Scalingo OpenVPN Addon

Introduction

Sometimes, your application may need to reach an infrastructure which is not opened to the Internet and the only way to access the services or databases in this infrastructure are to create a VPN connection and join the private network of this infrastructure.

This addon provides a way to create VPN connections from your application containers using the OpenVPN technology.

Setup of the addon

Provision the addon

First, you need to provision the add to your application. This can be done through the dashboard or with our command line tool.

scalingo -a appname addons-add scalingo-vpn-openvpn vpn-openvpn-standard

Setup the configuration

From the addon tab of your dashboard, click on the OpenVPN addon icon to reach its dashboard. The following items can be configured:

  • OpenVPN client Configuration file required (Content of the config file, often named <name>.ovpn by providers)
  • CA Certificate required (X.509 certificate of the Certificate Authority used to sign the server certificate)
  • User Certificate required (X.509 certificate associated to the user)
  • User Private Key required (private key associated to the user)
  • User Private Key Passphrase optional (Key passphrase if the private key is encrypted)
  • Username/Password optional (Should be filled if authentication with login/password is required)

As stated in their description, these fields should be filled according to the OpenVPN Server configuration.

Example:

client
dev tun
proto tcp
remote <ip:port>
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
redirect-gateway autolocal
nobind
persist-key
persist-tun
ca ca.pem
cert cert.pem
key key.pem
auth-user-pass
cipher AES-256-CBC
auth SHA256
comp-lzo
route-delay 4
verb 3
reneg-sec 0

This is an example of OpenVPN configuration file. The instruction auth-user-pass shows that the connection requires a couple username/password, in this case the configuration should be correctly defined.

Once you’ve validated the configuration, the following environment variables will be added to your application environment:

  • SCALINGO_OPENVPN_CONF
  • SCALINGO_OPENVPN_CERT
  • SCALINGO_OPENVPN_CA
  • SCALINGO_OPENVPN_KEY
  • SCALINGO_OPENVPN_KEY_PASS
  • SCALINGO_OPENVPN_USERNAME
  • SCALINGO_OPENVPN_PASSWORD

The app will be restarted and you should see the output of the OpenVPN being setup:

-----> Starting OpenVPN connection…
 Socket Buffers: R=[87380->131072] S=[16384->131072]
 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 22 2017
 Attempting to establish TCP connection with [AF_INET]<IP:PORT> [nonblock]
 TCP connection established with [AF_INET]<IP:PORT>
 TCPv4_CLIENT link remote: [AF_INET]<IP PORT>
 TCPv4_CLIENT link local: [undef]
 TLS: Initial packet from [AF_INET]<IP PORT>, sid=a0081f01 2f804579
 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
 [<remote host>] Peer Connection Initiated with [AF_INET]<IP:PORT>
 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
 SENT CONTROL [dpr-scafw01]: 'PUSH_REQUEST' (status=1)
 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:10
 /sbin/ip addr add dev tun0 local <local VPN IP> peer <remote VPN IP>
 TUN/TAP TX queue length set to 100
 TUN/TAP device tun0 opened
 /sbin/ip link set dev tun0 up mtu 1500
 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
 OPTIONS IMPORT: timers and/or timeouts modified
 OPTIONS IMPORT: route options modified
 /sbin/ip route add <gateway>/32 via 172.17.0.1
 Initialization Sequence Completed
 /sbin/ip route add <private network> via <remote VPN IP>
-----> OpenVPN connected

Q&A

  • What happen if the connection is cut?

The openvpn automatically schedules reconnections, using an exponential backoff logics (restart instantly first time, then wait longer and longer according to the number of consecutive failures).

  • Where can I find an comprehensive documentation of OpenVPN Config files?

The official OpenVPN wiki contains everything you might need to configure the OpenVPN client and server.

schedule 01 Dec 2017