Why VPNs Cannot be Used with Docker Executor on CircleCI


VPN connections are only possible using machine executors, windows, and macOS but why can't docker executor also use VPN on CircleCI? This limitation is due to the use of unprivileged LXC containers that CircleCI uses and the creation of TUN/TAP devices required by VPNs that utilize privileged permission.



CircleCI utilizes Unprivileged LXC containers, which offer enhanced security by restricting container access to other containers and the host machine. In this setup, the container's root user (UID 0) is mapped to an unprivileged user outside the container, ensuring limited access to resources.

However, VPNs require the creation of TUN/TAP devices, which involves mounting specific filesystems, creating device nodes, and utilizing the host root user (UID 0) privileges. Since CircleCI maps UID 0 to an unprivileged user, the necessary permissions for setting up the VPN are not available.


To address this limitation, CircleCI recommends using the IP Ranges feature. This feature provides a specific IP for the Docker executor, allowing users to achieve similar functionality without relying on VPNs.


Additional Notes:

It's important to note that as long as CircleCI uses unprivileged LXC containers, the creation of TUN/TAP devices within the Docker executor will not be supported. This limitation is inherent to the design and security measures implemented by CircleCI.

We value customer feedback and understand the need for VPN support within Docker containers. We encourage users to share their specific use cases and requirements by submitting a feature request on our request board. Your input will help us better understand and address your needs regarding VPN functionality. Please provide your feedback and use case details on the feature request page: Enabling VPN Support from Docker Containers.


Additional Resources:

Was this article helpful?
6 out of 7 found this helpful



Article is closed for comments.