l0-openvpn is a Layer0 sample application that creates an OpenVPN-AS server. The installation scripts necessary for Layer0 deployment are in `/deploy`. There's one file in particular that we must edit before deployment: `/deploy/.ebextensions/01_commands.config`. In this file, we set up docker-compose, a YAML task definition, and environment variables for the service. Change the `ADMIN_PASS` variable to a password you'd like to use for the
Now, switch to the `/deploy` directory. If you're on Linux, OSX, or an OS that has `zip` natively, run `zip dockerrun.zip Dockerrun.aws.json .ebextensions/*`. Otherwise, the suggested Windows client is 7-Zip. Make sure that `Dockerrun.aws.json` is at the root of the archive. We'll use this zip file to deploy our application:

```
# l0-cli deploy:create dockerrun.zip [deploy id hash]
# l0-cli deploy:apply [deploy_id] [service_id]
```
After you've run `deploy:apply`, track the progress of the deployment via the AWS Elastic Beanstalk console. You can find your specific deployment by searching the Elastic Beanstalk console for the service ID hash used in `deploy:apply`. Once you've found the dashboard for your particular service, you'll see a URL associated with it that ends in `elasticbeanstalk.com`. Copy the full hostname from that URL and log in to the OpenVPN admin panel at `https://[elasticbeanstalkhostname]:2222/admin` using the user `openvpn` and the password you set in `01_commands.config`. Go to the User Permissions page after logging in and check "Allow access from: All Other VPN Clients" for the `openvpn` user (click 'show' to expand user settings).
After you've verified your account, visit `http://[elasticbeanstalkhostname]:2222/` and log in as `openvpn`. Be sure to select "login" instead of "connect" from the dropdown box. From here, you can download the OpenVPN Connect client specific to your platform as well as the "Yourself (autologin profile)", which is your VPN connection profile.
After you've downloaded the OpenVPN autologin profile, we need to make some changes so that we can connect to the VPN server's load balancer. The file is typically saved as `client.ovpn`; open it in a text editor. After the line `nobind`, add the following:

```
proto tcp
remote elasticbeanstalkhostname 8060 tcp
```

Set `elasticbeanstalkhostname` to the hostname we used in the steps above. Remove the other lines that begin with `remote`; they specify incorrect IPs and a protocol we cannot use (UDP). After you've made these edits, you can use this connection profile in OpenVPN Connect (recommended for Windows users) or any other OpenVPN-compatible client, such as Tunnelblick for OSX.
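The profile edit above can be scripted so it is applied the same way every time. This is an added example, not part of the l0-openvpn repository: it inserts the two TCP lines after `nobind`, drops every server-generated `remote` line, and refuses to guess if `nobind` is missing. The hostname and the sample profile are constructed placeholders.

```python
"""Patch an OpenVPN-AS autologin profile (client.ovpn) so it reaches the
Elastic Beanstalk load balancer over TCP port 8060. Added example; not code
from the l0-openvpn project."""


def patch_ovpn_profile(profile_text: str, hostname: str) -> str:
    """Return profile_text with 'proto tcp' and a TCP 'remote' line inserted
    directly after 'nobind', and every other 'remote' line removed."""
    out = []
    found_nobind = False
    for line in profile_text.splitlines():
        stripped = line.strip()
        if stripped.split()[:1] == ["remote"]:
            # Drop the server-generated remote lines (direct IPs / UDP);
            # they are not reachable through the load balancer.
            continue
        out.append(line)
        if stripped == "nobind":
            found_nobind = True
            out.append("proto tcp")
            out.append(f"remote {hostname} 8060 tcp")
    if not found_nobind:
        # Without the anchor line we would have to guess the insert point.
        raise ValueError("profile has no 'nobind' line; not patching")
    return "\n".join(out) + "\n"


# Constructed sample profile (abbreviated; a real one also carries inline
# <ca>/<cert>/<key> blocks, which this function leaves untouched).
SAMPLE_PROFILE = """\
client
dev tun
nobind
remote 203.0.113.10 1194 udp
remote 203.0.113.10 443 tcp
cipher AES-256-CBC
"""

if __name__ == "__main__":
    # Hypothetical hostname; use the one from your Beanstalk dashboard.
    print(patch_ovpn_profile(SAMPLE_PROFILE, "myenv.us-east-1.elasticbeanstalk.com"))
```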
Simple Docker Installation
You can use this container without Layer0 via the following:

```
docker build -t l0-openvpn .
docker run -p 443:443/tcp -p 943:943/tcp -p 1194:1194/udp -e ADMIN_PASS=[changethispassword] -d --privileged -t l0-openvpn:latest /sbin/my_init
```
After the server is up, log in to the OpenVPN admin panel at `https://yourdockerhostip:943/admin` using the user `openvpn` and the password you set in the `docker run` command above. Go to the User Permissions page after logging in and check the box that reads "Allow access from: All Other VPN Clients".
After you've verified your account, visit `http://yourdockerhostip:943/` and log in with your new password. Be sure to select "login" instead of "connect" from the dropdown box. From here, you can download the OpenVPN Connect client specific to your platform as well as the "Yourself (autologin profile)", which is your VPN connection profile (it also works with 3rd-party clients).
- When I attempt to log in to the OpenVPN web portal, the logo spins and nothing happens.

This is because the OpenVPN server is configured with a self-signed certificate. Most browsers (e.g. Chrome) will block such sites, so disable the shield icon in your URL bar and/or whatever security settings or plugins may be preventing a connection to a site with a self-signed cert.
- Internal corporate sites no longer resolve when connected to the VPN server.

Our recommended configuration routes all your IP traffic through the VPN server and uses OpenDNS to resolve hosts, which means that internally-facing sites may not resolve. As a workaround, you can create entries for the hosts you need in `/etc/hosts` (OSX/Linux) or `Windows\System32\drivers\etc\hosts` (Windows). You can also set your VPN client to ignore the VPN DNS resolver, although you may experience some issues with DNS caching if you do.