[SOLVED] iptables rules for two different lxc containers

netpumber · 05-02-2017, 11:55 PM

Hi.

I'm running two lxc containers onto a VPS machine. The first one (192.168.1.2) is running an openvpn server while the second one (192.168.1.4) is running a web server.
Until now i used only the openvpn lxc and had these iptables rules for forwarding the traffic:

Code:

# Generated by iptables-save v1.4.21 on Fri Apr 28 16:07:58 2017
*filter
:INPUT ACCEPT [1189211:150089991]
:FORWARD ACCEPT [902865:826112449]
:OUTPUT ACCEPT [1324099:212970374]
COMMIT
# Completed on Fri Apr 28 16:07:58 2017
# Generated by iptables-save v1.4.21 on Fri Apr 28 16:07:58 2017
*nat
:PREROUTING ACCEPT [36:1998]
:INPUT ACCEPT [17:858]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

Now, that I want to set up the web server, i added this iptables rule in order to forward http traffic to web server container.

Code:

iptables -t nat -A PREROUTING -p tcp -m conntrack --ctstate NEW --dport 80 -j DNAT --to-destination 192.168.1.4:80

The thing is that while the forwarding to port 80 seems to work (I can visit nginx's welcome page), openvpn clients doesn't have proper internet connection (although they can ping outside world). And by this, I mean that sites loads very slow and some others don't load at all ( It seems that http traffic is getting lost somewhere). If I remove the above rule everything in the openvpn client connection is working as expected.

P.S : The final rules are these

Code:

# Generated by iptables-save v1.4.21 on Fri Apr 28 16:39:24 2017
*filter
:INPUT ACCEPT [1190228:150215153]
:FORWARD ACCEPT [902877:826113261]
:OUTPUT ACCEPT [1325229:213163664]
COMMIT
# Completed on Fri Apr 28 16:39:24 2017
# Generated by iptables-save v1.4.21 on Fri Apr 28 16:39:24 2017
*nat
:PREROUTING ACCEPT [1:44]
:INPUT ACCEPT [1:44]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 28 16:39:24 2017

Are these rules that I've set correct ? What's your opinion ? Any idea is welcomed.

lazydog · 05-04-2017, 12:18 PM

You rules above should be changed to the following:

Code:

-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80

Since you are not using a STATEFUL firewall the use of conntrack'ing isn't required.
You just need the redirect to ensure it goes to the right place.

Now if you are exposing this machine where the firewall resides to the internet then I would strongly suggest you reconsider your firewall as it protect nothing.

netpumber · 05-05-2017, 03:02 AM

Thank you for answering again. I added your rule and it has the same behavior as with mine one. I'm doing this post through VPN but some other sites like http://ocw.uci.edu/courses cannot load.
I cannot understand why this is happening. Maybe I cannot have both of these services on the same server or maybe there is somewhere else the problem. But know I'm thinking of it and testing it if i remove the rule you said to me, all sites work properly through VPN. What a mystery !

Quote:

Now if you are exposing this machine where the firewall resides to the internet then I would strongly suggest you reconsider your firewall as it protect nothing.

Yes I'm going to set filter rules later. Firstly i wanted to see if i can make these two services work in parallel.

lazydog · 05-05-2017, 10:15 AM

IO don't know your network so to say this or that would not be that much of a help.
How about you give me the layout of your network and were all of these devices/sites are located?

netpumber · 05-06-2017, 06:48 AM

OK. Here we go:

@HOST

Quote:

/etc/network/interfaces

Code:

# interfaces(5) file used by ifup(8) and ifdown(8)
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

# Bridge interface
auto br0
iface br0 inet static
address 192.168.1.1
netmask 255.255.255.0
broadcast 192.168.1.255
bridge_ports none
bridge_fd 2.0
bridge_maxwait 1

Quote:

ifconfig

Code:

br0       Link encap:Ethernet  HWaddr fe:41:c4:74:ff:27  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2024:18ff:febf:2d13/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1673515 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1208123 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1449954305 (1.3 GiB)  TX bytes:1404563219 (1.3 GiB)

eth0      Link encap:Ethernet  HWaddr de:2b:44:3f:a0:03  
          inet addr:10.8.44.199  Bcast:10.255.255.255  Mask:255.255.255.254
          inet6 addr: 2001:bc8:4700:2300::9:1107/127 Scope:Global
          inet6 addr: fe80::dc2b:44ff:fe3f:a003/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1342115 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1822875 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1423509279 (1.3 GiB)  TX bytes:1499532697 (1.3 GiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vethON999A Link encap:Ethernet  HWaddr fe:41:c4:74:ff:27  
          inet6 addr: fe80::fc41:c4ff:fe74:ff27/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1362 (1.3 KiB)  TX bytes:1458 (1.4 KiB)

vethVPN   Link encap:Ethernet  HWaddr fe:cd:03:40:b8:ca  
          inet6 addr: fe80::fccd:3ff:fe40:b8ca/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1673693 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1207923 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1473374063 (1.3 GiB)  TX bytes:1404541466 (1.3 GiB)

