Skip to content

๐Ÿ”’ Open VPN server for connecting to private networks

Notifications You must be signed in to change notification settings

imageneratext/docker_openvpn

Folders and files

NameName
Last commit message
Last commit date

Latest commit

ย 

History

12 Commits
ย 
ย 
ย 
ย 

Repository files navigation

๐Ÿ”’ Docker openvpn server

  • Create a openvpn server for connect to ๐Ÿ”— private networks

  • This project uses kylemanna openvpn ๐Ÿ‹ docker image

โ„น๏ธ Context

๐Ÿ˜ฌ Problem

  • We want ๐Ÿš€ deploy an docker application in the โ˜๏ธ cloud restricting the access via VPN (it is an internal company app)

  • In the clients we only want to โ†ช๏ธ redirect the traffic to the VPN when we go to the url of the internal application, the rest going through the ๐Ÿ“ local network

๐Ÿ’ผ Solution

  • Create a VPN server and specify the IP ๐Ÿ›ฃ๏ธ route of the internal app

  • In the internal app server, we restrict all ๐Ÿ”Œ connections IPs except of the VPN server (image from heavymetaldev)

vpn_diagram

โš™๏ธ Configure open vpn server

๐Ÿง Intall linux dependencies

sudo apt update && sudo apt install -y docker.io docker-compose
sudo usermod -aG docker $USER && newgrp docker

๐Ÿ“ Note: We recommend not setup with root user (you can create user with sudo permissions following next ๐Ÿฆฎ guide)

๐Ÿ“ฅ Clone project

git clone https://github.com/imageneratext/docker_openvpn.git

๐Ÿ‘จโ€๐Ÿ”ง Configure open-vpn

export PUBLIC_SERVER_IP=$(curl ifconfig.me.)
export ROUTE="route 222.222.222.222 255.255.255.255"
docker-compose run --rm openvpn ovpn_genconfig -N -d -u udp://${PUBLIC_SERVER_IP} -p "route 172.17.0.0 255.255.0.0" -p ${ROUTE}

๐Ÿ“ Notes:

  • PUBLIC_SERVER_IP is the ๐Ÿ“ public IP of VPN server (it could specify the domain)
  • ROUTE indicates the domain/IP which the VPN will ๐Ÿ›ฃ๏ธ route the traffic from client (it can be a IPs range like ROUTE="route 222.222.222.0 255.255.255.0" or several -p arguments). Once run, we also can add routes โœ๏ธ editing the config file openvpn-data/conf/openvpn.conf
  • The route 172.17.0.0 255.255.0.0 is the default ๐Ÿ‹ docker subnet

๐Ÿ”‘ Create CA key passphrase

Run the next command and set a CA passphrase (it ask โœ… serveral comfirmations)

docker-compose run --rm openvpn ovpn_initpki

๐Ÿ†™ Up open-vpn server

docker-compose up -d openvpn

๐Ÿ‘ค Create and copy client certificates

  • โž• Generate one providing a password for the client and specifying the CA passphrase

    export CLIENT_NAME="client_1"
    ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn easyrsa build-client-full $CLIENT_NAME"

    ๐Ÿ“ Note: To generate it without password add nopass argument

  • ๐Ÿ“ฅ Get and copy .ovpn file to local host

    ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn ovpn_getclient $CLIENT_NAME" > $CLIENT_NAME.ovpn

๐Ÿงน Revoke client certificates

# Keep the corresponding certificate, key and files
ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn ovpn_revokeclient $CLIENT_NAME"

# Remove the corresponding certificate, key and req files
ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn ovpn_revokeclient $CLIENT_NAME remove"

๐Ÿ†• Renew CA certificate (source)

docker exec -it openvpn sh

mv /etc/openvpn/pki/reqs/$PUBLIC_SERVER_IP.req /etc/openvpn/pki/reqs/$PUBLIC_SERVER_IP.req.backup.1
mv /etc/openvpn/pki/private/$PUBLIC_SERVER_IP.key /etc/openvpn/pki/private/$PUBLIC_SERVER_IP.key.backup.1
mv /etc/openvpn/pki/issued/$PUBLIC_SERVER_IP.crt /etc/openvpn/pki/issued/$PUBLIC_SERVER_IP.crt.backup.1


cd /etc/openvpn
easyrsa build-server-full $PUBLIC_SERVER_IP nopass

๐Ÿ’ป Configure the client

  • ๐Ÿ”› Enable client VPN via shell

    sudo apt-get install openvpn
    sudo openvpn --config "$CLIENT_NAME.ovpn"

๐Ÿ–ฑ๏ธ Configure client with GUI (Ubuntu)

  1. Install network-manager-openvpn

    sudo apt-get -y install network-manager-openvpn
  2. Open ๐Ÿ“ถ network settings and add a new VPN target

  3. Click in "Import from file".

    See imagevpn_settings_ubuntu_

  4. Set the user ๐Ÿ”‘ password.

    See imagepass_vpn_settings

  5. Go to IPv4 section and โœ… check "Use this connection only for resources on its network" (this let us โ†ช๏ธ redirect to VPN only traffic of routes added).

    See imageipv4_vpn_setting

For automatically ๐Ÿ”› turn on VPN

  1. ๐Ÿš Run nm-connection-editor

  2. โžก Click in "Wired connection 1".

    See imagenetwork_connection

  3. Go to "General" tab, โ˜‘๏ธ check "Automatically connect to VPN" and choose the desired connection.

    See imagewired_connection

  4. Ensure โœ… check "Store the password for all users" in vpn settings to avoid secrets request errors.

    See imagepass_save_vpn_config

๐Ÿ“ฑ Configure internal app

  • Check external interface (e.g: eth0)

    ip route list default
    # eg output: default via 139.59.160.1 dev eth0 proto static
  • ๐Ÿ” Restricts connections to all IPs except of the VPN server via iptables how say in docker ๐Ÿ“˜ doc

    sudo iptables -I DOCKER-USER -i eth0 ! -s 111.111.111.111 -j DROP

    ๐Ÿ“ Note: This restrict outbound connections during image ๐Ÿข building, follow this ๐Ÿฆฎ guide or configure ๐Ÿง‘โ€๐Ÿš’ firewall rules in your cloud service for restrict it

  • โค๏ธ Useful commands

    # to show iptables rules
    sudo iptables -L --line-numbers
    
    # to remove iptables rules
    sudo iptables -D DOCKER-USER -i eth0 ! -s 111.111.111.111 -j DROP

๐Ÿ–‡๏ธ References

About

๐Ÿ”’ Open VPN server for connecting to private networks

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published