Scalingo OpenVPN Addon
Introduction
Sometimes, your application may need to reach an infrastructure which is not opened to the Internet and the only way to access the services or databases in this infrastructure are to create a VPN connection and join the private network of this infrastructure.
With this addon, only the traffic targeting your VPN network will go through the VPN. The rest of the traffic keeps being routed as usual.
This addon provides a way to create VPN connections from your application containers using the OpenVPN technology.
Setup of the Addon
Provision the Addon
First, you need to provision the add to your application. This can be done through the web dashboard or with our command line tool:
scalingo --app my-app addons-add scalingo-vpn-openvpn vpn-openvpn-standard
Setup the Configuration
From the addon tab of your dashboard, click on the OpenVPN addon icon to reach its dashboard. The following items can be configured:
- OpenVPN client Configuration file required (Content of the configuration file, often named
<name>.ovpn
by providers) - CA Certificate required (X.509 certificate of the Certificate Authority used to sign the server certificate)
- User Certificate required (X.509 certificate associated to the user)
- User Private Key required (private key associated to the user)
- User Private Key Passphrase optional (Key passphrase if the private key is encrypted)
- Username/Password optional (Should be filled if authentication with login/password is required)
As stated in their description, these fields should be filled according to the OpenVPN Server configuration.
For the deployment to succeed, the following IPs shouldn’t be routed through OpenVPN:
- 10.0.0.0/24
- 10.20.0.0/16
Example
client
dev tun
proto tcp
remote <ip:port>
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
redirect-gateway autolocal
nobind
persist-key
persist-tun
ca ca.pem
cert cert.pem
key key.pem
auth-user-pass
cipher AES-256-CBC
auth SHA256
comp-lzo
route-delay 4
verb 3
reneg-sec 0
This is an example of OpenVPN configuration file. The instruction
auth-user-pass
shows that the connection requires a couple
username/password, in this case the configuration should be correctly defined.
Once you’ve validated the configuration, the following environment variables will be added to your application environment:
SCALINGO_OPENVPN_CONF
SCALINGO_OPENVPN_CERT
SCALINGO_OPENVPN_CA
SCALINGO_OPENVPN_KEY
SCALINGO_OPENVPN_KEY_PASS
SCALINGO_OPENVPN_USERNAME
SCALINGO_OPENVPN_PASSWORD
The app will be restarted and you should see the output of the OpenVPN being setup:
-----> Starting OpenVPN connection…
Socket Buffers: R=[87380->131072] S=[16384->131072]
OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 22 2017
Attempting to establish TCP connection with [AF_INET]<IP:PORT> [nonblock]
TCP connection established with [AF_INET]<IP:PORT>
TCPv4_CLIENT link remote: [AF_INET]<IP PORT>
TCPv4_CLIENT link local: [undef]
TLS: Initial packet from [AF_INET]<IP PORT>, sid=a0081f01 2f804579
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
[<remote host>] Peer Connection Initiated with [AF_INET]<IP:PORT>
Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
SENT CONTROL [dpr-scafw01]: 'PUSH_REQUEST' (status=1)
ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:10
/sbin/ip addr add dev tun0 local <local VPN IP> peer <remote VPN IP>
TUN/TAP TX queue length set to 100
TUN/TAP device tun0 opened
/sbin/ip link set dev tun0 up mtu 1500
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: route options modified
/sbin/ip route add <gateway>/32 via 172.17.0.1
Initialization Sequence Completed
/sbin/ip route add <private network> via <remote VPN IP>
-----> OpenVPN connected
Q&A
What happen if the connection is cut?
The OpenVPN automatically schedules reconnections, using an exponential backoff logics (restart instantly first time, then wait longer and longer according to the number of consecutive failures).
Where can I find a comprehensive documentation of OpenVPN configuration files?
The official OpenVPN wiki contains everything you might need to configure the OpenVPN client and server.
What version of the OpenVPN client is available?
It depends on the stack:
I would like to configure the DNS with the dhcp-option
configuration, is it possible?
The use of the dhcp-option
is not possible on Scalingo. It is mandatory to use Scalingo DNS, for instance to resolve databases domain name. A solution to circumvent this limitation is to create a public domain name which resolves to a private IP address.