Default router override a.k.a full tunnel

[metya]

In the docker run, there are several published ports including 9993/udp
The network works, but full tunnel a.k.a default router override doesn't.

How to make this work inside the container?

When I run docker with `--net=host1, it doesn't work at all, even though the network doesn't connect.

[kmahyyg]

--net=host will use net namespace of host computer, which equals to run on the host computer. Not host1. Also, please tell me more about your usage and situation.

[metya]

I'm sorry! It was a typo.
I mean --net=host.

I know that it uses the namespace of the host computer, but it just doesn't work at all for me, that's strange I know, but it seems I can't fix it.
But with published ports, it works. So I want to use a full tunnel with only published ports from the container. Is it possible?

[kmahyyg]

I'm not that familiar with Linux network stack, maybe need some testing of this.

[kmahyyg]

And also I still don't know the situation you would like to use on, please give me more details if possible. Thanks.

[metya]

Sure!

In ZeroTier there is the option to route all traffic to all clients of the certain network through one of the connected clients. i.e. like VPN. For example through the controller, there ZeroTier docker with ztcui is hosted. So all traffic with the option Allow Default Router Override is turned on on clients goes to the internet from the controller network. It is very useful if you want to have something like VPN with created networks through ZeroTier.
Here is the detailed version of my description from docs https://zerotier.atlassian.net/wiki/spaces/SD/pages/7110693

The problem is, that it doesn't work inside the docker container with published only port 9993/udp for some reason. Ideally, it should work with the flag --net=host, but in my case, it doesn't work either, but I think it is a problem with my host network, and it doesn't matter for now, because it is not a good way to map container network to the host.
For example, the OpenVPN server in a container works perfectly with just published port 1194/udp.

So I wonder if is there a way to get a working full tunnel inside a container just with some published ports.

[metya]

Let me know if I should provide more information about anything :)

[kmahyyg]

Sorry for the late response, recently, I'm really busy with my work and have no time to try to find the root cause, I suggest you search for something like:

• route all traffic into a docker

On my personal point of view, docker use iptables to map port to outside. The underlying virtual network interface is a tun. So you might need to find a way like this:

1. route other traffic on your other machine to current host
2. enable ip forwarding on kernel, allow forward operation in iptables
3. do NAT for incoming traffic to make sure the traffic dest and src can be found inside the container (this might be the key point for this question)

please leave this issue open, I will help you solve as best as I can when I'm spare.

Thanks for your question.