Heuristic42
Blog
Opengl
Meta
Rendering
0
comment
Dec 15 at 4:39
Matrices
Hello! Are you looking to elevate your online business with a p…
–
anonymous
comment
Nov 27 at 0:30
DerBard: Custom Split Mechanical Keyboard Prototype
hello
–
anonymous
comment
Nov 19 at 15:47
Matrices
[deleted]
–
anonymous
created
Oct 20 at 20:30
Iterators: pointers vs cursors
You're already doing both of these by hand. This post emphaisze…
–
pknowles
comment
Oct 10 at 10:27
Matrices
[deleted]
–
anonymous
comment
Oct 4 at 19:12
Matrices
[deleted]
–
anonymous
comment
Sep 30 at 18:51
Matrices
[deleted]
–
anonymous
comment
Sep 23 at 16:15
Matrices
[deleted]
–
anonymous
comment
Sep 21 at 6:52
Contributing
I kind of predicted what was bound to happen when my favourite …
–
anonymous
comment
Sep 7 at 1:21
Route contention when running docker and a VPN
Thank you for this. Between this and the overwriting of iptabl…
–
anonymous
comment
Sep 6 at 17:57
Making a real EMF Reader
Sorry for the random quoted text comments. I am one of those p…
–
anonymous
comment
Sep 6 at 17:48
Making a real EMF Reader
["ove! Play a tone with a buzzer and has 5 LEDs to show the “EM…
–
anonymous
comment
Sep 6 at 17:47
Making a real EMF Reader
["easure direction Measure the magnetic fie"](#q107-644-685)
–
anonymous
comment
Aug 20 at 17:01
Matrices
[deleted]
–
anonymous
comment
Aug 11 at 22:32
Matrices
[deleted]
–
anonymous
edited
Jun 8 at 22:29
Rethinking writing files with memory mapping and C++
This post introduces the motivation behind the [decodless C++ o…
–
admin
created
Jun 8 at 22:16
Rethinking writing files with memory mapping and C++
This post introduces the motivation behind the [decodless C++ o…
–
pknowles
comment
Jun 5 at 13:36
Contributing
[deleted]
–
anonymous
comment
Apr 19 at 11:24
Matrices
[deleted]
–
anonymous
comment
Apr 13 at 0:25
Matrices
[deleted]
–
anonymous
comment
Apr 5 at 9:43
Matrices
[deleted]
–
anonymous
comment
Mar 27 at 17:19
Matrices
[deleted]
–
anonymous
comment
Mar 25 at 4:59
Matrices
[deleted]
–
anonymous
comment
Mar 5 at 15:39
Matrices
[deleted]
–
anonymous
…
View All
Log in
Route contention when running docker and a VPN
leave this field blank to prove your humanity
Article title
*
Article revisions must have a non-empty title
Article body
*
Things have improved since the original post. It may have been updating docker or a change to work's VPN config, but boy was it frustrating before. Both the VPN and docker need to route traffic away from the outside internet and into their own system. - The VPN ideally wants to set a default route so everything goes to it, except for a few specific ranges. Exceptions include the IP to the VPN server that the virtual network runs over and maybe IPs on your local network. - Docker wants to route a range of addresses internally, so you can communicate with containerized apps. Firstly, what are these routes? # What are the routes? ip route -n # on windows route print You'll likely see something like this: Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.1.254 0.0.0.0 UG 100 0 0 enp5s0 192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp5s0 These routes are defaults set up by the system, before a VPN or docker runs. The first is the default route, which says route traffic destined to anywhere (Destination `0.0.0.0`, Genmask `0.0.0.0`) to the router's IP on my local network which is `192.168.1.254`, found through the physical network device "enp5s0". The second says to route communications destined for the local network `192.168.1.*` (`*` due to the `0` in the Genmask/subnet mask, which matches the mask the router assigned this machine) to the default route. At first glance this does nothing since that traffic would go there anyway, but I have a hunch this is allocating that range so that future routes know to avoid it. Note the Metrics of `100` allows for other routes to override these two with a lower number. # Docker Docker allows you to "containerize" apps, running them in separate individual environments. This is really nice for repeatability: you can run the same container on a different system and expect it to still work. There are some security arguments too, but it's no magic bullet. The problem is that at some point you need to connect to the app running in the container. Typically this is done through networking. In an attempt to make the UX seamless, docker routes IP address ranges from the real network into its virtual bridge network(s) that connect the containers. Ideally the default would be a tiny default range that is rarely used, or even have it ask you. Instead, docker's default is a giant range, `172.17.0.0/16` to `172.30.0.0/16` which are often already in use over a large VPN. Destination Gateway Genmask Flags Metric Ref Use Iface ... 