Epic: VPN

[gaktive]

Running Rancher Desktop on systems that rely on VPNs has proven to be tricky. We'll use this epic to help track the various issues that pop up.

• Rancher Desktop issues when connected to company VPN #722
• Rancher doesn't work on VPN / Corporate Proxy #995

[evertonlperes]

Here's a list of VPN software reported by the users:

• Cisco AnyConnect
• OpenVPN
• ZScaler VPN
• Checkpoint Endpoint Security
• Tailscale
• SAS Corporate Firewall

[agracey]

For Cisco, here's a potential workaround: https://gist.github.com/pyther/b7c03579a5ea55fe431561b502ec1ba8

[mirraxian]

Rancher Desktop on Windows while connected to Cisco AnyConnect 4.10.x or newer is confirmed working when the "Allow local (LAN) acess when using VPN (if configured)" user preferences is set and BypassVirtualSubnetsOnlyV4 Custom Attribute is set according to Cisco's documentation:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/troubleshoot-anyconnect.html#Cisco_Task_in_List_GUI.dita_3a9a8101-f034-4e9b-b24a-486ee47b5e9f

[rwxrob]

It's worth noting that Docker Desktop is not susceptible to this bug at all. In fact, by running Linux in a workspace container under Docker Desktop one can automatically gain the benefits of the VPN state without any scripted changes at all. I'm not sure why that is, but I'm very disappointed to discover that Rancher Desktop is definitely not a drop-in replacement for Docker Desktop for enterprises using Cisco Anyconnect. The instructions to get around the problem defeat the very objective of an easy-to-use, turn-key Docker installation on Mac and Windows.

[vickimfox]

Docker Desktop fixes the WSL2 VPN problem using "vpnkit" (https://github.com/moby/vpnkit).

There is an example of how to use "vpnkit" provided by "wsl-vpnkit" (https://github.com/sakai135/wsl-vpnkit).

[mattfarina]

@rwxrob working with the system VPN is quite a hard problem. Docker Desktop has had years to work on it and has done a fantastic job. I've personally learned more about networking on Mac, Windows, and Linux (which are each different) than I expected going into this.

@vickimfox we're familiar with vpnkit. Rancher Desktop lets you use both containerd and dockerd. vpnkit is wired to work with dockerd. This makes sense for the project given it's under Moby and developed for Docker Desktop. This is one of the many nuances you have with it.

We're working on the problem and, for various reasons, there isn't a quick fix. It is a priority.

[plaisted]

Using Rancher Desktop 1.0 and Cisco AnyConnect with wsl-vpnkit appears to be working at a high level. kubectl works from windows after updating contexts to point to localhost instead of the wsl2 IP. Nerdctl worked without any changes.

[Jan-Pleva]

We need this VPN feature. Is it in plan?

[micxer]

Still broken on macOS with AyConnect. 😢

[Nino-K]

@micxer we have introduced an experimental feature in 1.8.1 that should fix your VPN issue. The feature will be fully baked in our next few upcoming releases. As I mentioned it is experimental and the downside is the port forwarding for all the publish ports has to be performed manually as mentioned here: #4096 (comment)

[micxer]

Seems to be working now. Thanks.