|
| 1 | +# VPN Test Environment with Docker Compose |
| 2 | + |
| 3 | +This project sets up a VPN test environment using Docker Compose, allowing two remote clients to securely access an internal Ubuntu server and a simple web server on a simulated enterprise LAN. |
| 4 | + |
| 5 | +## Project Structure |
| 6 | + |
| 7 | +``` |
| 8 | +vpn-test/ |
| 9 | +├── docker-compose.yml |
| 10 | +├── openvpn-data/ |
| 11 | +│ └── conf/ |
| 12 | +├── webserver/ |
| 13 | +│ └── html/ |
| 14 | +│ └── index.html |
| 15 | +└── ubuntu-server/ |
| 16 | +└── client1.ovpn |
| 17 | +└── client2.ovpn |
| 18 | +``` |
| 19 | + |
| 20 | +* **`docker-compose.yml`:** Defines the services (OpenVPN server, web server, Ubuntu server) and their configurations. |
| 21 | +* **`openvpn-data/conf/`:** Stores OpenVPN server configuration files, certificates, and keys. |
| 22 | +* **`webserver/html/`:** Contains the `index.html` file served by the internal web server. |
| 23 | +* **`ubuntu-server/`:** (Optional) You can place scripts or configuration files for the Ubuntu server here. |
| 24 | +* **`client1.ovpn`**: OpenVPN configuration file for client 1. |
| 25 | +* **`client2.ovpn`**: OpenVPN configuration file for client 2. |
| 26 | + |
| 27 | +## Prerequisites |
| 28 | + |
| 29 | +* Docker Engine and Docker Compose installed on your server machine. |
| 30 | +* Basic understanding of networking concepts (IP addresses, subnets, ports). |
| 31 | +* At least one another machine for testing. |
| 32 | + |
| 33 | +## Setup Steps |
| 34 | + |
| 35 | +### 1. Project Directory |
| 36 | + |
| 37 | +* Create a directory for this project: |
| 38 | + |
| 39 | + ```bash |
| 40 | + mkdir vpn-test |
| 41 | + cd vpn-test |
| 42 | + ``` |
| 43 | + |
| 44 | +* Create subdirectories: |
| 45 | + |
| 46 | + ```bash |
| 47 | + mkdir -p openvpn-data/conf webserver/html ubuntu-server |
| 48 | + ``` |
| 49 | + |
| 50 | +### 2. Docker Compose File |
| 51 | + |
| 52 | +* Create a file named `docker-compose.yml` with the following content: |
| 53 | + |
| 54 | +```yaml |
| 55 | +services: |
| 56 | + openvpn: |
| 57 | + image: kylemanna/openvpn:latest |
| 58 | + container_name: openvpn-server |
| 59 | + cap_add: |
| 60 | + - NET_ADMIN |
| 61 | + volumes: |
| 62 | + - ./openvpn-data/conf:/etc/openvpn |
| 63 | + ports: |
| 64 | + - "40000:1194/udp" # Expose a non-standard port (>= 32768 for my Freebox) |
| 65 | + networks: |
| 66 | + - vpn_network |
| 67 | + restart: always |
| 68 | +
|
| 69 | + webserver: |
| 70 | + image: nginx:latest |
| 71 | + container_name: internal-webserver |
| 72 | + volumes: |
| 73 | + - ./webserver/html:/usr/share/nginx/html:ro |
| 74 | + networks: |
| 75 | + - vpn_network |
| 76 | + restart: always |
| 77 | +
|
| 78 | + ubuntu-server: |
| 79 | + image: ubuntu:latest |
| 80 | + container_name: internal-ubuntu |
| 81 | + command: tail -f /dev/null # Keep it running |
| 82 | + networks: |
| 83 | + - vpn_network |
| 84 | + restart: always |
| 85 | +
|
| 86 | +networks: |
| 87 | + vpn_network: |
| 88 | + driver: bridge |
| 89 | + ipam: |
| 90 | + config: |
| 91 | + - subnet: 172.20.0.0/16 |
| 92 | +``` |
| 93 | + |
| 94 | +### 3. Web Server Content |
| 95 | + |
| 96 | +* Create a simple `index.html` file in `./webserver/html`: |
| 97 | + |
| 98 | +```html |
| 99 | +<!DOCTYPE html> |
| 100 | +<html> |
| 101 | +<head> |
| 102 | + <title>Internal Webserver</title> |
