I'm using an OpenVPN server in a Docker container for multiple client connections. This container is located in a specific Docker network in which I have a web server as client target.
I want to publish the host name of my web server to clients so that they won't need to know its IP address in order to reach it. To do so, I want to open the Docker's native DNS server to the OpenVPN clients and push to them the OpenVPN's IP as DNS server.
However, the Docker DNS server resides in the OpenVPN container, listening on 127.0.0.11 (with iptables internal redirections but that's another story).
Thus, in the OpenVPN server container, I need to add an iptables rule in order to forward a DNS request coming from the external OpenVPN IP to the internal 127.0.0.11 one.
But such an internal forward requires me to execute the following command:
sysctl -w net.ipv4.conf.tun0.route_localnet=1
Using the only NET_ADMIN capability when running docker run (--cap-add=NET_ADMIN), I get the following error message:
sysctl: error setting key 'net.ipv4.conf.tun0.route_localnet': Read-only file system
However, this perfectly works using the --privileged flag, but the one is too permissive.
Is there any Linux capability that can do the trick without using the --privileged flag?
I couldn't find the answer in the Linux capabilities manual.
I found a solution, using the --sysctl's docker run option
Solution in docker-compose.yml:
sysctls:
- net.ipv4.conf.tun0.route_localnet=1 # Doesn't work as tun0 doesn't
# exist yet at container start time
- net.ipv4.conf.default.route_localnet=1 # Workaround.