Hi. I am trying to create a container that uses Surfshark to access some websites, and exposes a FastAPI endpoint that allows my host computer to access the data retrieved without actually connecting to any VPN. My docker-compose.yml looks like this:

```yaml
services:
  vpn:
    image: ilteoood/docker-surfshark:1.8.1
    container_name: surfshark
    environment:
      - SURFSHARK_USER=<SURFSHARK_USER>
      - SURFSHARK_PASSWORD=<SURFSHARK_PASSWORD>
      - SURFSHARK_COUNTRY=<SURFSHARK_COUNTRY>
      - SURFSHARK_CITY=<SURFSHARK_CITY>
      - CONNECTION_TYPE=<CONNECTION_TYPE>
      - LAN_NETWORK=192.168.0.0/24 # Optional - Used to access attached containers web ui
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    ports:
      - 8000:8000 # For FastAPI
    restart: unless-stopped
    dns:
      - 1.1.1.1
```

Using

```
docker compose -f docker-compose.yml -p surfshark up
```

gives me
```
surfshark | --2024-10-08 18:11:30-- https://my.surfshark.com/vpn/api/v1/server/configurations
surfshark | Resolving my.surfshark.com (my.surfshark.com)... 172.64.148.91, 104.18.39.165, 2606:4700:4400::6812:27a5, ...
surfshark | Connecting to my.surfshark.com (my.surfshark.com)|172.64.148.91|:443... connected.
surfshark | HTTP request sent, awaiting response... 200 OK
surfshark | Length: 619148 (605K) [application/zip]
surfshark | Saving to: 'ovpn_configs.zip'
surfshark |
surfshark | 0K .......... .......... .......... .......... .......... 8% 2.62M 0s
surfshark | 50K .......... .......... .......... .......... .......... 16% 131M 0s
surfshark | 100K .......... .......... .......... .......... .......... 24% 7.44M 0s
surfshark | 150K .......... .......... .......... .......... .......... 33% 39.3M 0s
surfshark | 200K .......... .......... .......... .......... .......... 41% 26.7M 0s
surfshark | 250K .......... .......... .......... .......... .......... 49% 8.91M 0s
surfshark | 300K .......... .......... .......... .......... .......... 57% 32.6M 0s
surfshark | 350K .......... .......... .......... .......... .......... 66% 20.4M 0s
surfshark | 400K .......... .......... .......... .......... .......... 74% 21.2M 0s
surfshark | 450K .......... .......... .......... .......... .......... 82% 66.9M 0s
surfshark | 500K .......... .......... .......... .......... .......... 90% 9.84M 0s
surfshark | 550K .......... .......... .......... .......... .......... 99% 299M 0s
surfshark | 600K .... 100% 9.06M=0.05s
surfshark |
surfshark | 2024-10-08 18:11:30 (12.8 MB/s) - 'ovpn_configs.zip' saved [619148/619148]
surfshark |
surfshark | Archive: ovpn_configs.zip
surfshark | inflating: ovpn_configs/al-tia.prod.surfshark.com_tcp.ovpn
surfshark | inflating: ovpn_configs/al-tia.prod.surfshark.com_udp.ovpn
...
surfshark | inflating: ovpn_configs/vn-hcm.prod.surfshark.com_tcp.ovpn
surfshark | inflating: ovpn_configs/vn-hcm.prod.surfshark.com_udp.ovpn
surfshark | Chose: ca-van.prod.surfshark.com_udp.ovpn
surfshark | Adding ip route add 192.168.0.0/24 via 172.18.0.1 dev eth0 for attached container web ui access
surfshark | Do not forget to expose the ports for attached container web ui access
surfshark | 2024-10-08 18:11:30 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
surfshark | 2024-10-08 18:11:30 WARNING: file 'vpn-auth.txt' is group or others accessible
surfshark | 2024-10-08 18:11:30 OpenVPN 2.6.11 aarch64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
surfshark | 2024-10-08 18:11:30 library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
surfshark | 2024-10-08 18:11:30 WARNING: --ping should normally be used with --ping-restart or --ping-exit
surfshark | 2024-10-08 18:11:30 TCP/UDP: Preserving recently used remote address: [AF_INET]216.246.31.12:1194
surfshark | 2024-10-08 18:11:30 Socket Buffers: R=[212992->212992] S=[212992->212992]
surfshark | 2024-10-08 18:11:30 UDPv4 link local: (not bound)
surfshark | 2024-10-08 18:11:30 UDPv4 link remote: [AF_INET]216.246.31.12:1194
surfshark | 2024-10-08 18:11:30 TLS: Initial packet from [AF_INET]216.246.31.12:1194, sid=cf843e87 8f938cdd
