Docker VPN Conflict

Why Containers Lose Internet

SplitTunnel Team · Updated January 2026

Key Takeaways

  • VPNs override Docker's network routes, breaking container internet access

  • Docker Desktop uses a VM with its own networking that conflicts with VPN routes

  • Split tunneling can route Docker traffic direct while work apps use VPN

Why Docker Breaks When VPN Connects

Docker Desktop runs containers inside a Linux VM on your Mac. That VM has its own network stack and relies on macOS routing to reach the internet.

When your VPN connects, it modifies the macOS routing table. Docker's routes get overridden or blocked. Suddenly, your containers can't reach anything outside your machine.

Common Symptoms

You'll know you have this problem when:

  • docker pull hangs or times out

  • Containers can't reach external APIs

  • apt-get update fails inside containers

  • Build steps requiring network downloads fail

  • DNS resolution fails inside containers

Diagnosing the Issue

Test if VPN is causing the problem:

```bash
# Test container internet access
docker run --rm alpine ping -c 3 8.8.8.8

# Test DNS resolution
docker run --rm alpine nslookup google.com
```

If these fail with VPN connected but work with VPN disconnected, you've confirmed VPN is the culprit.

Understanding the Conflict

Docker Desktop's NAT networking routes container traffic through macOS. When VPN takes over the default gateway, Docker traffic gets sent through the VPN tunnel.

The problem: VPN servers can't route Docker's internal IP addresses (172.17.x.x). The packets go in but never come back.

Fix 1: Manual Route for Docker Subnet

You can add a manual route to bypass VPN for Docker's subnet:

```bash
# Find Docker subnet
docker network inspect bridge | grep Subnet

# Add route (example for 172.17.0.0/16)
# en0 is an example interface; replace it with your active non-VPN interface
sudo route add -net 172.17.0.0/16 -interface en0
```

This route resets every time VPN reconnects or your Mac restarts. You'd need to run this command repeatedly.
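Because the manual route disappears without any notice, a check like the one below shows whether the Docker subnet currently resolves to a tunnel interface. It is an added example, not part of the original article or of SplitTunnel; the probe address 172.17.0.1, the tunnel interface name patterns, and both sample outputs are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): report which interface macOS
# would use to reach the Docker subnet, from `route -n get <ip>` output.
# Assumptions: 172.17.0.1 lies in your bridge subnet; tunnel interfaces are
# named utun*, ipsec*, ppp*, tun* or tap*.

# Print the interface named in `route -n get` output read from stdin.
route_iface() {
  awk '$1 == "interface:" { print $2; exit }'
}

# Classify an interface name as tunnel, direct or unknown (no route found).
classify_iface() {
  case "$1" in
    utun*|ipsec*|ppp*|tun*|tap*) echo tunnel ;;
    "") echo unknown ;;
    *) echo direct ;;
  esac
}

# Read `route -n get` output on stdin; return 0 only when the route is direct.
check_route() {
  cr_iface="$(route_iface)"
  cr_kind="$(classify_iface "$cr_iface")"
  echo "$1: interface=${cr_iface:-none} ($cr_kind)"
  [ "$cr_kind" = direct ]
}

# Constructed sample: lookup while the VPN owns the default route.
SAMPLE_VPN='   route to: 172.17.0.1
destination: default
       mask: default
    gateway: 10.8.0.1
  interface: utun3
      flags: <UP,GATEWAY,DONE,STATIC>'

# Constructed sample: lookup after the manual route from Fix 1 is in place.
SAMPLE_FIXED='   route to: 172.17.0.1
destination: 172.17.0.0
       mask: 255.255.0.0
  interface: en0
      flags: <UP,DONE,STATIC>'

printf '%s\n' "$SAMPLE_VPN"   | check_route "VPN up, route missing" || true
printf '%s\n' "$SAMPLE_FIXED" | check_route "manual route present" || true

# Live use on macOS; a non-zero exit means the manual route is gone:
#   route -n get 172.17.0.1 | check_route "docker subnet"
```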

Fix 2: Route Docker Direct with SplitTunnel

The most reliable fix: route Docker Desktop outside the VPN tunnel entirely.

1. Install SplitTunnel on your Mac

2. Add Docker Desktop to "Direct" routing

3. Containers regain internet access while VPN stays connected

Docker traffic bypasses the VPN. Work apps stay on the VPN. No manual routes needed. Containers routed this way cannot reach hosts that are reachable only through the VPN.

Verifying the Fix

After setting up SplitTunnel:

```bash
# Connect your VPN first

# Test Docker pull
docker pull alpine
# Should succeed quickly

# Test container internet access
docker run --rm alpine wget -q -O- http://example.com
# Should return HTML
```

Docker Compose Considerations

For multi-container setups:

  • Internal container-to-container networking usually works fine

  • External access (APIs, databases, registries) needs the SplitTunnel fix

  • Cloud database connections benefit from direct routing
