Please enable access to Docker remote API

I already have a VPN set up for secure access to my EC2 hosts, and your requirement to use an SSH tunnel on top of that is a big burden to adopting Docker for AWS on my team. We've already covered securing our connections to AWS; could you please let us access the Docker remote API directly?

You can use socat in a container to forward the Docker daemon socket to a TCP port. Here's a sketch using docker run:

docker run -p 2376:2376 -d -v /var/run/docker.sock:/var/run/docker.sock verb/socat:alpine TCP-LISTEN:2376,reuseaddr,fork UNIX-CLIENT:/var/run/docker.sock

You have to be extremely careful when doing this, to avoid exposing unauthenticated Docker daemon endpoints on the public internet. In particular, if you used the above with docker service create, the 2376 port could be auto-configured by the Docker for AWS load balancer integration. You would want to run any such service in global mode, confined to manager nodes, and ensure that the port is exposed to the internet.
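A quick way to verify the warning above on your own hosts is to probe the forwarded port with a plain, unencrypted HTTP request: a socat-forwarded socket answers it directly, whereas a daemon that was configured with TLS on its TCP listener rejects it. The script below is an added example written for this thread, not code from the answer above or from Docker; it uses the Docker Engine API's `/_ping` endpoint (which returns the body `OK`), relies on the Go net/http behaviour of answering a plain-HTTP request on a TLS listener with a 400 "Client sent an HTTP request to an HTTPS server" message, and the default host name is a placeholder you replace with the address of the manager node you are checking.

```python
"""Check whether a Docker daemon TCP port answers plain, unauthenticated HTTP.

Added example for this thread (not the answer's own code). Assumptions:
  - the Docker Engine API's /_ping endpoint, which answers 200 "OK"
  - Go's net/http reply to a plain-HTTP request on a TLS listener
    (400, "Client sent an HTTP request to an HTTPS server.")
  - DEFAULT_HOST is a placeholder, not a real host
"""
import http.client
import socket
import sys

DEFAULT_HOST = "docker-manager.example.internal"  # placeholder host name
DEFAULT_PORT = 2376                               # port used in the socat sketch above
PROBE_PATH = "/_ping"                             # Docker Engine API liveness endpoint


def interpret(status, body, error):
    """Classify the outcome of one plain-HTTP probe.

    Returns one of:
      "unauthenticated" - the daemon answered a plain-HTTP request, so anyone
                          who can reach the port controls the host
      "tls-required"    - the port only speaks TLS; plain HTTP was rejected
      "closed"          - nothing listening, refused, or timed out
      "unknown"         - something answered, but not like a Docker daemon
    """
    if error is not None:
        # ConnectionRefusedError and socket.timeout are both OSError subclasses
        if isinstance(error, OSError):
            return "closed"
        return "unknown"
    if status == 200 and body.strip() == b"OK":
        return "unauthenticated"
    if status == 400 and b"http request to an https server" in body.lower():
        return "tls-required"
    return "unknown"


def probe(host, port=DEFAULT_PORT, timeout=3.0):
    """Send GET /_ping without TLS and return (status, body, error)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", PROBE_PATH, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read(), None
    except (OSError, http.client.HTTPException) as exc:
        return None, b"", exc
    finally:
        conn.close()


def check(host, port=DEFAULT_PORT, timeout=3.0):
    """Probe host:port and return the classification string."""
    return interpret(*probe(host, port, timeout))


# Constructed sample outcomes, so the classifier can be exercised offline.
SAMPLE_OUTCOMES = {
    "socat forward, no TLS": (200, b"OK", None),
    "daemon with TLS listener": (400, b"Client sent an HTTP request to an HTTPS server.\n", None),
    "port closed": (None, b"", ConnectionRefusedError()),
    "some other web server": (404, b"404 page not found\n", None),
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real probe against a host you administer.
        host = sys.argv[1]
        print(f"{host}:{DEFAULT_PORT} -> {check(host)}")
    else:
        for label, outcome in SAMPLE_OUTCOMES.items():
            print(f"{label:28s} -> {interpret(*outcome)}")
```

Run it with the address of a manager node as the first argument; a result of `unauthenticated` from any address outside your VPN means the load balancer or security group is exposing the forwarded socket and the service needs to be re-published or the port closed. Without arguments it only classifies the constructed sample outcomes.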