LXC vs VM for an OpenVPN server

alefello

Member
Jul 27, 2022
Hello everybody
I want to setup an OpenVPN server to access my network from outside but I'm thinking about performance vs security.
I don't know if an unprivileged container is sufficiently secure compared to a VM to run my OpenVPN server. Of course a container is better for performance, but what about security? My doubt regards the /dev/tun device being created on the host, and anyway sharing the kernel too.
Thank you
 
hi,

I don't know if an unprivileged container is sufficiently secure compared to a VM to run my OpenVPN server. Of course a container is better for performance, but what about security? My doubt regards the /dev/tun device being created on the host, and anyway sharing the kernel too.
unless you're handing out command shells on your VPN container to unknown people, it should be relatively safe to run a VPN server on an unprivileged container :)
i would just make sure that nothing else important runs on it (just make another container/VM).
you can take a look here if you decide to go with the container [0]

[0]: https://pve.proxmox.com/wiki/OpenVPN_in_LXC
 
The only security concern I can think of off the top of my head is this:
A LX(C) container is more secure with respect to KSM (kernel same-page merging) attacks. In a VM, an attacker in another VM could get information about your used keys by running attacks against the latency of same-page-merged memory blocks.

You could also reduce the attack surface by reducing the memory and space consumption (less stuff is less vulnerable). If you e.g. use Alpine Linux as the container OS, you will get a working OpenVPN server with about 32 MB of storage and also 16 MB of RAM. You could end up having NO ports open besides OpenVPN and still have full firewalling capabilities inside of LXC.
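As an added example (not code from this thread or from the Proxmox wiki), here is a small POSIX shell audit that checks a Proxmox container config for the points raised above: that the container is unprivileged, that the only host device shared with it is /dev/net/tun (the tun character device, major 10 minor 200, which is what the OpenVPN-in-LXC setup needs), that no other host paths are bind-mounted in, and that no optional container features are switched on. It also reports whether KSM is active on the host, which is the host-side setting the KSM remark concerns. The config keys are the standard `/etc/pve/lxc/<CTID>.conf` ones; the CTID, storage name and hostname in the sample are constructed, and the sysfs path for KSM is assumed to be the usual `/sys/kernel/mm/ksm/run`.

```shell
#!/bin/sh
# Added example: audit a Proxmox container config for an OpenVPN CT.
# Assumptions: the file uses the standard /etc/pve/lxc/<CTID>.conf keys, and the
# only host device the container legitimately needs is /dev/net/tun (char 10:200).

# Constructed sample config; CTID 200, storage name and hostname are made-up values.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
arch: amd64
cores: 1
hostname: openvpn
memory: 128
net0: name=eth0,bridge=vmbr0,ip=dhcp
ostype: alpine
rootfs: local-lvm:vm-200-disk-0,size=1G
swap: 0
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
EOF

# audit_ct_conf FILE: print one WARN line per finding; return 0 when clean, 1 otherwise.
audit_ct_conf() {
    conf=$1
    issues=0

    # 1. The container must be unprivileged, so root inside maps to an unprivileged host uid.
    if ! grep -qx 'unprivileged: 1' "$conf"; then
        echo "WARN: container is not unprivileged (missing 'unprivileged: 1')"
        issues=1
    fi

    # 2. Device allow rules other than the tun char device widen host device access.
    extra=$(grep -E '^lxc\.cgroup2?\.devices\.allow:' "$conf" | grep -v ' c 10:200 ' || true)
    if [ -n "$extra" ]; then
        echo "WARN: device access beyond /dev/net/tun granted:"
        echo "$extra"
        issues=1
    fi

    # 3. Bind mounts other than /dev/net/tun expose host paths to the container.
    extra=$(grep -E '^lxc\.mount\.entry:' "$conf" | grep -v '^lxc\.mount\.entry: /dev/net/tun ' || true)
    if [ -n "$extra" ]; then
        echo "WARN: host path mounted into the container:"
        echo "$extra"
        issues=1
    fi

    # 4. Optional features (nesting, keyctl, extra mount types) are not needed by OpenVPN.
    if grep -qE '^features:' "$conf"; then
        echo "WARN: optional container features enabled:"
        grep -E '^features:' "$conf"
        issues=1
    fi

    return $issues
}

# ksm_active [RUN_FILE]: return 0 when kernel same-page merging is switched on.
# The default is the usual sysfs path (assumption); another file can be passed for testing.
ksm_active() {
    run_file=${1:-/sys/kernel/mm/ksm/run}
    [ -r "$run_file" ] && [ "$(cat "$run_file")" != "0" ]
}

audit_ct_conf "$SAMPLE_CONF" && echo "config OK: only /dev/net/tun is shared with the host"
ksm_active && echo "note: KSM is active on this host" || true
```

Run it against a real container config with `audit_ct_conf /etc/pve/lxc/<CTID>.conf`; any WARN line marks a setting that gives the container more of the host than an OpenVPN server needs, which is exactly the "nothing else important runs on it" advice from the first reply expressed as a check.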