Hendrik Haddorp February 2016

How to tunnel into the private network of my docker containers on Bluemix?

I have some docker containers running on Bluemix using private IP addresses. I would now like to set up a tunnel from my laptop (running Linux) to access the private network on Bluemix.

I had first created a container running an ssh-server. Using ssh -D I was able to set up a SOCKS5 proxy connection. This worked fine with Chrome but not all applications support a SOCKS proxy.

(google-chrome --proxy-server=socks5://localhost:<tunnel port>)

So I tried to create a container with an OpenVPN server. Unfortunately this does not work on Bluemix as the containers are not running privileged and thus cannot create a tun device.

Bluemix also has a VPN and a Secure Gateway service, which sound promising but so far I could not figure out how to get those working.

Does anybody know if it is possible to make the private docker network available locally and how to connect to that?

Answers


v.bontempi February 2016

Generally speaking, containers should be used to implement services available to external applications (an API service, or a runtime, or a DBMS, or something like that).

According to this, what you could achieve is a set of services available for you on different containers, and a single container working as an SSH tunnel gateway, making your local environment connected to it using SSH and defining a set of local and remote SSH port forwards, with different policies according to the service/port and the IP of the service.

It should work for all the services, and you don't have to use a SOCKS proxy to forward requests to different hosts: using remote SSH forwarding your SSH endpoint will redirect your requests to the right service inside the local/private LAN. I found that this guide correctly describes how to work with local & remote port forwarding.

http://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html

About the OpenVPN solution, as you already know it is not possible to use software requiring privileged mode on containers, because it couldn't be allowed on Bluemix for security reasons: if you wish to have this kind of solution I strongly suggest you use OpenVPN on a VM in the Bluemix UK region (still beta, but an architecture expected to be the final architecture as soon as the VM service becomes a GA service).

I think that these options are the ones available on Bluemix to achieve what you describe without using the VPN service suggested by @bill-wentworth.
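
The SSH gateway approach from the answer above, written out as OpenSSH configuration (an added example, not part of the original answer). The host alias, user name, key path, gateway address placeholder and the two private service addresses are constructed for illustration; the server-side section limits the gateway to exactly the forwards the client defines.

```sshconfig
# --- Laptop: ~/.ssh/config ------------------------------------------
# Constructed values: alias "bluemix-gw", user "tunnel", key path,
# and the private service addresses 172.31.0.10 / 172.31.0.11.
Host bluemix-gw
    HostName <public IP of the gateway container>
    User tunnel
    IdentityFile ~/.ssh/bluemix_gw_ed25519
    IdentitiesOnly yes
    # Bind forwards to loopback only so other hosts on the laptop's
    # network cannot reach the private services through the tunnel.
    LocalForward 127.0.0.1:15432 172.31.0.10:5432
    LocalForward 127.0.0.1:18080 172.31.0.11:8080
    # Fail the connection instead of silently running without a forward.
    ExitOnForwardFailure yes
    ServerAliveInterval 30

# --- Gateway container: /etc/ssh/sshd_config -------------------------
PasswordAuthentication no
PermitRootLogin no
GatewayPorts no
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no

# The tunnel account may only open the two listed destinations and
# gets no shell, so a stolen key exposes these services and nothing more.
Match User tunnel
    AllowTcpForwarding local
    PermitOpen 172.31.0.10:5432 172.31.0.11:8080
    PermitTTY no
    ForceCommand /bin/false
```

Start it with `ssh -N bluemix-gw`; applications on the laptop then connect to 127.0.0.1:15432 and 127.0.0.1:18080 without needing SOCKS support.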

Post Status

Asked in February 2016
Viewed 3,818 times
Voted 14
Answered 1 times
