DEV Community

a2n

VPN, Docker, and a cold coffee

Today I had a hard time understanding why my VPN was connected but I couldn’t reach my DB sitting just behind it.

Very simple situation:

  • you launch your PC, coffee’s hot
  • start your VPN
  • open your code and do some stuff
  • need to check something in a tool protected by the VPN
  • uh oh, why can’t I reach the site?
  • check the VPN logs — nothing weird
  • double-check the VPN config
  • recreate a VPN user
  • try with another Wi-Fi
  • coffee’s cold

Then I reboot my PC, connect to the VPN… and suddenly the site works.

Why that?

"Simply" because of Docker! More specifically: Docker networks.

When I launched Docker, it created a network using the same IP range as my VPN.

We can confirm the problem with a few commands.

ip route show (while connected to the VPN) gives us an idea of the VPN’s IP range.

If we run it after launching Docker, we’ll usually see something like 172.17.0.0/16 to 172.11.0.0/16 for Docker.

You can double-check with ip addr:

172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown

Next, if needed, we can find which Docker network is using which IP by listing all networks with docker network list and inspecting them using docker network inspect {network_id}.

In the resulting JSON, look at the Subnet and Gateway keys (under IPAM, then Config) to identify which network is conflicting with your local one.

If you created the network manually, you can simply edit your config.
If not (like in my case), we can take a more general approach by updating Docker’s configuration itself.

Open (or create) /etc/docker/daemon.json and edit the default-address-pools key. Choose any IP range you prefer for base; the file has to be plain JSON, so it cannot contain comments:

{
  "default-address-pools": [
    {
      "base": "172.240.0.0/16",
      "size": 24
    }
  ]
}

Before restarting Docker, run docker network prune to remove all unused networks from your setup — those can still hold onto old IPs even after changing the config.

If the prune doesn’t remove the “bad” network, you can delete it manually.

Finally, restart Docker (e.g. with systemd): systemctl restart docker
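
One way to automate the check above, as an added example that is not part of the original post: it parses `ip route show` and `docker network inspect` output, lists the Docker subnets that overlap routes on the VPN interface, and tests a candidate pool base. The sample data, the tun0 interface name and the function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed samples (interface names and addresses are made up):
# `ip route show` with the VPN on tun0, and trimmed `docker network inspect`.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/24 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
"""
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]}},
    {"Name": "myapp_default", "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]}},
])

def vpn_routes(route_text, vpn_dev):
    """Destination networks routed through vpn_dev, from `ip route show`."""
    nets = []
    for line in route_text.splitlines():
        fields = line.split()
        i = fields.index("dev") if "dev" in fields else -1
        if i < 0 or fields[0] == "default" or fields[i + 1 : i + 2] != [vpn_dev]:
            continue
        try:
            nets.append(ipaddress.ip_network(fields[0], strict=False))
        except ValueError:
            continue  # route types such as "unreachable" do not start with a prefix
    return nets

def docker_subnets(inspect_json):
    """(network name, subnet) pairs from `docker network inspect` JSON."""
    return [(n["Name"], ipaddress.ip_network(c["Subnet"]))
            for n in json.loads(inspect_json)
            for c in (n.get("IPAM") or {}).get("Config") or [] if c.get("Subnet")]

def find_conflicts(route_text, inspect_json, vpn_dev):
    """(docker network, its subnet, VPN route) for every overlapping pair."""
    vpn = vpn_routes(route_text, vpn_dev)
    return [(name, str(s), str(r)) for name, s in docker_subnets(inspect_json)
            for r in vpn if s.version == r.version and s.overlaps(r)]

def pool_is_safe(base, route_text, vpn_dev):
    """True if a candidate default-address-pools base is private and clear of VPN routes."""
    net = ipaddress.ip_network(base)
    return net.is_private and not any(
        net.version == r.version and net.overlaps(r) for r in vpn_routes(route_text, vpn_dev))
```

With these sample routes, 10.200.0.0/16 passes, while the 172.240.0.0/16 base shown earlier fails the private-space test. RFC 1918 covers only 172.16.0.0/12, so 172.240.x.x is publicly routable space, and real hosts in a range Docker has claimed locally become unreachable from the machine.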

And voilà — now I just need to reheat my coffee, but at least my setup works! ☕
