Fix connectivity from docker network through host IPSec / Strongswan VPN
#!/usr/bin/env bash
#
# vpn-docker-fix: let containers on a docker bridge network reach the subnets
# routed through the host's IPSec/strongSwan VPN (routing table 220) by
# SNAT-ing their traffic to the host's VPN virtual IP.
#
# Usage: [dry_run=1] [debug=1] vpn-docker-fix [<docker-network-name-or-id>]
#
# Environment:
#   docker_network  docker network to link; the positional argument is used
#                   only when this variable is unset (default: docker0)
#   dry_run         set to 1 to only print the iptables command(s) to stderr
#   debug           set to 1 to trace bash substitutions (set -x); also
#                   defaults dry_run to 1 unless dry_run is already set
#
# Abort on any unchecked failing command and on any unset variable.
set -e
set -u
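# Write all arguments, joined by single spaces, as one line to stderr.
# printf rather than echo: a message starting with "-n" or "-e" is printed
# literally instead of being swallowed as an echo option.
_log_stderr() {
  printf '%s\n' "$*" >&2
}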
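#######################################
# Run a command unless dry_run is on, echoing it first when asked to.
# Globals:   dry_run (read), debug (read)
# Arguments: the command and its arguments, one word each
# Outputs:   the command line on stderr when dry_run=1 or debug=1
# Returns:   0 when dry_run=1 (nothing executed), else the command's status
#######################################
_dry_run() {
  if [ "$dry_run" = 1 ] || [ "$debug" = 1 ]; then
    _log_stderr "$*"
  fi
  if [ "$dry_run" = 1 ]; then
    return 0
  fi
  # Execute the argument vector directly instead of `eval "$@"`: eval re-parses
  # the joined string, so an argument containing spaces or shell metacharacters
  # would be split or interpreted rather than passed through intact.
  "$@"
}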
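# debug=1 turns on command tracing and, unless the caller chose otherwise,
# also forces a dry run so a debugging session never touches the NAT table.
if [ "${debug:=0}" = 1 ]; then
  set -x
  : "${dry_run:=1}"
fi
: "${dry_run:=0}"
# The docker_network env var takes precedence over the positional argument;
# with neither, fall back to docker0. Note the `:-` form: `${1:docker0}` is a
# substring expansion and never yields the default.
: "${docker_network:=${1:-docker0}}"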
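# Resolve the docker network to the host bridge interface docker created for it.
# The `name` filter matches on part of a name, so one lookup can print several
# IDs (one per line); docker documents the filter key in lowercase.
net_hash=$(docker network ls -qf "name=${docker_network}")
if [ -z "$net_hash" ]; then
  _log_stderr "Docker network '$docker_network' not found"
  # exit, not return: this script is executed, and `return` outside a function
  # is itself an error
  exit 1
fi
# Refuse an ambiguous match rather than build a "br-<id1>\n<id2>" interface name
# that would silently match nothing in the route lookups below.
case "$net_hash" in
  *$'\n'*)
    _log_stderr "Docker network '$docker_network' is ambiguous; matching IDs: $net_hash"
    exit 1
    ;;
esac
# NOTE(review): user-defined bridge networks get an interface named br-<id>;
# the default "bridge" network uses docker0 instead, so the docker0 default of
# this script may not resolve this way — confirm on the host.
docker_network="br-$net_hash"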
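# vpnSubnet - the VPN's CIDR(s): one destination prefix per route line in
# routing table 220, the table this VPN's routes live in. Reading through
# mapfile/process substitution keeps a no-match grep (exit 1) from killing
# the script under `set -e` before the "VPN not active" message is reached,
# and leaves the array genuinely empty in that case.
mapfile -t vpnSubnet < <(ip route list table 220 | grep -o '^[0-9.]*/[0-9]*')
# ${#vpnSubnet[@]} is the element count; ${#vpnSubnet} was only the length of
# element 0.
if [ "${#vpnSubnet[@]}" -eq 0 ]; then
  _log_stderr "VPN not active"
else
  # defaultRouteInterface - the host interface carrying the default route,
  # i.e. the one the VPN tunnel leaves through
  defaultRouteInterface="$(ip route show | awk '/^default/ { print $5 }')"
  # dockerSubnet - the docker network's CIDR, taken from the route that points
  # at its bridge interface
  dockerSubnet="$(ip route show | awk '/'"dev $docker_network"'/ { print $1 }')"
  # virtualIP - the host's virtual IP inside the VPN. Field 9 of the table-220
  # route line is assumed to be the "src" address — confirm against
  # `ip route show table 220` on the host if the rule ends up with an empty
  # --to-source.
  #virtualIP="$(ifconfig | grep -o 'P-t-P:[^ ]*' | cut -d: -f2)"
  virtualIP="$(ip route show table 220 | awk '/'"dev $defaultRouteInterface"'/ {print $9}' | uniq)"
  # Never build a NAT rule with an empty interface, source subnet or source
  # address: iptables would reject it, and a dry run would print a rule that
  # does not describe what would actually be installed.
  if [ -z "$defaultRouteInterface" ] || [ -z "$dockerSubnet" ] || [ -z "$virtualIP" ]; then
    _log_stderr "Could not determine all rule fields: interface='$defaultRouteInterface' dockerSubnet='$dockerSubnet' virtualIP='$virtualIP'"
    exit 1
  fi
  # Inserted at position 1 so the SNAT takes precedence over existing
  # POSTROUTING rules. Each run inserts a fresh rule, so re-running the script
  # accumulates duplicates; remove stale ones by hand.
  for subnet in "${vpnSubnet[@]}"; do
    _dry_run sudo iptables -j SNAT -t nat -I POSTROUTING 1 -o "$defaultRouteInterface" -d "$subnet" -s "$dockerSubnet" --to-source "$virtualIP"
  done
fi
# A plain `if` here: as the script's final command, `[ … ] && set +x` would
# make the whole script exit 1 whenever debug is off.
if [ "$debug" = 1 ]; then
  set +x
fi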