diff --git a/pkg/vpnkit-expose-port/Dockerfile b/pkg/vpnkit-expose-port/Dockerfile
new file mode 100644
index 000000000..eb481a340
--- /dev/null
+++ b/pkg/vpnkit-expose-port/Dockerfile
@@ -0,0 +1,15 @@
+FROM linuxkit/alpine:c608d404c1cb36cce0c7d9303e30b52c9d81ccf0 AS mirror
+
+RUN apk add --no-cache go musl-dev git build-base
+ENV GOPATH=/go PATH=$PATH:/go/bin
+ENV COMMIT=db7b7b0f8147f29360d69dc81af9e2877647f0de
+
+RUN git clone https://github.com/moby/vpnkit.git /go/src/github.com/moby/vpnkit && \
+ cd /go/src/github.com/moby/vpnkit && \
+ git checkout $COMMIT && \
+ cd go && \
+ make build/vpnkit-iptables-wrapper.linux build/vpnkit-expose-port.linux
+
+FROM scratch
+COPY --from=mirror /go/src/github.com/moby/vpnkit/go/build/vpnkit-iptables-wrapper.linux /usr/bin/vpnkit-iptables-wrapper
+COPY --from=mirror /go/src/github.com/moby/vpnkit/go/build/vpnkit-expose-port.linux /usr/bin/vpnkit-expose-port
diff --git a/pkg/vpnkit-expose-port/Makefile b/pkg/vpnkit-expose-port/Makefile
new file mode 100644
index 000000000..95f3b6f97
--- /dev/null
+++ b/pkg/vpnkit-expose-port/Makefile
@@ -0,0 +1,6 @@
+IMAGE=vpnkit-expose-port
+DEPS=$(wildcard *.go)
+NETWORK=1
+
+include ../package.mk
+
diff --git a/pkg/vpnkit-expose-port/README.md b/pkg/vpnkit-expose-port/README.md
new file mode 100644
index 000000000..7e0e2ae11
--- /dev/null
+++ b/pkg/vpnkit-expose-port/README.md
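Review bot: The final stage installs both binaries under `/usr/bin/`, while the README added in this same commit tells operators they are in `/usr/local/bin`. The two should agree, because `--userland-proxy-path` has to name the exact binary and `vpnkit-iptables-wrapper` is meant to shadow `iptables` on `$PATH`. Either change the destinations, e.g. `COPY --from=mirror /go/src/github.com/moby/vpnkit/go/build/vpnkit-expose-port.linux /usr/local/bin/vpnkit-expose-port` (and likewise for the wrapper), or correct the README path. A comment above `ENV COMMIT=…` would also help, such as `# Full commit SHA of moby/vpnkit to build; keep it a full hash, not a branch or tag, so the source stays pinned`. Whether the `make` step fetches further Go dependencies that this pin does not cover cannot be confirmed from the hunk.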
@@ -0,0 +1,9 @@
+### vpnkit-expose-port
+
+This init-package provides `vpnkit-expose-port` and `vpnkit-iptables-wrapper` from [vpnkit](http://github.com/moby/vpnkit.git). The binaries are installed on the host in `/usr/local/bin` and can be bind mounted into a container with `dockerd`.
+
+`vpnkit-expose-port` is a userland proxy that opens ports on the host by demand. To enable it, start `dockerd` with `--userland-proxy-path` pointing to the bind mounted binary.
+
+`vpnkit-iptables-wrapper` is a wrapper for iptables that opens ports via vpnkit for swarm services. It has to be bind mounted as `iptables` in $PATH before the regular `iptables` binary.
+
+To coordinate with `vpnkit` both tools require access to the 9P port configuration mount point.