swichers · September 21, 2021 01:27
diff --git a/docker-compose.yml b/docker-compose.yml
 # This is useful to have an isolated VPN setup that lets you route SSH traffic
 # without touching other traffic on the host.
 #
 # SETUP: 
 #   mkdir ./config
 #   cat ~/.ssh/id_rsa.pub > config/bastion_keys
 #   cp path/to/your.ovpn config/
 #   chmod 0700 config
 #   chmod 0400 config/bastion_keys
 #   chown -R 4096:4096 config
 #
 # USAGE: 
 #   docker-compose up -d
 #   ssh -J [email protected]:22222 example01
 #
 # PROTIP: 
 # Configure jumphosts in your SSH config so you can do ssh vpn-example01 instead
 #
 #   Host vpn-example01
 #     ProxyJump [email protected]:22222
 #     HostName example01
 #     Port 22

 version: '3.7'
      
 services: 
  vpn:
    image: dperson/openvpn-client:latest
    container_name: vpn
    restart: unless-stopped
    networks:
      - default
    read_only: true
    tmpfs:
      - /run
      - /tmp
    security_opt:
      - label:disable
    stdin_open: true
    tty: true
    cap_add:
      - NET_ADMIN
    environment:
      - TZ=America/Los_Angeles
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - $PWD/config:/vpn:ro
    ports:
      - 22222:22/tcp
    healthcheck:
      test: ["CMD", "curl", "-Ss", "ifconfig.co"]
      interval: 60s
      timeout: 15s

  bastion:
    image: binlab/bastion
    container_name: bastion
    restart: unless-stopped
    depends_on:
      - vpn
    network_mode: "service:vpn"
    environment:
      PUBKEY_AUTHENTICATION: "true"
      GATEWAY_PORTS: "false"
      PERMIT_TUNNEL: "false"
      X11_FORWARDING: "false"
      TCP_FORWARDING: "true"
      AGENT_FORWARDING: "true"
      AUTHORIZED_KEYS: "/var/lib/bastion/config/bastion_keys"
    volumes:
      - $PWD/config:/var/lib/bastion/config:ro
      - bastion:/usr/etc/ssh:rw

 networks:
  default:

 volumes:
  bastion:
	# This is useful to have an isolated VPN setup that lets you route SSH traffic
	# without touching other traffic on the host.
	#
	# SETUP:
	# mkdir ./config
	# cat ~/.ssh/id_rsa.pub > config/bastion_keys
	# cp path/to/your.ovpn config/
	# chmod 0700 config
	# chmod 0400 config/bastion_keys
	# chown -R 4096:4096 config
	#
	# USAGE:
	# docker-compose up -d
	# ssh -J [email protected]:22222 example01
	#
	# PROTIP:
	# Configure jumphosts in your SSH config so you can do ssh vpn-example01 instead
	#
	# Host vpn-example01
	# ProxyJump [email protected]:22222
	# HostName example01
	# Port 22

	version: '3.7'

	services:
	vpn:
	image: dperson/openvpn-client:latest
	container_name: vpn
	restart: unless-stopped
	networks:
	- default
	read_only: true
	tmpfs:
	- /run
	- /tmp
	security_opt:
	- label:disable
	stdin_open: true
	tty: true
	cap_add:
	- NET_ADMIN
	environment:
	- TZ=America/Los_Angeles
	devices:
	- /dev/net/tun:/dev/net/tun
	volumes:
	- $PWD/config:/vpn:ro
	ports:
	- 22222:22/tcp
	healthcheck:
	test: ["CMD", "curl", "-Ss", "ifconfig.co"]
	interval: 60s
	timeout: 15s

	bastion:
	image: binlab/bastion
	container_name: bastion
	restart: unless-stopped
	depends_on:
	- vpn
	network_mode: "service:vpn"
	environment:
	PUBKEY_AUTHENTICATION: "true"
	GATEWAY_PORTS: "false"
	PERMIT_TUNNEL: "false"
	X11_FORWARDING: "false"
	TCP_FORWARDING: "true"
	AGENT_FORWARDING: "true"
	AUTHORIZED_KEYS: "/var/lib/bastion/config/bastion_keys"
	volumes:
	- $PWD/config:/var/lib/bastion/config:ro
	- bastion:/usr/etc/ssh:rw

	networks:
	default:

	volumes:
	bastion: