- openvpn client (localhost) -> openvpn server (hyper container)
- openvpn client (hyper container) -> openvpn server (hyper container), with the client running in a different hyper account
$ docker search openvpn | head -n 5
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
kylemanna/openvpn OpenVPN server in a Docker container compl... 316 [OK]
haugene/transmission-openvpn Docker container which runs Transmission t... 47 [OK]
dperson/openvpn-client 29 [OK]
martin/openvpn Tiny (12MB) full featured OpenVPN server w... 14 [OK]
//create the data volume; it will hold the whole PKI (including the CA private key), so treat it as sensitive and do not share it with other containers
$ OVPN_DATA="ovpn-data"
$ hyper volume create --name $OVPN_DATA
ovpn-data
//generate the server configuration (-u: the public endpoint clients will connect to; -a SHA256: digest used for HMAC packet authentication). Note that kylemanna/openvpn is a community image, not an official one per the search output above; pin a tag or digest rather than relying on :latest
$ hyper run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn-demo.hyper.sh -a SHA256
Successfully generated config
//initialize the PKI interactively (hence -it): CA key pair, server certificate, DH parameters and the tls-auth key
$ hyper run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
...
writing new private key to '/etc/openvpn/pki/private/ca.key.XXXXnnEDaj'
Enter PEM pass phrase: <<<=== (choose a strong CA pass phrase; it protects ca.key, which can sign new client certificates)
Verifying - Enter PEM pass phrase: <<<=== (input the same pass phrase again)
...
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: <<<=== (press Enter)
...
Enter pass phrase for /etc/openvpn/pki/private/ca.key: <<<=== (input password again)
...
Write out database with 1 new entries
Data Base Updated
//generate a client certificate whose private key is NOT encrypted (nopass): anyone holding the resulting profile can connect, so guard it like a password. Each step runs in its own --rm container because a volume can be bound to only one container at a time
$ hyper run -v ${OVPN_DATA}:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full jimmy nopass
...
Enter pass phrase for /etc/openvpn/pki/private/ca.key: <<<=== (input password again)
...
Write out database with 1 new entries
Data Base Updated
//export the client profile; it embeds the CA certificate, the client certificate and the unencrypted client key, so restrict it (chmod 600 jimmy.ovpn — the default mode shown below is group/world readable) and transfer it only over a secure channel
$ hyper run -v ${OVPN_DATA}:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient jimmy > jimmy.ovpn
$ ls -l jimmy.ovpn
-rw-rw-r-- 1 xjimmy xjimmy 4972 Jul 21 11:38 jimmy.ovpn
//run the openvpn server container, publishing only UDP 1194
$ hyper run --name myopenvpn -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp kylemanna/openvpn
//or enable debug output (verbose logging; useful for troubleshooting, not something to leave on in production)
$ hyper run --name myopenvpn -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp -e DEBUG=1 kylemanna/openvpn
//attach a public IP to the openvpn container: UDP 1194 becomes reachable from the Internet, gated only by the client certificate and the tls-auth key
$ hyper fip allocate 1
162.221.195.34
$ hyper fip associate 162.221.195.34 myopenvpn
//view container
$ hyper ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES PUBLIC IP
996592375b28 kylemanna/openvpn "ovpn_run" 3 minutes ago Up 2 minutes 0.0.0.0:1194->1194/udp myopenvpn 162.221.195.34
//view internal ip
$ hyper inspect 996592375b28 | grep -i ipaddress
"SecondaryIPAddresses": [],
"IPAddress": "172.16.0.50",
"IPAddress": "172.16.0.50",
//test from a client host that has openvpn installed. The /etc/hosts entry only makes the remote name in jimmy.ovpn resolve to the server's public IP; the server is authenticated by its certificate chaining to the CA embedded in the profile, not by this name
$ yum install -y openvpn
$ sudo sh -c 'echo "162.221.195.34 vpn-demo.hyper.sh" >> /etc/hosts'
$ sudo openvpn --config jimmy.ovpn
Thu Jul 21 13:06:56 2016 OpenVPN 2.3.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on May 10 2016
Thu Jul 21 13:06:56 2016 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Thu Jul 21 13:06:56 2016 Control Channel Authentication: tls-auth using INLINE static key file
Thu Jul 21 13:06:56 2016 UDPv4 link local: [undef]
Thu Jul 21 13:06:56 2016 UDPv4 link remote: [AF_INET]162.221.195.34:1194
Thu Jul 21 13:06:56 2016 [vpn-demo.hyper.sh] Peer Connection Initiated with [AF_INET]162.221.195.34:1194
Thu Jul 21 13:06:59 2016 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.3.11)
Thu Jul 21 13:06:59 2016 TUN/TAP device tun0 opened
Thu Jul 21 13:06:59 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jul 21 13:06:59 2016 /usr/sbin/ip link set dev tun0 up mtu 1500
Thu Jul 21 13:06:59 2016 /usr/sbin/ip addr add dev tun0 local 192.168.255.6 peer 192.168.255.5
Thu Jul 21 13:06:59 2016 Initialization Sequence Completed
ping the openvpn server's internal ip from the client (the "Options error ... block-outside-dns" line above is a pushed option this Linux client does not implement; it is harmless, and the tunnel still comes up as "Initialization Sequence Completed" shows)
$ ping 172.16.0.50
PING 172.16.0.50 (172.16.0.50) 56(84) bytes of data.
