name Punditsdkoslkdosdkoskdo

Docker + VPN LAN to LAN

We just migrated our applications to a Docker environment. I have many containers running my Python application in my VM (4 containers per VM). This is a multi-tenant application.

This application needs to connect to specific customer infrastructure via an IPsec tunnel (using SSH and HTTPS). This means that each customer is assigned a container, and only this container can reach the remote network via the IPsec tunnel.

In a virtual machine world, I had OpenSwan installed and enabled VPN LAN to LAN. My VPN established direct connectivity to the remote concentrator, and I reserved 1 VM per customer.

Now with the Docker infrastructure, in which our app is a microservice, is it OK to follow the same logic and install OpenSwan in the same Docker container as my app? Or does it make sense to install OpenSwan and have that container route the traffic?

Before:

VM - App + OpenSWAN

VPN <------> VM

Now:

VM - [Docker App1] [Docker App2]

After:

VM - [Docker App1 + OpenSwan] [Docker App2 + OpenSwan]

VPN <------> [Docker App1 + OpenSwan]

    • All IPsec functions aside from key exchange happen in the kernel. As such, you cannot "install" IPsec inside of a container, as the container doesn't have its own kernel. You'll need to terminate the tunnel at the host and then use some other mechanism to segment and restrict traffic.
    • Make sure you know what you're doing, and what the security ramifications are of running containers in privileged mode (which this tutorial requires). This is not something to take lightly - you could very easily unintentionally give your customers' processes root access to your server.
    • Agree. I have seen this topic raised before; wouldn't it be the same security considerations as running everything in a VM anyway?
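Following the first comment's advice (terminate the tunnels on the host and segment traffic there), an added example that is not part of the original thread: host-side iptables FORWARD rules that pin each customer's containers to that customer's tunnelled LAN, plus a check for overlapping customer address ranges, which a single host could not route apart. Tenant names and all subnets are constructed sample values.

```python
import ipaddress
import subprocess

# Constructed sample tenant table (not from the post):
# tenant -> (container subnet on the host, customer LAN reached through that tenant's tunnel)
TENANTS = {
    "cust-a": ("172.20.1.0/24", "10.10.0.0/16"),
    "cust-b": ("172.20.2.0/24", "10.20.0.0/16"),
}


def find_overlaps(tenants):
    """Pairs of tenants whose remote LANs overlap. With every tunnel terminated on one
    host, the host cannot pick the right tunnel by destination alone in that case, so
    such a layout needs NAT or a separate network namespace per tenant instead."""
    nets = {name: ipaddress.ip_network(remote) for name, (_, remote) in tenants.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def build_forward_rules(tenants):
    """iptables FORWARD rules for the host: a tenant's containers may reach only that
    tenant's remote LAN, replies may come back, and any other forwarded traffic towards
    a tunnelled LAN is dropped (so containers cannot reach another customer's network)."""
    rules = []
    for name, (local, remote) in tenants.items():
        rules.append(["iptables", "-A", "FORWARD", "-s", local, "-d", remote,
                      "-m", "comment", "--comment", name, "-j", "ACCEPT"])
        rules.append(["iptables", "-A", "FORWARD", "-s", remote, "-d", local,
                      "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"])
    # default deny for every tunnelled LAN, appended after all ACCEPTs: rule order matters
    for _, remote in tenants.values():
        rules.append(["iptables", "-A", "FORWARD", "-d", remote, "-j", "DROP"])
    return rules


def apply_rules(rules, dry_run=True):
    """Run the rules on the host (needs root); with dry_run only the commands are returned."""
    commands = [" ".join(rule) for rule in rules]
    if not dry_run:
        for rule in rules:
            subprocess.run(rule, check=True)
    return commands


if __name__ == "__main__":
    if find_overlaps(TENANTS):
        raise SystemExit(f"overlapping customer LANs: {find_overlaps(TENANTS)}")
    print("\n".join(apply_rules(build_forward_rules(TENANTS))))
```

The rules assume each tenant's containers live on their own Docker bridge network with the listed subnet; the same check applies whatever tool later turns the table into host firewall rules.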