| 103 | +</head> |
| 104 | +<body> |
| 105 | + <h1>Hello from Big local company Webserver!</h1> |
| 106 | +</body> |
| 107 | +</html> |
| 108 | +``` |
| 109 | + |
| 110 | +### 4. Generate OpenVPN Configuration |
| 111 | + |
| 112 | +* **Initialize OpenVPN and Generate Server Config:** |
| 113 | + |
| 114 | + ```bash |
| 115 | + docker-compose run --rm openvpn ovpn_genconfig -u udp://YOUR_PUBLIC_IP:40000 -n 8.8.8.8 -n 8.8.4.4 |
| 116 | + ``` |
| 117 | + |
| 118 | + * **Replace `YOUR_PUBLIC_IP` with the actual public IP address of your server.** (use `curl ifconfig.me` to get the public IP or check on google) |
| 119 | + * **Adjust the port (40000 here) if you chose a different one.** |
| 120 | + * **-n option allows you to set DNS, here we use google's one, but you can use the one you prefer** |
| 121 | +
|
| 122 | +* **Initialize the PKI (Public Key Infrastructure):** |
| 123 | +
|
| 124 | + ```bash |
| 125 | + docker-compose run --rm openvpn ovpn_initpki |
| 126 | + ``` |
| 127 | +
|
| 128 | + * You'll be prompted to set a passphrase for the CA (Certificate Authority). Choose a strong one and remember it. |
| 129 | + |
| 130 | +* **Generate Client Certificates:** |
| 131 | + |
| 132 | + ```bash |
| 133 | + docker-compose run --rm openvpn easyrsa build-client-full client1 nopass |
| 134 | + docker-compose run --rm openvpn easyrsa build-client-full client2 nopass |
| 135 | + ... |
| 136 | + ``` |
| 137 | + |
| 138 | +* **Retrieve Client Configuration Files:** |
| 139 | + |
| 140 | + ```bash |
| 141 | + docker-compose run --rm openvpn ovpn_getclient client1 > client1.ovpn |
| 142 | + docker-compose run --rm openvpn ovpn_getclient client2 > client2.ovpn |
| 143 | + ... |
| 144 | + ``` |
| 145 | + |
| 146 | + * This will create `client1.ovpn` and `client2.ovpn` in your project directory. |
| 147 | + |
| 148 | +The `.ovpn` file contains all the necessary parameters to connect to the server such as: |
| 149 | + |
| 150 | +- Server's address (IP or hostname) and port. |
| 151 | +- Protocol (UDP or TCP). |
| 152 | +- Certificates and keys. |
| 153 | +- Cipher and authentication settings. |
| 154 | +- Other options like compression, persistence, etc. |
| 155 | +
|
| 156 | +### 5. Configure Router (Port Forwarding) |
| 157 | +
|
| 158 | +* If your server is behind a router (like Freebox), you need to configure port forwarding: |
| 159 | + * Log in to your router's administration interface (e.g., `192.168.1.254` for Freebox). |
| 160 | + * Find the "Port Forwarding" or "Redirection de Ports" settings. |
| 161 | + * Create a rule to forward UDP port 40000 (or the port you chose) from the internet to the internal IP address of your server machine on port 40000. |
| 162 | + |
| 163 | + |
| 164 | + |
| 165 | + |
| 166 | + |
| 167 | +### 6. Configure Firewall (Server) |
| 168 | + |
| 169 | +* If you have a firewall enabled on your server (e.g., `ufw`), allow incoming traffic on the OpenVPN port: |
| 170 | + |
| 171 | + ```bash |
| 172 | + sudo ufw allow 40000/udp |
| 173 | + ``` |
| 174 | + |
| 175 | +### 7. Start the Environment |
| 176 | + |
| 177 | +* Start the Docker Compose services: |
| 178 | + |
| 179 | + ```bash |
| 180 | + docker-compose up -d |
| 181 | + ``` |
| 182 | + |
| 183 | +### 8. Client Setup (Ubuntu Example for Client 1, my other Ubuntu laptop) |
| 184 | + |
| 185 | +* **Install OpenVPN:** |
| 186 | + |
