docker-rancher-openvpn's Introduction

OpenVPN for Rancher with modular authentication

OpenVPN server image made to give access to Rancher network with modular authentication.

This server does not rely on client certificates but on credential-based authentication.

The current version ships with the following authentication methods:

  • httpbasic
  • httpdigest
  • ldap
  • rancherlocal

How to configure the image

The only mandatory variables are AUTH_METHOD and the variables that the chosen method requires (listed under each authentication method below).

Every other environment variable is optional and has a default value.

The following variables supply the answers to the questions asked during the certificate creation process:

  • CERT_COUNTRY="US"
  • CERT_PROVINCE="AL"
  • CERT_CITY="Birmingham"
  • CERT_ORG="ACME"
  • CERT_EMAIL="[email protected]"
  • CERT_OU="IT"

These variables define the network address and CIDR prefix length of the IP pool that forms the VPN subnet from which OpenVPN draws client addresses:

  • VPNPOOL_NETWORK="10.43.0.0"
  • VPNPOOL_CIDR="16"

The next two variables are used when the client configuration is generated, to tell OpenVPN clients where to connect to establish the link:

  • REMOTE_IP="ipOrHostname"
  • REMOTE_PORT="1194"

If you don't want to expose the full Rancher network, you can set your own network and netmask with the following variables:

  • ROUTE_NETWORK="10.42.0.0"
  • ROUTE_NETMASK="255.255.0.0"

If you don't want to expose the internal Rancher metadata API, set this variable to any non-empty value; the route to the metadata API is then not added. By default the metadata API is exposed and the variable is empty.

  • NO_RANCHER_METADATA_API="" => expose metadata api
  • NO_RANCHER_METADATA_API="1" => do not expose metadata api

You can also set your custom search domain and DNS server pushed to VPN clients:

  • PUSHDNS="169.254.169.250"
  • PUSHSEARCH="rancher.internal"

There is also an optional variable that lets you customize the OpenVPN server config, for example to push your own custom route. This variable accepts multiple lines: separate them with a literal \n.

  • OPENVPN_EXTRACONF="first line\nsecond line\nthird line"
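The following script is an added example and not the image's own entry.sh: it shows how the variables above map onto OpenVPN server directives. It converts VPNPOOL_CIDR into the netmask that OpenVPN's "server" directive needs, applies the README defaults, omits the metadata API route when NO_RANCHER_METADATA_API is non-empty, and expands the literal \n sequences of OPENVPN_EXTRACONF into real lines. The function names cidr_to_netmask and render_server_conf are hypothetical.

```shell
#!/bin/sh
# Added example, not the image's own entry.sh: render the server.conf lines
# controlled by the documented environment variables. Defaults match the
# README; the function names are hypothetical.

# Convert a CIDR prefix length (0-32) into a dotted netmask, e.g. 16 -> 255.255.0.0.
# OpenVPN's "server" directive takes a netmask, while the README exposes VPNPOOL_CIDR.
cidr_to_netmask() {
    prefix=$1
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    bits=$prefix
    mask=""
    for _ in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            octet=255
            bits=$((bits - 8))
        else
            octet=$((256 - (1 << (8 - bits))))
            bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    printf '%s\n' "$mask"
}

# Print the server-side directives derived from the environment.
render_server_conf() {
    : "${VPNPOOL_NETWORK:=10.43.0.0}" "${VPNPOOL_CIDR:=16}"
    : "${ROUTE_NETWORK:=10.42.0.0}" "${ROUTE_NETMASK:=255.255.0.0}"
    : "${PUSHDNS:=169.254.169.250}" "${PUSHSEARCH:=rancher.internal}"
    netmask=$(cidr_to_netmask "$VPNPOOL_CIDR") || {
        echo "VPNPOOL_CIDR='$VPNPOOL_CIDR' is not a valid prefix length" >&2
        return 1
    }
    printf 'server %s %s\n' "$VPNPOOL_NETWORK" "$netmask"
    printf 'push "dhcp-option DNS %s"\n' "$PUSHDNS"
    printf 'push "dhcp-option SEARCH %s"\n' "$PUSHSEARCH"
    printf 'push "route %s %s"\n' "$ROUTE_NETWORK" "$ROUTE_NETMASK"
    # The metadata API route is added unless NO_RANCHER_METADATA_API is non-empty.
    [ -n "${NO_RANCHER_METADATA_API:-}" ] || printf 'push "route 169.254.169.250 255.255.255.255"\n'
    # docker -e passes the two characters '\' 'n' literally; %b turns them into newlines.
    [ -z "${OPENVPN_EXTRACONF:-}" ] || printf '%b\n' "$OPENVPN_EXTRACONF"
}

# Usage: export the variables you want to override, then call the renderer.
render_server_conf
```

Because docker passes the value of OPENVPN_EXTRACONF through unchanged, the expansion of \n has to happen inside the container; printf's %b conversion does that without invoking eval on user-supplied text.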

How to run this image

You must run this image in privileged mode.

Here is the minimal docker run example with httpbasic authentication:

docker run -d --privileged=true -p 1194:1194 \
    -e AUTH_METHOD=httpbasic \
    -e AUTH_HTTPBASIC_URL=https://api.github.com/user \
    mdns/rancher-openvpn

And here is an exhaustive docker run example with ldap authentication:

docker run -d \
    --privileged=true \
    -e REMOTE_IP=1.2.3.4 \
    -e REMOTE_PORT=1194 \
    -e CERT_COUNTRY=FR \
    -e CERT_PROVINCE=PACA \
    -e CERT_CITY=Marseille \
    -e CERT_ORG=MDNS \
    -e [email protected] \
    -e CERT_OU=IT \
    -e VPNPOOL_NETWORK=10.8.0.0 \
    -e VPNPOOL_CIDR=24 \
    -e OPENVPN_EXTRACONF='# Example of multiline extraconf\npush "route 10.10.0.0 255.255.0.0"\npush "route 10.20.0.0 255.255.0.0"' \
    -e ROUTE_NETWORK=10.42.103.143 \
    -e ROUTE_NETMASK=255.255.255.255 \
    -e PUSHDNS=169.254.169.250 \
    -e PUSHSEARCH=rancher.internal \
    -e NO_RANCHER_METADATA_API=1 \
    -e AUTH_METHOD=ldap \
    -e AUTH_LDAP_URL=ldap://ldap.acme.tld \
    -e AUTH_LDAP_BASEDN='dc=acme,dc=tld' \
    -e AUTH_LDAP_SEARCH='(uid=$username)' \
    -e AUTH_LDAP_BINDDN='cn=admin,dc=acme,dc=tld' \
    -e AUTH_LDAP_BINDPWD='thisIsTheBindDnPassword' \
    -v /etc/openvpn \
    --name=vpn \
    -p 1194:1194 \
    mdns/rancher-openvpn

Nota bene: the first launch takes longer because the certificates and private keys are generated at that point.


Authentication methods

HTTP Basic

Authentication is performed by connecting to an HTTP server with the client's credentials using the HTTP Basic Auth mechanism.

Both variables are mandatory:

  • AUTH_METHOD=httpbasic
  • AUTH_HTTPBASIC_URL is the HTTP server URL, e.g. AUTH_HTTPBASIC_URL='http[s]://hostname[:port][/uri]'

You can test authentication against the GitHub API server:

docker run -d --privileged=true -p 1194:1194 \
    -e AUTH_METHOD=httpbasic \
    -e AUTH_HTTPBASIC_URL=https://api.github.com/user \
    mdns/rancher-openvpn

Warning! If you use the GitHub API URL in production, anyone who has a GitHub account will be able to connect to your VPN!

HTTP Digest

Authentication is performed by connecting to an HTTP server with the client's credentials using the HTTP Digest Auth mechanism.

Both variables are mandatory:

  • AUTH_METHOD=httpdigest
  • AUTH_HTTPDIGEST_URL is the HTTP server URL, e.g. AUTH_HTTPDIGEST_URL='http[s]://hostname[:port][/uri]'

You can test authentication against the httpbin sandbox server:

docker run -d --privileged=true -p 1194:1194 \
    -e AUTH_METHOD=httpdigest \
    -e AUTH_HTTPDIGEST_URL=https://httpbin.org/digest-auth/auth/myuser/mypwd \
    mdns/rancher-openvpn

LDAP

Authentication is performed by connecting (binding) to an LDAP server with the client's credentials.

These variables are mandatory to set up LDAP authentication:

  • AUTH_METHOD=ldap
  • AUTH_LDAP_URL is the server address in URL format: AUTH_LDAP_URL=ldap[s]://hostnameOrIp[:port]
  • AUTH_LDAP_BASEDN is the base DN to search under, e.g. AUTH_LDAP_BASEDN='dc=acme,dc=com'
  • AUTH_LDAP_SEARCH is the LDAP search filter used to find the user's DN, with a $username parameter, e.g. AUTH_LDAP_SEARCH='(uid=$username)'

If your LDAP server requires authentication to search the directory, you can use the optional bind variables:

  • AUTH_LDAP_BINDDN: DN to bind as for the search
  • AUTH_LDAP_BINDPWD: password of that DN

You can test LDAP authentication with the osixia/openldap Docker image, logging in as "admin":

docker run -d --name=ldap -e LDAP_ORGANISATION="ACME" -e LDAP_DOMAIN="acme.tld" -e LDAP_ADMIN_PASSWORD="mypwd" osixia/openldap:1.1.1
docker run -d --privileged=true -p 1194:1194 --link ldap:ldapsrv \
    -e AUTH_METHOD=ldap \
    -e AUTH_LDAP_URL=ldap://ldapsrv \
    -e AUTH_LDAP_BASEDN='dc=acme,dc=tld' \
    -e AUTH_LDAP_SEARCH='(uid=$username)' \
    -e AUTH_LDAP_BINDDN='cn=admin,dc=acme,dc=tld' \
    -e AUTH_LDAP_BINDPWD='mypwd' \
    mdns/rancher-openvpn

Rancher Server in local mode

Authentication is performed by connecting to a Rancher Server configured in local authentication mode.

Both variables are mandatory:

  • AUTH_METHOD=rancherlocal
  • AUTH_RANCHERLOCAL_URL is the Rancher API token URL, e.g. AUTH_RANCHERLOCAL_URL='http[s]://hostname[:port]/v1/token'

You can test authentication against the Rancher API server:

docker run -d --privileged=true -p 1194:1194 \
    -e AUTH_METHOD=rancherlocal \
    -e AUTH_RANCHERLOCAL_URL=https://rancher.example.com/v1/token \
    mdns/rancher-openvpn
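Since each method has its own mandatory variables and URL shape, a startup check that fails fast on a missing or malformed variable saves a round of reading OpenVPN's auth-user-pass-verify errors later. The script below is an added example, not part of the image: it validates the variables documented in the four sections above (AUTH_METHOD, the per-method URL variables, and the LDAP base DN, search filter and optional bind pair). The function names require_var and validate_auth_env are hypothetical.

```shell
#!/bin/sh
# Added example, not the image's own startup code: verify that AUTH_METHOD and
# the variables that method requires are set and have the documented shape
# before the VPN server is started. Function names are hypothetical.

# require_var NAME [PATTERN...]: fail unless $NAME is non-empty and, when
# patterns are given, matches at least one of the shell glob patterns.
require_var() {
    name=$1
    shift
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
        echo "missing mandatory variable $name" >&2
        return 1
    fi
    [ $# -eq 0 ] && return 0
    for pattern in "$@"; do
        case "$value" in $pattern) return 0 ;; esac
    done
    echo "$name='$value' does not have the expected form ($*)" >&2
    return 1
}

# Check the method-dependent variables for the configured AUTH_METHOD.
validate_auth_env() {
    require_var AUTH_METHOD || return 1
    case "$AUTH_METHOD" in
        httpbasic)
            require_var AUTH_HTTPBASIC_URL 'http://*' 'https://*' ;;
        httpdigest)
            require_var AUTH_HTTPDIGEST_URL 'http://*' 'https://*' ;;
        rancherlocal)
            # The documented endpoint is the /v1/token resource of the Rancher server.
            require_var AUTH_RANCHERLOCAL_URL 'http://*/v1/token' 'https://*/v1/token' ;;
        ldap)
            require_var AUTH_LDAP_URL 'ldap://*' 'ldaps://*' || return 1
            require_var AUTH_LDAP_BASEDN || return 1
            # The search filter must carry the $username placeholder.
            require_var AUTH_LDAP_SEARCH '*$username*' || return 1
            # Bind credentials are optional, but a bind DN without its password
            # (or the reverse) is a misconfiguration, not an anonymous search.
            if [ -n "${AUTH_LDAP_BINDDN:-}" ] && [ -z "${AUTH_LDAP_BINDPWD:-}" ]; then
                echo "AUTH_LDAP_BINDDN is set but AUTH_LDAP_BINDPWD is empty" >&2
                return 1
            fi
            if [ -z "${AUTH_LDAP_BINDDN:-}" ] && [ -n "${AUTH_LDAP_BINDPWD:-}" ]; then
                echo "AUTH_LDAP_BINDPWD is set but AUTH_LDAP_BINDDN is empty" >&2
                return 1
            fi
            ;;
        *)
            echo "unknown AUTH_METHOD '$AUTH_METHOD' (expected httpbasic, httpdigest, ldap or rancherlocal)" >&2
            return 1 ;;
    esac
}

# Usage: AUTH_METHOD=httpbasic AUTH_HTTPBASIC_URL=https://auth.example.invalid/ sh check-auth-env.sh check
if [ "${1:-}" = "check" ]; then
    validate_auth_env && echo "auth environment OK"
fi
```

The URL checks only look at the scheme and, for rancherlocal, the documented /v1/token path; they do not contact the server, so the check is safe to run before the container has network access.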

Client configuration

The client configuration is printed to stdout when the container starts, but you can also retrieve it with the "vpn_get_client_config.sh" script:

docker exec -it vpn bash
root@35972bb51cc9:/# vpn_get_client_config.sh
remote $REMOTE_IP $REMOTE_PORT
client
dev tun
proto tcp
remote-random
resolv-retry infinite
cipher AES-128-CBC
auth SHA1
nobind
link-mtu 1500
persist-key
persist-tun
comp-lzo
verb 3
auth-user-pass
auth-retry interact
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIJALhlg01BvAIvMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD
...
[Your generated OpenVPN CA certificate]
...
X0yOqF6doV0+DPt5T+vEeu9oiczscg==
-----END CERTIFICATE-----
</ca>

Save this configuration in your ".ovpn" file, and don't forget to replace the placeholders on the remote line (the server IP address and the port) with your server's IP and the exposed port used to reach the OpenVPN server.

Here is an example of a final client.ovpn:

remote 5.6.7.8 1194
client
dev tun
proto tcp
remote-random
resolv-retry infinite
cipher AES-128-CBC
auth SHA1
nobind
link-mtu 1500
persist-key
persist-tun
comp-lzo
verb 3
auth-user-pass
auth-retry interact
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIJALhlg01BvAIvMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD
...
[Your generated OpenVPN CA certificate]
...
X0yOqF6doV0+DPt5T+vEeu9oiczscg==
-----END CERTIFICATE-----
</ca>
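The step described above (filling in the remote line of the printed configuration) is easy to get wrong by hand, and a client file whose <ca> block is truncated will fail TLS verification with an unhelpful error. The script below is an added example, not the image's vpn_get_client_config.sh: it rewrites the remote line with the given address and port and refuses to emit a file whose CA block is missing or incomplete. The sample configuration embedded in it is constructed for the demonstration (the certificate body is a placeholder, not a real certificate), and the function name finalize_client_config is hypothetical.

```shell
#!/bin/sh
# Added example, not the image's vpn_get_client_config.sh: fill in the remote
# line of the printed client configuration and verify that the embedded CA
# block is complete before the file is handed to a client. Function name is
# hypothetical.

# finalize_client_config IP_OR_HOST PORT
# Reads the printed configuration on stdin, writes the finished client.ovpn on stdout.
finalize_client_config() {
    host=$1
    port=$2
    [ -n "$host" ] || { echo "server address required" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "port '$port' is not numeric" >&2; return 1 ;;
    esac
    awk -v host="$host" -v port="$port" '
        # Rewrite the remote line whatever placeholder it carries.
        /^remote / { print "remote " host " " port; next }
        /^<ca>$/    { in_ca = 1 }
        /^<\/ca>$/  { in_ca = 0; closed = 1 }
        in_ca && /^-----BEGIN CERTIFICATE-----$/ { has_begin = 1 }
        in_ca && /^-----END CERTIFICATE-----$/   { has_end = 1 }
        { print }
        END {
            if (!(has_begin && has_end && closed)) {
                print "CA block missing or incomplete" > "/dev/stderr"
                exit 1
            }
        }
    '
}

# Constructed sample in the shape printed by vpn_get_client_config.sh; the
# certificate lines are a placeholder, not a real certificate.
SAMPLE_CONFIG=$(cat <<'EOF'
remote $REMOTE_IP $REMOTE_PORT
client
dev tun
proto tcp
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIJALhlg01BvAIvMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD
X0yOqF6doV0+DPt5T+vEeu9oiczscg==
-----END CERTIFICATE-----
</ca>
EOF
)

# Usage: printf '%s\n' "$SAMPLE_CONFIG" | finalize_client_config 5.6.7.8 1194 > client.ovpn
printf '%s\n' "$SAMPLE_CONFIG" | finalize_client_config 5.6.7.8 1194
```

The printed file also carries ns-cert-type server; OpenVPN clients from version 2.5 onwards no longer accept that option, so if a recent client rejects the file, replace that line with remote-cert-tls server, which performs the same server-certificate check.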

Volumes and data conservation

Everything (certificates, private keys and generated configuration) is stored in /etc/openvpn; mount it as a volume to preserve this data across container restarts.


docker-rancher-openvpn's Issues

Multiline OPENVPN_EXTRACONF

The OPENVPN_EXTRACONF should accept multiple lines (e.g. separated with \n)

and the default configuration parameters should be removed from bin/entry.sh to be usable in general:

  • push "dhcp-option DNS 169.254.169.250"
  • push "dhcp-option SEARCH rancher.internal"
  • push "route 10.42.0.0 255.255.0.0"
  • push "route 169.254.169.250 255.255.255.255"

Thanks for the nice container!

openvpn-rancherlocal

I tried to install openvpn in rancherlocal mode, without success:

12/2/2016 2:34:32 AMTraceback (most recent call last):
12/2/2016 2:34:32 AM  File "/usr/local/bin/openvpn-auth.py", line 164, in <module>
12/2/2016 2:34:32 AM    auth_rancher_local(url, username, password)
12/2/2016 2:34:32 AM  File "/usr/local/bin/openvpn-auth.py", line 94, in auth_rancher_local
12/2/2016 2:34:32 AM    if (requests.post(url, data = { "authProvider": "localauthconfig", "code": username + ":" + password})):
12/2/2016 2:34:32 AM  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 94, in post
12/2/2016 2:34:32 AM    return request('post', url, data=data, json=json, **kwargs)
12/2/2016 2:34:32 AM  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 49, in request
12/2/2016 2:34:32 AM    return session.request(method=method, url=url, **kwargs)
12/2/2016 2:34:32 AM  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 457, in request
12/2/2016 2:34:32 AM    resp = self.send(prep, **send_kwargs)
12/2/2016 2:34:32 AM  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 569, in send
12/2/2016 2:34:32 AM    r = adapter.send(request, **kwargs)
12/2/2016 2:34:32 AM  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 407, in send
12/2/2016 2:34:32 AM    raise ConnectionError(err, request=request)
12/2/2016 2:34:32 AMrequests.exceptions.ConnectionError: ('Connection aborted.', error(111, 'Connection refused'))
12/2/2016 2:34:32 AMFri Dec  2 01:34:32 2016 172.31.3.73:14679 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
12/2/2016 2:34:32 AMFri Dec  2 01:34:32 2016 172.31.3.73:14679 TLS Auth Error: Auth Username/Password verification failed for peer

That's the error log from the server when a login attempt is set off.
When I ping the URL of the Rancher master server everything is working fine; I double checked that all ports are open to communicate.
Do you have an idea what I could test next to get it running?

MTU mismatch

Fri Feb 28 10:40:41 2020 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1440)
Fri Feb 28 10:44:42 2020 XXXXXX:57664 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1440', remote='tun-mtu 1376'

I'm getting these logs and the vpn disconnects after exactly 7 minutes with


28/02/2020 10:55:34Fri Feb 28 09:55:34 2020 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:56996
28/02/2020 10:55:34Fri Feb 28 09:55:34 2020 XXX.XXX.XXX.XXX:56996 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1500 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
28/02/2020 10:55:34Fri Feb 28 09:55:34 2020 XXX.XXX.XXX.XXX:56996 Connection reset, restarting [0]
28/02/2020 10:55:34Fri Feb 28 09:55:34 2020 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1440)
28/02/2020 10:55:34Fri Feb 28 09:55:34 2020 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:56997
28/02/2020 10:55:34Fri Feb 28 09:55:34 2020 XXX.XXX.XXX.XXX:56997 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1500 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
28/02/2020 10:55:34Fri Feb 28 09:55:34 2020 XXX.XXX.XXX.XXX:56997 Connection reset, restarting [0]

OpenVPN config not fully working on ubuntu

Hi,

I've been using your openVPN tool for a while and I always wondered why I did not have access to the Rancher DNS.

This post: https://serverfault.com/questions/318563/how-to-push-my-own-dns-server-to-openvpn

gave me the answer.

Added :

script-security 2
dhcp-option DNS 169.254.169.250
dhcp-option DOMAIN rancher.internal
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

to my config and it's now working as expected. I don't know if this could be considered a bug or not, but maybe it's worth pointing out in the documentation :)

Some env vars already "baked into" entrypoint script

I was having trouble setting a custom route via environment variables. Looking in entry.sh in the git repo for the section that writes out server.conf and client.conf, it seemed like assigning values to the ROUTE_NETWORK and ROUTE_NETMASK env vars would accomplish this:

[...]
server $VPNPOOL_NETWORK $VPNPOOL_NETMASK
push "dhcp-option DNS $PUSHDNS"
push "dhcp-option SEARCH $PUSHSEARCH"
push "route $ROUTE_NETWORK $ROUTE_NETMASK"
$RANCHER_METADATA_API
keepalive 10 120
[...]

It wasn't working. Opening a terminal to the container itself revealed the actual contents of entry.sh are:

[...]
server $VPNPOOL_NETWORK $VPNPOOL_NETMASK
push "dhcp-option DNS 169.254.169.250"
push "dhcp-option SEARCH rancher.internal"
push "route 10.42.0.0 255.255.0.0"
push "route 169.254.169.250 255.255.255.255"
keepalive 10 120
[...]

Is it possible that mdns/rancher-openvpn-1.1 was built inside an environment where some env vars were already set, and so accidentally "baked in"?

-g.

DNS not working under macOS Sierra

Our present VPN configuration works just fine with Tunnelblick, except for users of macOS Sierra.

It appears that the Rancher DNS nameserver IP address - 169.254.169.250 - is routed differently in Sierra. Instead of traffic to this IP correctly sending over the VPN to the Rancher DNS service, this self-assigned IP fails to send traffic anywhere.

The workaround I am experimenting with is to add the push "redirect-gateway def1" directive to the server config to forcibly route all traffic over the VPN.

I thought it worth raising the issue here as it would be really great if this image was able to support macOS Sierra users using Tunnelblick as a VPN client without any additional configuration.

OPENVPN_EXTRACONF parameter in README.md may need to be modified

Example in README.md

OPENVPN_EXTRACONF='# Example of multiline extraconf\npush "10.10.0.0 255.255.0.0"\npush "10.20.0.0 255.255.0.0"'

which doesn't work for me, while the one below is OK, when I add route in the parameter:

OPENVPN_EXTRACONF='push "route 172.16.0.0 255.240.0.0"'

upgrading != new certs?

When I'm upgrading the container, I get new certs, even if I put the directory /etc/openvpn on NFS.

Is it possible to check if there are already certificates in the folder and, if so, not generate new certificates?

LDAP Rancher template 1.0 bombs out after succesfull connect

  • update: also found this with the basic template

The LDAP OpenVPN template 1.0 on Rancher 1.x behaves erratically in a vCloud/ESXi environment.

Running Docker 1.1.0 on Ubuntu 14.04LTS

After the initial connect, with successful or unsuccessful authentication, port 1194/tcp bombs out and doesn't come back. The service just stops, clients disconnect (retry in 5 secs).

It is the last piece of a setup we're doing here; we need it for the managed network hosts network.

Is there anyone out there with some pointers or a blog post of sorts that shows the OpenVPN LDAP template 1.0 actually works on Rancher 1.01?

AUTH_METHOD=rancherlocal when Rancher uses Github auth

I'm trying to set up the rancherlocal auth method. Setup works as expected and when trying to connect the VPN client prompts for a username and password (also expected).

The problem is that I can't seem to auth successfully against Rancher's API. My Rancher environment is using Github auth and restricting access to a single organization - so to access Rancher you have to "log in" with your Github account. It seems like the VPN may not be able to forward auth requests through Rancher to Github.

Has anyone successfully configured an OpenVPN server to auth against Rancher with Github auth enabled?