172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0 Note the Metric of `0` is the highest priority. After starting a docker container(s) with some networks, a few extra bridge adaptors get created: 172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-d931e01f7003 172.19.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-2a456e1bfa07 ## Removing routes by hand I've seen a few times docker is unable to start, saying there are no more routes available. Typically [configuring docker](#configure_docker) clears this up, but that's not easy to understand and get right. I also used to see docker not removing temporary adapters when stopping the containers or the service. That is, you can break your system by starting a container and stopping it and the docker demon won't fix anything. Clearing up the mess docker made was hard. Honestly a reboot is just easier. Anyway, the manual way is to delete the routes and adapters it made. You could be a chump and delete routes manually , but there can be a lot. # E.g. sudo ip route del 172.19.0.0 br-5094d9589bea sudo route del -net 172.19.0.0 netmask 255.255.0.0 dev br-5094d9589bea ... A faster shotgun approach is to delete all routes 💪. Be careful with this one as it really is all routes. You'll need to disconnect and reconnect your loopback/LAN/WiFi/VPN connection(s) right after for the regular default routes to be recreated. This re-creates the default routes. # Careful. This deletes everything! Don't run unless you're physically at the machine. sudo ip route flush table 0 # Re-create default routes for loopback and other adapters ip link set lo down ip link set lo up ... other adapters Failing to restart `lo` results in weird `bind: Cannot assign requested address` issues from local port forwarding or `Error: Failed to find a free local port for dynamic forwarding` from vscode. # VPNs VPNs have a similar issue. They want to route all traffic through to their internal interface. After connecting, you will likely see this: Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 tun0 0.0.0.0 192.168.1.254 0.0.0.0 UG 100 0 0 enp5s0 ... 192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp5s0 This says route all traffic to `tun0` with metric `0`, skipping the default route for `enp5s0` with metric `100`. The VPN server is also allowed to push arbitrary additional routes to be added after connecting. These can end up conflicting with docker's routes or vice versa, depending on the order added --- starting the VPN or docker service first. See [Docker not working with a VPN due to network issues](https://stackoverflow.com/questions/63259263/docker-not-working-with-a-vpn-due-to-network-issues). Tangentially, I'm yet to understand how traffic from the virtual network to `192.168.1.254` doesn't just route through `tun0` again --- if you know please comment. # Solutions The root of the problem seems to be an allocation issue. Docker needs to pick a range of IPs to use, but it can't know ahead of time which might be suddenly be used by a VPN or other local network. Similarly, the VPN doesn't know that you may start the docker service after connecting. Really, it's up to the user to configure what ranges to use. Personally I think the meta cause of these problems is docker trying to be "automagic" about making networking work. There is some fundamental complexity in what it's doing and this may just need to be taught. ## Configure docker Edit `/etc/docker/daemon.json` and add something like the following from [stack overflow](https://stackoverflow.com/questions/50730426/docker-bridge-connection-breaks-the-internet/67224830#67224830). I'm still pretty confused by what these actually do. I expect something here tells docker what default ranges to forward. Somewhere it needs a real IP to give its virtual interface to route IPs to. It also needs to assign virtual IPs within its internal network(s). Why does docker need so many bridge adapters 🤷. Reading the [docs](https://docs.docker.com/network/drivers/bridge/#use-the-default-bridge-network) might help. { "bip": "192.168.1.5/24", "fixed-cidr": "192.168.1.5/25", "default-address-pools":[ {"base":"192.168.2.5/24","size":28} ] } [Edit] maybe use a "bip" of `.2.5`? I hit yet another conflict with my home network and the above recently. See what I mean, re. frustrating. "bip": "192.168.2.5/24", "fixed-cidr": "192.168.2.5/25",
Toggle Preview
Edit message
*
A description of the changes made
Discard Draft
Save Draft
leave this field blank to prove your humanity
Flag
the thing you clicked
for moderator attention.
Reason choice:
Spam, promoting, advertising without disclosure
Rude, inappropriate, generally offensive
Too arrogant or demeaning to others
Other
Reason:
The reason for raising the flag
Error