Quote:

/var/lib/lxc/WEB/config

Code:

# Template used to create this container: /usr/share/lxc/templates/lxc-debian
# Parameters passed to the template: -r jessie
# For additional config options, please look at lxc.container.conf(5)
#lxc.network.type = empty
lxc.rootfs = /var/lib/lxc/WEB/rootfs

# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf

# Container specific configuration
lxc.mount = /var/lib/lxc/WEB/fstab
lxc.utsname = WEB
lxc.arch = amd64
lxc.autodev = 1
lxc.kmsg = 0
lxc.start.auto = 0

# Network config
lxc.network.type = veth
lxc.network.name = veth0
lxc.network.flags = up
lxc.network.link = br0

## for openvpn
lxc.mount.entry = /dev/net dev/net none bind,create=dir
lxc.cgroup.devices.allow = c 10:200 rwm

Quote:

/var/lib/lxc/VPN/config

Code:

# Template used to create this container: /usr/share/lxc/templates/lxc-debian
# Parameters passed to the template: -r jessie
# For additional config options, please look at lxc.container.conf(5)
#lxc.network.type = empty
lxc.rootfs = /var/lib/lxc/VPN/rootfs

# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf

# Container specific configuration
lxc.mount = /var/lib/lxc/VPN/fstab
lxc.utsname = VPN
lxc.arch = amd64
lxc.autodev = 1
lxc.kmsg = 0
lxc.start.auto = 1

lxc.network.type = veth
lxc.network.veth.pair = vethVPN
lxc.network.name = veth0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:42:1d:a7
lxc.network.link = br0

## for openvpn
lxc.mount.entry = /dev/net dev/net none bind,create=dir
lxc.cgroup.devices.allow = c 10:200 rwm

Quote:

brctl show

Code:

bridge name	bridge id		STP enabled	interfaces
br0		8000.fe41c474ff27	no		vethON999A
							vethVPN

@GUESTS

WEB

Quote:

/etc/network/interfaces

Code:

auto lo
iface lo inet loopback

auto veth0
iface veth0 inet static
address 192.168.1.4
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 192.168.1.1

VPN

Quote:

/etc/network/interfaces

Code:

auto lo
iface lo inet loopback

#auto eth0
#iface eth0 inet dhcp

auto veth0
iface veth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 192.168.1.1

lazydog · 05-07-2017, 12:12 AM

I was more referring to a diagram of the layout.
The above is good too.

netpumber · 05-08-2017, 01:51 AM

I cannot understand what diagram you expected. It is just a VPS with two LXC-containers on it. What else ?

lazydog · 05-08-2017, 09:17 AM

Sorry it was a late night for me and I didn't want your post to go unanswered since I looked at it.

One thing I looked at was you have created 2 container with the same IP Address. Shouldn't you be using different IP Address for different containers? I would think yes as I would imply that a container is the same thing as a VM and your VM's require unique addresses so should your containers.

Try setting up different IP Address for each container and then adjust your firewall accordingly.

netpumber · 05-09-2017, 02:01 AM

Thank you for trying help me.

Quote:

One thing I looked at was you have created 2 container with the same IP Address

Where did you see that ?

Web container has the 192.168.1.4 while the VPN one has the 192.168.1.2

lazydog · 05-09-2017, 11:01 AM

Can you give me the output from the following

Code:

ifconfig
ifconfig -a
route -n

netpumber · 05-10-2017, 02:38 AM

ifconfig

Code:

br0       Link encap:Ethernet  HWaddr fe:41:c4:74:ff:27  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2024:18ff:febf:2d13/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1919505 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1411499 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1627560306 (1.5 GiB)  TX bytes:1579557320 (1.4 GiB)

eth0      Link encap:Ethernet  HWaddr de:2b:44:3f:a0:03  
          inet addr:10.8.44.199  Bcast:10.255.255.255  Mask:255.255.255.254
          inet6 addr: 2001:bc8:4700:2300::9:1107/127 Scope:Global
          inet6 addr: fe80::dc2b:44ff:fe3f:a003/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1893267 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2466698 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1692438668 (1.5 GiB)  TX bytes:1752059738 (1.6 GiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vethON999A Link encap:Ethernet  HWaddr fe:41:c4:74:ff:27  
          inet6 addr: fe80::fc41:c4ff:fe74:ff27/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3184 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4302 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:249354 (243.5 KiB)  TX bytes:354380 (346.0 KiB)

