- Create an OpenVPN server to connect to private networks
- This project uses the kylemanna openvpn docker image
- We want to deploy a docker application in the cloud, restricting access via VPN (it is an internal company app)
- On the clients we only want to redirect traffic to the VPN when we go to the URL of the internal application; the rest goes through the local network
- Create a VPN server and specify the IP route of the internal app
- On the internal app server, we restrict connections from all IPs except the VPN server (image from heavymetaldev)
```shell
sudo apt update && sudo apt install -y docker.io docker-compose
sudo usermod -aG docker $USER && newgrp docker
```
Note: We recommend not setting this up as the root user (you can create a user with sudo permissions by following this guide)
```shell
git clone https://github.com/imageneratext/docker_openvpn.git
cd docker_openvpn
export PUBLIC_SERVER_IP=$(curl ifconfig.me)
export ROUTE="route 222.222.222.222 255.255.255.255"
# ROUTE contains spaces, so it must be quoted or the shell splits it into several arguments
docker-compose run --rm openvpn ovpn_genconfig -N -d -u udp://${PUBLIC_SERVER_IP} -p "route 172.17.0.0 255.255.0.0" -p "${ROUTE}"
```
Notes:
- PUBLIC_SERVER_IP is the public IP of the VPN server (a domain can be specified instead)
- ROUTE indicates the domain/IP to which the VPN will route the traffic from the client (it can be an IP range, like ROUTE="route 222.222.222.0 255.255.255.0", or several -p arguments). After it has run, we can also add routes by editing the config file openvpn-data/conf/openvpn.conf
- The route 172.17.0.0 255.255.0.0 is the default docker subnet
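As an added helper, not part of the docker_openvpn project or the kylemanna image, this POSIX sh script converts CIDR prefixes (and bare IPs) into the `route <network> <netmask>` form that `ovpn_genconfig -p` expects, clears the host bits, and assembles the command above with every `-p` value quoted; the function names `cidr_to_route` and `genconfig_cmd` are ours.

```shell
#!/bin/sh
# Added helper (not part of the docker_openvpn project): CIDR -> "route <net> <mask>"
# lines for ovpn_genconfig -p, plus the assembled command. Pure POSIX sh.

# ip_to_int 10.20.0.0 -> 169082880; fails on anything that is not a dotted quad 0-255
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  [ -n "$d" ] || return 1
  for o in "$a" "$b" "$c" "$d"; do
    case $o in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip 169082880 -> 10.20.0.0
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_to_route 10.20.5.7/16 -> "route 10.20.0.0 255.255.0.0"
# A bare address becomes a /32 host route; host bits are cleared so the
# directive names a real network address rather than a host inside it.
cidr_to_route() {
  addr=${1%/*}; bits=${1#*/}
  [ "$addr" != "$1" ] || bits=32
  case $bits in ''|*[!0-9]*) return 1;; esac
  [ "$bits" -le 32 ] || return 1
  n=$(ip_to_int "$addr") || return 1
  if [ "$bits" -eq 0 ]; then mask=0
  else mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF )); fi
  echo "route $(int_to_ip $(( n & mask ))) $(int_to_ip "$mask")"
}

# genconfig_cmd <public ip or host> <cidr>... -> the ovpn_genconfig command line,
# keeping the default docker subnet route from the README and quoting every -p
# value (an unquoted route string would be split into separate arguments).
genconfig_cmd() {
  host=$1; shift
  cmd="docker-compose run --rm openvpn ovpn_genconfig -N -d -u udp://$host -p \"route 172.17.0.0 255.255.0.0\""
  for cidr in "$@"; do
    r=$(cidr_to_route "$cidr") || { echo "bad prefix: $cidr" >&2; return 1; }
    cmd="$cmd -p \"$r\""
  done
  echo "$cmd"
}
# usage: genconfig_cmd 1.2.3.4 222.222.222.0/24 10.20.5.7/16
```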
Run the next command and set a CA passphrase (it asks for several confirmations)
```shell
docker-compose run --rm openvpn ovpn_initpki
docker-compose up -d openvpn
```
- Generate a client certificate, providing a password for the client and the CA passphrase
```shell
export CLIENT_NAME="client_1"
ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn easyrsa build-client-full $CLIENT_NAME"
```
Note: To generate it without a password, add the nopass argument
- Get and copy the .ovpn file to the local host
```shell
ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn ovpn_getclient $CLIENT_NAME" > $CLIENT_NAME.ovpn
```
- Revoke a client certificate
```shell
# Revoke but keep the corresponding certificate, key and req files
ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn ovpn_revokeclient $CLIENT_NAME"
# Revoke and remove the corresponding certificate, key and req files
ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn ovpn_revokeclient $CLIENT_NAME remove"
```
- Renew CA certificate (source)
```shell
docker exec -it openvpn sh
# inside the container the host's PUBLIC_SERVER_IP is not set; use the same name that was given to ovpn_genconfig
export PUBLIC_SERVER_IP=<public-ip-used-in-genconfig>
mv /etc/openvpn/pki/reqs/$PUBLIC_SERVER_IP.req /etc/openvpn/pki/reqs/$PUBLIC_SERVER_IP.req.backup.1
mv /etc/openvpn/pki/private/$PUBLIC_SERVER_IP.key /etc/openvpn/pki/private/$PUBLIC_SERVER_IP.key.backup.1
mv /etc/openvpn/pki/issued/$PUBLIC_SERVER_IP.crt /etc/openvpn/pki/issued/$PUBLIC_SERVER_IP.crt.backup.1
cd /etc/openvpn
easyrsa build-server-full $PUBLIC_SERVER_IP nopass
```
- Enable the client VPN via shell
```shell
sudo apt-get install openvpn
sudo openvpn --config "$CLIENT_NAME.ovpn"
```
- Install network-manager-openvpn
```shell
sudo apt-get -y install network-manager-openvpn
```
- Open the network settings and add a new VPN target
- Click on "Import from file"
- Set the user password
- Go to the IPv4 section and check "Use this connection only for resources on its network" (this lets us redirect to the VPN only the traffic for the added routes)
To turn on the VPN automatically:
- Run nm-connection-editor
- Click on "Wired connection 1"
- Go to the "General" tab, check "Automatically connect to VPN" and choose the desired connection
- Ensure "Store the password for all users" is checked in the VPN settings to avoid secret-request errors
- Check the external interface (e.g. eth0)
```shell
ip route list default   # e.g. output: default via 139.59.160.1 dev eth0 proto static
```
- Restrict connections from all IPs except the VPN server via iptables, as described in the docker docs
```shell
# 111.111.111.111 is the public IP of the VPN server
sudo iptables -I DOCKER-USER -i eth0 ! -s 111.111.111.111 -j DROP
```
Note: This also restricts outbound connections during image building; follow this guide or configure firewall rules in your cloud service to restrict it
- Useful commands
```shell
# to show iptables rules
sudo iptables -L --line-numbers
# to remove the iptables rule
sudo iptables -D DOCKER-USER -i eth0 ! -s 111.111.111.111 -j DROP
```
- Issue and tutorial for specifying openvpn routes
- Kylemanna openvpn docker image doc and video tutorial
- Kylemanna openvpn docker-compose doc