Creating a VPN Gateway with a Unikernel running WireGuard

Interestingly enough, NanoVMs published an article going over exactly what ChatGPT thought was impossible: running a VPN inside a unikernel. Creating a VPN Gateway with a Unikernel running WireGuard

I mentioned ChatGPT because I’m no expert in any of this, and to add some color I’ll explain how I got here.

I wanted a network-layer solution for being able to block access to certain websites. Think services like BlockSite & LeechBlockNG. I figured spinning up a VPN server with an allowlist should do the job. I’ve been in serverless land for some time and tried to see how this idea might fit into this model. With performance and security being top of mind, I was brought to NanoVMs.

But from my research I was under the impression that a VPN gateway within a unikernel was impossible due to the lack of access to low-level network APIs. This article, through a series of patches, was able to achieve a VPN within a unikernel. At the end of the article it mentions that IP masquerading is on the roadmap.

A couple of questions,

  1. Where can I see this roadmap?
  2. Would IP masquerading make the patches done in this tutorial unnecessary?
  3. Is the idea of a serverless VPN possible with unikernels? If so, how so?

  1. We don’t really have a public roadmap. The majority of our work is all customer driven.

  2. It would get rid of the IP forwarding step, but you can still create these gateways as-is, as in this tutorial should still work.

  3. It depends on what you mean by ‘serverless’. There are typically two things that people think of when they think of serverless. One is a ‘hands-off’/‘no-server’-like instance, and in that case yes, it would fit quite well. The other thing that people think of for serverless is something that spins up on a request basis, and on that front I don’t know if it would make a ton of sense unless you are the one offering it as a service to others. Something still needs to handle incoming connections, and if it’s just one person using it, it doesn’t really make sense to instantiate new instances like that, but if you’re serving many different users then it makes a lot more sense.

So I suppose it comes down to what you’re really trying to do.