| 187 | + ```bash |
| 188 | + sudo apt update |
| 189 | + sudo apt install openvpn |
| 190 | + ``` |
| 191 | + |
| 192 | +* **Transfer `client1.ovpn`:** |
| 193 | + * Transfer the `client1.ovpn` file to your Ubuntu client machine (using `scp`, a USB drive, or other methods). I've used gmail mhahaha!!! |
| 194 | +
|
| 195 | +* **Connect (Command Line):** |
| 196 | +
|
| 197 | + ```bash |
| 198 | + sudo openvpn --config client1.ovpn |
| 199 | + ``` |
| 200 | +
|
| 201 | + * Keep the terminal open while connected. |
| 202 | +
|
| 203 | +* **Connect (Network Manager - Optional):** |
| 204 | + * Import `client1.ovpn` into Network Manager. |
| 205 | + * Connect through the Network Manager interface. |
| 206 | +
|
| 207 | +### 9. Testing the Connection |
| 208 | +
|
| 209 | +* **Verify IP and Interface:** |
| 210 | + * On the client, use `ip addr show` to check for a `tun0` or `tap0` interface with an IP in the 172.20.0.0/16 subnet. |
| 211 | +
|
| 212 | +* **Ping Tests:** |
| 213 | + * Ping the web server: `ping 172.20.0.3` |
| 214 | + * Ping the Ubuntu server: `ping 172.20.0.4` |
| 215 | +
|
| 216 | +* **Access Web Server:** |
| 217 | + * Open a browser on the client and go to `http://172.20.0.3`. |
| 218 | +
|
| 219 | +* **SSH to Ubuntu Server (Optional):** |
| 220 | + * `ssh username@172.20.0.4` (replace with the correct username and IP). |
| 221 | +
|
| 222 | +Look at [openvpn in detail.pdf](./OPENVPN%20in%20details.pdf) file to learn more about the core key exchange and tls. |
| 223 | +
|
| 224 | +## Troubleshooting |
| 225 | +
|
| 226 | +* **TLS Key Negotiation Failed:** |
| 227 | + * Verify your server's public IP address in `client1.ovpn`. |
| 228 | + * Check firewall rules on the server and router. |
| 229 | + * Ensure port forwarding is configured correctly. |
| 230 | + * Double-check for typos in commands. |
| 231 | + |
| 232 | +* **`netcat` Test:** |
| 233 | + * On the server, inside the `openvpn` container: `nc -u -l -p 5555` |
| 234 | + * On the client: `nc -u YOUR_SERVER_PUBLIC_IP 1194` |
| 235 | + * Type messages to see if they are received on the other end. This tests basic UDP connectivity. |
| 236 | + |
| 237 | +* **Cipher Issue (Warning):** |
| 238 | + * Add `data-ciphers-fallback BF-CBC` to both `server.conf` and `client1.ovpn` if needed (less likely to be the cause of major problems). |
| 239 | + |
| 240 | +* **Other Issues:** |
| 241 | + * Examine OpenVPN server logs: `docker-compose logs openvpn` |
| 242 | + * Check client-side logs. |
| 243 | + * Consult OpenVPN documentation and forums. |
| 244 | + |
| 245 | +## Security Considerations (for Production) |
| 246 | + |
| 247 | +* **Stronger Authentication:** Use certificate-based authentication with strong ciphers. |
| 248 | +* **Firewall:** Implement a robust firewall on your server. |
| 249 | +* **Intrusion Detection:** Set up an IDS to monitor for suspicious activity. |
| 250 | +* **Regular Updates:** Keep all software up to date. |
| 251 | +* **Principle of Least Privilege:** Grant users only the necessary access. |
| 252 | + |
| 253 | +## Disclaimer |
| 254 | + |
| 255 | +This guide is for educational and testing purposes. It provides a basic setup and may not cover all security aspects required for a production environment. Adapt and enhance the configuration based on your specific security needs and best practices. |
0 commit comments