SplitTunnel

Docker Containers Can't Reach Internet on VPN?

Here's Why and How to Fix It

SplitTunnel Team·6 min read·Updated January 2026

Key Takeaways

  • VPN route changes override Docker's network configuration

  • Containers lose their path to the internet through the VPN tunnel

  • Split tunneling keeps Docker networking independent of VPN

Fix Docker

Why Docker Loses Internet on VPN

Docker Desktop runs containers inside a Linux VM on your Mac. That VM has its own network routing that relies on macOS to reach the internet.

When VPN connects, it changes the macOS routing table. Docker's routes get overridden. Containers lose their path to the outside world.

Symptoms

You'll see these failures:

  • docker build fails downloading packages

  • apt-get update times out inside containers

  • curl from container returns nothing

  • pip install hangs indefinitely

  • Any network operation inside a container fails

Testing Container Connectivity

bash
# Quick connectivity test
docker run --rm alpine ping -c 3 8.8.8.8

# DNS test
docker run --rm alpine nslookup google.com

# HTTP test
docker run --rm curlimages/curl curl -I https://google.com

Run these before and after VPN connects. If they fail after VPN—you've found the problem.

Understanding the Network Flow

Normal flow: Container → Docker VM → macOS → Internet. With VPN: Container → Docker VM → macOS → VPN → broken.

The VPN doesn't know about Docker's internal networks (172.17.x.x). Traffic gets lost or blocked.

Fix 1: Restart Docker After VPN

Sometimes simply restarting Docker helps:

bash
# Restart Docker Desktop from menu bar
# Or use terminal
killall Docker && open /Applications/Docker.app

This may re-establish routes, but it's a temporary fix at best.

Fix 2: Configure Docker DNS

If the issue is DNS-specific:

json
// ~/.docker/daemon.json
{
  "dns": ["8.8.8.8", "8.8.4.4"]
}

Restart Docker after making this change. Helps with DNS issues but doesn't fix routing.

Fix 3: Use Host Network (Limited)

bash
docker run --network host myimage

This makes the container use host networking directly. But you lose container network isolation, and it's not practical for most use cases.

Fix 4: Route Docker Direct (Best)

The most reliable fix: route Docker Desktop outside the VPN tunnel entirely.

1

Install SplitTunnel on your Mac

2

Add Docker Desktop to "Direct" routing

3

Containers have direct internet access

4

Work apps still use VPN

Docker networking works exactly as it should. No restarts, no DNS hacks.

Building Images on VPN

dockerfile
# Dockerfile
FROM node:18
RUN npm install  # This needs internet access

Without a fix, builds hang at any network operation. With SplitTunnel, builds complete normally.

Docker Compose Considerations

yaml
# docker-compose.yml
services:
  web:
    build: .
    depends_on:
      - db
  db:
    image: postgres:15  # Needs to pull from registry

Both build stage and runtime need internet access. SplitTunnel fixes both.

Multi-Container Networking

  • Container-to-container: Usually unaffected by VPN

  • Container-to-internet: Fixed by SplitTunnel

  • Container-to-host: Works with direct routing

Verifying the Fix

After setting up SplitTunnel with Docker Desktop routed direct:

bash
# Connect VPN

# Test connectivity
docker run --rm alpine ping -c 3 8.8.8.8
# Should succeed

# Test DNS
docker run --rm alpine nslookup google.com
# Should resolve

# Test a build
docker build -t test .
# Should complete normally

Frequently Asked Questions

Restore Container Networking

Route Docker direct while work apps stay on VPN. Containers just work.

Start Free Trial

7-day free trial · Cancel anytime

Related Guides

Docker VPN Conflict

Why containers lose internet

Kubernetes VPN Access

Fix kubectl and cluster connectivity

Development Server on VPN

Run dev servers while connected