linux – Networking to and from the OpenVPN Docker container with macvlan

I'm trying to network a container running kylemanna/docker-openvpn to a test system. The container runs on a gateway that is physically connected to the DUT.

The gateway has interfaces like this:

$ ip addr
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: uplink: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0e:c4:d4:b2:53 brd ff:ff:ff:ff:ff:ff
    inet 10.2.40.87/22 scope global uplink
       valid_lft forever preferred_lft forever
    inet6 fe80::20e:c4ff:fed4:b253/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 18:f4:6a:83:7c:dd brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 scope global wlan0
       valid_lft forever preferred_lft forever
4: pvs5-plc: mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:0e:c4:d4:b2:54 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 scope global pvs5-plc
       valid_lft forever preferred_lft forever
5: pvs5-lan: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0e:c4:d4:b2:55 brd ff:ff:ff:ff:ff:ff
    inet 172.27.153.173/24 brd 172.27.153.255 scope global noprefixroute pvs5-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::20e:c4ff:fed4:b255/64 scope link
       valid_lft forever preferred_lft forever
6: pvs5-wan: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0e:c4:d4:b2:56 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 scope global pvs5-wan
       valid_lft forever preferred_lft forever
    inet6 fe80::20e:c4ff:fed4:b256/64 scope link
       valid_lft forever preferred_lft forever
7: docker0: mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:40:61:4c:18 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

$ ip route
default via 10.2.40.1 dev uplink proto static
default via 172.27.153.1 dev pvs5-lan proto dhcp src 172.27.153.173 metric 205
10.2.40.0/22 dev uplink proto kernel scope link src 10.2.40.87
10.2.40.1 dev uplink proto static scope link
169.254.0.0/16 dev docker0 scope link src 169.254.16.125 metric 207
169.254.0.0/16 dev veth242d1f4 scope link src 169.254.84.156 metric 209
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.27.153.0/24 dev pvs5-lan proto dhcp scope link src 172.27.153.173 metric 205
192.168.0.0/24 dev pvs5-wan proto kernel scope link src 192.168.0.1
192.168.1.0/24 dev pvs5-plc proto kernel scope link src 192.168.1.1 linkdown
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.1 linkdown

The container:

$ ip addr
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 192.168.255.1 peer 192.168.255.2/32 scope global tun0
       valid_lft forever preferred_lft forever
8: eth0@if9: mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
10: eth1@if5: mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:1b:99:80 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.27.153.128/24 brd 172.27.153.255 scope global eth1
       valid_lft forever preferred_lft forever

$ ip route
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2
172.27.153.0/24 dev eth1 proto kernel scope link src 172.27.153.128
192.168.255.0/24 via 192.168.255.2 dev tun0
192.168.255.2 dev tun0 proto kernel scope link src 192.168.255.1

The DUT:

$ ip addr
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: can0: mtu 16 qdisc noop state DOWN group default qlen 10
    link/can
3: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:22:f2:0b:31:5e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::222:f2ff:fe0b:315e/64 scope link
       valid_lft forever preferred_lft forever
5: sit0@NONE: mtu 1480 qdisc noop state DOWN group default qlen 1
    link/sit 0.0.0.0 brd 0.0.0.0
6: lan0@eth0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:22:f2:0b:31:5e brd ff:ff:ff:ff:ff:ff
    inet 172.27.153.1/24 brd 172.27.153.255 scope global lan0
       valid_lft forever preferred_lft forever
    inet6 fe80::222:f2ff:fe0b:315e/64 scope link
       valid_lft forever preferred_lft forever
7: wan0@eth0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:22:f2:0b:31:5f brd ff:ff:ff:ff:ff:ff
    inet 169.254.59.148/16 brd 169.254.255.255 scope global wan0
       valid_lft forever preferred_lft forever
    inet6 fe80::222:f2ff:fe0b:315f/64 scope link
       valid_lft forever preferred_lft forever
8: sta0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether cc:4b:73:52:3f:7f brd ff:ff:ff:ff:ff:ff
    inet 10.2.217.237/21 brd 10.2.223.255 scope global sta0
       valid_lft forever preferred_lft forever
    inet6 fe80::ce4b:73ff:fe52:3f7f/64 scope link
       valid_lft forever preferred_lft forever
9: wwan0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/none
    inet 10.43.36.140/29 brd 10.43.36.143 scope global wwan0
       valid_lft forever preferred_lft forever
10: ap0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether ce:4b:73:52:3f:7f brd ff:ff:ff:ff:ff:ff
    inet 172.27.152.1/24 brd 172.27.152.255 scope global ap0
       valid_lft forever preferred_lft forever
    inet6 fe80::cc4b:73ff:fe52:3f7f/64 scope link
       valid_lft forever preferred_lft forever

$ ip route
default via 10.2.216.1 dev sta0
4.2.2.2 via 10.2.216.1 dev sta0
8.8.8.8 via 10.2.216.1 dev sta0
10.2.10.9 via 10.2.216.1 dev sta0
10.2.10.10 via 10.2.216.1 dev sta0
10.2.216.0/21 dev sta0 proto kernel scope link src 10.2.217.237
10.2.216.1 dev sta0 scope link
10.43.36.136/29 dev wwan0 proto kernel scope link src 10.43.36.140
10.43.36.141 dev wwan0 scope link
169.254.0.0/16 dev wan0 proto kernel scope link src 169.254.59.148
172.27.152.0/24 dev ap0 proto kernel scope link src 172.27.152.1
172.27.153.0/24 dev lan0 proto kernel scope link src 172.27.153.1

I'm halfway there, I think…

$ tcpdump -i pvs5-lan
23:43:30.838412 IP 192.168.255.6 > 172.27.153.1: ICMP echo request, id 17309, seq 1, length 64

But the DUT obviously doesn't know how to reply. Do I need to NAT the packets onto the macvlan somehow…?

I cannot change the networking on the DUT, but the test gateway and the container are working properly. The DUT should therefore see packets from 172.27.153.0/24. Is this a correct use case for macvlans?
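The routing tables in the question already contain the answer to why the echo request goes unanswered: the DUT has no route for 192.168.255.0/24 (the tun0 subnet), so its reply follows the default route out sta0 instead of going back over lan0. The shell script below is an added example, not part of the question or of kylemanna/docker-openvpn. It replays the DUT's route table from the question through a longest-prefix lookup to show which interface the reply would leave on, and prints (or, with APPLY=1 inside the container, installs) an SNAT rule that rewrites the VPN clients' source address to the container's macvlan address 172.27.153.128 on eth1. The interface names, addresses and subnet are the ones shown in the question; the rule itself is this example's suggestion and needs CAP_NET_ADMIN in the container.

```shell
#!/bin/sh
# Added example (not from the question or the docker-openvpn image).
# Part 1: longest-prefix lookup over the DUT's route table, as the kernel does it.
# Part 2: SNAT rule so VPN clients appear on the DUT's LAN as the macvlan address.

# Constructed copy of the DUT's "ip route" output from the question.
DUT_ROUTES='default via 10.2.216.1 dev sta0
4.2.2.2 via 10.2.216.1 dev sta0
8.8.8.8 via 10.2.216.1 dev sta0
10.2.10.9 via 10.2.216.1 dev sta0
10.2.10.10 via 10.2.216.1 dev sta0
10.2.216.0/21 dev sta0 proto kernel scope link src 10.2.217.237
10.2.216.1 dev sta0 scope link
10.43.36.136/29 dev wwan0 proto kernel scope link src 10.43.36.140
10.43.36.141 dev wwan0 scope link
169.254.0.0/16 dev wan0 proto kernel scope link src 169.254.59.148
172.27.152.0/24 dev ap0 proto kernel scope link src 172.27.152.1
172.27.153.0/24 dev lan0 proto kernel scope link src 172.27.153.1'

VPN_NET=192.168.255.0/24     # tun0 subnet from the container's "ip route"
MACVLAN_IF=eth1              # macvlan interface inside the container
MACVLAN_ADDR=172.27.153.128  # its address on the DUT's LAN (172.27.153.0/24)

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Name of the interface the DUT would send a packet to $1 out of:
# walk the table and keep the most specific matching prefix.
reply_dev() {
    dst=$(ip2int "$1")
    best_len=-1
    best_dev=""
    while read -r prefix rest; do
        [ -n "$prefix" ] || continue
        case "$prefix" in
            default) net=0.0.0.0; plen=0 ;;
            */*)     net=${prefix%/*}; plen=${prefix#*/} ;;
            *)       net=$prefix; plen=32 ;;        # host route
        esac
        dev=$(printf '%s\n' "$rest" | sed -n 's/.*dev \([^ ]*\).*/\1/p')
        if [ "$plen" -eq 0 ]; then
            mask=0
        else
            mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
        fi
        netint=$(ip2int "$net")
        if [ $(( dst & mask )) -eq $(( netint & mask )) ] && [ "$plen" -gt "$best_len" ]; then
            best_len=$plen
            best_dev=$dev
        fi
    done <<EOF
$DUT_ROUTES
EOF
    echo "$best_dev"
}

# The rule as text, so it can be reviewed before it is run in the container.
snat_rule() {
    echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $MACVLAN_IF -j SNAT --to-source $MACVLAN_ADDR"
}

# Install the rule; -C first so repeated runs do not add duplicates.
apply_snat() {
    iptables -t nat -C POSTROUTING -s "$VPN_NET" -o "$MACVLAN_IF" -j SNAT --to-source "$MACVLAN_ADDR" 2>/dev/null ||
    iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$MACVLAN_IF" -j SNAT --to-source "$MACVLAN_ADDR"
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_snat
else
    echo "DUT replies to VPN client 192.168.255.6 via:    $(reply_dev 192.168.255.6)"   # sta0, never lan0
    echo "DUT replies to macvlan addr $MACVLAN_ADDR via: $(reply_dev $MACVLAN_ADDR)"   # lan0
    snat_rule
fi
```

After the SNAT rule, the DUT sees the echo request from 172.27.153.128, its reply matches 172.27.153.0/24 dev lan0, and conntrack in the container maps the reply back to 192.168.255.6. The tcpdump line in the question (source still 192.168.255.6 on pvs5-lan) is the quick check that no such rewrite is happening today; the same capture should show 172.27.153.128 once the rule is in place. One macvlan caveat that does not affect the DUT but can confuse testing: a macvlan child cannot exchange traffic with its parent host interface, so pinging the gateway's own pvs5-lan address from inside the container will fail regardless of NAT.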