Route container traffic through OpenVPN tunnel on host

#1

I just installed Devilbox. And I’m very pleased with it so far. There are three things at the moment that I can not resolve. I have to add that I’m a Docker newbie. This is my first ever try at it.

  1. With the host’s OpenVPN tunnel down, or never started, both containers still have access to the internet, while the host does not. The containers also shouldn’t have access to the internet.
  2. I can’t find out where to mount my deployment folder at the end of a container’s boot procedure.
  3. I can not ssh/scp from the host, to the containers. sshd doesn’t seem to be installed.

To 1.
What are my options to route all internet traffic (non-local) through the host’s VPN tunnel?
I found this GitHub repo dperson/openvpn-client kylemanna/docker-openvpn. But I see that as a last resort. I’d rather have a network config solution to the problem. Also, docker0 always has status down. I was told that this is a bridge. On an Arch Linux host, I tried setting up a new bridge with netctl, ip, brctl, and systemd-networkd. But each time this was even worse than without the bridge in various ways. All access, or no access.

To 2.
On each save from my editor, changed files are deployed from the project folder to its related deployment folder. Currently these deployment folders are mounted by KVM VMs, either with CIFS or Autofs + sshfs, during VM bootup or on access. The webservers have access rights to the deployment folders, and are therefore always up-to-date with every save.

To 3.
I can live with number 3, because I can pull files/folders from the host instead of pushing to the containers. And for console activities I can use docker exec, or Devilbox’s shell script.

EDITED: To replace OpenVPN container repo url.

#2

Not really sure what you want to achieve. I have internet on the host and on the Docker container without the need for OpenVPN.

This probably requires some more detail, as I have no idea what you mean by a deployment folder.

There are no additional SSH daemons running on the container. The whole point of containers is to only have a single process (PID 1), which is currently a bit off on the PHP image as some other tools also need to run, but it uses supervisord to work around that.

But you’ve figured the answer already by doing it via docker-compose exec <container name> bash or the bundled shell script. Just some refresher here: https://devilbox.readthedocs.io/en/latest/intermediate/work-inside-the-php-container.html

#3

The issue is not that there is no internet access/traffic possible without OpenVPN. This is about the VPN kill-switch being circumvented by either Docker, Devilbox, or both. Before I installed Docker and Devilbox, there was already an OpenVPN tunnel in use on the host. I want all internet traffic, from and to the host, and from and to the containers, to go through the OpenVPN tunnel that runs on the host. As it is now, only the traffic from and to the host is routed through the OpenVPN tunnel. If the OpenVPN tunnel is down, there should be no internet access possible at all. As it is now, the containers always have internet access.

Deployment folder, as in deployed from development environment to test or staging environment. My full projects are in folder X. The deliverables for testing are deployed to folder Y on save in my editor. The deliverables for staging are deployed to folder Z manually (scripted).
Folder X (development and design) is never ever mounted by a KVM VM, nor by a Docker container. While deployment folders Y and Z are always mounted at VM or container boot. The webservers have access rights to the mounted deployment folders Y and Z. It’s where they serve files from. So the webservers are always up-to-date, but they never contain code or data. Folders X, Y, and Z can be right next to each other, or each could be on a different partition, or each on a different drive, or remote. Or a mix of all of these.
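The kill-switch question in posts #1 and #3 (container traffic leaving the host through the physical NIC instead of the OpenVPN tunnel, and still leaving when the tunnel is down) is a forwarding problem, not a bridge problem: containers on a Docker bridge reach the internet through the host's FORWARD chain, which Docker populates with its own ACCEPT rules, so the host's kill-switch rules never see that traffic. The script below is an added example written for this thread; it is not Devilbox code and was not posted by either participant. It assumes the tunnel interface is `tun0` (OpenVPN's usual name) and that all Docker bridge networks fall inside `172.16.0.0/12` (Docker's default address pool, which also contains Devilbox's compose network); both are overridable. The rules go into Docker's `DOCKER-USER` chain, which Docker consults before its own FORWARD rules and does not flush when containers start.

```shell
#!/bin/sh
# Added example (not from Devilbox or the posts above): a VPN kill switch for
# Docker bridge traffic, enforced in Docker's DOCKER-USER chain.
#
# Assumptions, both overridable from the environment:
#   VPN_IF      - the OpenVPN tunnel interface on the host (tun0 assumed)
#   DOCKER_NETS - the address range Docker assigns to bridge networks;
#                 172.16.0.0/12 covers docker0 (172.17.0.0/16) and networks
#                 created by docker-compose from Docker's default pools.
VPN_IF="${VPN_IF:-tun0}"
DOCKER_NETS="${DOCKER_NETS:-172.16.0.0/12}"

# Emit the iptables commands as text so they can be reviewed before being
# applied. Rule order matters:
#   1. create the chain if Docker has not (harmless if it already exists)
#   2. start from a clean user chain (Docker pre-populates it with one RETURN)
#   3. keep container-to-container / container-to-gateway traffic working
#   4. drop anything from a container that would leave on any interface other
#      than the tunnel; with the tunnel down the default route points at the
#      physical NIC, so this is what closes the hole the thread describes
#   5. hand everything else (e.g. replies arriving on the tunnel) back to Docker
killswitch_rules() {
    cat <<EOF
iptables -N DOCKER-USER 2>/dev/null || true
iptables -F DOCKER-USER
iptables -A DOCKER-USER -s $DOCKER_NETS -d $DOCKER_NETS -j RETURN
iptables -A DOCKER-USER -s $DOCKER_NETS ! -o $VPN_IF -j DROP
iptables -A DOCKER-USER -j RETURN
EOF
}

# Install the rules. Refuses to run unprivileged rather than half-applying.
apply_killswitch() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_killswitch: must run as root" >&2
        return 1
    fi
    killswitch_rules | sh -e
}

# Exit status 0 when the tunnel interface exists on the host.
vpn_iface_present() {
    ip link show "$VPN_IF" >/dev/null 2>&1
}

# Dry run by default: "apply" installs the rules, "status" shows the tunnel
# state and the live DOCKER-USER chain.
case "${1:-}" in
    apply)  apply_killswitch ;;
    status) if vpn_iface_present; then echo "$VPN_IF: up"; else echo "$VPN_IF: down"; fi
            iptables -S DOCKER-USER 2>/dev/null || echo "DOCKER-USER chain not present" ;;
    *)      killswitch_rules ;;
esac
```

Run it without arguments to print the rules, then `sudo sh killswitch.sh apply`. Verify from a container while the tunnel is down: `docker-compose exec php curl -m 5 https://example.com` should time out, and `iptables -vnL DOCKER-USER` should show the DROP counter rising. Two caveats: Docker's default MASQUERADE rule already NATs container traffic onto whichever interface it leaves by, so nothing else is needed for the tunnel-up case; and if containers must still reach the LAN, add a `-d <lan-subnet> -j RETURN` rule before the DROP. The `docker0` bridge showing DOWN is expected when no container is attached to it; compose projects such as Devilbox create their own `br-<id>` bridge, which is why the rules match on address range rather than on interface name.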