toyah

Docker network problem when AirVPN is running

Hi,

 

Ubuntu 17.10

AirVPN 2.13.6, running through Eddie

 

When I try to start my app in Docker using "docker-compose up", I get an error:

ERROR: could not find an available, non-overlapping IPv4 address pool among the defaults to assign to the network

If I disable network lock and stop Eddie, Docker will start up just fine.

 

After Googling I found a possible explanation and solution in https://stackoverflow.com/questions/45692255/how-make-openvpn-work-with-docker.

With my minimal VPN and network knowledge I'm unable to judge if this is a valid and safe solution.

 

Can anyone knowledgeable comment on this solution?

 


After Googling I found a possible explanation and solution in https://stackoverflow.com/questions/45692255/how-make-openvpn-work-with-docker.

With my minimal VPN and network knowledge I'm unable to judge if this is a valid and safe solution.

 

Can anyone knowledgeable comment on this solution?

 

Hello,

 

it looks very unsafe. The script removes the tunneling routes to the VPN gateway, so your system traffic will not necessarily be tunneled over AirVPN. The comment by grisha explains the problem as well.

 

Kind regards


Ok, if it looks unsafe to you I won't apply it

 

I'm not sure how to configure grisha's proposal...

 

I suddenly had a bright moment.

Docker uses 172.0.0.0/24 for networking.

The "ip route" command shows that the two apps in my Docker container use 172.17.0.0/16 and 172.18.0.0/16.

I'm ok if traffic to and from these apps doesn't go through VPN.

 

So I added 172.17.0.0/16 and 172.18.0.0/16 to Routes with destination 'Outside the VPN tunnel'.

And that works!

Almost...

It fails when I activate Network Lock, as Docker tries to append to iptables...

 

So I guess I can't run Docker when I also want network lock
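
Added example, not part of the original posts and not code from Eddie or Docker: a Python check over `ip route` output that shows why every default Docker pool is rejected while the tunnel is up, and which prefixes leave outside the tunnel once routes like the ones above exist. The route table is constructed sample data; the list of Docker default pools and the rule that Docker rejects a pool overlapping any non-default route are assumptions.

```python
import ipaddress

# Constructed `ip route` output: VPN up (tun0), two Docker bridges, one LAN.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.24.198.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.24.198.0/24 dev tun0 proto kernel scope link src 10.24.198.90
128.0.0.0/1 via 10.24.198.1 dev tun0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-example proto kernel scope link src 172.18.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""

def parse_routes(text):
    """Return [(network, device)] for every non-default IPv4 route line."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default" or "dev" not in fields:
            continue
        net = ipaddress.ip_network(fields[0], strict=False)
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def docker_default_pools():
    """Assumed Docker defaults: 172.17-172.31 as /16, 192.168.0.0/16 as /20s."""
    pools = [ipaddress.ip_network(f"172.{n}.0.0/16") for n in range(17, 32)]
    pools += ipaddress.ip_network("192.168.0.0/16").subnets(new_prefix=20)
    return pools

def free_pools(routes):
    """Pools overlapping no existing route; an empty list means the error."""
    return [p for p in docker_default_pools()
            if not any(p.overlaps(net) for net, _ in routes)]

def outside_tunnel(routes, tun_dev="tun0"):
    """Prefixes that beat the tunnel's catch-all routes by longest match."""
    catch_all = [n for n, d in routes if d == tun_dev and n.prefixlen <= 1]
    return sorted(str(n) for n, d in routes
                  if d != tun_dev and any(n.subnet_of(c) for c in catch_all))

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print("free Docker pools:", free_pools(routes))
    print("bypassing tun0:", outside_tunnel(routes))
```

Anything listed by `outside_tunnel` is traffic that does not go through the VPN, so the list should contain only prefixes that are meant to stay local.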


Nice, tx for posting!
Not working with Docker right now, but when I pick it up again I'll try it out.

On 7/14/2023 at 8:04 AM, p1pb0y said:

This worked for me, with network lock: https://stackoverflow.com/a/57152380

Debian 11
Docker-compose 1.25.0

While this does allow my containers to run, Eddie forces Docker's DNS to be funneled through the VPN tunnel by default:
ollama 23-01-2026 0:05:42 $ docker exec -it openwebui /bin/bash
root@cbc2b35dbaf3:/app/backend# cat /etc/resolv.conf 
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 10.24.198.1

# Based on host file: '/etc/resolv.conf' (legacy)
# Overrides: []
root@cbc2b35dbaf3:/app/backend# exit
exit                                                                                                                                                                   
ollama 23-01-2026 0:07:23 $ ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.24.198.90  netmask 255.255.255.0  destination 10.24.198.90
        inet6 fe80::dd69:3985:9114:816a  prefixlen 64  scopeid 0x20<link>
        inet6 fde6:7a:7d20:14c6::1058  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 6733  bytes 3810080 (3.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6667  bytes 1138370 (1.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
As a result, docker containers can't resolve each other's names anymore. This isn't very useful as docker compose stacks often need that internal DNS to talk to each other.

11 hours ago, curteousdragon said:

Eddie forces Docker's DNS to be funneled through the VPN tunnel by default


Hello!

You can modify this behavior in Eddie's "Preferences" > "DNS" window.

Kind regards
 
