Why Container Linux Demands Container-Friendly VPN Solutions
Container Linux (formerly CoreOS) is an immutable, minimal distribution designed for containerised workloads and clustered environments. There’s no traditional package manager—you manage updates atomically via update_engine and deploy applications in Docker/CRI-O containers or specialized “toolbox” containers. Users are typically DevOps engineers or SREs operating headless servers GUI desktop environments are uncommon. On Container Linux you rely heavily on systemd for services, kernel modules must already be built into the image, and any additional binaries often run in containers or via static releases.
Given these constraints, the ideal VPNs for Container Linux are those that:
- Offer statically compiled clients or official Docker/OCI images
- Integrate cleanly with
systemdor run as a container with--cap-add=NET_ADMIN - Require minimal on-host footprint (no extra package manager dependencies)
Top VPNs for Container Linux at a Glance
| VPN | Protocol | Deployment Model | Systemd Integration | Official Docs |
|---|---|---|---|---|
| WireGuard | WireGuard | Static binary or container | Yes, via wg-quick@.service |
WireGuard Docs |
| Tailscale | WireGuard | Static binary systemd | Yes, tailscaled.service |
Tailscale KB |
| OpenVPN | OpenVPN | Docker container | Yes, via container systemd unit | OpenVPN Guides |
Why These VPNs Suit Container Linux
- WireGuard: Built into modern kernels, tiny static userland tools, easy systemd integration.
- Tailscale: Official static binaries, auto-updates, peer-to-peer mesh via WireGuard, simple
systemdservice. - OpenVPN: Ubiquitous, official Docker images, flexible routing ideal if you’re already containerising other services.
Installing and Configuring WireGuard
Since Container Linux kernels often include WireGuard modules, you can use a small container or static release.
1. Fetch the Static Tools
# Download and extract official WireGuard tools curl -LO https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-1.0.20220118.tar.xz tar xf wireguard-tools-.tar.xz cd wireguard-tools- make cp tools/wg /usr/local/bin/ cp tools/wg-quick /usr/local/bin/
2. Create Your WireGuard Config
# /etc/wireguard/wg0.conf [Interface] PrivateKey = YOUR_PRIVATE_KEY Address = 10.0.0.2/24 DNS = 1.1.1.1 [Peer] PublicKey = SERVER_PUBLIC_KEY Endpoint = vpn.example.com:51820 AllowedIPs = 0.0.0.0/0 PersistentKeepalive = 25
3. Enable and Start the Service
# Create systemd unit link ln -s /usr/local/bin/wg-quick /etc/systemd/system/wg-quick@wg0.service # Enable and start systemctl enable wg-quick@wg0 systemctl start wg-quick@wg0 # Verify status wg show
Installing and Configuring Tailscale
Tailscale provides a static tarball that runs cleanly on immutable distros. It spins up tailscaled under systemd.
1. Download and Install Binaries
# Fetch the latest Tailscale tarball curl -fsSL https://pkgs.tailscale.com/stable/tailscale_amd64.tgz tar xz -C /usr/local/bin # Ensure binaries are executable chmod x /usr/local/bin/tailscaled /usr/local/bin/tailscale
2. Enable the Daemon
# Create a systemd drop-in for tailscaled cat << EOF > /etc/systemd/system/tailscaled.service [Unit] Description=Tailscale node agent After=network-online.target Wants=network-online.target [Service] ExecStart=/usr/local/bin/tailscaled Restart=on-failure [Install] WantedBy=multi-user.target EOF # Reload and enable systemctl daemon-reload systemctl enable --now tailscaled
3. Authenticate and Connect
# Log in to your Tailscale account tailscale up --authkey tskey-yourAuthKey --advertise-exit-node # Check status tailscale status
Using OpenVPN via Docker
OpenVPN can run entirely in a container. You’ll mount your .ovpn file or credentials into a client image.
docker run -d --name openvpn-client --cap-add=NET_ADMIN -v /etc/openvpn/client:/etc/openvpn --device /dev/net/tun dperson/openvpn-client -f -r -c /etc/openvpn/client/myconfig.ovpn
If you wish to manage it via systemd, wrap the docker run command inside an [Unit] file under /etc/systemd/system/openvpn-client.service, then systemctl enable --now openvpn-client.
Conclusion
On Container Linux, lean, containerised or static-binary VPN solutions shine. WireGuard and Tailscale integrate seamlessly with systemd and require minimal host modifications, while OpenVPN in a container offers maximum flexibility. Pick the one matching your operational model and enjoy secure, encrypted connectivity on your immutable infrastructure.
Leave a Reply