
[ecs] [request]: Support /dev/net/tun Device in Fargate

Open naftulikay opened this issue 5 years ago • 4 comments

Tell us about your request

Cloudflare made an excellent userspace implementation of the WireGuard VPN named BoringTun which doesn't require a kernel module. I'd like to run BoringTun inside of a Fargate container so that I don't have to worry about paying for and managing VMs.

My goal is to provide a lightweight VPN that I can use for secure internet browsing when I'm traveling or to bypass corporate firewalls.

Since --device is not supported for the Fargate launch type, I am unable to use BoringTun in Fargate.

Which service(s) is this request for?

Fargate/ECS.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

I want to be able to host a VPN in Fargate to support up to a few clients at a time. WireGuard is an excellent VPN implementation and BoringTun is a fully in-userspace implementation. It requires CAP_NET_ADMIN as well as /dev/net/tun to create the virtual interface.

Fargate does not support device mappings. I understand the security problems with device mappings, but if Fargate was able to allow only a small subset of devices, that would be extremely helpful and would solve my issue.

Are you currently working around this issue?

Unable to use Fargate.

Additional context

My docker-compose.yml:

---
version: '3'
services:
  missioncontrol:
    build: .
    image: naftulikay/missioncontrol:latest
    container_name: missioncontrol
    sysctls:
      # forward traffic between the VPN interface and the container's NIC
      - net.ipv4.ip_forward=1
      # loose reverse-path filtering so asymmetric VPN routes are not dropped
      - net.ipv4.conf.all.rp_filter=2
    cap_add:
      # required to create and configure the WireGuard interface
      - NET_ADMIN
    ports:
      - '22022:22'
      # WireGuard is UDP only; compose publishes TCP unless told otherwise
      - '51820:51820/udp'
    devices:
      # the TUN/TAP clone device BoringTun opens to create the interface
      - /dev/net/tun

Attachments

c.f. the BoringTun issue I filed: https://github.com/cloudflare/boringtun/issues/69

naftulikay, Apr 05 '19 00:04

+1, would love to see this feature.

tkisason, Apr 11 '19 07:04

I'm not sure if there's a workaround by using Docker networking; perhaps if it were possible to create the virtual NIC outside of the container and then grant the container the ability to modify that NIC, maybe this would make it possible to not need /dev/net/tun mounted into the container.

naftulikay, Apr 11 '19 17:04

+1. Because of this limitation we aren't able to use Fargate with ECS. We are going with the workaround of using an ECS + EC2 based solution.

prashilgupta, Jul 20 '21 18:07

+1, We would like to migrate our VPN server from EC2 to Fargate.

marvelph, Sep 04 '22 03:09

Any update on this? I did not even manage to get access to /dev/net/tun when using ECS with EC2. Does anyone know what to configure there?

enricoschaaf, Oct 10 '22 13:10

I don't believe that the --device attribute is needed in this case, for example, in the container you can easily add:

mkdir -p /dev/net; mknod /dev/net/tun c 10 200;

...and this would stand up a local (to the container) interface BoringTun can use. I've built a container that does exactly this: https://github.com/irctrakz/docker-wireguard-tiny

The bigger problem is that --cap-add=NET_ADMIN is unsupported on the Fargate instances per: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_linuxparameters (If I'm wrong on this, awesome!)

irctrakz, Feb 16 '23 17:02
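The two posts above together describe what BoringTun actually needs inside the container: a /dev/net/tun node, which the mknod one-liner can create (Docker's default capability set includes CAP_MKNOD and its default device cgroup already allows char 10:200 rwm, so only the node itself is missing), and CAP_NET_ADMIN in the effective capability set, which only the container runtime can grant (per the AWS documentation linked above, the only capability a Fargate task may add is SYS_PTRACE). The following preflight script is an added example written for this thread; it is not from BoringTun, the issue, or AWS. It assumes Linux, a GNU or busybox stat, a mounted /proc, and /dev/net/tun as the default device path. It tells the two failure modes apart instead of letting BoringTun fail with a generic error.

```shell
#!/bin/sh
# Added preflight check for a container meant to run BoringTun/WireGuard.
# Not part of the issue thread or of BoringTun. Assumed: Linux, GNU or
# busybox stat, /proc mounted. It verifies the two prerequisites named in
# the thread: a TUN clone device node (char 10,200) and CAP_NET_ADMIN in the
# effective capability set. mknod can supply the first; only the runtime
# can supply the second.

TUN_PATH="${TUN_PATH:-/dev/net/tun}"   # assumed default; override via env
CAP_NET_ADMIN_BIT=12                    # from <linux/capability.h>

# tun_node_ok PATH: succeed if PATH is a character device with major 10,
# minor 200, the number Linux assigns to the TUN/TAP clone device.
tun_node_ok() {
    p="$1"
    [ -c "$p" ] || return 1
    # %t/%T print major/minor in hex (GNU coreutils and busybox stat)
    dev=$(stat -c '%t %T' "$p" 2>/dev/null) || return 1
    set -- $dev
    [ $# -eq 2 ] || return 1
    [ $((0x$1)) -eq 10 ] && [ $((0x$2)) -eq 200 ]
}

# cap_mask_has HEXMASK BIT: succeed if capability BIT is set in HEXMASK,
# the 64-bit hex value /proc/<pid>/status prints on its CapEff: line
# (Docker's default set is 00000000a80425fb: NET_RAW but no NET_ADMIN).
cap_mask_has() {
    mask="$1"; bit="$2"
    [ -n "$mask" ] || return 1
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# cap_eff_from_status: read a /proc/<pid>/status text on stdin, print CapEff.
cap_eff_from_status() {
    awk '/^CapEff:/ { print $2 }'
}

# cap_eff_self: CapEff of this shell, i.e. of the container it runs in.
cap_eff_self() {
    [ -r /proc/self/status ] || return 1
    cap_eff_from_status < /proc/self/status
}

# preflight: report both checks; non-zero exit status if either fails.
preflight() {
    rc=0
    if tun_node_ok "$TUN_PATH"; then
        echo "ok:   $TUN_PATH is the TUN clone device (char 10,200)"
    else
        echo "FAIL: $TUN_PATH missing or wrong device number;"
        echo "      create it with: mkdir -p /dev/net && mknod /dev/net/tun c 10 200"
        rc=1
    fi
    eff=$(cap_eff_self) || eff=""
    if cap_mask_has "$eff" "$CAP_NET_ADMIN_BIT"; then
        echo "ok:   CAP_NET_ADMIN present (CapEff=$eff)"
    else
        echo "FAIL: CAP_NET_ADMIN absent (CapEff=${eff:-unknown});"
        echo "      the runtime must add it; mknod cannot"
        rc=1
    fi
    return $rc
}

# Run the checks only when invoked with --run, so the functions can be
# sourced by an entrypoint or a test without side effects.
if [ "${1:-}" = "--run" ]; then
    preflight
    exit $?
fi
```

Run it as `sh preflight.sh --run` from the container's entrypoint before starting BoringTun; a non-zero exit stops the container early with a message naming the missing piece. The device check answers enricoschaaf's question (is the node there at all, and is it really 10,200), while the CapEff check shows whether the mknod trick is enough on a given runtime or whether, as irctrakz notes for Fargate, the capability itself is what is being withheld.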