
VPN Routing

Docker containers do not inherit the host machine's VPN connection. The vpn-start.sh script solves this by establishing a VPN tunnel that Docker traffic can route through.


The Problem

Host VPN Does Not Route Docker Traffic

When you connect to a VPN on your host machine (e.g., via OpenVPN GUI or WireGuard app), only host-level network traffic is routed through the tunnel. Docker containers use their own network namespace and bridge (docker0), which bypasses the host VPN entirely.

This means pentest tools running inside the pentest-tools container will connect directly to the internet, not through your VPN -- even if the host shows an active VPN connection.


vpn-start.sh

The vpn-start.sh script manages VPN connections that Docker containers can route through.

Usage

# Start OpenVPN with a named profile
./vpn-start.sh --vpn office

# Start WireGuard with a named profile
./vpn-start.sh --vpn home --wg

# Stop all VPN connections
./vpn-start.sh --stop

Flags

| Flag | Description |
|------|-------------|
| --vpn <name> | Profile name (matches filename in vpn/profiles/) |
| --wg | Use WireGuard instead of OpenVPN |
| --stop | Stop all active VPN connections |

VPN Profiles

Location

VPN configuration files are stored in:

vpn/profiles/

This directory is gitignored to prevent accidental credential exposure.

OpenVPN

Place .ovpn files in vpn/profiles/:

vpn/profiles/office.ovpn
vpn/profiles/lab.ovpn

The profile name used with --vpn matches the filename without the extension:

# Uses vpn/profiles/office.ovpn
./vpn-start.sh --vpn office

WireGuard

Place .conf files in vpn/profiles/:

vpn/profiles/home.conf

Use the --wg flag to select WireGuard:

# Uses vpn/profiles/home.conf
./vpn-start.sh --vpn home --wg

Credential Files

If an .ovpn profile requires username/password authentication, create a corresponding auth file:

vpn/profiles/<name>-auth.txt

The auth file contains two lines:

username
password

Example

For vpn/profiles/office.ovpn:

vpn/profiles/office-auth.txt

Contents:

john.doe@company.com
MyVPNPassword123!

Security

Auth files are gitignored along with the rest of vpn/profiles/. Never commit VPN credentials.
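The profile layout and the -auth.txt format above are easy to get subtly wrong (wrong extension for the backend, a blank line in the credential file, a credential file left world-readable). The following shell functions, written here as an added example and not taken from vpn-start.sh or the project, resolve a --vpn name to its config file exactly as the page describes and sanity-check the matching -auth.txt before a tunnel is brought up. PROFILE_DIR, the function names, and the script name in the usage comment are assumptions; the `auth-user-pass` directive is the standard OpenVPN directive that asks for username/password authentication.

```shell
#!/bin/sh
# Added example (not part of vpn-start.sh): resolve a --vpn profile name to
# its config file and sanity-check the matching -auth.txt before a tunnel
# is brought up. Assumes the vpn/profiles/ layout described on this page;
# PROFILE_DIR is an assumption so the functions can be pointed elsewhere.
PROFILE_DIR="${PROFILE_DIR:-vpn/profiles}"

# profile_path NAME [wg]: print the config path for NAME, using .conf when
# the second argument is "wg" (WireGuard) and .ovpn otherwise.
# Fails when the file does not exist.
profile_path() {
    name=$1
    case "${2:-openvpn}" in
        wg) path="$PROFILE_DIR/$name.conf" ;;
        *)  path="$PROFILE_DIR/$name.ovpn" ;;
    esac
    [ -f "$path" ] || return 1
    printf '%s\n' "$path"
}

# auth_file_ok NAME: check vpn/profiles/NAME-auth.txt has exactly two
# non-empty lines (username, then password) and that group/other have no
# access to it, so a world-readable credential file is caught early.
auth_file_ok() {
    f="$PROFILE_DIR/$1-auth.txt"
    [ -f "$f" ] || { echo "auth file missing: $f" >&2; return 1; }
    # grep -c '' counts lines even when the last one has no trailing newline
    lines=$(grep -c '' "$f" || true)
    [ "$lines" -eq 2 ] || { echo "$f: expected 2 lines, found $lines" >&2; return 1; }
    if grep -q '^[[:space:]]*$' "$f"; then
        echo "$f: blank line where username/password expected" >&2
        return 1
    fi
    # ls -ld prints e.g. -rw------- ; columns 5-10 are the group/other bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f: readable by group/other, run chmod 600" >&2
        return 1
    fi
    return 0
}

# Stand-alone use (script name hypothetical): ./check-profile.sh NAME [wg]
# The auth file is only required when the .ovpn asks for auth-user-pass.
if [ $# -ge 1 ]; then
    cfg=$(profile_path "$1" "${2:-}") || { echo "no profile for '$1'" >&2; exit 1; }
    echo "profile: $cfg"
    if [ "${2:-}" != wg ] && grep -q '^auth-user-pass' "$cfg"; then
        auth_file_ok "$1" || exit 1
        echo "auth file: $PROFILE_DIR/$1-auth.txt looks sane"
    fi
fi
```

Run it as `sh check-profile.sh office` (or `sh check-profile.sh home wg`) from the repository root before `./vpn-start.sh`; a non-zero exit with the reason on stderr maps directly onto the "Auth failure" and "Connection timeout" rows of the troubleshooting table. The permission check deliberately reads the group/other bits rather than requiring an exact mode, so 0600 and 0400 both pass.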


Setup Guide

For full setup instructions, see README.md Step 7. The general process:

  1. Place your VPN config file in vpn/profiles/
  2. If the config needs credentials, create the -auth.txt file
  3. Run ./vpn-start.sh --vpn <name> (add --wg for WireGuard)
  4. Verify connectivity from inside Docker:

    # Check that Docker traffic routes through VPN
    docker run --rm pentest-tools curl -s https://ifconfig.me
    
  5. Compare the IP with your VPN's expected exit IP
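Steps 4 and 5 are where a silently bypassed VPN is caught, so the comparison is worth scripting rather than eyeballing. The following is an added example, not code from vpn-start.sh or the project: it records the host's direct IP before the tunnel is started, runs the page's `docker run ... curl https://ifconfig.me` check afterwards, and refuses to report success unless the container's egress address is a real IPv4 address that differs from the pre-VPN host address (and matches the expected exit IP when one is supplied). The verdict names, the before/after design, the function names, and the script name are assumptions; the sample addresses in the usage comment are constructed documentation-range values.

```shell
#!/bin/sh
# Added example (not part of vpn-start.sh or the project): decide whether
# container egress really goes through the tunnel by comparing the IP seen
# from inside the container with the host's direct IP recorded before
# vpn-start.sh ran, and optionally with the VPN's expected exit IP.

# is_ipv4 S: true when S is a dotted quad. A blocked egress or a captive
# portal makes curl return nothing or HTML, which must not pass as an IP.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# vpn_route_verdict CONTAINER_IP HOST_IP_BEFORE [EXPECTED_IP]
# Prints exactly one word and returns 0 only for "ok":
#   invalid    - an observed value is not an IP address
#   bypassed   - container egress equals the pre-VPN host IP (no tunnel)
#   unexpected - egress changed but is not the expected exit IP
#   ok         - egress changed (and matches EXPECTED_IP when given)
vpn_route_verdict() {
    c=$1; h=$2; e=${3:-}
    if ! is_ipv4 "$c" || ! is_ipv4 "$h"; then echo invalid; return 1; fi
    if [ "$c" = "$h" ]; then echo bypassed; return 1; fi
    if [ -n "$e" ] && [ "$c" != "$e" ]; then echo unexpected; return 1; fi
    echo ok
}

# check_live HOST_IP_BEFORE [EXPECTED_IP]: run the page's docker check,
# report the verdict, and dump the container's resolv.conf, since
# VPN-pushed DNS that Docker did not pick up is the troubleshooting item
# that an IP check alone will not reveal.
check_live() {
    container_ip=$(docker run --rm pentest-tools curl -s --max-time 10 https://ifconfig.me)
    verdict=$(vpn_route_verdict "$container_ip" "$1" "${2:-}") || true
    echo "container egress: ${container_ip:-<none>} -> $verdict"
    echo "container resolv.conf:"
    docker run --rm pentest-tools cat /etc/resolv.conf
    [ "$verdict" = ok ]
}

# Usage (script name hypothetical, addresses constructed):
#   before=$(curl -s https://ifconfig.me)      # run BEFORE vpn-start.sh
#   ./vpn-start.sh --vpn office
#   ./vpn-check.sh "$before" 203.0.113.7       # expected exit IP optional
case "${1:-}" in
    '') ;;                              # no args: only define the functions
    *)  check_live "$1" "${2:-}" ;;
esac
```

Capturing the host IP before the tunnel comes up matters because, depending on how vpn-start.sh configures routing, the host's own default route may also move into the tunnel afterwards, at which point "container IP equals host IP" would no longer prove a bypass. A `bypassed` verdict corresponds to the first troubleshooting row below; an `invalid` verdict usually means the container has no working egress or DNS at all.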


Stopping VPN

./vpn-start.sh --stop

This terminates all active VPN connections managed by the script.


Troubleshooting

| Issue | Solution |
|-------|----------|
| Docker traffic bypasses VPN | Ensure you used vpn-start.sh, not the host VPN client |
| Connection timeout | Check that the .ovpn/.conf file is valid and the VPN server is reachable |
| Auth failure | Verify the -auth.txt file exists and contains correct credentials |
| DNS resolution fails inside container | The VPN may push DNS settings that Docker does not pick up -- check resolv.conf inside the container |
| WireGuard not found | Ensure WireGuard tools are installed on the host (wg-quick) |