Route traffic through OpenVPN docker

6/17/2020

I would like to set up a VPN server and route all the clients' traffic through the VPN.

In order to do that, I run a VPN server using the OpenVPN docker image kylemanna/openvpn. My docker runs on Kubernetes and doesn't share the host network. I also added the NET_ADMIN capability and enabled privileged mode.

In order to configure my docker image as a gateway, I configured NAT (inside the docker) using iptables:

iptables -I FORWARD -i tun0 -o eth0 -s 192.168.255.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -s 192.168.255.0/24 -j MASQUERADE

Unfortunately something is going wrong. I can perfectly connect to the VPN and ping any public IP. I can also curl any HTTP site without any problems. If I curl http://ifconfig.co, I can also see that my IP changed to the IP of my server. So up to here everything works as expected.

But it only works for HTTP traffic: if I try to curl google using HTTP, I get a response, but using HTTPS, I do not get any response back. I checked it with tcpdump, and the packets arrive back on the client side.

When I curl google in verbose mode, this is what happens before it hangs:

curl -v https://www.google.com
*   Trying 172.217.20.100:443...
* TCP_NODELAY set
* Connected to www.google.com (172.217.20.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

Does someone have an idea how to debug this / why HTTPS is not working while HTTP works?

Thank you

-- cmoi
docker
iptables
kubernetes
openvpn
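The gateway configuration described in the post, as an added shell example that is not part of the original question and not taken from the kylemanna/openvpn image: it emits the same three iptables rules as text first so they can be reviewed, applies them idempotently (checking with `-C` before appending), and verifies that IP forwarding is on in the container's network namespace. The interface names and subnet (tun0, eth0, 192.168.255.0/24) are parameters taken from the question; the fourth rule, TCP MSS clamping on forwarded SYNs, is an assumed companion rule commonly paired with tunnel NAT because encapsulation lowers the MTU available to client TCP segments, and is not something the post itself mentions.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent NAT-gateway setup for an
# OpenVPN container, written as shell functions so the rule set can be reviewed
# before it is applied. tun0 / eth0 / 192.168.255.0/24 are taken from the question
# and passed in as parameters rather than discovered.

# Print one iptables rule per line as "<table> <chain> <match and target>".
# The "-A"/"-C" verb is omitted so the same text works for checking and appending.
gateway_rules() {
    tun_dev="$1"; out_dev="$2"; vpn_net="$3"
    # Allow new flows from VPN clients out through the egress interface.
    echo "filter FORWARD -i $tun_dev -o $out_dev -s $vpn_net -m conntrack --ctstate NEW -j ACCEPT"
    # Allow return traffic for flows conntrack already knows about.
    echo "filter FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # Hide client addresses behind the container's egress address.
    echo "nat POSTROUTING -o $out_dev -s $vpn_net -j MASQUERADE"
    # Assumed companion rule (not in the post): clamp TCP MSS to the path MTU on
    # forwarded SYNs, because tunnel encapsulation lowers the usable MTU.
    echo "mangle FORWARD -o $out_dev -s $vpn_net -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Apply the rules, skipping any that already exist (iptables -C returns 0), so the
# function is safe to run on every container start. With DRY_RUN=1 the iptables
# commands are printed instead of executed, which needs neither root nor iptables.
apply_gateway_rules() {
    gateway_rules "$@" | while read -r table chain rest; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "iptables -t $table -A $chain $rest"
        elif ! iptables -t "$table" -C "$chain" $rest 2>/dev/null; then
            iptables -t "$table" -A "$chain" $rest
        fi
    done
}

# FORWARD rules never see a packet unless forwarding is enabled in this network
# namespace. Returns 0 when /proc reports it on, 1 otherwise (or if unreadable).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Stand-alone use: "sh gateway.sh apply" inside the container (as root). Any other
# invocation only defines the functions, so the file can also be sourced.
if [ "${1:-}" = "apply" ]; then
    forwarding_enabled || echo "warning: net.ipv4.ip_forward is not 1; FORWARD rules will not match" >&2
    apply_gateway_rules tun0 eth0 192.168.255.0/24
fi
```

Run `DRY_RUN=1 sh gateway.sh apply` first to see the exact iptables invocations; the `-C` check means re-running without DRY_RUN never duplicates rules, unlike repeated `-I` calls.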

0 Answers