Tiberio

Reputation: 161

Tun module in dockerized Microsoft Azure Functions to run openvpn

I want to create a dockerized Azure function that routes all the HTTP traffic through an openvpn tunnel and switches the VPN connection config every X minutes. However, openvpn in the container cannot work since openvpn cannot create the tun/tap interface, and if I try to load the tun module, it is not found.

My dockerfile looks like this:

FROM mcr.microsoft.com/azure-functions/dotnet-isolated:4-dotnet-isolated8.0-appservice

RUN apt-get update && \
    apt-get install -y openvpn iputils-ping psmisc kmod iproute2 wget unzip

COPY .pass /etc/openvpn/.pass
WORKDIR /etc/openvpn

# download list of ovpn configs and unzip them

ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
    AzureFunctionsJobHost__Logging__Console__IsEnabled=true

COPY --from=installer-env /home/site/wwwroot /home/site/wwwroot
COPY startup.sh /home/site/wwwroot/startup.sh
RUN chmod +x /home/site/wwwroot/startup.sh

ENTRYPOINT ["/bin/bash", "/home/site/wwwroot/startup.sh"]

And my startup script does this to both run the function and switch the VPN connection:

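# Rotate to a randomly chosen .ovpn profile every 10 minutes (runs in the background)
while true; do
    CONFIG_FILE=$(find "$CONFIG_DIR" -type f -name "*.ovpn" | shuf -n 1)
    kill_vpn
    sleep 5
    start_vpn "$CONFIG_FILE"
    sleep 30
    # Basic reachability check once the tunnel has had time to come up
    if ping -c 1 -W 10 8.8.8.8 > /dev/null; then
        echo "$(date): VPN successfully connected." >> "$LOGFILE"
    else
        echo "$(date): VPN connection failed." >> "$LOGFILE"
    fi
    sleep 600
done &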
# Start the Azure Function after the VPN is up and running
echo "Starting Azure Function"
cd /home/site/wwwroot || exit
dotnet exec /azure-functions-host/Microsoft.Azure.WebJobs.Script.WebHost.dll

I pushed the image on Container registry and deployed on a simple Container instance. However it seems that ovpn cannot work since there is no tun/tap device on the host.

ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)

If I ssh and try to modprobe tun I get the following error:

modprobe: FATAL: Module tun not found in directory /lib/modules/5.10.102.2-microsoft-standard

Is it possible to get a tun device on Microsoft Azure? Or what do you suggest as an alternative to achieve a scalable solution to many instances of functions, each one connected to a switching VPN with openvpn?

Upvotes: 0

Views: 137

Answers (1)

Pavan

Reputation: 1371

To start the Azure Function and manage VPN connections, make sure it does all the required operations, including creating the TUN/TAP interface.

  • The updated Dockerfile and startup.sh script are provided below, which enable the correct functioning of the TUN/TAP interface:

Dockerfile

FROM mcr.microsoft.com/azure-functions/dotnet-isolated:4-dotnet-isolated8.0-appservice

RUN apt-get update && \
    apt-get install -y openvpn iputils-ping psmisc kmod iproute2 wget unzip

COPY .pass /etc/openvpn/.pass
WORKDIR /etc/openvpn

# Download list of ovpn configs and unzip them
# (Assuming you have commands here to download and unzip the ovpn configs)

ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
    AzureFunctionsJobHost__Logging__Console__IsEnabled=true

COPY startup.sh /home/site/wwwroot/startup.sh
RUN chmod +x /home/site/wwwroot/startup.sh

ENTRYPOINT ["/bin/bash", "/home/site/wwwroot/startup.sh"]

The commands below are used to run and deploy the Docker image.

docker build -t myfunctionapp:v1 .
docker run --privileged -d -p 8080:80 myfunctionapp:v1
az login
az group create --name myResourceGroup --location westeurope
az acr create --resource-group myResourceGroup --name myRegistry --sku Basic
az acr login --name myRegistry
docker tag myfunctionapp:v1 myRegistry.azurecr.io/myfunctionapp:v1
docker push myRegistry.azurecr.io/myfunctionapp:v1

  • The Dockerfile installs necessary packages and copies your VPN password and startup script.
  • To make sure the Docker container has access to build TUN/TAP devices, it executes with the --privileged parameter.
  • A Premium plan is used to deploy the Azure Function App in order to support the required permissions and features.

VPN Connection Logs:

Mon May 20 10:15:20 2024: Starting VPN with config /etc/openvpn/configs/sample1.ovpn
Mon May 20 10:15:25 2024: OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 30 2020
Mon May 20 10:15:25 2024: library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Mon May 20 10:15:25 2024: TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1194
Mon May 20 10:15:25 2024: Attempting to establish TCP connection with [AF_INET]203.0.113.10:1194 [nonblock]
Mon May 20 10:15:26 2024: TCP connection established with [AF_INET]203.0.113.10:1194
Mon May 20 10:15:26 2024: TCP_CLIENT link local: (not bound)
Mon May 20 10:15:26 2024: TCP_CLIENT link remote: [AF_INET]203.0.113.10:1194
Mon May 20 10:15:26 2024: [server] Peer Connection Initiated with [AF_INET]203.0.113.10:1194
Mon May 20 10:15:28 2024: TUN/TAP device tun0 opened
Mon May 20 10:15:28 2024: /sbin/ip link set dev tun0 up mtu 1500
Mon May 20 10:15:28 2024: /sbin/ip addr add dev tun0 local 10.8.0.2 peer 10.8.0.1
Mon May 20 10:15:28 2024: Initialization Sequence Completed
Mon May 20 10:15:35 2024: VPN successfully connected.


Upvotes: 0
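
The two failures reported in the question (no `/dev/net/tun` node, no `tun` module in the kernel) can be detected before openvpn is launched. The following preflight is an added example, not code from the question or the answer; the function names `has_net_admin` and `tun_preflight` and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Preflight for an OpenVPN client inside a container (added example).
# CAP_NET_ADMIN is capability number 12 in linux/capability.h.
CAP_NET_ADMIN_BIT=12

# has_net_admin HEX: succeeds if the CapEff mask has the CAP_NET_ADMIN bit set.
has_net_admin() {
    [ $(( (0x$1 >> CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# tun_preflight [DEVICE] [STATUS_FILE]
# Returns 0 = usable, 1 = device node missing, 2 = node present but cannot
# be opened (for example no tun driver behind it), 3 = CAP_NET_ADMIN missing.
tun_preflight() {
    tun=${1:-/dev/net/tun}
    status=${2:-/proc/self/status}

    if [ ! -c "$tun" ]; then
        echo "preflight: $tun is not a character device (not passed in by the runtime)" >&2
        return 1
    fi

    # Opening the node read-write without a TUNSETIFF ioctl creates no
    # interface; it only proves that a driver answers behind the node.
    if ! ( exec 3<>"$tun" ) 2>/dev/null; then
        echo "preflight: $tun exists but cannot be opened" >&2
        return 2
    fi

    # openvpn also needs CAP_NET_ADMIN to configure the interface and routes.
    capeff=$(awk '/^CapEff:/ {print $2}' "$status")
    if [ -z "$capeff" ] || ! has_net_admin "$capeff"; then
        echo "preflight: CAP_NET_ADMIN not in effective set (CapEff=$capeff)" >&2
        return 3
    fi
    return 0
}

# In startup.sh, before the rotation loop (commented out so that sourcing
# this file has no side effects):
# tun_preflight || { echo "no usable TUN device, not starting openvpn" >&2; exit 1; }
```

On a Docker host you control, `--cap-add=NET_ADMIN --device /dev/net/tun` grants exactly the two things this check looks for, which is a much smaller grant than `--privileged`. Neither option helps when the host kernel has no tun driver, as the modprobe error in the question shows.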
