Open sasoriza opened 4 years ago
I got the following setup working. I feel like the docs are leaving a lot of points open, so I'd like to share it:

I run an openvpn container based on `kylemanna/openvpn`.

I can find all connected clients with:

```shell
sudo cat /var/data/openvpn/conf/openvpn-status.log
```

I use this to verify the IP of my dperson/openvpn-client container (see config below):

```
192.168.255.14,srv1-docker-client,172.19.0.1:35756,Sun Mar 22 12:45:06 2020
```

jwilder/whoami is my test service; it exposes a simple HTML page with the container ID on port 8000. When I connect my local laptop to the VPN I can access http://192.168.255.14:8000/.

The client certificate is in ./vpn/srv1-docker-client.ovpn relative to the docker-compose.yml. Here is my docker-compose.yml:
```yaml
version: '3'
networks:
  vpn:
services:
  # openvpn server
  openvpn:
    cap_add:
      - NET_ADMIN
    image: kylemanna/openvpn
    container_name: openvpn
    ports:
      - "1194:1194/udp"
    restart: always
    volumes:
      - /var/data/openvpn/conf:/etc/openvpn
  # VPN client container to route traffic through the VPN server
  # See: https://github.com/dperson/openvpn-client/
  # To add a container to the VPN, open the required port here and see service1 as an example!
  vpn:
    image: dperson/openvpn-client
    restart: unless-stopped
    # cap_add, security_opt, and volume required for the image to function
    ports:
      - 8000:8000 # for whoami service1 example
    cap_add:
      - net_admin
    environment:
      TZ: 'EST5EDT'
    networks:
      - vpn
    read_only: true
    tmpfs:
      - /run
      - /tmp
    security_opt:
      - label:disable
    stdin_open: true
    tty: true
    volumes:
      - /dev/net:/dev/net:z
      # Put the .ovpn configuration file in the /vpn directory (in "volumes:" above) or
      # launch using the command line arguments, i.e. pick one:
      - ./vpn:/vpn
    # command: 'server;user;password[;port]'
  # Replace "service1" and its image with an actual service you want to run
  service1:
    image: jwilder/whoami
    depends_on:
      - vpn
    network_mode: "service:vpn"
    restart: unless-stopped
```
My current problem is that I already have a public nginx running on the server, and I can't expose port 80 from the openvpn-client container anymore to have a second nginx for traffic inside the VPN.
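The status-log lookup above can be turned into a repeatable check. The script below is an added example, not part of this issue or the kylemanna/openvpn project: it parses the ROUTING TABLE section of an OpenVPN v1 status file (a constructed sample in the same layout as the line quoted above), and the hypothetical helpers `vpn_client_ip` / `service_url` return the virtual address assigned to a given common name and the URL a VPN peer would use for a service published on that client.

```shell
#!/bin/sh
# Constructed sample of an OpenVPN v1 status file, in the layout the
# kylemanna/openvpn container writes to /etc/openvpn/openvpn-status.log.
# The ROUTING TABLE section carries the line quoted in the post above.
STATUS_SAMPLE='OpenVPN CLIENT LIST
Updated,Sun Mar 22 12:45:10 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
srv1-docker-client,172.19.0.1:35756,12345,67890,Sun Mar 22 12:40:01 2020
laptop,203.0.113.7:51820,1111,2222,Sun Mar 22 12:44:50 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.255.14,srv1-docker-client,172.19.0.1:35756,Sun Mar 22 12:45:06 2020
192.168.255.18,laptop,203.0.113.7:51820,Sun Mar 22 12:45:09 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# vpn_client_ip NAME: read status text on stdin and print the virtual address
# the server assigned to the client whose common name is NAME. Only the
# ROUTING TABLE section is consulted; prints nothing and exits 1 if the
# client is not connected (hypothetical helper name).
vpn_client_ip() {
    awk -F, -v name="$1" '
        /^ROUTING TABLE/ { in_rt = 1; next }
        /^GLOBAL STATS/  { in_rt = 0 }
        in_rt && $2 == name { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# service_url NAME PORT: build the URL a VPN-connected peer uses to reach a
# service published on that client (port 8000 for whoami in this thread).
service_url() {
    ip=$(printf '%s\n' "$STATUS_SAMPLE" | vpn_client_ip "$1") || return 1
    printf 'http://%s:%s/\n' "$ip" "$2"
}

# On a real host, replace STATUS_SAMPLE with:
#   sudo cat /var/data/openvpn/conf/openvpn-status.log | vpn_client_ip NAME
service_url srv1-docker-client 8000
```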
I am not running a second proxy with this VPN container, which is good because I also have another nginx instance running as a proxy on 80 & 443. Not using a 2nd proxy isn't an issue, as the services I am running use their own ports natively. I know I could use my primary proxy to handle it, but I skipped it as this works and I've always been OK with using ports for services (in non-prod internal services at least).

The below config lets me hit 9091 for Transmission and 8000 for whoami, and executing `docker-compose exec vpn curl ifconfig.co` returns the VPN IP. Using a torrent leak check also confirms it is running on the VPN.

It is entirely possible I am overlooking some setting and this is an insecure setup. I'm not leaving it stood up outside of brief testing, as I can't figure out how to open a port forward on Transmission via a config file after Transmission is running. I have an issue thread on that, if anyone has input ;) (This is not the config I was running for that testing, BTW, as I am rebuilding both the VPN and Transmission containers with custom files in that testing.)
```yaml
version: '3.4'
services:
  vpn:
    container_name: vpn
    image: dperson/openvpn-client
    restart: unless-stopped
    ports:
      - 9091:9091
      - 8000:8000
    dns:
      - 8.8.8.8
      - 8.8.4.4
    cap_add:
      - NET_ADMIN
    devices:
      - '/dev/net/tun:/dev/net/tun:rwm'
    environment:
      FIREWALL: ''
      PUID: 1000
      PGID: 1000
      TZ: PST8PDT
      ROUTE: '192.168.0.0/16'
    networks:
      - default
    read_only: true
    tmpfs:
      - /run
      - /tmp
    security_opt:
      - label:disable
    stdin_open: true
    tty: true
    volumes:
      - ./vpn:/vpn
  transmission:
    container_name: transmission
    image: dperson/transmission
    restart: unless-stopped
    network_mode: service:vpn
    depends_on:
      - vpn
    cap_add:
      - NET_ADMIN
    stdin_open: true
    tty: true
    environment:
      PUID: 1000
      PGID: 1000
      TZ: PST8PDT
      TRUSER: 'admin'
      TRPASSWD: 'password123'
      TR_MAX_PEERS_GLOBAL: 400
      TR_DOWNLOAD_DIR: "/mnt/shares/shareddl/_test/downloads/finished"
      TR_INCOMPLETE_DIR_ENABLED: "true"
      TR_INCOMPLETE_DIR: "/mnt/shares/shareddl/_test/downloads/incomplete"
      TR_WATCH_DIR_ENABLED: "true"
      TR_WATCH_DIR: "/mnt/shares/shareddl/_test/downloads/watched"
    volumes:
      - /mnt/shares/shareddl/_test:/mnt/shares/shareddl/_test
  whoami:
    container_name: whoami
    image: jwilder/whoami
    restart: unless-stopped
    network_mode: service:vpn
    depends_on:
      - vpn
networks:
  default:
```
I am trying to set this up via docker-compose on my Synology DS, and while everything seems to start up fine, I am having trouble accessing the web server created by dperson/nginx. I do have some general problems understanding parts of the configuration, especially when it comes to port settings / forwarding and passing options.

If I want to access my GUI via port 58846, will I have to include this port within the web service, the service itself, or the ovpn client? Do I need to forward this port via the -p command? If ports 80 and 443 are already used (I get an error when starting up the container if I use these), can I simply change these to other ports by setting 8888:80, for example?

Will I have to add a -v command to pass the vpn configuration, or will this be pulled from the .conf file? It seems that the vpn config is being loaded correctly without the -v command; I am getting a VERIFY OK in my docker log. But I am still unsure if this command is needed, as some docker-compose files include it while others don't.

This is my yml file (or the latest of many) I have tried without success. I do believe that the problem is within the ports config or the final command within the web service.