🔒 Docker openvpn server

• Create a openvpn server for connect to 🔗 private networks

• This project uses kylemanna openvpn 🐋 docker image

ℹ️ Context

😬 Problem

• We want 🚀 deploy an docker application in the ☁️ cloud restricting the access via VPN (it is an internal company app)

• In the clients we only want to ↪️ redirect the traffic to the VPN when we go to the url of the internal application, the rest going through the 📍 local network

💼 Solution

• Create a VPN server and specify the IP 🛣️ route of the internal app

• In the internal app server, we restrict all 🔌 connections IPs except of the VPN server (image from heavymetaldev)

⚙️ Configure open vpn server

🐧 Intall linux dependencies

sudo apt update && sudo apt install -y docker.io docker-compose
sudo usermod -aG docker $USER && newgrp docker

📝 Note: We recommend not setup with root user (you can create user with sudo permissions following next 🦮 guide)

📥 Clone project

git clone https://github.com/imageneratext/docker_openvpn.git

👨‍🔧 Configure open-vpn

export PUBLIC_SERVER_IP=$(curl ifconfig.me.)
export ROUTE="route 222.222.222.222 255.255.255.255"
docker-compose run --rm openvpn ovpn_genconfig -N -d -u udp://${PUBLIC_SERVER_IP} -p "route 172.17.0.0 255.255.0.0" -p ${ROUTE}

📝 Notes:

• PUBLIC_SERVER_IP is the 📍 public IP of VPN server (it could specify the domain)
• ROUTE indicates the domain/IP which the VPN will 🛣️ route the traffic from client (it can be a IPs range like ROUTE="route 222.222.222.0 255.255.255.0" or several -p arguments). Once run, we also can add routes ✏️ editing the config file openvpn-data/conf/openvpn.conf
• The route 172.17.0.0 255.255.0.0 is the default 🐋 docker subnet

🔑 Create CA key passphrase

Run the next command and set a CA passphrase (it ask ✅ serveral comfirmations)

docker-compose run --rm openvpn ovpn_initpki

🆙 Up open-vpn server

docker-compose up -d openvpn

👤 Create and copy client certificates

• ➕ Generate one providing a password for the client and specifying the CA passphrase

  export CLIENT_NAME="client_1"
  ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn easyrsa build-client-full $CLIENT_NAME"

  📝 Note: To generate it without password add nopass argument

• 📥 Get and copy .ovpn file to local host

  ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn ovpn_getclient $CLIENT_NAME" > $CLIENT_NAME.ovpn

🧹 Revoke client certificates

# Keep the corresponding certificate, key and files
ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn ovpn_revokeclient $CLIENT_NAME"

# Remove the corresponding certificate, key and req files
ssh user@public_server_ip "cd docker_openvpn && docker-compose run --rm openvpn ovpn_revokeclient $CLIENT_NAME remove"

🆕 Renew CA certificate (source)

docker exec -it openvpn sh

mv /etc/openvpn/pki/reqs/$PUBLIC_SERVER_IP.req /etc/openvpn/pki/reqs/$PUBLIC_SERVER_IP.req.backup.1
mv /etc/openvpn/pki/private/$PUBLIC_SERVER_IP.key /etc/openvpn/pki/private/$PUBLIC_SERVER_IP.key.backup.1
mv /etc/openvpn/pki/issued/$PUBLIC_SERVER_IP.crt /etc/openvpn/pki/issued/$PUBLIC_SERVER_IP.crt.backup.1


cd /etc/openvpn
easyrsa build-server-full $PUBLIC_SERVER_IP nopass

💻 Configure the client

• 🔛 Enable client VPN via shell

  sudo apt-get install openvpn
  sudo openvpn --config "$CLIENT_NAME.ovpn"

🖱️ Configure client with GUI (Ubuntu)

1. Install network-manager-openvpn

   sudo apt-get -y install network-manager-openvpn

2. Open 📶 network settings and add a new VPN target

3. Click in "Import from file".

   See image

   

4. Set the user 🔑 password.

   See image

   

5. Go to IPv4 section and ✅ check "Use this connection only for resources on its network" (this let us ↪️ redirect to VPN only traffic of routes added).

   See image

   

For automatically 🔛 turn on VPN

1. 🐚 Run nm-connection-editor

2. ➡ Click in "Wired connection 1".

   See image

   

3. Go to "General" tab, ☑️ check "Automatically connect to VPN" and choose the desired connection.

   See image

   

4. Ensure ✅ check "Store the password for all users" in vpn settings to avoid secrets request errors.

   See image

   

📱 Configure internal app

• Check external interface (e.g: eth0)

  ip route list default
  # eg output: default via 139.59.160.1 dev eth0 proto static

• 🔐 Restricts connections to all IPs except of the VPN server via iptables how say in docker 📘 doc

  sudo iptables -I DOCKER-USER -i eth0 ! -s 111.111.111.111 -j DROP

  📝 Note: This restrict outbound connections during image 🏢 building, follow this 🦮 guide or configure 🧑‍🚒 firewall rules in your cloud service for restrict it

• ❤️ Useful commands

  # to show iptables rules
  sudo iptables -L --line-numbers
  
  # to remove iptables rules
  sudo iptables -D DOCKER-USER -i eth0 ! -s 111.111.111.111 -j DROP

🖇️ References

• 💬 Issue and 📙 tutorial for specify openvpn routes

• Kylemanna openvpn docker image 📄 doc and ▶️ video tutorial

• Kylemanna openvpn 🐙 docker-compose doc