
Unable to connect to docker on Anyconnect VPN

I am using Docker Toolbox on Windows for docker-related development. This works fine when I am on my home or office network, but it doesn't work when I am using the AnyConnect VPN to connect to the office network. Please let me know if there is a network setting which can be changed to make it work.

dabansal asked Jan 19 '17 10:01


3 Answers

I've really liked OpenConnect (which supports more configuration options than network-manager-openconnect). Even hideous installations that require csd-wrapper usually work well.

AnyConnect breaks docker networks in a weird way and they stay broken even after you exit the VPN (even if you stop vpnagentd afterwards).

The workaround is to stop docker, clear all its networks and bridges and only then start the AnyConnect VPN. You can start docker after the VPN session ends and it will re-create all necessary stuff.

I created a script to workaround this unfortunate behavior that does exactly this:

#!/bin/sh
# usage:
#   vpn.sh [start]
#   vpn.sh stop

if [ "$1" = "stop" ]; then
    # Tear the VPN down first, then bring docker back; it re-creates its bridges on start.
    /opt/cisco/anyconnect/vpn/vpn disconnect
    sudo systemctl stop vpnagentd
    echo "Cisco VPN stopped"
    echo "Starting docker"
    sudo systemctl start docker
else
    # Docker must be stopped and its bridges removed before AnyConnect starts.
    echo "Stopping docker"
    sudo systemctl stop docker
    # first column of `brctl show` (bridge names), minus the header line
    bridges=$(sudo brctl show | cut -f1 | tail -n +2)
    for b in $bridges; do
        sudo nmcli connection delete "$b"
        sudo ip link set dev "$b" down
        sudo brctl delbr "$b"
    done
    echo "Starting Cisco VPN"
    sudo systemctl start vpnagentd
    /opt/cisco/anyconnect/vpn/vpn connect 'VPN-NAME'
fi

Note: A VPN admin can prevent you from using OpenConnect and force you to use Cisco AnyConnect only, but you might have a better experience if LocalLanAccess is enabled in your VPN profile.

katox answered Oct 01 '22 20:10


The following worked for me.

Try using OpenConnect instead of AnyConnect:

sudo apt install openconnect
sudo apt install network-manager-openconnect

and then (for Ubuntu 16 at least) comment out the line dns=dnsmasq, so it becomes like this:

$ cat /etc/NetworkManager/NetworkManager.conf
[main]
plugins=ifupdown,keyfile,ofono
#dns=dnsmasq

Then add a connection using NetworkManager to your VPN provider and connect. (NetworkManager -> Edit connections -> Add. Then select the connection type to be VPN -> Cisco AnyConnect.)

Reboot and reconnect, and now docker containers should have access to internet.

Yngvar Kristiansen answered Sep 30 '22 20:09


Docker adds an entry by default to the routing table, which forwards all traffic with destination 172.17.X.X through the loopback address. In your case, if the IP address assigned to your computer by AnyConnect begins with 172.17, the two subnets overlap and Docker freezes the VPN connection (you can check that by looking at the IP assigned by AnyConnect and comparing it with the routing table of the docker machine).

If that's the case, you can change the default subnet used by Docker by adding the following to the %programdata%\docker\config\daemon.json

{
  "default-address-pools":
  [
    {"base":"10.10.0.0/16","size":24}
  ]
}

After those configuration changes, restart the Docker service and verify that the new subnet has been set (you can use netstat -rn).

Article for the steps in Linux here.

Marios Karatisoglou answered Sep 28 '22 20:09
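A way to perform the overlap check this answer describes, as an added example that is not part of the original answer: it parses `ip route`-style output (the sample lines below are constructed, not captured from a real host; the `netstat -rn` layout the answer mentions is not parsed), checks whether the address AnyConnect assigned falls inside any existing route such as Docker's 172.17.0.0/16, and then renders the `daemon.json` fragment with the first candidate pool that overlaps neither the VPN subnet nor the other local routes. The candidate pool list and the VPN address are assumptions for the demo.

```python
import ipaddress
import json

# Constructed sample of `ip route show` output (assumed format; not from a real host).
# The second line is the route Docker adds for its default bridge network.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""


def parse_routes(text):
    """Parse `ip route` lines into (network, device) pairs, skipping the default route."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "default":
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue  # not a prefix we understand; ignore the line
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, dev))
    return routes


def overlapping_routes(routes, vpn_address):
    """Return the routes whose prefix contains the address the VPN assigned.

    vpn_address may carry a prefix length ("172.17.5.9/24"); only the host part is
    tested, because any existing route covering it will capture the VPN's traffic.
    """
    addr = ipaddress.ip_interface(vpn_address).ip
    return [(net, dev) for net, dev in routes if addr in net]


def choose_pool(candidates, avoid):
    """Pick the first candidate pool that overlaps none of the networks in `avoid`."""
    avoid_nets = [ipaddress.ip_network(a, strict=False) for a in avoid]
    for cand in candidates:
        pool = ipaddress.ip_network(cand)
        if not any(pool.overlaps(n) for n in avoid_nets):
            return pool
    raise ValueError("no candidate pool is free of overlaps")


def daemon_json(pool, size=24):
    """Render the daemon.json fragment from the answer for the chosen pool."""
    return json.dumps(
        {"default-address-pools": [{"base": str(pool), "size": size}]}, indent=2
    )


if __name__ == "__main__":
    vpn = "172.17.5.9/24"  # constructed: pretend this is what AnyConnect assigned
    routes = parse_routes(SAMPLE_ROUTES)
    clash = overlapping_routes(routes, vpn)
    if clash:
        for net, dev in clash:
            print(f"VPN address {vpn} lies inside {net} on {dev}")
        # keep the VPN subnet and every non-Docker local route out of the new pool
        keep_clear = [str(ipaddress.ip_interface(vpn).network)]
        keep_clear += [str(n) for n, dev in routes if dev != "docker0"]
        pool = choose_pool(["172.17.0.0/16", "10.10.0.0/16"], keep_clear)
        print(daemon_json(pool))
    else:
        print("no overlap; the routing table is not the problem")
```

Run it with no arguments to see the current Docker route rejected and the 10.10.0.0/16 pool from the answer emitted; swap in your own `ip route` output and VPN address to check a real host.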