# Create an OpenVPN server to connect to 🔗 private networks

This project uses the kylemanna OpenVPN 🐋 docker image.

- We want to 🚀 deploy a docker application in the ☁️ cloud, restricting access via VPN (it is an internal company app).
- On the clients we only want to ↪️ redirect traffic to the VPN when we go to the URL of the internal application; the rest goes through the 📍 local network.
- Create a VPN server and specify the IP 🛣️ route of the internal app.
- On the internal app server, we restrict all 🔌 connections from IPs other than the VPN server (image from heavymetaldev).
Install docker and docker-compose:

```sh
sudo apt update && sudo apt install -y docker.io docker-compose
sudo usermod -aG docker $USER && newgrp docker
```

📝 Note: We recommend not setting this up as the root user (you can create a user with sudo permissions following this 🦮 guide).

Clone the project and generate the server configuration, specifying the public IP and the routes to push to the clients:

```sh
git clone https://github.com/imageneratext/docker_openvpn.git
cd docker_openvpn
export PUBLIC_SERVER_IP=$(curl ifconfig.me)
export ROUTE="route 222.222.222.222 255.255.255.255"
# ROUTE is quoted so that "route IP NETMASK" is passed as a single -p argument
docker-compose run --rm openvpn ovpn_genconfig -N -d -u udp://${PUBLIC_SERVER_IP} -p "route 172.17.0.0 255.255.0.0" -p "${ROUTE}"
```
📝 Notes:

- `PUBLIC_SERVER_IP` is the 📍 public IP of the VPN server (a domain can also be specified).
- `ROUTE` indicates the domain/IP to which the VPN will 🛣️ route the traffic from the client (it can be an IP range, like `ROUTE="route 222.222.222.0 255.255.255.0"`, or several `-p` arguments). Once run, routes can also be added by ✏️ editing the config file `openvpn-data/conf/openvpn.conf`.
- The route `172.17.0.0 255.255.0.0` is the default 🐋 docker subnet.
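When several routes have to be pushed, it is easy to mistype a netmask or lose the quoting around a `-p` argument. The following helper is an added example (not part of this project): it takes networks in CIDR form (a bare host means `/32`), converts each prefix length to the dotted netmask OpenVPN expects, and prints the complete `ovpn_genconfig` command. The server address `203.0.113.10` and the sample networks are constructed.

```sh
#!/bin/sh
# Added helper, not part of the project: build the -p 'route IP NETMASK' push
# arguments for ovpn_genconfig from CIDR networks (a bare host means /32).

# Convert a prefix length (0-32) to a dotted-decimal netmask, e.g. 24 -> 255.255.255.0
prefix_to_netmask() {
    prefix=$1
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || return 1
    # 32 one-bits shifted left, then truncated back to 32 bits
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    printf '%d.%d.%d.%d' \
        $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
        $(( (mask >> 8) & 255 )) $(( mask & 255 ))
}

# Turn "a.b.c.d/n" (or a bare "a.b.c.d") into an OpenVPN "route IP NETMASK" directive
cidr_to_route() {
    ip=${1%%/*}
    case "$1" in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    netmask=$(prefix_to_netmask "$prefix") || return 1
    printf 'route %s %s' "$ip" "$netmask"
}

# Build the list of -p arguments, one quoted push directive per network
build_route_args() {
    out=""
    for cidr in "$@"; do
        route=$(cidr_to_route "$cidr") || return 1
        out="${out:+$out }-p '$route'"
    done
    printf '%s' "$out"
}

# Print the full ovpn_genconfig command for a server address and its networks
genconfig_cmd() {
    server=$1; shift
    printf 'docker-compose run --rm openvpn ovpn_genconfig -N -d -u udp://%s %s' \
        "$server" "$(build_route_args "$@")"
}

# Constructed sample: the default docker subnet plus the internal app host
genconfig_cmd 203.0.113.10 172.17.0.0/16 222.222.222.222
echo
```

The printed command can be copied into the shell inside `docker_openvpn`; the single quotes keep each route as one `-p` argument.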
Run the next command and set a CA passphrase (it asks for ✅ several confirmations), then start the server:

```sh
docker-compose run --rm openvpn ovpn_initpki
docker-compose up -d openvpn
```
➕ Generate a client certificate, providing a password for the client and specifying the CA passphrase:

```sh
export CLIENT_NAME="client_1"
ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn easyrsa build-client-full $CLIENT_NAME"
```

📝 Note: To generate it without a password, add the `nopass` argument.

📥 Get the `.ovpn` file and copy it to the local host:

```sh
ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn ovpn_getclient $CLIENT_NAME" > $CLIENT_NAME.ovpn
```

Revoke a client certificate:

```sh
# Keep the corresponding certificate, key and req files
ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn ovpn_revokeclient $CLIENT_NAME"
# Remove the corresponding certificate, key and req files
ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn ovpn_revokeclient $CLIENT_NAME remove"
```
🆕 Renew CA certificate (source)

```sh
docker exec -it openvpn sh
# Inside the container the host variable $PUBLIC_SERVER_IP is not set:
# type the IP/domain that was given to ovpn_genconfig instead
mv /etc/openvpn/pki/reqs/$PUBLIC_SERVER_IP.req /etc/openvpn/pki/reqs/$PUBLIC_SERVER_IP.req.backup.1
mv /etc/openvpn/pki/private/$PUBLIC_SERVER_IP.key /etc/openvpn/pki/private/$PUBLIC_SERVER_IP.key.backup.1
mv /etc/openvpn/pki/issued/$PUBLIC_SERVER_IP.crt /etc/openvpn/pki/issued/$PUBLIC_SERVER_IP.crt.backup.1
cd /etc/openvpn
easyrsa build-server-full $PUBLIC_SERVER_IP nopass
```
🔛 Enable client VPN via shell

```sh
sudo apt-get install openvpn
sudo openvpn --config "$CLIENT_NAME.ovpn"
```
Install network-manager-openvpn:

```sh
sudo apt-get -y install network-manager-openvpn
```

- Open 📶 network settings and add a new VPN target.
- Click on "Import from file".
- Set the user 🔑 password.
- Go to the IPv4 section and ✅ check "Use this connection only for resources on its network" (this lets us ↪️ redirect to the VPN only the traffic of the routes added).
To automatically 🔛 turn on the VPN:

- 🐚 Run `nm-connection-editor`.
- ➡ Click on "Wired connection 1".
- Go to the "General" tab, ☑️ check "Automatically connect to VPN" and choose the desired connection.
- Ensure "Store the password for all users" is ✅ checked in the VPN settings to avoid secret request errors.
Check the external interface (e.g. `eth0`):

```sh
ip route list default  # eg output: default via 139.59.160.1 dev eth0 proto static
```

🔐 Restrict connections from all IPs except the VPN server via `iptables`, as described in the docker 📘 docs:

```sh
sudo iptables -I DOCKER-USER -i eth0 ! -s 111.111.111.111 -j DROP
```

📝 Note: This also restricts outbound connections during image 🏢 building; follow this 🦮 guide or configure 🧑‍🚒 firewall rules in your cloud service to restrict it instead.
❤️ Useful commands

```sh
# to show iptables rules
sudo iptables -L --line-numbers
# to remove iptables rules
sudo iptables -D DOCKER-USER -i eth0 ! -s 111.111.111.111 -j DROP
```
- 💬 Issue and 📙 tutorial for specifying openvpn routes
- Kylemanna openvpn 🐙 docker-compose doc