jpetazzo / dockvpn

Recipe to build an OpenVPN image for Docker


Run without --privileged?

runvnc opened this issue · comments

I saw you added to docker the ability to do mknod, so I was hoping that would allow me to run my tinc VPN which uses tun. It starts up but says 'File descriptor in bad state'.

So I tried this test, which I believe also uses tun: `socat -d -d TCP-LISTEN:11443,reuseaddr TUN:192.168.255.1/24,up &`, but after running that I get no tun0 in my ifconfig output.

Now I saw this project and you are using --privileged. So I guess that means I just am not going to get a VPN in my containers without --privileged? I am not sure people are going to use my system if it requires --privileged.

Thanks for your work on this and any ideas you have.

Hi Jason,

--privileged is required for almost any kind of VPN (except hacks involving LD_PRELOAD and e.g. SOCKS proxies).

Sorry!

What I am thinking of doing is running --privileged on a separate container (call it container a_net for example) and then using --net=container:a_net on a non-privileged container.

This would be less 'insecure' than just running all of my containers as privileged, but I don't know really. What do you think of the security implications of using --net=container:someprivileged?

You can totally do that; and I was about to suggest it! But it doesn't change the crux of the issue, i.e. your users need to trust your VPN image.
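The split discussed above, a single --privileged network container with unprivileged app containers attached to its network namespace, written out as an added shell example (not code from the dockvpn project or from either participant). Image names `vpn-image` and `app-image` are placeholders; the container name `a_net` follows the thread; `DOCKER` can be pointed at `echo` for a dry run. The check at the end reads the fields a defender would audit, namely that the app container is not privileged and really shares `a_net`'s network namespace, using `docker inspect --format` on `HostConfig.Privileged` and `HostConfig.NetworkMode` (the assumption that `NetworkMode` is stored as `container:a_net`, i.e. as passed on the command line, is noted in a comment).

```shell
#!/bin/sh
# Added example, not from the dockvpn project or this issue thread.
# Pattern: one privileged container owns the VPN (and its tun device); app
# containers run unprivileged and only borrow its network namespace, so they
# route through the VPN without gaining the privileged capability set.
# Placeholders: vpn-image, app-image. DOCKER=echo gives a dry run.
DOCKER=${DOCKER:-docker}

start_net_container() {
  # The only container that gets --privileged.
  "$DOCKER" run -d --privileged --name a_net vpn-image
}

start_app_container() {
  # No --privileged here: --net=container:a_net shares the network namespace
  # (interfaces, routes, tun0) but not capabilities or other namespaces.
  "$DOCKER" run -d --net=container:a_net --name "$1" app-image
}

# Policy check on an app container's HostConfig: refuse anything privileged
# and anything not attached to a_net's network namespace. Takes the two
# values exactly as printed by the docker inspect format string in inspect_app.
check_app_hostconfig() {
  privileged=$1
  netmode=$2
  if [ "$privileged" != "false" ]; then
    echo "refusing: Privileged=$privileged" >&2
    return 1
  fi
  # Assumption: Docker stores NetworkMode as given on the command line.
  if [ "$netmode" != "container:a_net" ]; then
    echo "refusing: NetworkMode=$netmode" >&2
    return 1
  fi
  return 0
}

inspect_app() {
  # Pull the two fields from the live container and apply the policy.
  set -- $("$DOCKER" inspect -f '{{.HostConfig.Privileged}} {{.HostConfig.NetworkMode}}' "$1")
  check_app_hostconfig "$1" "$2"
}

# Usage (real run): start_net_container; start_app_container myapp; inspect_app myapp
```

Note that this only narrows which container carries --privileged; the VPN container itself still has full host privileges, which is the trust-the-VPN-image point made above.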

Ok great, thanks. I was more concerned about trusting the users not to "get out" of their container too easily.

On Tue, Jul 15, 2014 at 6:00 PM, Jérôme Petazzoni wrote:

> You can totally do that; and I was about to suggest it! But it doesn't change the crux of the issue, i.e. your users need to trust your VPN image.
