Docker container cannot access internet behind cisco vpn

Tags: docker, vpn

My setup:

  • Linux Mint 20
  • Docker version 19.03.12
  • Cisco AnyConnect 4.3.05017

My Issue:

When I connect to my company's VPN I cannot access the internet through my docker containers, e.g. running docker run -it ubuntu apt update will fail with the message:

    Err:1 http://archive.ubuntu.com/ubuntu focal InRelease
    Temporary failure resolving 'archive.ubuntu.com'

Disconnecting from the VPN does not fix the issue (see workaround #2).

I have two workarounds:

  1. Running docker with docker run -it --net=host ubuntu apt update will work fine; however, that is not a suitable workaround for my company's scripts and build system. It will do for ad-hoc jobs.
  2. Disconnect from the VPN and run the following script (from https://github.com/moby/moby/issues/36151):

    #!/bin/bash
    # remove all stopped containers, unused images and networks
    docker system prune -a
    systemctl stop docker
    # flush every iptables rule, including the ones Docker installed for its bridge
    iptables -F
    # take down and delete the default bridge so Docker recreates it on start
    ip link set docker0 down
    brctl delbr docker0
    systemctl start docker

This allows it to work again, but then I don't have access to my company's internal servers, which is also needed to build our software.

I have tried these things:

  • Added DNS to daemon.json (My docker container has no internet)
  • Fixing the resolv.conf (My docker container has no internet)
  • https://superuser.com/questions/1130898/no-internet-connection-inside-docker-containers
  • Docker container can only access internet with --net=host
  • https://stackoverflow.com/a/35519951/9496422
  • and basically any other hit on the first two pages of google searching for "docker container no internet behind vpn"
F. Hansen asked Apr 09 '26 12:04


1 Answer

On my machine (Ubuntu) with Cisco AnyConnect and Docker, I found that the VPN incorrectly works with iptables, so my bridge networks don't work.

Workaround is to add these rules:

    iptables -I FORWARD -i docker0 -j ACCEPT
    iptables -I FORWARD -o docker0 -j ACCEPT

docker0 is the name of the default docker bridge network; for custom networks you need to replace "docker0" with the network's interface name. Usually this name starts with "br-".

Hodza answered Apr 12 '26 00:04
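The two FORWARD rules from the answer, applied in an idempotent script that also resolves a user-defined network name to its "br-" interface and checks from inside a container that DNS works again. This is an added example, not code from the question or the answer; it assumes the docker CLI, iptables and ip are installed, that the apply step runs as root, and Docker's default bridge naming ("br-" plus the first 12 characters of the network ID, unless com.docker.network.bridge.name was set when the network was created).

```shell
#!/bin/sh
# Added example, not from the original question or answer. Assumes the docker
# CLI, iptables and ip are installed and that the apply step runs as root.
# Docker names a user-defined network's bridge "br-" + the first 12 characters
# of the network ID, unless com.docker.network.bridge.name was set at creation.
set -eu

# Derive the bridge interface name from a Docker network ID (no docker call).
bridge_name_from_id() {
    id="$1"
    echo "$id" | grep -Eq '^[0-9a-f]{12,64}$' || { echo "invalid network id: $id" >&2; return 1; }
    printf 'br-%.12s\n' "$id"
}

# Resolve a Docker network name to its bridge interface ("bridge" -> docker0).
bridge_for_network() {
    if [ "$1" = "bridge" ]; then echo docker0; return 0; fi
    bridge_name_from_id "$(docker network inspect -f '{{.Id}}' "$1")"
}

# Insert the FORWARD ACCEPT rules only if absent, so re-running after each
# VPN reconnect does not stack duplicate rules in the chain.
ensure_forward_accept() {
    iface="$1"
    ip link show "$iface" >/dev/null || return 1
    for dir in -i -o; do
        if iptables -C FORWARD "$dir" "$iface" -j ACCEPT 2>/dev/null; then
            echo "present: FORWARD $dir $iface ACCEPT"
        else
            iptables -I FORWARD "$dir" "$iface" -j ACCEPT
            echo "added:   FORWARD $dir $iface ACCEPT"
        fi
    done
}

# Confirm from a throwaway container on that network that name resolution works.
verify_from_container() {
    docker run --rm --network "$1" busybox nslookup archive.ubuntu.com >/dev/null 2>&1
}

# Usage: sudo ./fix-docker-vpn.sh bridge [other-network ...]
if [ "$#" -gt 0 ]; then
    for net in "$@"; do
        iface=$(bridge_for_network "$net")
        ensure_forward_accept "$iface"
        if verify_from_container "$net"; then echo "DNS on '$net' ($iface): OK"
        else echo "DNS on '$net' ($iface) still fails" >&2; fi
    done
fi
```

Rules inserted this way do not survive a reboot or an iptables -F, so re-run the script (or persist the rules with your distribution's iptables-save mechanism) after the VPN client has rewritten the chains.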