Sometimes, your application may need to reach an infrastructure which is not opened to the Internet and the only way to access the services or databases in this infrastructure are to create a VPN connection and join the private network of this infrastructure.
This addon provides a way to create VPN connections from your application containers using the OpenVPN technology.
Setup of the Addon
Provision the Addon
First, you need to provision the add to your application. This can be done through the web dashboard or with our command line tool:
scalingo --app my-app addons-add scalingo-vpn-openvpn vpn-openvpn-standard
Setup the Configuration
From the addon tab of your dashboard, click on the OpenVPN addon icon to reach its dashboard. The following items can be configured:
- OpenVPN client Configuration file required (Content of the configuration file, often named
- CA Certificate required (X.509 certificate of the Certificate Authority used to sign the server certificate)
- User Certificate required (X.509 certificate associated to the user)
- User Private Key required (private key associated to the user)
- User Private Key Passphrase optional (Key passphrase if the private key is encrypted)
- Username/Password optional (Should be filled if authentication with login/password is required)
As stated in their description, these fields should be filled according to the OpenVPN Server configuration.
client dev tun proto tcp remote <ip:port> route remote_host 255.255.255.255 net_gateway resolv-retry infinite redirect-gateway autolocal nobind persist-key persist-tun ca ca.pem cert cert.pem key key.pem auth-user-pass cipher AES-256-CBC auth SHA256 comp-lzo route-delay 4 verb 3 reneg-sec 0
This is an example of OpenVPN configuration file. The instruction
auth-user-pass shows that the connection requires a couple
username/password, in this case the configuration should be correctly defined.
Once you’ve validated the configuration, the following environment variables will be added to your application environment:
The app will be restarted and you should see the output of the OpenVPN being setup:
-----> Starting OpenVPN connection… Socket Buffers: R=[87380->131072] S=[16384->131072] OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 22 2017 Attempting to establish TCP connection with [AF_INET]<IP:PORT> [nonblock] TCP connection established with [AF_INET]<IP:PORT> TCPv4_CLIENT link remote: [AF_INET]<IP PORT> TCPv4_CLIENT link local: [undef] TLS: Initial packet from [AF_INET]<IP PORT>, sid=a0081f01 2f804579 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA [<remote host>] Peer Connection Initiated with [AF_INET]<IP:PORT> Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication SENT CONTROL [dpr-scafw01]: 'PUSH_REQUEST' (status=1) ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:10 /sbin/ip addr add dev tun0 local <local VPN IP> peer <remote VPN IP> TUN/TAP TX queue length set to 100 TUN/TAP device tun0 opened /sbin/ip link set dev tun0 up mtu 1500 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 OPTIONS IMPORT: timers and/or timeouts modified OPTIONS IMPORT: route options modified /sbin/ip route add <gateway>/32 via 172.17.0.1 Initialization Sequence Completed /sbin/ip route add <private network> via <remote VPN IP> -----> OpenVPN connected
What happen if the connection is cut?
The OpenVPN automatically schedules reconnections, using an exponential backoff logics (restart instantly first time, then wait longer and longer according to the number of consecutive failures).
Where can I find a comprehensive documentation of OpenVPN configuration files?
The official OpenVPN wiki contains everything you might need to configure the OpenVPN client and server.
What version of the OpenVPN client is available?
It depends on the stack:
I would like to configure the DNS with the
dhcp-option configuration, is it possible?
The use of the
dhcp-option is not possible on Scalingo. It is mandatory to use Scalingo DNS, for instance to resolve databases domain name. A solution to circumvent this limitation is to create a public domain name which resolves to a private IP address.