Port Forward with dockerized OpenVPN-Server

Question

So I am a bit new to the VPN stuff and am currently getting a little desperate.

For what I want to do. I have rented a little server somewhere (static IP, Domain and everything). Now I want to run some services on that server via docker. Those services should not just be accessible by everyone, but only with a valid VPN connection to the server. (The firewall currently blocks access to those ports from the outside)

From what I understand I could achieve this with a VPN and Port Forwarding, but It can certainly be that I missunderstood something on a fundamental level.

Anyway, I have a OpenVPN-Server running via docker compose:

version: '2'
services:
  openvpn:
    cap_add:
     - NET_ADMIN
    image: kylemanna/openvpn
    container_name: openvpn
    ports:
     - "1194:1194/udp"
    restart: always
    volumes:
     - ./openvpn-data/conf:/etc/openvpn

I followed This Tutorial to configure it. I can connect to the VPN using the client software just fine, but now I don't know how to configure it, so that once I am connected I can call a service on Port 8080 on the Server for example.

I did not really find any answers that helped me set it up so far, so I hope someone here can help me. I tried running the service in the same docker network, and configure the VPN, but that did not work.

Thank you in advance and have a nice day.

Providing specifics after "Blind Spots" question

The OpenVPN.conf

server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/www.mysite.com.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/www.mysite.com.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup

### Push Configurations Below
push "dhcp-option DNS 192.168.13.6"
push "dhcp-option DOMAIN mysite.com"
push "route 192.168.192.0 255.255.255.0"

For the troubleshooting results: After I fixed the compression problem I've found, every of the steps mentioned here is satisfied.

For what I achieved and what I want to achieve. The last part of the config file push "route 192.168.192.0 255.255.255.0" adds a docker network, which I defined and to which the openVPN container as well as some other containers are connected (All of this transpires on the server of course).

When my openVPN client is connected, it gets the IP 192.168.192.6, as expected and I can ping the gateway of 192.168.192.0/20 at 192.168.192.1 as well as all the containers which are connected to said docker network. This works fine now. What I have not been able to achieve is to connect to one of those containers ports.

So for exapmle I have a teamcity container running which is connected to the docker network. I can ping it, but I can not access it through the port I defined for it, let's say port 8080. I want to forward that port for my openVPN client and I don't know how. That's the problem which still persists.

Answer 1

I found the solution to my Problem. I will give an in depth tutorial on how to achieve what I wanted here. For all who are just interested in the configuration of the openVPN can skip to the: "Port-Forward" section:

So what I wanted to achieve, was to have a openVPN container running on my server as well as some other private containers which I wanted to make accessible to anyone with a vpn connection. The Question was about how to configure openVPN to achieve that, and not how to initially set it up, but I will describe the whole process anyway

Docker Compose

version: '2'
networks:
  openvpn:
    name: openvpn
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.192.0/20
          gateway: 192.168.192.1
  research_network:
    name: research_network
volumes:
  research-data:
    name: research-data
  uploads:
    name: research_uploads
  storage-uploads:
    name: research_storage-uploads

services:
  openvpn:
    container_name: openvpn_server
    image: kylemanna/openvpn
    cap_add:
     - NET_ADMIN
    ports:
     - "4223:1194/udp"
    volumes:
     - ./openvpn-data/conf:/etc/openvpn
    networks:
      openvpn:
        ipv4_address: 192.168.192.2

  mysql:
    container_name: research_DB
    image: mysql:8.0
    depends_on:
      - openvpn
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=${RESEARCH_DB_ROOT_PASSWORD}
      - MYSQL_DATABASE=research
      - MYSQL_USER=${RESEARCH_DB_USER}
      - MYSQL_PASSWORD=${RESEARCH_DB_PASSWORD}
    volumes:
      - research-data:/var/lib/mysql
    networks:
      - research_network
  bookstack:
    container_name: research
    image: solidnerd/bookstack:22.10.2
    depends_on:
      - research_DB
    restart: always
    environment:
      - DB_HOST=research_DB:3306
      - DB_DATABASE=research
      - DB_USERNAME=${RESEARCH_DB_USER}
      - DB_PASSWORD=${RESEARCH_DB_PASSWORD}
      - APP_URL=http://192.168.255.1:8080
    volumes:
      - uploads:/var/www/bookstack/public/uploads
      - storage-uploads:/var/www/bookstack/storage/uploads
    networks:
      research_network:
      openvpn:
          ipv4_address: 192.168.192.3

This is an example docker-compose.yml file with an openVPN instance as well as an example service.

A docker network is created: 192.168.192.0/20, which connects all the services. In this case the openVPN as well as the bookstack instance. This is important for later.

Setup OpenVPN

You can follow this tutorial and change things where necassary for what you want to achieve.

I changed:

docker-compose run --rm openvpn ovpn_genconfig -N -d -n 192.168.13.6 -u udp://vpn.mycompany.net -p "dhcp-option DOMAIN mycompany.net" -p "route 192.168.13.0 255.255.255.0" -p "route 172.17.0.0 255.255.0.0"

accordingly to:

docker-compose run --rm openvpn ovpn_genconfig -N -d -n 192.168.13.6 -u udp://vpn.mycompany.net -p "dhcp-option DOMAIN mycompany.net" -p "route 192.168.192.0 255.255.255.0"

Which will make the docker network we created before available to the VPN. The rest will work just fine

Troubleshooting

Before we come to the interesting part, I want to mention the Troobleshooting part. The tutorial provides a few steps for that, which I followed afer I was unbable to ping 192.168.255.1, which is the default gateway for the VPN containers, even though a connection was established. It took me a while to notice why.

using:

docker logs <yourOpenVpnContainerName

I noticed a large block of "Bad compression stub decompression header byte: xx". This stems from a compression incompatibility from the OpenVPN Server version and the Client version. You can read up on it, if it interests you, but to fix it, go to the "openvpn.conf" file and remove any mention of: "comp-lzo no". This will fix it.

Port Forwarding

Now we get to the part, which my question actually was all about. Configure the port forwarding.

To test that everything will work, ping 192.168.192.1 the default gateway of the docker network (at least in this example, defined in the docker-compose) from your client machine (when you have a standing VPN connection of course). If this works go on. If not, there is something wrong with your configuration.

Non we have to get into the openVPN Containers bash to configure the iptables. To do that use:

docker exec -ti -u 0 <OpenVpnContainerName> /bin/bash

(-u 0 makes you root)

Once inside run

iptables -t nat -A PREROUTING -d 192.168.255.1 -p tcp --dport 8080 -j DNAT --to-dest 192.168.192.3:8080

and

iptables -t filter -A INPUT -p tcp -d 192.168.255.1 --dport 8080 -j ACCEPT.

This will forward the bookstack instance to all VPN clients on: 192.168.255.1:8080. You can change it accordingly to your use case. This will work and do what I initially wanted to.

ATTENTION: This will not permenantly work. If the OpenVPN container stops, these iptable configurations will not be persisted! You then have to redo them. There probably is a method to automate this, but I was not able to do so till now. Anyway. Thanks for reading, and I hope this was helpfull to you.