Docker, DNS and VPN Question

Hey everyone! I have a question for anyone proficient in Docker. I have a small swarm cluster in the cloud (digital ocean). I want to put a few internal apps and some open source apps onto the system for remote support teams. I don’t want to run anything on prem which would avoid this issue, I want to be able to access anything from anywhere in the world.

Here is what I have working.

I have a few apps. Some internal, Wordpress (CRM plugin), Invoice Ninja, Mattermost, We can, redash. These apps all use nginx instances for reverse proxy with HTTPS termination and everything works fine and awesome. Right now several are facing public internet as a test/mockup without issue and I can point a domain to it and it opens the correct instance etc.

My next step is to put a VPN instance infront of the stack to wall it off from the public. Whenever I do this, with either a docker container openVPN I have DNS issues. I can login to VPN, make users and get to the endpoints with IP addresses but because the openVPN instance has it’s own DNS for machines connecting in I cannot resolve the docker DNS names of the services. Everytime an instance updates its IP can change so I really need to configure DNS with Docker.

Has anyone encountered this use case? I have tried several fixes online that didn’t work. I would like to use internal docker DNS somehow but also thought of configuring dnsmasq or similar system to have a common DNS with docker but I am kind of stuck. I like using docker but for these use cases it is very time consuming to work around since all the documentation is mostly for forward facing web services not internal ones.

Another option is keeping endpoints public and securing them. However the challenge is supporting these 3rd party apps with additional layer of authentication is difficult. I wonder if using a client side cert with Nginx is viable for security. I would like to wrap a layer of app security around them but I am not finding the correct tools. I did find this project that seems to do what I want but the documentation is sparse

I would appreciate any support. I want to do the most time efficient way possible by maintaining a good layer of security for these apps.