Routing Docker Image Pulls Through a VPN Tunnel#
A quick method for bypassing network restrictions that blocked Docker from directly accessing container registries.
Note
AI Usage Notice: This post uses AI for research assistance, going beyond my standard grammar-only policy.
Fast Workaround: This post documents a specific technical problem I faced and how I solved it. The solution is tailored to my particular local environment and not a comprehensive guide for all scenarios.
Overcoming Network Restrictions#
This note outlines a way to overcome network firewall restrictions that were preventing Docker from accessing container registries directly. I’m documenting this primarily for my own future reference, but it should work for anyone facing similar networking challenges, such as corporate environments with restricted VPN access policies or home labs where only one system has a VPN set up.
The Problem#
I had two machines:
Machine A: Linux server running Docker, needing to pull container images
Machine B: another system with an active VPN connection to share
Docker couldn’t directly access public container registries due to the firewall, but my Mac with VPN (WireGuard) could access everything. I needed a way to route Docker’s traffic through the VPN-enabled machine.
The Solution: SSH SOCKS Proxy#
An easy solution is to create an SSH SOCKS proxy tunnel from the Docker host to the VPN-enabled Mac, then configure the Docker daemon to use this proxy.
Step 1: Enable SSH on Machine B#
I am using macOS, so I simply turn on Remote Login in System Settings > General > Sharing. On Linux, the SSH server is usually already installed and running; if it is not, enable and start it:
# The unit is named "ssh" on Debian/Ubuntu and "sshd" on RHEL/Fedora
sudo systemctl enable ssh
sudo systemctl start ssh
# Verify SSH is running
sudo systemctl status ssh
Step 2: Create SSH SOCKS Tunnel on Machine A#
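On your Docker host (Machine A), create an SSH tunnel to Machine B:
ssh -f -D 1081 -N username@MACHINE_B_IP_ADDRESS
-D 1081 creates a SOCKS proxy on local port 1081; -f sends ssh to the background after authentication, and -N skips running a remote command. With the default settings the listener is bound to the loopback interface only, so other hosts on the network cannot use the tunnel.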
Step 3: Configure Docker Daemon to Use the Proxy#
Create a systemd override configuration for Docker:
sudo mkdir -p /etc/systemd/system/docker.service.d
sudo nano /etc/systemd/system/docker.service.d/http-proxy.conf
Add the following content to instruct Docker to use the proxy:
[Service]
Environment="HTTP_PROXY=socks5://127.0.0.1:1081"
Environment="HTTPS_PROXY=socks5://127.0.0.1:1081"
Environment="NO_PROXY=localhost,127.0.0.1"
After changing the proxy settings, reload systemd and restart the Docker daemon so that the override takes effect (some corporate proxies may require additional SSL certificate configuration):
sudo systemctl daemon-reload
sudo systemctl restart docker
Step 4: Test the Setup#
Verify that the SOCKS proxy is working:
curl --socks5 127.0.0.1:1081 http://ifconfig.me
This should return your VPN’s IP address.
Success at this step indicates that the proxy is set up correctly; to confirm, try pulling an image:
docker pull jc21/nginx-proxy-manager:latest
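As an added example (not part of the original post), the script below checks two things Step 4 does not: that the SOCKS listener on port 1081 is bound to loopback only, so other hosts cannot route traffic through the VPN, and that the Docker unit has actually loaded the proxy variables. The function names and sample data are assumptions made for this example.

```sh
#!/bin/sh
# Added example: checks for the tunnel on port 1081 and Docker's proxy settings.
# Function names and SAMPLE_* data are constructed for illustration.

# stdin: output of `ss -ltn`. Returns 0 if the port listens on loopback only,
# 1 if it is reachable from other hosts, 2 if nothing listens on it.
socks_listener_status() {
    awk -v port="$1" '
        { n = split($4, part, ":"); if (part[n] != port) next   # $4 = local addr:port
          found = 1
          addr = substr($4, 1, length($4) - length(port) - 1)
          if (addr != "127.0.0.1" && addr != "[::1]") { print "exposed on " addr; bad = 1 } }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }'
}

# stdin: output of `systemctl show --property=Environment docker`.
# Returns 0 only if HTTP_PROXY and HTTPS_PROXY both point at the local tunnel.
docker_proxy_matches() {
    want="socks5://127.0.0.1:$1"
    env_line=$(cat)
    for var in HTTP_PROXY HTTPS_PROXY; do
        case " ${env_line#Environment=} " in
            *" $var=$want "*) ;;
            *) echo "$var is not $want"; return 1 ;;
        esac
    done
    return 0
}

# Constructed samples (not captured from a real host).
SAMPLE_SS_OK='LISTEN 0 128 127.0.0.1:1081 0.0.0.0:*
LISTEN 0 128 [::1]:1081 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_SS_EXPOSED='LISTEN 0 128 0.0.0.0:1081 0.0.0.0:*'
SAMPLE_ENV_OK='Environment=HTTP_PROXY=socks5://127.0.0.1:1081 HTTPS_PROXY=socks5://127.0.0.1:1081 NO_PROXY=localhost,127.0.0.1'
SAMPLE_ENV_STALE='Environment='

printf '%s\n' "$SAMPLE_SS_OK" | socks_listener_status 1081 && echo "listener: loopback only"
printf '%s\n' "$SAMPLE_SS_EXPOSED" | socks_listener_status 1081 || echo "listener: fix the bind address"
printf '%s\n' "$SAMPLE_ENV_OK" | docker_proxy_matches 1081 && echo "docker: proxy loaded"
printf '%s\n' "$SAMPLE_ENV_STALE" | docker_proxy_matches 1081 || echo "docker: reload and restart"

# On the Docker host, feed the functions live data instead:
#   ss -ltn | socks_listener_status 1081
#   systemctl show --property=Environment docker | docker_proxy_matches 1081
```

An empty Environment= line from systemctl means the override was not picked up, which usually points to a skipped daemon-reload or restart.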