vpn + docker network issue/behaviour on Arch / Omarchy

[drupalshift]

Hey folks,
there’s a common networking issue/default behaviour on Arch (and Omarchy by extension) when using VPN services alongside docker
Most vpn apps have a “bypass local network” feature but they only detect interfaces and routes based on the current gateway/subnet (like 192.x.x.x) docker runs its own networks in the 172.16.0.0/12 range which most vpn clients don’t recognize as local so containers can’t reach the internet or be accessed locally while the vpn is active.

SUBNET="172.16.0.0/12"
IFACE="docker0"

sudo ip route add $SUBNET dev $IFACE table 2022 2>/dev/null
sudo ip rule add to $SUBNET lookup main priority 100 2>/dev/null

I made this bash for myself and run it everytime using sudo

Would it make sense for Omarchy to include this as a default behavior, given the target audience (devs switching from mac / windows where this just works) ? or is there any scenario where this could break something ?

I don’t really know shit about networking or devops there’s a whole bunch of other stuff like Minikube, Podman, LXC, etc ... that might behave differently or have their own quirks so if someone who actually knows this stuff can take a look and point out where this might break or how to do it properly that’d be awesome

I know that omarchy uses systemd-networkd below is just some of my GPT ramblings that I thought I’d drop here maybe someone more experienced with networking could take a quick look and spot any potential opportunities or extra directives worth considering :

GPT Solution

---

I asked how to deteck docker bridge and make it persist

Detecting the Docker bridge interface dynamically.
Making the routing configuration persistent across reboots or VPN reconnects.

# Detect Docker bridge interface (usually docker0)
IFACE=$(ip -o link show | awk -F': ' '/docker/ {print $2; exit}')

# Detect Docker's subnet from the default "bridge" network
SUBNET=$(docker network inspect bridge -f '{{(index .IPAM.Config 0).Subnet}}')

# Apply routing rule and route
sudo ip route add $SUBNET dev $IFACE table 2022 2>/dev/null
sudo ip rule add to $SUBNET lookup main priority 100 2>/dev/null

• ip -o link show lists network interfaces; we extract the first one with “docker” in its name.
• docker network inspect bridge queries Docker for the subnet used by the default bridge network.
• The route and rule commands tell the system to keep Docker’s network traffic local, rather than letting the VPN override it.

Making it Persistent

There are several ways to ensure this setup survives reboots or VPN reconnects:

Systemd Service (recommended):
Create a small unit file in /etc/systemd/system/docker-vpn-bypass.service that runs this script at boot or after Docker starts.

NetworkManager Dispatcher Script:
Place it under /etc/NetworkManager/dispatcher.d/ so it runs automatically when a VPN connection comes up.

VPN Hook Scripts:
Some VPN clients (like OpenVPN and WireGuard) support up or PostUp directives, where you can directly add these route and rule commands.

Each approach ensures Docker’s network remains accessible regardless of VPN configuration changes.

End Of GPT

---