So I am a bit new to the VPN stuff and am currently getting a little desperate.
For what I want to do: I have rented a little server somewhere (static IP, domain and everything). Now I want to run some services on that server via Docker. Those services should not just be accessible by everyone, but only with a valid VPN connection to the server. (The firewall currently blocks access to those ports from the outside.)
From what I understand I could achieve this with a VPN and port forwarding, but it can certainly be that I misunderstood something on a fundamental level.
Anyway, I have an OpenVPN server running via docker compose:
version: '2'
services:
  openvpn:
    cap_add:
      - NET_ADMIN
    image: kylemanna/openvpn
    container_name: openvpn
    ports:
      - "1194:1194/udp"
    restart: always
    volumes:
      - ./openvpn-data/conf:/etc/openvpn
I followed this tutorial to configure it. I can connect to the VPN using the client software just fine, but now I don't know how to configure it so that, once I am connected, I can call a service on port 8080 on the server, for example.
I did not really find any answers that helped me set it up so far, so I hope someone here can help me. I tried running the service in the same Docker network and configuring the VPN, but that did not work.
Thank you in advance and have a nice day.
Providing specifics after "Blind Spots" question
The openvpn.conf:
server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/www.mysite.com.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/www.mysite.com.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log
user nobody
group nogroup
### Push Configurations Below
push "dhcp-option DNS 192.168.13.6"
push "dhcp-option DOMAIN mysite.com"
push "route 192.168.192.0 255.255.255.0"
For the troubleshooting results: after I fixed the compression problem I found, every one of the steps mentioned here is satisfied.
For what I achieved and what I want to achieve: the last part of the config file, push "route 192.168.192.0 255.255.255.0",
adds a Docker network which I defined and to which the OpenVPN container as well as some other containers are connected (all of this transpires on the server, of course).
When my OpenVPN client is connected, it gets the IP 192.168.192.6, as expected, and I can ping the gateway of 192.168.192.0/20 at 192.168.192.1 as well as all the containers which are connected to said Docker network. This works fine now. What I have not been able to achieve is to connect to one of those containers' ports.
So for example I have a TeamCity container running which is connected to the Docker network. I can ping it, but I cannot access it through the port I defined for it, let's say port 8080. I want to forward that port for my OpenVPN client and I don't know how. That's the problem which still persists.
Best Answer
I found the solution to my problem. I will give an in-depth tutorial on how to achieve what I wanted here. All who are just interested in the configuration of OpenVPN can skip to the "Port Forwarding" section:
So what I wanted to achieve was to have an OpenVPN container running on my server as well as some other private containers which I wanted to make accessible to anyone with a VPN connection. The question was about how to configure OpenVPN to achieve that, and not how to initially set it up, but I will describe the whole process anyway.
Docker Compose
This is an example docker-compose.yml file with an OpenVPN instance as well as an example service.
A Docker network is created, 192.168.192.0/20, which connects all the services, in this case the OpenVPN as well as the BookStack instance. This is important for later.
Setup OpenVPN
You can follow this tutorial and change things where necessary for what you want to achieve.
I changed:
docker-compose run --rm openvpn ovpn_genconfig -N -d -n 192.168.13.6 -u udp://vpn.mycompany.net -p "dhcp-option DOMAIN mycompany.net" -p "route 192.168.13.0 255.255.255.0" -p "route 172.17.0.0 255.255.0.0"
to:
docker-compose run --rm openvpn ovpn_genconfig -N -d -n 192.168.13.6 -u udp://vpn.mycompany.net -p "dhcp-option DOMAIN mycompany.net" -p "route 192.168.192.0 255.255.255.0"
which will make the Docker network we created before available to the VPN. The rest will work just fine.
Troubleshooting
Before we come to the interesting part, I want to mention the troubleshooting part. The tutorial provides a few steps for that, which I followed after I was unable to ping 192.168.255.1, which is the default gateway for the VPN containers, even though a connection was established. It took me a while to notice why.
Using:
docker logs <yourOpenVpnContainerName>
I noticed a large block of "Bad compression stub decompression header byte: xx". This stems from a compression incompatibility between the OpenVPN server version and the client version. You can read up on it if it interests you, but to fix it, go to the openvpn.conf file and remove any mention of "comp-lzo no". This will fix it.
Port Forwarding
Now we get to the part which my question actually was all about: configuring the port forwarding.
To test that everything will work, ping 192.168.192.1, the default gateway of the Docker network (at least in this example, defined in the docker-compose file), from your client machine (when you have a standing VPN connection, of course). If this works, go on. If not, there is something wrong with your configuration.
Now we have to get into the OpenVPN container's bash to configure the iptables. To do that use:
docker exec -ti -u 0 <OpenVpnContainerName> /bin/bash
(-u 0 makes you root)
Once inside, run
iptables -t nat -A PREROUTING -d 192.168.255.1 -p tcp --dport 8080 -j DNAT --to-dest 192.168.192.3:8080
and
iptables -t filter -A INPUT -p tcp -d 192.168.255.1 --dport 8080 -j ACCEPT
This will forward the BookStack instance to all VPN clients on 192.168.255.1:8080. You can change it accordingly to your use case. This will work and do what I initially wanted.
ATTENTION: This will not work permanently. If the OpenVPN container stops, these iptables configurations will not be persisted! You then have to redo them. There probably is a method to automate this, but I was not able to do so until now. Anyway, thanks for reading, and I hope this was helpful to you.
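One way to re-apply the two iptables rules from the answer after every container restart without duplicating them, as an added example script that is not part of the original answer or of the kylemanna/openvpn image: it runs on the host, uses `iptables -C` to check whether each rule already exists before appending it, and assumes the container name, VPN gateway, service address and port used above (all overridable via environment variables; DOCKER can be pointed at a stub for a dry run).

```shell
#!/bin/sh
# Idempotently apply the DNAT and ACCEPT rules from the answer inside the
# OpenVPN container. Safe to run after every "docker-compose up -d".
# Assumed defaults (taken from the answer): container "openvpn",
# VPN gateway 192.168.255.1, BookStack at 192.168.192.3, port 8080.
set -eu

CONTAINER="${CONTAINER:-openvpn}"
VPN_GW="${VPN_GW:-192.168.255.1}"
SERVICE_IP="${SERVICE_IP:-192.168.192.3}"
PORT="${PORT:-8080}"
DOCKER="${DOCKER:-docker}"   # override with a stub function for dry runs

# Rule builders print "<table> <chain> <rulespec...>" for ensure_rule.
dnat_rule() {   # $1 = VPN gateway, $2 = service IP, $3 = port
    echo "nat PREROUTING -d $1 -p tcp --dport $3 -j DNAT --to-destination $2:$3"
}
accept_rule() { # $1 = VPN gateway, $2 = port
    echo "filter INPUT -p tcp -d $1 --dport $2 -j ACCEPT"
}

# ensure_rule TABLE CHAIN RULESPEC...: append the rule only if "-C" reports
# it absent, so repeated runs never stack duplicate rules.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if $DOCKER exec -u 0 "$CONTAINER" iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo "present: $table $chain $*"
    else
        $DOCKER exec -u 0 "$CONTAINER" iptables -t "$table" -A "$chain" "$@"
        echo "added: $table $chain $*"
    fi
}

apply_rules() {
    # Unquoted expansion is intentional: the rule string must word-split.
    ensure_rule $(dnat_rule "$VPN_GW" "$SERVICE_IP" "$PORT")
    ensure_rule $(accept_rule "$VPN_GW" "$PORT")
}

# Only apply when run directly as vpn-forward.sh; sourcing just defines functions.
case "${0##*/}" in
    vpn-forward.sh) apply_rules ;;
esac
```

Save it as vpn-forward.sh on the host and run it once after the container is up (or from a cron/systemd unit after reboot); because each rule is checked with -C first, re-running it is harmless.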