the same issue for me, so then i just built a custom image from an older commit. I will see if i can figure out whats up.

[arpitgupta]

Some more info. Even with firewall off I see the same issue. I have confirmed there is a service running on the port as i did a curl call on that port from within the container and got data back. Now i need to debug why I cannot make that call from outside the container.

[qdm12]

That's strange. It's most likely due to how Docker handles 'network containers' with macvlan networks. Maybe try your luck on Docker forums. Please let me know of you manage to solve it, I'll add a section on the wiki page about it. Good luck!

[arpitgupta]

Ya i will reach out. What is interesting is that i have 4 other containers running via the same macvlan network without an issues. One of them is a openvpn container. So i think it might be a mix of system + docker image.

[arpitgupta]

Also confirmed works fine with bridge network. So this issue is specific to macvlan.

docker exec -it gluetun sh -c 'iptables -nvL'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  720 51197 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 7806   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   15   900 ACCEPT     all  --  eth0   *       0.0.0.0/0            172.19.0.0/16       
    0     0 ACCEPT     tcp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:58247
    0     0 ACCEPT     udp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:58247
    0     0 ACCEPT     tcp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:54963
    0     0 ACCEPT     udp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:54963

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  720 51197 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 4800 2252K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      eth0    172.19.0.2           172.19.0.0/16       
    9   540 ACCEPT     all  --  *      eth0    172.19.0.2           192.168.1.0/24      
    1   176 ACCEPT     udp  --  *      eth0    0.0.0.0/0            185.213.154.66       udp dpt:51820
   29  1748 ACCEPT     all  --  *      wg0     0.0.0.0/0            0.0.0.0/0    

[RobHofmann]

@arpitgupta did you ever find a solution to this? I'm running into the same issue!

[arpitgupta]

unfortunately not. I even posted in docker forums and no luck. Switched to bridge mode.

[RobHofmann]

Alright I have something working:

# Create normal network
docker network create -d macvlan --subnet=192.168.0.0/19 --ip-range=192.168.7.0/25 --gateway=192.168.0.1 --aux-address 'host=192.168.7.127' -o parent=ens160 eth1macvlan
# Create network which should be routed through the VPN
docker network create -d macvlan --subnet=192.168.0.0/19 --ip-range=192.168.7.128/25 --gateway=192.168.7.13 -o parent=ens192 eth1macvlanvpn

sysctl -w net.ipv4.ip_forward=1
docker run -d --name=vpn --network=eth1macvlan --ip=192.168.7.13 --cap-add=NET_ADMIN --device /dev/net/tun -e VPN_SERVICE_PROVIDER=windscribe -e VPN_TYPE=openvpn -e OPENVPN_USER=myuser -e OPENVPN_PASSWORD=mypass -e SERVER_REGIONS=MyRegion qmcgaw/gluetun
docker exec "vpn" iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
docker exec "vpn" iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
docker exec "vpn" iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
docker exec "vpn" iptables -A FORWARD -i 'eth0' -o 'tun0' -s 192.168.0.0/19 -d 0.0.0.0/0 -j ACCEPT

After running the above script you should have 2 networks (1 which goes through your normal gateway and 1 that goes through the (Gluetun) VPN client container. You can now run this dummy container to see if it works:

docker run --name=ubuntu --net=eth1macvlanvpn --ip=192.168.7.135 --rm -it ubuntu:latest /bin/bash

Now running this command will give you the outbound IP from the VPN tunnel:

apt-get update && apt-get -y install curl && curl ipinfo.io/ip

I'm not sure if this is "safe"

EDIT: Edited the post to the latest state i'm running.

[RobHofmann]

when using -e FIREWALL=on and using this command it seems to work:

docker exec "vpn" iptables --policy FORWARD ACCEPT

So it seems to have to do with the FORWARD chain.

[RobHofmann]

This also seems to work:

docker exec "vpn" iptables -A FORWARD -i 'eth0' -o 'tun0' -s 192.168.0.0/19 -d 0.0.0.0/0 -j ACCEPT

I hope someone can explain if this is dangerous to do & how i can test the killswitch.

[BobWs]

Would you mind sharing a small tutorial on how to install and setup this up?

[sallygal1]

I'm also trying to achieve a similar setup, I want to route all outgoing traffic through the VPN, while still allowing to access the local dashboards via a separate IP address through macvlan:

  mycontainer:
      image: mycontainer      
      container_name: mycontainer
      networks:
        - mymacvlan:
            ipv4_address: 192.168.X.X
      network_mode: "service:gluetun"

This is my container, I can see it has the ipv4 address assigned in portainer but it's not reachable. I can only reach it through gluetun's ip address. Does anyone know if it's possible to achieve what I need?

[BobWs]

Did you manage to get this to work? I’m looking for something similar. I would like to setup a DOcker VPN Container to act as an router/gateway for all my other devices on my LAN Network.

[qdm12]

See #381 perhaps

[BobWs]

See #381 perhaps

Thanks for pointing out #381 I already have read that, but it isn’t clear how it works. There is nothing further in there that describes if and how it is working or how to setup the container. I couldn’t find anything on the wiki.