vethVPN   Link encap:Ethernet  HWaddr fe:cd:03:40:b8:ca  
          inet6 addr: fe80::fccd:3ff:fe40:b8ca/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1918692 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1409259 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1654308602 (1.5 GiB)  TX bytes:1579319493 (1.4 GiB)

ifconfig -a

Code:

br0       Link encap:Ethernet  HWaddr fe:41:c4:74:ff:27  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2024:18ff:febf:2d13/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1919505 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1411499 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1627560306 (1.5 GiB)  TX bytes:1579557320 (1.4 GiB)

eth0      Link encap:Ethernet  HWaddr de:2b:44:3f:a0:03  
          inet addr:10.8.44.199  Bcast:10.255.255.255  Mask:255.255.255.254
          inet6 addr: 2001:bc8:4700:2300::9:1107/127 Scope:Global
          inet6 addr: fe80::dc2b:44ff:fe3f:a003/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1893304 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2466722 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1692441578 (1.5 GiB)  TX bytes:1752065866 (1.6 GiB)

ip6_vti0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ip6gre0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          NOARP  MTU:1448  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ip6tnl0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          NOARP  MTU:1452  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

sit0      Link encap:IPv6-in-IPv4  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vethON999A Link encap:Ethernet  HWaddr fe:41:c4:74:ff:27  
          inet6 addr: fe80::fc41:c4ff:fe74:ff27/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3184 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4302 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:249354 (243.5 KiB)  TX bytes:354380 (346.0 KiB)

vethVPN   Link encap:Ethernet  HWaddr fe:cd:03:40:b8:ca  
          inet6 addr: fe80::fccd:3ff:fe40:b8ca/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1918692 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1409259 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1654308602 (1.5 GiB)  TX bytes:1579319493 (1.4 GiB)

route -n

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.44.198     0.0.0.0         UG    0      0        0 eth0
10.8.44.198     0.0.0.0         255.255.255.254 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0

lazydog · 05-10-2017, 08:17 AM

Quote:

Originally Posted by netpumber

@GUESTS

WEB

Code:

auto lo
iface lo inet loopback

auto veth0
iface veth0 inet static
address 192.168.1.4
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 192.168.1.1

VPN

Code:

auto lo
iface lo inet loopback

#auto eth0
#iface eth0 inet dhcp

auto veth0
iface veth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 192.168.1.1

Quote:

Originally Posted by netpumber

ifconfig

Code:

vethON999A Link encap:Ethernet  HWaddr fe:41:c4:74:ff:27  
          inet6 addr: fe80::fc41:c4ff:fe74:ff27/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3184 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4302 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:249354 (243.5 KiB)  TX bytes:354380 (346.0 KiB)

vethVPN   Link encap:Ethernet  HWaddr fe:cd:03:40:b8:ca  
          inet6 addr: fe80::fccd:3ff:fe40:b8ca/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1918692 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1409259 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1654308602 (1.5 GiB)  TX bytes:1579319493 (1.4 GiB)

Above you will see that I highlighted a few thing. In your config you name the interfaces the same for both containers which I believe is not possible as every container needs it own interface. Second you see the interfaces are also named something different then what you have configured for your containers. How are you binding vethVPN to your VPN container and same with the other container and interface?

netpumber · 05-11-2017, 01:19 AM

vethVPN and veth0N999A are the virtual interfaces from Host's perspective for VPN and web container respectively.

Now if i run the ifconfig inside the containers I'm getting :

For VPN :

Quote:

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
inet6 addr: fe80::9b94:2b7a:5d84:1e8d/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:696119 errors:0 dropped:0 overruns:0 frame:0
TX packets:1214836 errors:0 dropped:28 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:50481453 (48.1 MiB) TX bytes:1480859672 (1.3 GiB)

veth0 Link encap:Ethernet HWaddr 00:16:3e:42:1d:a7
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::216:3eff:fe42:1da7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1409465 errors:0 dropped:0 overruns:0 frame:0
TX packets:1918876 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1579335235 (1.4 GiB) TX bytes:1654321173 (1.5 GiB)

and for Web

Quote:

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

veth0 Link encap:Ethernet HWaddr 1a:2c:9d:70:88:d3
inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::182c:9dff:fe70:88d3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5908 errors:0 dropped:0 overruns:0 frame:0
TX packets:4577 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:558378 (545.2 KiB) TX bytes:390018 (380.8 KiB)

You see? They both have the same name inside the container and I don't believe that this is the problem, but I might be wrong.

lazydog · 05-11-2017, 12:34 PM

Something else that sticks out is you have a tun0 interface in the VPN container but not the WEB container.
And if I'm not mistaking you said that the VPN worked as long as that was the only container.

netpumber · 05-12-2017, 02:42 AM

tun0 interface has nothing to do with this. tun0 interface is the interface that openvpn server needs for its clients. WEB container doesn't need something like that.
The problem i believe lies in iptables part.