dperson / openvpn-client

GNU Affero General Public License v3.0
1.04k stars 585 forks

Help with docker-compose setup #238

Open sasoriza opened 4 years ago

sasoriza commented 4 years ago

I am trying to set this up via docker-compose on my Synology DS and while everything seems to start up fine I am having trouble accessing the web server created by dperson/nginx. I do have some general problems understanding some parts of the configuration, especially when it comes to port settings / forwarding and passing options.

If I want to access my gui via port 58846 will I have to include this port within the web service, the service itself or the ovpn client? Do I need to forward this port via the -p command? If ports 80 and 443 are already used (I will get an error when starting up the container if I use these), can I simply change these to other ports by setting 8888:80 for example?

Will I have to add a -v command to pass the vpn configuration or will this be pulled from the .conf file? It seems that the vpn config is being loaded correctly without the -v command, I am getting a VERIFY OK in my docker log. But I am still unsure if this command is needed, as some docker-compose files include it while others don't.

This is my yml file (or the latest of many) that I have tried without success. I do believe that the problem is within the ports config or the final command within the web service.

version: "3.4"

services:

  ovpn-client:
    image: dperson/openvpn-client:latest
    cap_add:
      - net_admin
    container_name: ovpn-client
    volumes:
      - /dev/net/tun:/dev/net/tun
      - /volume1/docker/ovpn-client_data/vpn:/vpn
    environment:
      PUID: 1024
      PGID: 100
      TZ: 'CET'
      ROUTE: '192.168.1.0/24'
      FIREWALL: ''
      DNS: '8.8.4.4'
    devices:
      - /dev/net/tun:/dev/net/tun:rwm
    networks:
      - default
    read_only: true
    tmpfs:
      - /run
      - /tmp
    restart: unless-stopped
    security_opt:
      - label:disable
    stdin_open: true
    tty: true
    command: '-r 192.168.178.0/24 -p 58846'
    ports:
      - 58846:58846 # port for deluge web UI to be reachable from local network

  deluge:
    container_name: deluge
    image: linuxserver/deluge:latest
    depends_on:
      - ovpn-client
    restart: unless-stopped
    # shares the network stack of the vpn. The service can be reached using
    # the name of the service as a hostname.
    network_mode: "service:ovpn-client"
    environment:
      PUID: 1024
      PGID: 100
      TZ: 'CET'
    volumes:
      - /volume1/docker/deluge_data:/config
      - /volume1/downloads/torrent:/storage/Torrents
      - /volume1/downloads/usenet:/storage/Usenet

  web:
    image: dperson/nginx
    depends_on:
      - deluge
    environment:
      TZ: 'CET'
    links:
      - ovpn-client:deluge
    networks:
      - default
    ports:
      - "8880:80"
      - "1988:443"
    read_only: true
    tmpfs:
      - /run
      - /tmp
      - /var/cache/nginx
    restart: unless-stopped
    stdin_open: true
    tty: true
    command: -w "http://deluge:58846/;/deluge/"

networks:
  default:

niondir commented 4 years ago

I got the following setup working. I feel like the docs are leaving a lot of points open, so I'd like to share it:

I run an openvpn container based on `kylemanna/openvpn`

I can find all connected clients with: sudo cat /var/data/openvpn/conf/openvpn-status.log

I use this to verify the IP of my dperson/openvpn-client container (see config below):

192.168.255.14,srv1-docker-client,172.19.0.1:35756,Sun Mar 22 12:45:06 2020

The jwilder/whoami is my test service, it exposes a simple HTML page with the container ID on port 8000. When I connect my local laptop to the VPN I can access http://192.168.255.14:8000/.

The client certificate is in ./vpn/srv1-docker-client.ovpn relative to the docker-compose.yml

Here is my docker-compose.yml:

version: '3'

networks:
  vpn:

services:
  # openvpn server
  openvpn:
    cap_add:
      - NET_ADMIN
    image: kylemanna/openvpn
    container_name: openvpn
    ports:
      - "1194:1194/udp"
    restart: always
    volumes:
      - /var/data/openvpn/conf:/etc/openvpn

  # VPN client container to route traffic through the VPN server
  # See: https://github.com/dperson/openvpn-client/
  # To add a container to the VPN, open the required port here and see service1 as an example!
  vpn:
    image: dperson/openvpn-client
    restart: unless-stopped
    # cap_add, security_opt, and volume required for the image to function
    ports:
      - 8000:8000 # for whoami service1 example
    cap_add:
      - net_admin
    environment:
      TZ: 'EST5EDT'
    networks:
      - vpn
    read_only: true
    tmpfs:
      - /run
      - /tmp
    security_opt:
      - label:disable
    stdin_open: true
    tty: true
    # Put the .ovpn configuration file in the /vpn directory (in "volumes:" below) or
    # launch using the command line arguments, IE pick one:
    volumes:
      - /dev/net:/dev/net:z
      - ./vpn:/vpn
    # command: 'server;user;password[;port]'

  # Replace "service1" with an image of the actual service you want to run
  service1:
    image: jwilder/whoami
    depends_on:
      - vpn
    network_mode: "service:vpn"
    restart: unless-stopped

niondir commented 4 years ago

My current problem is, that I already have a public nginx running on the server and I can't expose port 80 from the openvpn-client container anymore to have a second nginx for traffic inside the VPN.

SiGmAX666 commented 4 years ago

I am not running a second proxy with this VPN container, which is good because I also have another nginx instance running as a proxy on 80 & 443. Not using a 2nd proxy isn't an issue as the services I am running use their own ports natively. I know I could use my primary proxy to handle it, but I skipped it as this works and I've always been OK with using ports for services (in non-prod internal services at least).

The below config lets me hit 9091 for Transmission and 8000 for whoami, and executing docker-compose exec vpn curl ifconfig.co returns the VPN IP. Using a torrent leak check also confirms it is running on the VPN.

It is entirely possible I am overlooking some setting and this is an insecure setup. I'm not leaving it stood up outside of brief testing as I can't figure out how to open a port forward on Transmission via a config file after Transmission is running. I have an issue thread on that, if anyone has input ;) (This is not the config I was running for that testing, BTW, as I am rebuilding both the VPN and Transmission containers with custom files in that testing.)

version: '3.4'

services:
  vpn:
    container_name: vpn
    image: dperson/openvpn-client
    restart: unless-stopped
    ports:
      - 9091:9091
      - 8000:8000
    dns:
      - 8.8.8.8
      - 8.8.4.4
    cap_add:
      - NET_ADMIN
    devices:
      - '/dev/net/tun:/dev/net/tun:rwm'
    environment:
      FIREWALL: ''
      PUID: 1000
      PGID: 1000
      TZ: PST8PDT
      ROUTE: '192.168.0.0/16'
    networks:
      - default
    read_only: true
    tmpfs:
      - /run
      - /tmp
    security_opt:
      - label:disable
    stdin_open: true
    tty: true
    volumes:
      - ./vpn:/vpn

  transmission:
    container_name: transmission
    image: dperson/transmission
    restart: unless-stopped
    network_mode: service:vpn
    depends_on:
      - vpn
    cap_add:
      - NET_ADMIN
    stdin_open: true
    tty: true
    environment:
      PUID: 1000
      PGID: 1000
      TZ: PST8PDT
      TRUSER: 'admin'
      TRPASSWD: 'password123'
      TR_MAX_PEERS_GLOBAL: 400
      TR_DOWNLOAD_DIR: "/mnt/shares/shareddl/_test/downloads/finished"
      TR_INCOMPLETE_DIR_ENABLED: "true"
      TR_INCOMPLETE_DIR: "/mnt/shares/shareddl/_test/downloads/incomplete"
      TR_WATCH_DIR_ENABLED: "true"
      TR_WATCH_DIR: "/mnt/shares/shareddl/_test/downloads/watched"
    volumes:
      - /mnt/shares/shareddl/_test:/mnt/shares/shareddl/_test

  whoami:
    container_name: whoami
    image: jwilder/whoami
    restart: unless-stopped
    network_mode: service:vpn
    depends_on:
      - vpn

networks:
  default:
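The three compose files in this thread all rest on the same rules: a sidecar with `network_mode: service:<vpn>` has no network namespace of its own, so `ports:`, `networks:`, `links:` and `dns:` must sit on the VPN service (which is what sasoriza's first question is about); the VPN service needs `NET_ADMIN` and `/dev/net/tun`; `FIREWALL` is what takes the sidecar offline instead of letting it leak when the tunnel drops (niondir's file does not set it); the `.ovpn` has to come from a `/vpn` mount or from `-v`; and credentials in `environment:` (like `TRPASSWD` above) are readable with `docker inspect`. The following checker encodes those rules; it is an added example, not code from this thread or from the dperson/openvpn-client project. It assumes the compose file has already been parsed into a dict (PyYAML's `yaml.safe_load` produces that shape); `SAMPLE_BROKEN`, `SAMPLE_FIXED`, the `UI_PASSWORD` value and the `check_*` helper names are constructed for the example.

```python
"""Static checks for a compose file that tunnels sidecars through dperson/openvpn-client.

Assumption: the compose content is already a dict (yaml.safe_load output). The
SAMPLE_* dicts below are constructed for this example and only mimic the
layouts posted in the thread.
"""
from __future__ import annotations

import re

VPN_IMAGE_MARKER = "openvpn-client"          # matches dperson/openvpn-client[:tag]
SECRET_KEY = re.compile(r"(PASS(WD|WORD)?|SECRET|TOKEN)$", re.I)
# Options that belong to the network namespace; a sidecar using
# network_mode: service:<x> has none of its own, so compose rejects them.
NAMESPACE_ONLY_KEYS = ("ports", "expose", "networks", "links", "dns")


def _env_mapping(env) -> dict:
    """environment: may be a mapping or a list of KEY=VALUE strings."""
    if isinstance(env, dict):
        return {str(k): v for k, v in env.items()}
    return dict(str(item).partition("=")[::2] for item in env or [])


def _mount_target(volume) -> str:
    """Container path of a short-form 'src:dst[:opts]' or long-form volume/device entry."""
    if isinstance(volume, dict):
        return str(volume.get("target", ""))
    parts = str(volume).split(":")
    return parts[1] if len(parts) > 1 else parts[0]


def is_vpn_service(svc: dict) -> bool:
    return VPN_IMAGE_MARKER in str(svc.get("image", ""))


def check_vpn_service(name: str, svc: dict) -> list[str]:
    """Rules for the container that owns the tunnel."""
    findings = []
    caps = {str(c).upper() for c in svc.get("cap_add", [])}
    if "NET_ADMIN" not in caps:
        findings.append(f"{name}: cap_add NET_ADMIN is needed to create the tun interface")
    mounts = list(svc.get("devices", [])) + list(svc.get("volumes", []))
    if not any(_mount_target(m).startswith("/dev/net") for m in mounts):
        findings.append(f"{name}: no /dev/net/tun device or /dev/net volume")
    if "FIREWALL" not in _env_mapping(svc.get("environment")):
        findings.append(f"{name}: FIREWALL unset; sidecars keep sending over the normal interface if the tunnel drops")
    cmd = svc.get("command", "")
    cmd = " ".join(cmd) if isinstance(cmd, list) else str(cmd)
    has_vpn_dir = any(_mount_target(v) == "/vpn" for v in svc.get("volumes", []))
    if not has_vpn_dir and "-v" not in cmd.split():
        findings.append(f"{name}: no /vpn mount and no -v in command; the client has no .ovpn to load")
    return findings


def check_sidecar(name: str, svc: dict, services: dict) -> list[str]:
    """Rules for a service that joins another service's network namespace."""
    mode = str(svc.get("network_mode", ""))
    if not mode.startswith("service:"):
        return []
    provider = mode.split(":", 1)[1]
    findings = []
    if provider not in services:
        findings.append(f"{name}: network_mode refers to unknown service '{provider}'")
    elif not is_vpn_service(services[provider]):
        findings.append(f"{name}: network provider '{provider}' is not the VPN container; traffic is not tunnelled")
    for key in NAMESPACE_ONLY_KEYS:
        if key in svc:
            findings.append(f"{name}: '{key}' conflicts with network_mode {mode}; put it on '{provider}' instead")
    if provider not in list(svc.get("depends_on") or []):
        findings.append(f"{name}: add depends_on [{provider}] so the shared namespace exists first")
    return findings


def check_secrets(name: str, svc: dict) -> list[str]:
    return [f"{name}: '{key}' is a credential in environment; readable via docker inspect"
            for key in _env_mapping(svc.get("environment")) if SECRET_KEY.search(key)]


def check_compose(compose: dict) -> list[str]:
    services = compose.get("services") or {}
    findings = []
    for name, svc in services.items():
        svc = svc or {}
        if is_vpn_service(svc):
            findings += check_vpn_service(name, svc)
        findings += check_sidecar(name, svc, services)
        findings += check_secrets(name, svc)
    return findings


# Constructed sample in the layout of the first post, with two of the mistakes
# discussed above: the sidecar publishes its own port, and FIREWALL is absent.
SAMPLE_BROKEN = {"services": {
    "ovpn-client": {"image": "dperson/openvpn-client:latest", "cap_add": ["net_admin"],
                    "devices": ["/dev/net/tun:/dev/net/tun:rwm"], "volumes": ["./vpn:/vpn"],
                    "environment": {"TZ": "CET", "ROUTE": "192.168.1.0/24"}},
    "deluge": {"image": "linuxserver/deluge:latest", "network_mode": "service:ovpn-client",
               "depends_on": ["ovpn-client"],
               "ports": ["58846:58846"],                    # wrong place for a sidecar
               "environment": {"UI_PASSWORD": "changeme"}},  # constructed credential
}}

# Same layout with the port published on the VPN service and allowed with -p,
# FIREWALL enabled, and the credential taken out of environment.
SAMPLE_FIXED = {"services": {
    "ovpn-client": {"image": "dperson/openvpn-client:latest", "cap_add": ["net_admin"],
                    "devices": ["/dev/net/tun:/dev/net/tun:rwm"], "volumes": ["./vpn:/vpn"],
                    "environment": {"TZ": "CET", "ROUTE": "192.168.1.0/24", "FIREWALL": ""},
                    "command": "-p 58846", "ports": ["58846:58846"]},
    "deluge": {"image": "linuxserver/deluge:latest", "network_mode": "service:ovpn-client",
               "depends_on": ["ovpn-client"]},
}}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # real file: needs PyYAML installed
        import yaml
        with open(sys.argv[1]) as fh:
            compose = yaml.safe_load(fh)
    else:
        compose = SAMPLE_BROKEN
    for line in check_compose(compose) or ["no findings"]:
        print(line)
```

Run it with the path to a docker-compose.yml to lint a real file, or with no argument to see the findings for the constructed sample. The checker deliberately does not try to decide which ports a sidecar needs; that still has to be read from the service's documentation and published on the VPN service, as the 8000 and 9091 entries in the configs above do.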