🔒 Docker openvpn server

ℹ️ Context

😬 Problem

  • We want to 🚀 deploy a Docker application in the ☁️ cloud and restrict access to it via VPN (it is an internal company app)

  • On the clients we only want to ↪️ redirect traffic to the VPN when it goes to the URL of the internal application; everything else keeps going through the 📍 local network

💼 Solution

  • Create a VPN server and push the IP 🛣️ route of the internal app to the clients

  • On the internal app server, we drop 🔌 connections from every IP except the VPN server's (image from heavymetaldev)

(diagram: vpn_diagram)

⚙️ Configure open vpn server

🐧 Install linux dependencies

sudo apt update && sudo apt install -y docker.io docker-compose
sudo usermod -aG docker $USER && newgrp docker

📝 Note: We recommend not running the setup as root (you can create a user with sudo permissions following this 🦮 guide)

📥 Clone project

git clone https://github.com/imageneratext/docker_openvpn.git

👨‍🔧 Configure open-vpn

export PUBLIC_SERVER_IP=$(curl ifconfig.me)
export ROUTE="route 222.222.222.222 255.255.255.255"
# Quote ${ROUTE}: it contains spaces and must reach ovpn_genconfig as a single -p argument
docker-compose run --rm openvpn ovpn_genconfig -N -d -u udp://${PUBLIC_SERVER_IP} -p "route 172.17.0.0 255.255.0.0" -p "${ROUTE}"

📝 Notes:

  • PUBLIC_SERVER_IP is the 📍 public IP of the VPN server (a domain name can be used instead)
  • ROUTE indicates the domain/IP whose client traffic the VPN will 🛣️ route (it can be an IP range such as ROUTE="route 222.222.222.0 255.255.255.0", or several -p arguments). Once generated, routes can also be added by ✏️ editing the config file openvpn-data/conf/openvpn.conf
  • The route 172.17.0.0 255.255.0.0 covers the default 🐋 Docker subnet
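The README writes routes as "address netmask" pairs. As an added example (not part of the docker_openvpn project), the helper below accepts the app addresses in CIDR notation instead, converts each prefix to the netmask form ovpn_genconfig expects, and assembles the complete command line with one -p argument per route plus the Docker subnet route above. The function names cidr_to_route and genconfig_cmd are chosen here and are not project commands; the addresses in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not part of the docker_openvpn project: compose the
# ovpn_genconfig command from app addresses given in CIDR notation.
# cidr_to_route and genconfig_cmd are names chosen here, not project commands.
set -eu

# cidr_to_route 222.222.222.0/24  ->  route 222.222.222.0 255.255.255.0
# A bare address (no "/") is treated as a single host, i.e. /32.
cidr_to_route() {
    ip=${1%/*}
    prefix=${1#*/}
    [ "$ip" != "$1" ] || prefix=32
    case "$prefix" in
        ''|*[!0-9]*) echo "cidr_to_route: bad prefix in '$1'" >&2; return 1 ;;
    esac
    if [ "$prefix" -gt 32 ]; then
        echo "cidr_to_route: prefix > 32 in '$1'" >&2; return 1
    fi
    mask=""
    remaining=$prefix
    for i in 1 2 3 4; do
        if [ "$remaining" -ge 8 ]; then
            octet=255; remaining=$((remaining - 8))
        else
            # top "remaining" bits of this octet set, the rest cleared
            octet=$(( (255 << (8 - remaining)) & 255 )); remaining=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    echo "route $ip $mask"
}

# genconfig_cmd PUBLIC_IP CIDR...  ->  the full docker-compose command line.
# The Docker subnet route from the README is always included first.
genconfig_cmd() {
    public_ip=$1; shift
    cmd="docker-compose run --rm openvpn ovpn_genconfig -N -d -u udp://${public_ip}"
    cmd="$cmd -p \"route 172.17.0.0 255.255.0.0\""
    for cidr in "$@"; do
        r=$(cidr_to_route "$cidr") || return 1
        cmd="$cmd -p \"$r\""
    done
    echo "$cmd"
}

# Usage (constructed addresses): print the command, review it, then run it with eval.
# PUBLIC_SERVER_IP=$(curl ifconfig.me)
# genconfig_cmd "$PUBLIC_SERVER_IP" 222.222.222.222 10.20.0.0/16
```

Printing the command before running it lets you confirm every route is a single quoted argument; an unquoted route is split into three words and ovpn_genconfig silently writes a broken "route" line.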

🔑 Create CA key passphrase

Run the next command and set a CA passphrase (it asks for ✅ several confirmations)

docker-compose run --rm openvpn ovpn_initpki

🆙 Bring up the open-vpn server

docker-compose up -d openvpn

👤 Create and copy client certificates

  • ➕ Generate one, providing a password for the client and entering the CA passphrase

    export CLIENT_NAME="client_1"
    ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn easyrsa build-client-full $CLIENT_NAME"

    📝 Note: To generate it without a password, add the nopass argument

  • 📥 Fetch the .ovpn file and copy it to the local host

    ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn ovpn_getclient $CLIENT_NAME" > $CLIENT_NAME.ovpn
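The .ovpn file fetched above embeds the client's private key in its <key> block, so it is worth checking and protecting before it is handed to a user. As an added example (not part of the docker_openvpn project), check_ovpn verifies that the inline <ca>, <cert> and <key> blocks are present, that the remote line points at the expected server, and then restricts the file to owner-only access. check_ovpn and write_sample_profile are names chosen here; the sample profile is constructed, with placeholder certificate bodies and the documentation address 203.0.113.10 standing in for the VPN server.

```shell
#!/bin/sh
# Added example, not part of the docker_openvpn project: sanity-check a client
# profile fetched with ovpn_getclient before handing it out.
# check_ovpn and write_sample_profile are names chosen here.
set -eu

# check_ovpn FILE EXPECTED_HOST: succeeds when the profile carries inline
# <ca>, <cert> and <key> blocks and its "remote HOST PORT PROTO" line names
# the expected server; then makes the file owner-only, because the embedded
# <key> is the client's private key.
check_ovpn() {
    file=$1; host=$2
    for tag in ca cert key; do
        grep -q "^<$tag>" "$file" && grep -q "^</$tag>" "$file" \
            || { echo "check_ovpn: missing <$tag> block in $file" >&2; return 1; }
    done
    # escape the dots so the host is matched literally, not as a regex wildcard
    host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
    grep -Eq "^remote[[:space:]]+$host_re([[:space:]]|$)" "$file" \
        || { echo "check_ovpn: remote line does not point at $host" >&2; return 1; }
    chmod 600 "$file"
    echo "ok: $file"
}

# write_sample_profile FILE: a constructed, minimal profile using the inline
# block layout of an .ovpn file (certificate bodies are placeholders).
write_sample_profile() {
    cat > "$1" <<'EOF'
client
nobind
dev tun
remote 203.0.113.10 1194 udp
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
EOF
}

# Usage after fetching a real profile:
#   check_ovpn "$CLIENT_NAME.ovpn" "$PUBLIC_SERVER_IP"
```

A profile that fails the remote check was generated against a different server name than the one clients are told to use, which is the usual cause of TLS handshake failures after a server certificate renewal.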

🧹 Revoke client certificates

# Revoke, keeping the corresponding certificate, key and req files
ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn ovpn_revokeclient $CLIENT_NAME"

# Revoke and remove the corresponding certificate, key and req files
ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn ovpn_revokeclient $CLIENT_NAME remove"

🆕 Renew CA certificate (source)

# Pass the server name into the container: the shell started by docker exec does not inherit PUBLIC_SERVER_IP from the host
docker exec -it -e PUBLIC_SERVER_IP="$PUBLIC_SERVER_IP" openvpn sh

# Back up the current server request, key and certificate
mv /etc/openvpn/pki/reqs/$PUBLIC_SERVER_IP.req /etc/openvpn/pki/reqs/$PUBLIC_SERVER_IP.req.backup.1
mv /etc/openvpn/pki/private/$PUBLIC_SERVER_IP.key /etc/openvpn/pki/private/$PUBLIC_SERVER_IP.key.backup.1
mv /etc/openvpn/pki/issued/$PUBLIC_SERVER_IP.crt /etc/openvpn/pki/issued/$PUBLIC_SERVER_IP.crt.backup.1

# Issue a new server certificate under the same name
cd /etc/openvpn
easyrsa build-server-full $PUBLIC_SERVER_IP nopass

💻 Configure the client

  • 🔛 Enable client VPN via shell

    sudo apt-get install openvpn
    sudo openvpn --config "$CLIENT_NAME.ovpn"

🖱️ Configure client with GUI (Ubuntu)

  1. Install network-manager-openvpn

    sudo apt-get -y install network-manager-openvpn
  2. Open 📶 network settings and add a new VPN target

  3. Click in "Import from file".

    (screenshot: vpn_settings_ubuntu)

  4. Set the user 🔑 password.

    (screenshot: pass_vpn_settings)

  5. Go to the IPv4 section and ✅ check "Use this connection only for resources on its network" (this makes only the traffic for the pushed routes ↪️ go through the VPN).

    (screenshot: ipv4_vpn_setting)

To 🔛 turn on the VPN automatically

  1. 🐚 Run nm-connection-editor

  2. ➡ Click on "Wired connection 1".

    (screenshot: network_connection)

  3. Go to "General" tab, ☑️ check "Automatically connect to VPN" and choose the desired connection.

    (screenshot: wired_connection)

  4. Make sure "Store the password for all users" is ✅ checked in the VPN settings, to avoid secret-request errors.

    (screenshot: pass_save_vpn_config)

📱 Configure internal app

  • Find the external interface (e.g. eth0)

    ip route list default
    # eg output: default via 139.59.160.1 dev eth0 proto static
  • 🔐 Drop connections from every IP except the VPN server's via iptables, as described in the Docker 📘 docs

    sudo iptables -I DOCKER-USER -i eth0 ! -s 111.111.111.111 -j DROP

    📝 Note: This rule also breaks outbound connections from containers (e.g. during image 🏢 building), because the replies arriving on eth0 come from non-VPN addresses and are dropped too. Follow this 🦮 guide, or configure 🧑‍🚒 firewall rules in your cloud service instead, to restrict access without that side effect

  • ❤️ Useful commands

    # to show iptables rules
    sudo iptables -L --line-numbers
    
    # to remove iptables rules
    sudo iptables -D DOCKER-USER -i eth0 ! -s 111.111.111.111 -j DROP
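The DROP rule above treats every packet arriving on eth0 the same, including replies to connections a container opened itself, which is why image builds lose network access. As an added example (not part of the docker_openvpn project), the script below places a conntrack ACCEPT for RELATED,ESTABLISHED traffic in front of the DROP, so only new inbound connections from non-VPN addresses are refused, and inserts each rule only if it is not already present. It also parses the interface name out of the ip route output shown above. The function names are chosen here; 111.111.111.111 is the README's placeholder for the VPN server IP, and DRY_RUN is an assumed switch that prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the docker_openvpn project: install the
# DOCKER-USER rules idempotently, with an ACCEPT for reply traffic in front
# of the DROP so containers can still make outbound connections (e.g. apt
# during an image build). Function names are chosen here; 111.111.111.111
# is the README's placeholder for the VPN server's public IP.
set -eu

# parse_default_iface "default via 139.59.160.1 dev eth0 proto static" -> eth0
parse_default_iface() {
    echo "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# default_iface: the interface the host's default route leaves through.
default_iface() {
    parse_default_iface "$(ip route list default)"
}

# docker_user_rules IFACE VPN_IP: the rule specs, one per line, in the order
# they must appear in DOCKER-USER (first match wins, so ACCEPT goes first).
docker_user_rules() {
    iface=$1; vpn_ip=$2
    printf '%s\n' \
        "-i $iface -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "-i $iface ! -s $vpn_ip -j DROP"
}

# apply_rules IFACE VPN_IP: insert each rule at its position unless it is
# already present (-C). With DRY_RUN=1 the commands are printed instead.
apply_rules() {
    n=1
    docker_user_rules "$1" "$2" | while IFS= read -r rule; do
        # $rule is deliberately unquoted: iptables needs it word-split
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "iptables -I DOCKER-USER $n $rule"
        elif ! sudo iptables -C DOCKER-USER $rule 2>/dev/null; then
            sudo iptables -I DOCKER-USER "$n" $rule
        fi
        n=$((n + 1))
    done
}

# Usage on the app host (needs root):
#   DRY_RUN=1 apply_rules "$(default_iface)" 111.111.111.111   # review first
#   apply_rules "$(default_iface)" 111.111.111.111
#   sudo iptables -L DOCKER-USER --line-numbers
```

The explicit positions matter: DOCKER-USER ends with a RETURN rule, so rules appended with -A would sit after it and never be evaluated, and inserting both with plain -I would reverse their order and put the DROP first.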

🖇️ References