What's the feature 🧐
I run gluetun in my Kubernetes cluster, which uses Cilium for network policies. I'm aware that gluetun does its own iptables-based rules, but I would like to also configure Cilium-based policies. My VPN provider is ProtonVPN and they have a lot of VPN servers. My goal is to configure a network policy that effectively says "only VPN traffic is allowed to leave from these containers". To achieve this, I've created a giant network policy that lists all the IP addresses for ProtonVPN and allows traffic to all of them. This works, but it's clunky and I now have to make sure it gets updated regularly.
Cilium does, however, offer an alternative: you can allow DNS resolution for something like *.protonvpn.com, and then Cilium keeps track of DNS resolution (e.g. node-nl-47.protonvpn.net) and dynamically manages that list of IPs. Then you can allow traffic to certain domains, and if the IP address was previously resolved for that domain, Cilium will allow it. That would suit me perfectly. However, from my testing, I don't think gluetun does this DNS resolution (and why would it; servers.json already contains the IP addresses).
So my feature request is kind of silly: Would you be open to having an option that performs DNS resolution before connecting to a VPN IP?
Extra information and references
An example policy when using IPs:
```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
spec:
  ...
  egress:
    # List every single IP here that gluetun might connect to
    - toCIDR:
        - 103.69.224.2/32
        - ... <lots of IP addresses here>
        - 93.190.140.104/32
      toPorts:
        - ports:
            - port: "51820"
              protocol: UDP
```
Instead of hundreds of IP addresses, something like this would likely suffice:
```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
spec:
  ...
  egress:
    # Allow DNS resolution for the VPN server
    - toCIDR:
        - 1.1.1.1/32
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchName: "raw.githubusercontent.com"
              - matchName: "ipinfo.io"
              - matchPattern: "*.protonvpn.net"
              - matchName: "api.protonmail.ch"
    - toFQDNs:
        - matchPattern: "*.protonvpn.net"
      toPorts:
        - ports:
            - port: "51820"
              protocol: UDP
```
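A sketch of what the requested "resolve before connecting" step would have to check, as an added example that is not gluetun's code and not part of the original request. The point a DNS-aware policy such as `toFQDNs` forces on the client is that the IP actually dialed must be one the policy engine saw in a DNS answer: if the server list says 203.0.113.9 but the hostname now resolves elsewhere, the connection is dropped even though the address came from `servers.json`. The function below issues the lookup, then refuses to return an address that was not in the answer. The resolver is injected so the block runs offline; `fakeLookup`, the `node-*.protonvpn.net` hostnames and all addresses are constructed for the demo, and the function and error names are hypothetical.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"time"
)

// LookupFunc is the DNS lookup the pre-connect step uses. A real client
// would pass net.DefaultResolver.LookupIPAddr; the demo and the test
// inject a fake so the block runs offline.
type LookupFunc func(ctx context.Context, host string) ([]net.IPAddr, error)

// ErrIPNotResolved is returned when the IP the server list says we should
// dial was not among the addresses DNS returned for the hostname. A
// DNS-aware egress policy (such as Cilium's toFQDNs) only allows IPs it
// saw in a DNS answer, so dialing an unresolved IP would be dropped anyway.
var ErrIPNotResolved = errors.New("server IP not present in DNS answer for hostname")

// ResolveBeforeConnect (hypothetical name) issues a DNS query for hostname
// and checks that serverIP (the address taken from the server list) is one
// of the answers. It returns the address to dial, or an error the caller
// must treat as "do not connect".
func ResolveBeforeConnect(ctx context.Context, lookup LookupFunc, hostname string, serverIP net.IP) (net.IP, error) {
	if serverIP == nil {
		return nil, errors.New("server IP is nil")
	}
	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
	defer cancel()

	addrs, err := lookup(ctx, hostname)
	if err != nil {
		return nil, fmt.Errorf("resolving %s: %w", hostname, err)
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("resolving %s: empty answer", hostname)
	}
	for _, a := range addrs {
		if a.IP.Equal(serverIP) {
			return serverIP, nil // the policy engine has now seen this IP for this name
		}
	}
	return nil, fmt.Errorf("%s resolved to %v: %w", hostname, addrs, ErrIPNotResolved)
}

// fakeLookup is a constructed, offline stand-in for the system resolver,
// keyed by hostname. Unknown names get a NotFound DNSError like the real one.
func fakeLookup(table map[string][]string) LookupFunc {
	return func(_ context.Context, host string) ([]net.IPAddr, error) {
		ips, ok := table[host]
		if !ok {
			return nil, &net.DNSError{Err: "no such host", Name: host, IsNotFound: true}
		}
		out := make([]net.IPAddr, 0, len(ips))
		for _, s := range ips {
			out = append(out, net.IPAddr{IP: net.ParseIP(s)})
		}
		return out, nil
	}
}

func main() {
	// Constructed answer table: documentation-range addresses, made-up node name.
	lookup := fakeLookup(map[string][]string{
		"node-nl-47.protonvpn.net": {"198.51.100.47"},
	})
	for _, tc := range []struct{ host, ip string }{
		{"node-nl-47.protonvpn.net", "198.51.100.47"}, // matches the answer: safe to dial
		{"node-nl-47.protonvpn.net", "203.0.113.9"},   // stale server list: refuse
		{"node-xx-01.protonvpn.net", "198.51.100.1"},  // NXDOMAIN: refuse
	} {
		ip, err := ResolveBeforeConnect(context.Background(), lookup, tc.host, net.ParseIP(tc.ip))
		fmt.Printf("%-26s %-15s -> ip=%v err=%v\n", tc.host, tc.ip, ip, err)
	}
}
```

Two practical caveats when pairing this with the policy above: the lookup has to go to the cluster DNS on port 53, which is what the L7 `rules: dns:` entry intercepts, so a resolver that bypasses it (or an answer cached in-process from before the policy was applied) leaves the FQDN-to-IP cache empty and the `toFQDNs` rule drops the UDP/51820 connect; and resolving then dialing the server-list IP rather than the resolved one is deliberate, since it keeps the existing `servers.json` selection logic while still failing closed when the two disagree.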