Firezone Docker, ipvlan, with masquerade disabled for split-tunnel vpn

On the off chance anyone else has issues routing packets while using ipvlans.

I could see return packets making it to the docker host and being passed to the vlan interface on the docker host but never passed into the container.

I had no direct limitation or use case to use ipvlans over macvlans. As such, I converted over to macvlans and everything is now routing as expected. I believe the container having a MAC address allows the docker host to route things correctly, whereas with ipvlans the container shared the host's MAC address, resulting in the packets thinking they had reached their final destination once they hit the host's eth0 device.

Additionally, the sysctls declarations in the docker-compose file are not needed when using macvlans (they may not be needed with ipvlans either, untested). No changes to the sysctl.conf file on the host either. These were troubleshooting steps I tried and reverted after the macvlan change.

A route on the common gateway is still necessary to direct the WG client IPs to the Firezone container.
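As an added illustration (not from the original post, and not Firezone's own compose file), this is the shape of a docker-compose network definition the post describes: the Firezone service attached to a macvlan network on the host's LAN interface, with no `sysctls` block. The interface name `eth0`, the image tag, the `NET_ADMIN` capability, the LAN subnet, the gateway, the container address and the WireGuard client range are placeholders assumed for the example.

```yaml
# Added example: Firezone container on a Docker macvlan network.
# All addresses, the parent interface and the image are assumed placeholders.
version: "3.8"

services:
  firezone:
    image: firezone/firezone        # placeholder: check the project's docs for the image
    cap_add:
      - NET_ADMIN                   # assumed: needed to manage the WireGuard interface
    # No `sysctls:` block here and no host sysctl.conf edits: per the post,
    # neither was needed once the container sat on a macvlan.
    networks:
      lan:
        ipv4_address: 192.168.1.50  # placeholder: container's own address on the LAN

networks:
  lan:
    driver: macvlan                 # macvlan gives the container its own MAC address,
    driver_opts:                    # so LAN replies are delivered to the container
      parent: eth0                  # placeholder: host interface on the LAN
    ipam:
      config:
        - subnet: 192.168.1.0/24    # placeholder: the LAN
          gateway: 192.168.1.1      # placeholder: the common gateway

# On the common gateway, the static route the post mentions still has to exist,
# pointing the WireGuard client range at the container's LAN address, e.g. on a
# Linux gateway:  ip route add 10.3.2.0/24 via 192.168.1.50   (both placeholders)
```

Docker refuses to bring the container up if `ipv4_address` lies outside the configured `subnet`, so keep the two consistent; the macvlan interface is also not reachable from the docker host's own IP, which is expected Linux behaviour rather than a routing fault.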