Open naftulikay opened 5 years ago
+1, would love to see this feature.
I'm not sure if there's a workaround by using Docker networking; perhaps if it were possible to create the virtual NIC outside of the container and then grant the container the ability to modify that NIC, maybe this would make it possible to not need /dev/net/tun mounted into the container.
+1, because of this limitation we aren't able to use Fargate with ECS. We are going with the workaround of using an ECS + EC2 based solution.
+1, We would like to migrate our VPN server from EC2 to Fargate.
Any update on this? I did not even manage to get access to /dev/net/tun when using ECS with EC2. Does anyone know what to configure there?
I don't believe that the `--device` attribute is needed in this case; for example, in the container you can easily add:

```
mkdir -p /dev/net;
mknod /dev/net/tun c 10 200;
```

...and this would stand up a local (to the container) interface BoringTun can use. I've built a container that does exactly this: https://github.com/irctrakz/docker-wireguard-tiny

The bigger problem is that `--cap-add=NET_ADMIN` is unsupported on the Fargate instances per: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_linuxparameters (If I'm wrong on this, awesome!)
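As an added example (not code from this thread, from docker-wireguard-tiny or from BoringTun), a POSIX sh preflight check for the approach in the comment above: it reads the effective capability mask from /proc/self/status to confirm CAP_NET_ADMIN (capability number 12) is actually granted before attempting the mknod, so a task launched without the capability fails with a clear message instead of an opaque BoringTun error. It assumes /proc is mounted inside the container.

```shell
#!/bin/sh
# Constructed preflight check for a userspace WireGuard (BoringTun) task:
# confirm CAP_NET_ADMIN is in the effective capability set and that
# /dev/net/tun exists, creating it with the mknod from the comment above
# when it does not. Not part of docker-wireguard-tiny or BoringTun.

# CAP_NET_ADMIN is capability number 12 in linux/capability.h.
CAP_NET_ADMIN_BIT=12

# has_cap BIT MASK_HEX: succeed when bit BIT is set in the hex mask that
# /proc/<pid>/status reports on its CapEff line (e.g. 000001ffffffffff).
has_cap() {
    bit=$1
    mask=${2#0x}
    [ -n "$mask" ] || return 1
    # Arithmetic expansion accepts C-style hex constants, so no extra tools.
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# current_capeff: the effective capability mask of this shell process.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# ensure_tun: make sure /dev/net/tun is a character device (major 10,
# minor 200) as in the comment above; fails without CAP_MKNOD or on a
# read-only /dev.
ensure_tun() {
    [ -c /dev/net/tun ] && return 0
    mkdir -p /dev/net && mknod /dev/net/tun c 10 200
}

# preflight: run both checks and report what BoringTun would be missing.
preflight() {
    capeff=$(current_capeff)
    if ! has_cap "$CAP_NET_ADMIN_BIT" "$capeff"; then
        echo "CapEff=$capeff: CAP_NET_ADMIN missing, no tunnel interface possible" >&2
        return 1
    fi
    if ! ensure_tun; then
        echo "/dev/net/tun absent and mknod failed" >&2
        return 1
    fi
    echo "ok: CAP_NET_ADMIN present and /dev/net/tun available"
}

# Run the checks only when invoked as: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

The mask 00000000a80425fb used in the checks below is Docker's default capability set, which has CAP_NET_RAW (bit 13) but not CAP_NET_ADMIN (bit 12).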
Tell us about your request

Cloudflare made an excellent userspace implementation of the WireGuard VPN named BoringTun which doesn't require a kernel module. I'd like to run BoringTun inside of a Fargate container so that I don't have to worry about paying for and managing VMs.

My goal is to provide a lightweight VPN that I can use for secure internet browsing when I'm traveling or to bypass corporate firewalls.

Since `--device` is not supported for the Fargate launch type, I am unable to use BoringTun in Fargate.

Which service(s) is this request for?

Fargate/ECS.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

I want to be able to host a VPN in Fargate to support up to a few clients at a time. WireGuard is an excellent VPN implementation and BoringTun is a fully in-userspace implementation. It requires `CAP_NET_ADMIN` as well as `/dev/net/tun` to create the virtual interface. Fargate does not support `device` mappings. I understand the security problems with device mappings, but if Fargate was able to allow only a small subset of devices, that would be extremely helpful and would solve my issue.

Are you currently working around this issue?

Unable to use Fargate.

Additional context

My `docker-compose.yml`:

Attachments

c.f. the BoringTun issue I filed: https://github.com/cloudflare/boringtun/issues/69