Route traffic from one docker container through a VPN (provided by a second container)

I need to understand how to make two docker containers work with a scenario like this:

There is a branch office with a router and a client. The network is 192.168.190.0/24 and the addresses are 1 and 57.

Somewhere else there is a VM facing the internet with public IP X.Y.Z.K and the Docker environment installed on top. Inside there are two containers. The first one is a web server facing only a private network, with address 192.168.80.2. The other container is connected to the private network with address 192.168.80.44 and exposes its port 1194 on its other network interface, the one on the public IP.

I need to be able to make 192.168.190.57 open the pages on 192.168.80.2.

The VPN part works fine (the router connects and is pingable from the client) and I don't need help on that.

This is a mockup of my docker-compose file.

version: '2'
services:

  openvpn:
    image: mycompany/openvpn
    restart: 'always'
    cap_add:
      - NET_ADMIN          # needed to create the tun device and manage routes/iptables
    ports:
      - '1194:1194/udp'    # published on the host's public IP
    networks:
      nat:
      private_net:
        ipv4_address: '192.168.80.44'

  coredns:
    image: 'nginx'
    restart: 'always'
    links:
      - openvpn:private_net_vpn
    networks:
      private_net:
        ipv4_address: '192.168.80.2'

networks:
  private_net:
    internal: true         # blocks the containers on this bridge from getting out of it (see the answer below)
    ipam:
      config:
        - subnet: '192.168.80.0/24'
  nat:

[Diagram: scenario described before]

In the end I found the issue.

By default, if you define a network with internal: true, iptables rules are installed that block all the containers on that LAN segment from getting out of it.

At first I thought it was just the route from, let's say, 192.168.80.2 to 192.168.80.1 (the IP assigned to the host machine on that LAN segment) and then on to the internet. Reading all the iptables rules carefully, I found that forwarding is disabled as well.

Removing internal: true let the container route through the VPN as expected, at the cost of letting the web server reach the public internet directly.
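The following is an added example, not part of the original post and not code from Docker or OpenVPN. It models the two isolation rules Docker installs in the host's FORWARD path for an internal network, checks a rule dump for them, and walks one packet from the VPN client through them: it is dropped because its source 192.168.190.57 lies outside 192.168.80.0/24, and it passes once the OpenVPN container masquerades it behind its own private address, which is one way to keep internal: true (and the web server off the internet) instead of removing it. Assumptions: the bridge is named br-private, the chain is DOCKER-ISOLATION-STAGE-1 (DOCKER-ISOLATION on older engines), eth1 is the OpenVPN container's interface on private_net, the rule dump is constructed by hand, and only /24 subnets are handled.

```shell
#!/bin/sh
# Added example (not from the original post). Models the iptables rules Docker
# installs for an `internal: true` network and shows why a packet forwarded from
# a VPN client is dropped, and why it passes once the OpenVPN container
# masquerades it. Bridge name, chain name, eth1 and the sample dump are assumptions.

# Constructed sample in `iptables-save` format, modelled on what Docker adds for
# an internal network: a forwarded packet whose source is outside the subnet
# (entering the bridge) or whose destination is outside it (leaving the bridge)
# is dropped; no MASQUERADE rule exists for the bridge in the nat table.
SAMPLE_RULES='*filter
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-ISOLATION-STAGE-1 ! -s 192.168.80.0/24 -o br-private -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d 192.168.80.0/24 -i br-private -j DROP
-A DOCKER-USER -j RETURN
COMMIT'

# internal_net_isolated SUBNET BRIDGE RULES
# Succeeds (exit 0) when both isolation DROP rules for SUBNET on BRIDGE are
# present in RULES. On a real host feed it "$(iptables-save -t filter)".
internal_net_isolated() {
    subnet=$1; bridge=$2; rules=$3
    printf '%s\n' "$rules" | grep -qF -- "! -s $subnet -o $bridge -j DROP" &&
        printf '%s\n' "$rules" | grep -qF -- "! -d $subnet -i $bridge -j DROP"
}

# forward_verdict SRC DST SUBNET
# Applies those two rules to one packet crossing the internal bridge. With
# br_netfilter (which Docker enables) a frame bridged between two containers
# traverses FORWARD with both -i and -o set to the bridge, so both rules apply.
# Prints DROP or PASS. /24 only: the network part is the first three octets.
forward_verdict() {
    src=$1; dst=$2; net=${3%.*}
    case $src in "$net".*) ;; *) echo DROP; return 0 ;; esac
    case $dst in "$net".*) ;; *) echo DROP; return 0 ;; esac
    echo PASS
}

# snat_source TUNNEL_SUBNET CONTAINER_IP SRC
# Models `iptables -t nat -A POSTROUTING -s TUNNEL_SUBNET -o eth1 -j MASQUERADE`
# run inside the OpenVPN container: a source inside TUNNEL_SUBNET is rewritten
# to CONTAINER_IP (its private_net address); any other source is left alone.
snat_source() {
    tnet=${1%.*}; cip=$2; src=$3
    case $src in "$tnet".*) echo "$cip" ;; *) echo "$src" ;; esac
}

if internal_net_isolated 192.168.80.0/24 br-private "$SAMPLE_RULES"; then
    echo "private_net is internal: off-subnet traffic is dropped on br-private"
fi
echo "VPN client 192.168.190.57 -> web 192.168.80.2: $(forward_verdict 192.168.190.57 192.168.80.2 192.168.80.0/24)"
nat_src=$(snat_source 192.168.190.0/24 192.168.80.44 192.168.190.57)
echo "same packet masqueraded as $nat_src: $(forward_verdict "$nat_src" 192.168.80.2 192.168.80.0/24)"
```

The reply from 192.168.80.2 goes to 192.168.80.44, stays inside the subnet, and is de-NATed by conntrack in the OpenVPN container, so both directions survive the isolation rules without the web server ever gaining a route to the internet. The other option on engines that have the DOCKER-USER chain is to ACCEPT the 192.168.190.0/24 <-> 192.168.80.2 pair there, since FORWARD jumps to DOCKER-USER before the isolation chain; that punches a hole in the host's rules rather than in the container's, so pick whichever side you would rather audit.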

Yes, I do. 192.168.190.57 can ping the VPN server as well. Moreover, the VPN server can ping 192.168.80.2.

Can you traceroute the web server from the VPN client? Also try curl; ping may be blocked on the container.

No, I was not able to. No protocol at all (ICMP, TCP, UDP) worked the way it was configured. But I figured it out; more in my own answer below.

What OpenVPN image are you using? Did you try the web proxy method described here: Docker Hub

If you look closely at the diagram in the image you can see that the Docker container for the VPN is a server, not a client. I don't think that image would work for me.

OK, do you have the entry push 'route 192.168.80.0 255.255.255.0' in your OpenVPN server configuration file?