Current situation:
I've got a Wireguard client container set up, which is hooked to my VPN provider. Next to that I've got a bunch of other containers, a select few of which I want to make use of this VPN connection - like e.g. my Pihole container, to prevent any leaks with outgoing DNS requests.
Per this linuxserver.io tutorial, I was setting up table based traffic routing to have individual containers send their non-local requests through the VPN container, which has a fixed IP in the Docker network. To enable or disable a container's connection with the VPN container, I wrote a shell script which overrides the gateway of a container via ip route to the VPN one or back to the default Docker gateway.
This approach works fine so far, but has of course issues:
- Overrides are not persistent; by stopping/restarting a container or the Docker host itself, the routing will be reset.
- In case the VPN container or the connection to the provider is down, networking for linked containers will be as well.
- There's barely any overview and control over which containers are currently routing traffic through the VPN container.
Apart from that, I stumbled over another hurdle with the Wireguard client - setting up more than one IP mask in the Allowed IPs field causes the connection to fail for some reason, effectively preventing me from excluding local IPs so they are still routed within the local network. My GitHub issue on this has so far gone unanswered, so I did a simple workaround by excluding those IPs one stage earlier, when setting up the container based IP routings with the aforementioned shell script. Whatever approach replaces that script will have to handle IP exclusion as well.
Looking for solutions:
I haven't been in the Docker game for long yet, and maybe there is a really simple approach for that, but recently I've been looking for different methods on how to achieve routing select containers through a specific one in a more reliable, less hacky way:
- Setting up another Docker network for traffic to be sent to the VPN container. This seems like a simple, native approach, but I'm not exactly sure if it is actually feasible to hook a container onto multiple networks, as some threads online claim it's not - according to one compose networking doc example it seems to be though. One way or another, IP routing has to be handled somewhere down the line, and I don't see where this is supposed to happen.
- Using a proxy server. Apart from the fact that I have no experience in handling proxy servers, I'd like to avoid setting up another container for this, as my Docker landscape is already quite loaded for my host machine to handle. Maybe it might be possible to reuse my Nginx or Swag containers as a forward proxy though? There's also a Wireproxy image which could replace my current Wireguard client. Nonetheless, I'm not sure if IP exclusion is a thing that proxy servers can deal with, although in the case of Nginx, this should work.
- My original idea isn't any less hacky though; I'd set up a small PHP-based web application to read out the containers' routing status and toggle it accordingly. While this would highly customize dealing with the routing for me, it is hardly feasible as my Apache container will not be able to read any routings from other containers, and I also have no idea how to set this up on the host machine appropriately without interfering with any of the OMV stuff. This will more likely put me in front of permission-based issues as well.
Now before I try and maybe fail through any of these approaches, does someone maybe have a clue how this quite specific request can be best dealt with?
Any hints and ideas would be greatly appreciated!
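The gateway-override script described above, written out as an added example (not the poster's own script): it builds the ip route commands for a container (default route to the VPN container, local subnets pinned to the Docker gateway so they bypass the tunnel) and applies them from the host through nsenter, then prints the effective default route so the toggle can be verified. The VPN container IP, Docker gateway and local subnets are assumed placeholders; the Docker network's own subnet stays directly connected and is deliberately not listed.

```shell
#!/bin/sh
# Added example, not code from the original post. All addresses below are
# assumed placeholders; override them via the environment.
set -eu

VPN_GW="${VPN_GW:-172.18.0.2}"        # assumed fixed IP of the wireguard container
DOCKER_GW="${DOCKER_GW:-172.18.0.1}"  # assumed gateway of the Docker network
# Assumed LAN ranges that must keep going out the Docker gateway, not the tunnel.
LOCAL_NETS="${LOCAL_NETS:-192.168.0.0/16 10.0.0.0/8}"

# Print the ip route commands for one mode ("vpn" or "default"), one per
# line, without executing anything. Exclusions are emitted before the
# default route so there is no window where LAN traffic enters the tunnel.
route_plan() {
  case "$1" in
    vpn)
      for net in $LOCAL_NETS; do
        echo "ip route replace $net via $DOCKER_GW"
      done
      echo "ip route replace default via $VPN_GW"
      ;;
    default)
      for net in $LOCAL_NETS; do
        echo "ip route del $net via $DOCKER_GW 2>/dev/null || true"
      done
      echo "ip route replace default via $DOCKER_GW"
      ;;
    *)
      echo "usage: route_plan vpn|default" >&2
      return 2
      ;;
  esac
}

# Run the plan inside a container's network namespace from the host, so the
# container itself needs no NET_ADMIN capability. Prints the resulting
# default route as a check.
apply_routes() {
  container="$1"; mode="$2"
  pid=$(docker inspect -f '{{.State.Pid}}' "$container")
  route_plan "$mode" | while IFS= read -r cmd; do
    nsenter -t "$pid" -n sh -c "$cmd"
  done
  nsenter -t "$pid" -n ip route show default
}

# Example usage (requires root on the host): apply_routes pihole vpn
```

Because the routes live in the container's network namespace, they still vanish on container restart; running apply_routes from a post-start hook or a host service is what makes them persistent.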