1. First, decide where the docker-compose file will live and write the following into it:
version: "2.1"
services:
  openvpn-as:
    image: ghcr.io/linuxserver/openvpn-as
    container_name: openvpn-as1
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - INTERFACE=eth0 #optional
    # volumes:
    #   - <path to data>:/config
    ports:
      - 943:943
      - 9443:9443
      - 1194:1194/udp
    restart: unless-stopped
2. Now, run the command
$ docker-compose up -d
3. You may not be able to log in to the admin UI with the default user openvpn. To fix this, run the following command inside the container:
/usr/local/openvpn_as/bin/ovpn-init --force
Note: at the prompt asking whether to use the default user openvpn, answer no, and for the username enter admin.
To reset your password use:
$ passwd admin
$ apt-get install systemd -y
$ systemctl enable openvpnas
Now, go to the OpenVPN admin web UI:
URL: https://IPorDomain:943/admin [always use https, whether you use an IP or a domain; http will give an error]
## If the browser shows a certificate warning, click Show advanced and proceed via the link given at the bottom of the page.
Enter the credentials you set above (user admin and the password from passwd admin).
A licence agreement dialog will pop up; agree and continue.
Now, in Network Settings, set Hostname/IP address to the server's public IP. [This is the most important step]
YOUR OPEN VPN IS CONFIGURED.
TO ADD MFA FUNCTIONALITY:
First, create a new user in the User Management section of the OpenVPN admin UI.
Then, in the Authentication section, enable Google Authenticator MFA authentication [yes].
Now go to the OpenVPN client UI [URL: https://IP:943]
and log in with the credentials of the user you just created in the admin UI.
After login a QR code is displayed and you are asked for a 6-digit code:
scan the QR code with the Google Authenticator app and type the verification code.
Once logged in, download a .ovpn file so that you can connect to the VPN:
click on Yourself (user-locked profile) and a .ovpn file will be downloaded.
Now, on the local machine, run
$ sudo openvpn --config filename.ovpn
Enter your credentials at the prompt;
after this you will be connected to the VPN server.
*************************************************************************************************************
OpenVPN with Docker-Compose
Here, we'll see how to set up and configure OpenVPN using docker-compose.
Quick Start With Docker-Compose
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Add a new service in docker-compose.yml (the service key must be lowercase openvpn, because the docker-compose run commands below refer to the service by that name):
version: '3'
services:
  openvpn:
    cap_add:
      - NET_ADMIN
    image: kylemanna/openvpn:2.4
    container_name: openvpn
    ports:
      - "1194:1194/udp"
    restart: always
    volumes:
      - ./openvpn-data:/etc/openvpn
1. Initialize The Configuration Files and Certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> ovpn_genconfig: this command generates the "ccd" directory, openvpn.conf and ovpn_env.sh in the mounted volume.
# docker-compose run --rm openvpn ovpn_genconfig -u udp://3.19.1.170
>> ovpn_initpki: runs easyrsa 'init-pki', 'build-ca', 'gen-dh', 'build-server-full' and openvpn --genkey
# docker-compose run --rm openvpn ovpn_initpki
PEM pass phrase: "Generate_Your_MASTER_PASSPHRASE"
Common Name (eg user/host/server name): "You_Can_Leave_it_Empty"
Once done you will be prompted for your passphrase again: provide_your_master_passphrase_here
2. Fix ownership (depending on how to handle your backups, this may not be needed)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sudo chown -R $(whoami): ./openvpn-data
3. Start the OpenVPN Server Process
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
docker-compose up -d
4. Access The Container Logs With
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
docker-compose logs -f
5. Generate a Client Certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export CLIENTNAME="your_client_name"
# with a passphrase (recommended)
docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME
>enter passphrase for clientkey
>verify the passphrase
>enter MasterPassphrase
# without a passphrase (not recommended)
docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME nopass
6. Retrieve Client Configuration With Embedded Certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
docker-compose run --rm openvpn ovpn_getclient $CLIENTNAME > $CLIENTNAME.ovpn
7. On The Client Machine Install OpenVPN:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sudo apt install openvpn
>> On the client machine, connect using the client profile:
sudo openvpn --config tclient1.ovpn
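Before handing out the profile from step 6, it is worth checking its contents: that the CA, certificate and key are actually embedded, that the client key was built with a passphrase rather than nopass (step 5), and that the tls-auth key generated by ovpn_initpki made it into the file. The script below is an added example, not part of kylemanna/openvpn or of this guide; the profile it parses is a constructed sample with placeholder PEM bodies.

```python
import re

# Constructed sample shaped like `ovpn_getclient` output (PEM bodies are placeholders).
# <cert> is deliberately omitted, the key unencrypted and tls-auth absent, so the audit has findings.
SAMPLE_OVPN = """\
client
dev tun
remote-cert-tls server
remote 3.19.1.170 1194 udp
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER_KEY_BODY
-----END PRIVATE KEY-----
</key>
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER_CA_BODY
-----END CERTIFICATE-----
</ca>
"""

def parse_ovpn(text):
    # Returns (directives, blocks): option token lists and inline <tag> bodies.
    directives, blocks, current = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if tag:  # enter or leave an inline block
            current = None if tag.group(1) else tag.group(2)
            if current:
                blocks[current] = []
        elif current:
            blocks[current].append(line)
        else:
            directives.append(line.split())
    return directives, {k: "\n".join(v) for k, v in blocks.items()}

def audit_ovpn(text):
    # The checks a profile should pass before it is handed to a user.
    directives, blocks = parse_ovpn(text)
    opts = {d[0] for d in directives}
    findings = [f"missing inline <{b}> block" for b in ("ca", "cert", "key") if b not in blocks]
    if "key" in blocks and "ENCRYPTED" not in blocks["key"]:
        findings.append("client key is not passphrase-protected (built with nopass)")
    if "remote-cert-tls" not in opts:
        findings.append("no 'remote-cert-tls server': server certificate role is not checked")
    if not ({"tls-auth", "tls-crypt"} & (opts | set(blocks))):
        findings.append("no tls-auth/tls-crypt: control channel lacks the pre-shared HMAC key")
    return findings
```

Run audit_ovpn on the text of the real $CLIENTNAME.ovpn; an empty list means all four checks passed.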