3

I've got a CentOS 7 VM running strongSwan which sets up a VPN tunnel between our LAN and Google Compute Engine (Google Cloud VPN). This makes local machines on the LAN accessible by GCE instances and vice versa.

I'd like to run strongSwan in a Docker container instead of the resource hungry VM. However, I'm pretty sure I cannot make the container aware of our LAN and therefore not make GCE instances access the machines on our LAN (and vice versa) - as the VPN tunnel would only be created between the container's network and Google's network.

Am I correct or can this somehow be achieved?

fredrik
  • 731
  • 15
  • 20

1 Answers1

3

strongSwan uses IPsec in tunnel mode, which (on Linux) requires loading and using a few kernel modules. Loading the module and configuring it is not something you can do inside a normal container. You can get around this by making the container privileged and using a "host" mode network so that the container can see the tunnel it creates(docker run --privileged --net=host), but essentially this disables the isolation between the container and it's host, so it's probably not what you want.

maxf
  • 227
  • 2
  • 5