Container IPs not accessible when using Citrix Secure Access VPN #1719

Open
onigoetz opened this issue Jan 13, 2025 · 3 comments
Labels
t/bug Something isn't working

Comments

@onigoetz

Describe the bug

When running a container (such as docker run -d -p 8080:80 nginx) I can access the container through localhost:8080 but not through its IP on http://192.168.215.3

This works when the VPN is not connected, which makes me think that it must come from the VPN.

To Reproduce

  1. Disconnect from "Citrix Secure Access VPN"
  2. Run container docker run -d -p 8080:80 nginx
  3. Access the IP: curl -v http://192.168.215.3 / curl -v http://localhost:8080 -> all good
  4. Start VPN connection
  5. Access the IP:
    1. curl -v http://localhost:8080: Works
    2. curl -v http://192.168.215.3: Timeout, "Couldn't connect to server"

Expected behavior

I expected container IPs to work out of the box

Diagnostic report (REQUIRED)

OrbStack info:
Version: 1.9.3
Commit: a0a450c6dd5de825fa779798b3b570c14f944020 (v1.9.3)

System info:
macOS: 15.2 (24C101)
CPU: arm64, 11 cores
CPU model: Apple M3 Pro
Model: Mac15,6
Memory: 36 GiB

Full report: https://orbstack.dev/_admin/diag/orbstack-diagreport_2025-01-13T14-24-16.137128Z.zip

Screenshots and additional context (optional)

  1. The VPN has an option "Local Lan Access" which is set to "Disabled" by the administrator -> could this be related?
  2. I tried to restart OrbStack after the VPN was started: still not working
  3. I tried to change the "bip" option of Docker to 172.17.0.1/24: also not working

I can provide additional information, such as a netstat -rn when the VPN isn't connected, on request.

@onigoetz onigoetz added the t/bug Something isn't working label Jan 13, 2025
@slinorb
Member

slinorb commented Jan 13, 2025

Likely the VPN blocks the private networks. Try to use the local domains: curl -v http://nginx.orb.local. Docs at https://docs.orbstack.dev/docker/domains.

@onigoetz
Author

Indeed this seems to work, but only because it goes through IPv6:

curl -v http://lucid_knuth.orb.local
* Host lucid_knuth.orb.local:80 was resolved.
* IPv6: fd07:b51a:cc66:0:a617:db5e:c613:f806
* IPv4: 198.19.248.6
*   Trying 198.19.248.6:80...
*   Trying [fd07:b51a:cc66:0:a617:db5e:c613:f806]:80...
* Connected to lucid_knuth.orb.local (fd07:b51a:cc66:0:a617:db5e:c613:f806) port 80
> GET / HTTP/1.1
> Host: lucid_knuth.orb.local
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< Server: nginx/1.27.3

If I try to access the IPv6 address, it works:

curl -v "http://[fd07:b51a:cc66:0:a617:db5e:c613:f806]:80"
*   Trying [fd07:b51a:cc66:0:a617:db5e:c613:f806]:80...
* Connected to fd07:b51a:cc66:0:a617:db5e:c613:f806 (fd07:b51a:cc66:0:a617:db5e:c613:f806) port 80
> GET / HTTP/1.1
> Host: [fd07:b51a:cc66:0:a617:db5e:c613:f806]
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK

Also, I'm surprised to see this 198.19.248.6 IP, where does this come from?

So that means that because of my VPN I have no way of accessing by IP?
Would it have a chance to work if I configured bip outside of the common "private" IP ranges (192. / 172. / 10.)?

@onigoetz
Author

Also, here's the route for these two addresses:

❯ route get 198.19.248.6
   route to: 198.19.248.6
destination: 198.19.248.0
       mask: 255.255.254.0
  interface: bridge100
      flags: <UP,DONE,CLONING>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500    -20352 
❯ route get -inet6 fd07:b51a:cc66:0:a617:db5e:c613:f806
   route to: fd07:b51a:cc66:0:a617:db5e:c613:f806
destination: fd07:b51a:cc66:0:a617:db5e:c613:f806
  interface: bridge100
      flags: <UP,HOST,DONE,LLINFO,WASCLONED,IFSCOPE,IFREF>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0 
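
An added diagnostic sketch, not part of the thread or of OrbStack's code, for the addresses and `route get` output posted above: it names the reserved block each address falls in and reports which interface the route selects. The `utun4` route is a constructed sample, and treating `bridge100` as the expected interface is an assumption taken from the posted output.

```python
import ipaddress
import re

# Reserved blocks that appear in this thread; the labels are this example's own.
BLOCKS = [
    ("RFC 1918 private", "10.0.0.0/8"),
    ("RFC 1918 private", "172.16.0.0/12"),
    ("RFC 1918 private", "192.168.0.0/16"),
    ("RFC 2544 benchmarking", "198.18.0.0/15"),
    ("RFC 4193 unique local", "fc00::/7"),
]

def classify(addr):
    """Name the reserved block that contains addr, or return 'other'."""
    ip = ipaddress.ip_address(addr)
    for label, cidr in BLOCKS:
        net = ipaddress.ip_network(cidr)
        if ip.version == net.version and ip in net:
            return label
    return "other"

def parse_route_get(text):
    """Collect the 'key: value' lines of macOS `route get` output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z ]+?):\s*(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def summarize(route_text, expected_iface):
    """Report the target's address block and whether it leaves via expected_iface."""
    r = parse_route_get(route_text)
    return {"target": r["route to"], "block": classify(r["route to"]),
            "interface": r["interface"], "expected": r["interface"] == expected_iface}

# Excerpt of the route output posted in the thread.
THREAD_V4 = """   route to: 198.19.248.6
destination: 198.19.248.0
       mask: 255.255.254.0
  interface: bridge100"""

# Constructed sample (utun4 is an assumed tunnel interface, not from the thread).
CONSTRUCTED_VPN = """   route to: 192.168.215.3
destination: default
  interface: utun4"""

if __name__ == "__main__":
    print([summarize(t, "bridge100") for t in (THREAD_V4, CONSTRUCTED_VPN)])
```

Running the same check with the VPN connected and disconnected shows whether the selected interface changes; if it stays on the bridge while IPv4 still times out, the routing table alone does not explain the failure.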
