Last pushed: 2 years ago

Layer0 OpenVPN

l0-openvpn is a Layer0 sample application that will create an OpenVPN-AS server.

Layer0 Installation

The installation scripts necessary for Layer0 deployment are in /deploy. There's one file in particular that we must edit before deployment, and that is /deploy/.ebextensions/01_commands.config. In this file, we are setting up docker-compose, a YAML task definition, and environment variables for the service. As such, change the ADMIN_PASS variable to a password you'd like to use for the openvpn user.

Now, switch to the /deploy directory. If you're on Linux, OSX, or an OS that has zip natively, run zip dockerrun.zip Dockerrun.aws.json .ebextensions/*. Otherwise, the suggested Windows client is 7-Zip. Make sure that Dockerrun.aws.json is at the root of the archive. We'll use this zip file to deploy our application:

# l0-cli deploy:create dockerrun.zip
[deploy id hash]
# l0-cli deploy:apply [deploy_id] [service_id]

Layer0 Post-Install

After you've run deploy:apply, track the progress of the deployment via the AWS Elastic Beanstalk console. You can find your specific deployment by searching the Elastic Beanstalk console for the service ID hash used in deploy:apply. Once you've found the dashboard for your particular service, you'll see a URL associated with it that ends in elasticbeanstalk.com. Copy the full hostname from that URL and log in to the OpenVPN admin panel at https://[elasticbeanstalkhostname]:2222/admin using the user openvpn and the password you set in 01_commands.config. Go to the User Permissions page after logging in and check "Allow access from: All Other VPN Clients" for the openvpn user (click 'show' to expand user settings).

Next, visit http://[elasticbeanstalkhostname]:2222/ and log in as openvpn. Be sure to select "login" instead of "connect" from the dropdown box. From here, you can download the OpenVPN Connect client specific for your platform as well as the "Yourself (autologin profile)", which is your VPN connection profile.

After you've downloaded the OpenVPN autologin profile, we need to make some changes so that we can connect to the VPN server's load balancer. The file is typically saved as client.ovpn; open it in a text editor. After the line nobind, add the following:

proto tcp
remote elasticbeanstalkhostname 8060 tcp

Change elasticbeanstalkhostname to the hostname we used in the steps above. Remove the other lines that begin with remote; they specify incorrect IPs and protocols we cannot use (UDP). After you've made these edits, you can use this connection profile in OpenVPN Connect (recommended for Windows users) or any other OpenVPN-compatible client like Tunnelblick for OSX.
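The profile edit above (drop every existing remote line, add proto tcp and a TCP 8060 remote after nobind) is easy to get wrong by hand, so here it is as a small POSIX shell script. This is an added example, not part of the l0-openvpn project; the sample profile it writes is constructed (the 203.0.113.x address is a documentation range, not a real server), and the hostname you pass in is whatever your Elastic Beanstalk environment shows. It also refuses to touch a profile that has no nobind line, since in that case every remote would be removed and none added.

```sh
#!/bin/sh
# patch_ovpn.sh: apply the profile edits described above to a downloaded
# OpenVPN AS autologin profile. Added example, not from the l0-openvpn
# project: drops every existing "remote" line and inserts "proto tcp" plus
# "remote <host> 8060 tcp" directly after "nobind".

# make_sample_profile OUT: write a constructed sample profile (the IP is a
# documentation address, not a real server) so the script runs offline.
make_sample_profile() {
  cat > "$1" <<'EOF'
client
dev tun
remote 203.0.113.10 1194 udp
remote 203.0.113.10 443 tcp
nobind
persist-tun
verb 3
EOF
}

# patch_profile IN HOST OUT
# Fails (exit 1) when IN has no "nobind" line, because the new remote would
# have nowhere to go while every old remote would already be gone.
patch_profile() {
  in="$1"; host="$2"; out="$3"
  grep -qx 'nobind' "$in" || { echo "patch_profile: no nobind line in $in" >&2; return 1; }
  awk -v host="$host" '
    /^remote[ \t]/ { next }                                   # drop old remotes (UDP and wrong IPs)
    { print }
    /^nobind$/ { print "proto tcp"; print "remote " host " 8060 tcp" }
  ' "$in" > "$out"
}

# check_profile FILE HOST: 0 when exactly one remote line remains and it
# points at HOST on TCP 8060, the port the Layer0 load balancer forwards.
check_profile() {
  f="$1"; host="$2"
  [ "$(grep -c '^remote[[:space:]]' "$f")" -eq 1 ] || return 1
  grep -qx "remote $host 8060 tcp" "$f"
}
```

Usage: `. ./patch_ovpn.sh; patch_profile client.ovpn my-env.elasticbeanstalk.com patched.ovpn && check_profile patched.ovpn my-env.elasticbeanstalk.com`. The original client.ovpn is left untouched so you can diff the two files before importing the patched one into OpenVPN Connect or Tunnelblick.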

Simple Docker Installation

You can use this container without Layer0 via the following:

docker build -t l0-openvpn .
docker run -p 443:443/tcp -p 943:943/tcp -p 1194:1194/udp -e ADMIN_PASS=[changethispassword] -d --privileged -t l0-openvpn:latest /sbin/my_init

After the server is up, log in to the OpenVPN admin panel at https://yourdockerhostip:943/admin using the user openvpn and the password you set in the docker run command above. Go to the User Permissions page after logging in and check the box that reads "Allow access from: All Other VPN Clients".

After you've verified your account, visit http://yourdockerhostip:943/ and log in with your new password. Be sure to select "login" instead of "connect" from the dropdown box. From here, you can download the OpenVPN Connect client specific for your platform as well as the "Yourself (autologin profile)", which is your VPN connection profile (also works with 3rd party clients).
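The docker run line above takes the admin password straight from the command line, which leaves it in shell history and visible in the process list while the container starts. The wrapper below is an added example (not part of the l0-openvpn project): it keeps the exact port mappings and image from the README, refuses to start when ADMIN_PASS is empty or still the placeholder, and hands the password to docker with `-e ADMIN_PASS` (no value), which makes docker copy it from the exported environment instead of from argv. The 12-character length floor is this script's own choice, not something the README requires.

```sh
#!/bin/sh
# run_l0_openvpn.sh: added example wrapper around the README's docker run
# line (not part of the l0-openvpn project). Refuses to start with an empty
# or placeholder ADMIN_PASS and passes the password via "-e ADMIN_PASS"
# (value read by docker from the environment) so it never appears in the
# process list or shell history the way "-e ADMIN_PASS=..." does.

# check_admin_pass PASSWORD: 0 when acceptable. The 12-character floor is
# this script's choice, not a requirement stated in the README.
check_admin_pass() {
  p="$1"
  [ -n "$p" ] || return 1
  [ "$p" != "changethispassword" ] || return 1
  [ "${#p}" -ge 12 ] || return 1
  return 0
}

# run_openvpn_container: reads ADMIN_PASS from the (exported) environment.
# With DRY_RUN=1 it prints the command it would run instead of running it,
# which also shows that the password value itself is not on the command line.
run_openvpn_container() {
  check_admin_pass "${ADMIN_PASS:-}" || {
    echo "refusing to start: export a real ADMIN_PASS first" >&2
    return 2
  }
  # Same ports and image as the README: 443 and 943 TCP, 1194 UDP.
  set -- docker run -p 443:443/tcp -p 943:943/tcp -p 1194:1194/udp \
         -e ADMIN_PASS -d --privileged -t l0-openvpn:latest /sbin/my_init
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Usage (after docker build -t l0-openvpn . as above):
#   . ./run_l0_openvpn.sh
#   export ADMIN_PASS='<your real password>'
#   DRY_RUN=1 run_openvpn_container   # inspect the command first
#   run_openvpn_container             # start the container
```

Because the password travels in the environment rather than argv, remember that anything else you start from the same shell inherits it too; unset ADMIN_PASS once the container is up.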

Troubleshooting

  • When I attempt to login to the OpenVPN web portal, the logo spins and nothing happens.

This is because the OpenVPN server is configured with a self-signed certificate. Most browsers (e.g. Chrome) will block such sites, so disable the shield icon in your URL bar and/or whatever security settings/plugins may be preventing a connection to a site with a self-signed cert.
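Before clicking past the warning, it is worth confirming that the certificate the portal presents is the one your own server generated and not something else sitting in the path. The script below is an added example (not part of the l0-openvpn project) using only the openssl command-line tool: it pulls the leaf certificate from the admin-portal port (943 in the docker setup above), checks that it is genuinely self-signed (issuer equals subject), and compares its SHA-256 fingerprint against one you computed on the server from the certificate file itself. Where the OpenVPN AS certificate file lives inside the container is not stated on this page, so that path is left for you to supply.

```sh
#!/bin/sh
# cert_check.sh: added example (not from the l0-openvpn project) for the
# self-signed certificate warning above. Rather than switching browser
# protections off blindly, fetch the certificate the portal presents, confirm
# it really is self-signed, and compare its SHA-256 fingerprint with the one
# computed on the server side from the certificate file.

# pem_fingerprint FILE: SHA-256 fingerprint of a PEM certificate as
# colon-separated hex (the same form browsers show in the cert viewer).
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# is_self_signed FILE: 0 when the certificate's issuer equals its subject.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# fetch_cert HOST PORT OUTFILE: save the leaf certificate a TLS endpoint
# presents. This one needs network access; 943 is the admin portal port
# from the docker run line above, 2222 the one used in the Layer0 setup.
fetch_cert() {
  host="$1"; port="$2"; out="$3"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# verify_endpoint HOST PORT EXPECTED_FP: 0 when the presented certificate's
# fingerprint matches EXPECTED_FP (case-insensitive). Do this once against
# the fingerprint taken from the server's own certificate file, then trust
# that specific certificate rather than whatever the browser shows each time.
verify_endpoint() {
  tmp=$(mktemp)
  fetch_cert "$1" "$2" "$tmp" || { rm -f "$tmp"; return 1; }
  got=$(pem_fingerprint "$tmp" | tr 'a-f' 'A-F')
  rm -f "$tmp"
  [ "$got" = "$(printf '%s' "$3" | tr 'a-f' 'A-F')" ]
}

# Usage:
#   . ./cert_check.sh
#   pem_fingerprint /path/to/server/cert.pem     # on the server: note the value
#   verify_endpoint yourdockerhostip 943 'AA:BB:...'   # from the client: must return 0
```

If verify_endpoint returns non-zero, the browser warning is not the expected self-signed certificate and should not be bypassed.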

  • Internal corporate sites no longer resolve when connected to the VPN server.

Our recommended configuration routes all your IP traffic through the VPN server and uses OpenDNS to resolve hosts, which means that internally-facing sites may not resolve. As a workaround, you can create entries for the hosts you need in /etc/hosts (OSX/Linux) or Windows\System32\drivers\etc\hosts (Windows). You can also set your VPN client to ignore the VPN DNS resolver, although you may experience some issues with DNS caching if you do.

Owner: csakoda