64 bytes from 172.16.0.50: icmp_seq=1 ttl=64 time=289 ms
64 bytes from 172.16.0.50: icmp_seq=2 ttl=64 time=286 ms
64 bytes from 172.16.0.50: icmp_seq=3 ttl=64 time=317 ms
^C
--- 172.16.0.50 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 286.223/297.892/317.535/13.971 ms
use another hyper account (the client container lives in a different account, i.e. a different 172.16.0.0/16 network)
//start hyper container as openvpn client
$ hyper run -it --name vpnclient centos:7.3.1611 bash
run the following commands in this hyper container:
//install openvpn
[root@a29e68de830f /]# yum install -y epel-release
[root@a29e68de830f /]# yum install -y openvpn
//paste jimmy.ovpn from above (it contains the client's private key; transfer it over a secure channel and delete it from the container when the test is done)
[root@a29e68de830f /]# vi jimmy.ovpn
//config /etc/hosts with the public IP currently associated with the server (this later run actually connected to 199.245.58.212, not 162.221.195.34 — check `hyper ps` / `hyper fip` before copying the line below)
[root@a29e68de830f /]# echo "162.221.195.34 vpn-demo.hyper.sh" >> /etc/hosts
//load the tun kernel module so the client can create its tun0 device
[root@a29e68de830f /]# modprobe tun
//connect to openvpn server
[root@a29e68de830f /]# openvpn --config jimmy.ovpn
Sat Sep 9 14:14:51 2017 OpenVPN 2.4.3 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 21 2017
Sat Sep 9 14:14:51 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Sat Sep 9 14:14:51 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]199.245.58.212:1194
Sat Sep 9 14:14:51 2017 UDP link local: (not bound)
Sat Sep 9 14:14:51 2017 UDP link remote: [AF_INET]199.245.58.212:1194
Sat Sep 9 14:14:51 2017 [vpn-demo.hyper.sh] Peer Connection Initiated with [AF_INET]199.245.58.212:1194
Sat Sep 9 14:14:52 2017 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.3)
Sat Sep 9 14:14:52 2017 TUN/TAP device tun0 opened
Sat Sep 9 14:14:52 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Sep 9 14:14:52 2017 /sbin/ip link set dev tun0 up mtu 1500
Sat Sep 9 14:14:52 2017 /sbin/ip addr add dev tun0 local 192.168.255.6 peer 192.168.255.5
Sat Sep 9 14:14:52 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Sep 9 14:14:52 2017 Initialization Sequence Completed
note:
each hyper account has its own subnet (172.16.0.0/16). The client container's default 172.16.0.0/16 route on eth0 also covers the server's internal address 172.16.0.50, so traffic to it never enters the tunnel; to reach an ip in another hyper account the route table must be updated so that only the client's own subnet stays on eth0.
//remove the default route for the whole local /16
[root@a29e68de830f /]# route del -net 172.16.0.0 netmask 255.255.0.0 eth0
//add back only the client's own local subnet as a /24 (255.255.0.0 -> 255.255.255.0). 172.16.6.0 is an example: use the subnet shown by `ip addr` for eth0, otherwise the container loses its local connectivity
[root@a29e68de830f /]# route add -net 172.16.6.0 netmask 255.255.255.0 eth0
//ping the openvpn server's internal ip, now reachable across accounts through the tunnel
[root@4e3cbaa82254 /]# ping -c3 172.16.0.50
PING 172.16.0.50 (172.16.0.50) 56(84) bytes of data.
64 bytes from 172.16.0.50: icmp_seq=1 ttl=64 time=1.51 ms
64 bytes from 172.16.0.50: icmp_seq=2 ttl=64 time=1.24 ms
64 bytes from 172.16.0.50: icmp_seq=3 ttl=64 time=1.22 ms
--- 172.16.0.50 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.222/1.325/1.510/0.131 ms