
We just migrated our applications to a Docker environment. I have many containers running my Python application in my VMs (4 containers per VM). This is a multi-tenant application.

This application needs to connect to specific customer infrastructure via an IPsec tunnel (using SSH and HTTPS). This means that each customer is assigned a container, and only this container can reach the remote network via the IPsec tunnel.

In a Virtual Machine world, I had OpenSwan installed and a LAN-to-LAN VPN enabled. My VPN established direct connectivity to the remote concentrator, and I reserved 1 VM per customer.

Now with the Docker infrastructure, in which our app is a microservice, is it OK to follow the same logic and install OpenSwan in the same Docker container as my app? Or does it make sense to install OpenSwan in its own container and have that container route the traffic?

Before:

VM - App + OpenSWAN

VPN <------> VM

Now:

VM - [Docker App1] [Docker App2]

After:

VM - [Docker App1 + OpenSwan] [Docker App2 + OpenSwan]

VPN <------> [Docker App1 + OpenSwan]

gogasca
  • All IPsec functions aside from key exchange happen in the kernel. As such, you cannot "install" IPsec inside of a container, as the container doesn't have its own kernel. You'll need to terminate the tunnel at the host and then use some other mechanism to segment and restrict traffic. – EEAA May 03 '16 at 23:02
  • I found this tutorial: https://github.com/philpl/docker-strongswan I will give it a try; this is StrongSwan, though. – gogasca May 04 '16 at 21:16
  • Make sure you know what you're doing, and what the security ramifications are of running containers in privileged mode (which this tutorial requires). This is not something to take lightly - you could very easily unintentionally give your customers' processes root access to your server. – EEAA May 04 '16 at 21:20
  • Agree. I have seen this topic raised before; wouldn't it be the same security considerations as running everything in a VM anyway? – gogasca May 04 '16 at 21:41
  • No, when you used VMs, each customer had their own. – EEAA May 04 '16 at 21:42
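The comments above split the problem in two: the IPsec tunnel itself is a host-kernel function, and keeping tenant A's container away from tenant B's customer network is a separate job for the host. The script below is an added example, not code from the question, the comments or the docker-strongswan tutorial they link. It assumes the tunnel is already terminated on the host, that each tenant's app container is placed on its own Docker bridge network, and that the host runs a Docker version with the DOCKER-USER iptables chain (Docker evaluates it before its own FORWARD rules) that nothing else manages, since the plan flushes that chain to stay idempotent. The tenant table, the subnets, the customer networks and the `net-<tenant>` network names are constructed sample values. The script only prints the commands it would run and refuses to produce a plan when two tenants' container subnets or customer networks overlap, because source- and destination-based rules cannot tell such tenants apart.

```shell
#!/bin/sh
# Added example (not from the question or comments): plan host-side tenant
# segmentation for a host-terminated IPsec tunnel. Prints commands only.
#
# Assumptions: DOCKER-USER chain exists and is ours to flush; network names
# net-<tenant> are a convention chosen here; tenant table values are
# constructed samples: name, container subnet, remote customer network.
TENANTS='acme 172.20.1.0/24 10.10.0.0/16
globex 172.20.2.0/24 10.20.0.0/16'

# ip4_to_int 192.168.1.10 -> 3232235786 (dotted quad to 32-bit integer)
ip4_to_int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlaps A/p B/q: exit 0 when the two IPv4 prefixes intersect.
# Two prefixes intersect exactly when they agree on the shorter prefix.
cidr_overlaps() {
  n1=$(ip4_to_int "${1%/*}"); p1=${1#*/}
  n2=$(ip4_to_int "${2%/*}"); p2=${2#*/}
  p=$p1
  [ "$p2" -lt "$p1" ] && p=$p2
  mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
  [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# tenants_disjoint TABLE FIELD: FIELD 2 = container subnet, 3 = remote
# network. Source-subnet rules need distinct container subnets; a single
# host routing table and destination-based DROPs need distinct customer
# networks. Reports the first conflict on stderr and returns 1.
tenants_disjoint() {
  cols=$(echo "$1" | awk -v f="$2" 'NF { print $1, $f }')
  echo "$cols" | while read -r a x; do
    echo "$cols" | while read -r b y; do
      [ "$a" != "$b" ] || continue
      if cidr_overlaps "$x" "$y"; then
        echo "conflict: $a $x overlaps $b $y" >&2
        exit 1
      fi
    done || exit 1
  done
}

# tenant_rules NAME SUBNET REMOTE: only this tenant's containers may forward
# into its customer network; replies come back by connection state.
tenant_rules() {
  echo "docker network create --subnet $2 net-$1"
  echo "iptables -A DOCKER-USER -s $2 -d $3 -j ACCEPT"
  echo "iptables -A DOCKER-USER -s $3 -d $2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# plan_host_rules TABLE: validate the table, then print the host commands.
# Order matters: per-tenant ACCEPTs first, then a DROP toward every customer
# network so no other container can reach it, then RETURN so Docker's own
# rules handle everything else (internet egress via NAT, published ports).
plan_host_rules() {
  tenants_disjoint "$1" 2 || return 1
  tenants_disjoint "$1" 3 || return 1
  echo "iptables -F DOCKER-USER"
  echo "$1" | while read -r name subnet remote; do
    [ -n "$name" ] || continue
    tenant_rules "$name" "$subnet" "$remote"
  done
  echo "$1" | while read -r name subnet remote; do
    [ -n "$name" ] || continue
    echo "iptables -A DOCKER-USER -d $remote -j DROP"
  done
  echo "iptables -A DOCKER-USER -j RETURN"
}

# Print the plan for the sample table; nothing is executed here.
plan_host_rules "$TENANTS"
```

After applying a plan on a host, `ip xfrm state` and `ip xfrm policy` show the security associations and policies living in the host kernel (which is the point of the first comment: there is nothing to "install" inside the container), and `iptables -L DOCKER-USER -n -v` shows per-rule counters so a tenant container probing another customer's network is visible as hits on that DROP rule. The overlap check is the caveat to keep in mind: if two customers both use, say, 10.0.0.0/8 behind their concentrators, one routing table and destination-based rules cannot separate them, and each tenant then needs its own network namespace or VRF, which this example does not attempt.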