surfshark | 2024-10-08 18:11:30 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
surfshark | 2024-10-08 18:11:30 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA
surfshark | 2024-10-08 18:11:30 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA
surfshark | 2024-10-08 18:11:30 VERIFY KU OK
surfshark | 2024-10-08 18:11:30 Validating certificate extended key usage
surfshark | 2024-10-08 18:11:30 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
surfshark | 2024-10-08 18:11:30 VERIFY EKU OK
surfshark | 2024-10-08 18:11:30 VERIFY OK: depth=0, CN=ca-van-v085.prod.surfshark.com
surfshark | 2024-10-08 18:11:30 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
surfshark | 2024-10-08 18:11:30 [ca-van-v085.prod.surfshark.com] Peer Connection Initiated with [AF_INET]216.246.31.12:1194
surfshark | 2024-10-08 18:11:30 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
surfshark | 2024-10-08 18:11:30 TLS: tls_multi_process: initial untrusted session promoted to trusted
surfshark | 2024-10-08 18:11:31 SENT CONTROL [ca-van-v085.prod.surfshark.com]: 'PUSH_REQUEST' (status=1)
surfshark | 2024-10-08 18:11:31 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 162.252.172.57,dhcp-option DNS 149.154.159.92,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,block-outside-dns,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
surfshark | 2024-10-08 18:11:31 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.6.11)
surfshark | 2024-10-08 18:11:31 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
surfshark | 2024-10-08 18:11:31 Socket Buffers: R=[212992->425984] S=[212992->425984]
surfshark | 2024-10-08 18:11:31 OPTIONS IMPORT: --ifconfig/up options modified
surfshark | 2024-10-08 18:11:31 OPTIONS IMPORT: route options modified
surfshark | 2024-10-08 18:11:31 OPTIONS IMPORT: route-related options modified
surfshark | 2024-10-08 18:11:31 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
surfshark | 2024-10-08 18:11:31 OPTIONS IMPORT: tun-mtu set to 1500
surfshark | 2024-10-08 18:11:31 ROUTE_GATEWAY 172.18.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:12:00:02
surfshark | 2024-10-08 18:11:31 TUN/TAP device tun0 opened
surfshark | 2024-10-08 18:11:31 /sbin/ip link set dev tun0 up mtu 1500
surfshark | 2024-10-08 18:11:31 /sbin/ip link set dev tun0 up
surfshark | 2024-10-08 18:11:31 /sbin/ip addr add dev tun0 10.8.8.2/24
surfshark | 2024-10-08 18:11:31 /sbin/ip route add 216.246.31.12/32 via 172.18.0.1
surfshark | 2024-10-08 18:11:31 /sbin/ip route add 0.0.0.0/1 via 10.8.8.1
surfshark | 2024-10-08 18:11:31 /sbin/ip route add 128.0.0.0/1 via 10.8.8.1
surfshark | 2024-10-08 18:11:31 Initialization Sequence Completed
surfshark | 2024-10-08 18:11:31 Data Channel: cipher 'AES-256-GCM', peer-id: 0
surfshark | 2024-10-08 18:11:31 Timers: ping 60, ping-restart 180
surfshark | 2024-10-08 18:11:31 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
```
Then I create a Dockerfile for my FastAPI container:

```dockerfile
FROM python:3.10.15-slim-bullseye
RUN apt-get update && \
    apt-get upgrade -y && \
    pip install --no-cache-dir -U pip setuptools wheel && \
    pip install --no-cache-dir "fastapi[standard]"
WORKDIR /app
COPY main.py /app/
ENTRYPOINT [ "fastapi", "run", "main.py", "--host", "0.0.0.0", "--port", "8000" ]
```

where my main.py is the sample script provided by FastAPI:

```python
from typing import Union

from fastapi import FastAPI

app = FastAPI()


@app.get("/")
def read_root():
    return {"Hello": "World"}


@app.get("/items/{item_id}")
def read_item(item_id: int, q: Union[str, None] = None):
    return {"item_id": item_id, "q": q}
```

After

```
docker build -t app .
```

and

```
docker run -it --rm --net container:surfshark app
```

I tried to visit http://127.0.0.1:8000, but it didn't work. I also tried to use the IP address of the Surfshark container (from docker inspect), but it still didn't work. Is there any configuration mistake in the docker-compose.yml?