
I am trying to come up with a solution to bypass the VPN tunnel for the incoming and outgoing traffic of a Docker container.

The VPN I'm using is Mullvad VPN, and in the split tunneling section they have addressed how to exclude outgoing traffic for certain IPs. This does not work for my Docker container, as my container's traffic is routed through the tunnel created by Mullvad VPN.

This is my nftables config:

define EXCLUDED_IPS = {
  # An IP to bypass
  1.2.3.4,
}
define CONTAINER_IPS = {
  # Local proxy
  10.10.5.0/24,
}

table inet excludeTraffic {
  chain excludeOutgoing {
    type route hook output priority 0; policy accept;
    ip daddr $EXCLUDED_IPS ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }
  # I have created this chain which is not working
  chain excludeContainerFromTunnel {
    type route hook output priority -5; policy accept;
    ip daddr $CONTAINER_IPS ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
  }
}

The container's network is bound to 10.10.5.1 and is a bridge network with the subnet of 10.10.5.0/24.

EDIT: output of ip rule:

$ ip rule
0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0x6d6f6c65 lookup 1836018789
32766:  from all lookup main
32767:  from all lookup default
Farhood ET
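As an added example (not the poster's config and not from any commenter): an nft `output` hook only sees packets generated by host processes, while packets the container sends through the bridge are forwarded and traverse the `prerouting` and `forward` hooks, so a mark that the Mullvad `ip rule` entry keys on has to be set in `prerouting`, before the route lookup. The bridge name `br-docker` is a placeholder, Docker's own MASQUERADE rule is assumed to still NAT the container's traffic on the physical interface, and the mark values are the ones from the question.

```nft
# Added example, not the poster's config: mark forwarded container traffic
# before the routing decision so the existing
#   "not from all fwmark 0x6d6f6c65 lookup 1836018789"
# rule skips the tunnel table for it.
# Assumptions: the container bridge is named "br-docker" (placeholder) and
# Docker's iptables MASQUERADE rule still NATs container traffic leaving
# the physical interface.
define CONTAINER_IPS = { 10.10.5.0/24 }

table inet excludeContainer {
  chain prerouting {
    # Forwarded packets never traverse the output hook; prerouting runs
    # before the route lookup, so the fwmark is visible to "ip rule".
    type filter hook prerouting priority mangle; policy accept;

    # Container -> anywhere: tag the flow in conntrack once, then mark the packet.
    iifname "br-docker" ip saddr $CONTAINER_IPS \
      ct mark set 0x00000f41 meta mark set 0x6d6f6c65

    # Replies arriving on the physical interface for a flow tagged above:
    # restore the packet mark so the reverse route lookup (including the
    # rp_filter check A.B asked about) also bypasses the tunnel table.
    ct mark 0x00000f41 meta mark set 0x6d6f6c65
  }
}
```

Load it with `nft -f` alongside, not instead of, the existing table; verify with `nft list ruleset` and by checking that `conntrack -L` shows the container's flows with mark 3905 (0xf41).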
  • @A.B Added the required changes. Can you look into this? – Farhood ET Jul 03 '23 at 04:03
  • I'd need additional information (still while the tunnel is up) to be sure of the various settings. `ip -br link; ip -4 -br addr; ip route; ip route show table 1836018789` and also `sysctl -ar '\.rp_filter' | grep -v '0 *$'` (which might have an empty output if there's nothing to care about). – A.B Jul 03 '23 at 05:32
  • @A.B I have created a specific network for this that docker uses (a bridge that binds to a certain ip in the docker [the gateway ip here]). I don't think my issue is that much complex other than I'm trying to mark packets inside my local network. – Farhood ET Jul 03 '23 at 06:05
  • At last check, Docker doesn't support nftables. It's managing traffic with iptables, conntrack, bridges, ipvsadm, and routing: https://github.com/moby/moby/issues/26824 – BMitch Jul 03 '23 at 13:57

1 Answer


Have you tried just disabling the VPN? As I understand it, having tried something like this before, the adapter's traffic on a VPN connection gets consumed; there is no bypassing it via the same adapter. It would be interesting if you could create a virtual adapter that nevertheless used the same NIC, and then give it membership in the network you're trying to communicate with.

I am assuming you want your machine to be able to connect to the internet as well as the LAN, but not to use the VPN route for the one or have it block the other?

  • I don't want to disable the VPN; that's the point. I want to have the VPN running for all of the system processes except that Docker container. – Farhood ET Jun 25 '23 at 07:57
  • That is going to be the issue. To accomplish this you'd have to find out how to control network device assignment by process; I'm not sure that is possible. I tried something similar to this, and if the tunnel is up it pushes ALL traffic to it; otherwise the whole point of the VPN would not work. The only way you could do this is with another machine, or if a guest machine was using a VPN, so far as I know. – MysteriousMadCoder Jun 25 '23 at 19:47