SwarmLab-HowTos/labs/sec/ex-5_iptables.adoc

= VPN!
Apostolos rootApostolos@swarmlab.io
// Metadata:
:description: Intro and Install
:keywords: sec, tcpdump
:data-uri:
:toc: right
:toc-title: Πίνακας περιεχομένων
:toclevels: 4
:source-highlighter: highlight
:icons: font
:sectnums: 



{empty} +



[[cheat-Docker]]
== Install docker (Home PC)

HowTo: See http://docs.swarmlab.io/SwarmLab-HowTos/labs/Howtos/docker/install.adoc.html[How to^]




.NOTE
[NOTE]
====
Assuming you're already logged in
====



== VPN

A ***virtual private network (VPN)*** extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running on a computing device, e.g., a laptop, desktop, smartphone, across a VPN may therefore benefit from the functionality, security, and management of the private network. Encryption is a common, though not an inherent, part of a VPN connection

https://en.wikipedia.org/wiki/Virtual_private_network[More: wikipedia]

image::495px-VPN_overview-en.svg.png[VPN connectivity overview]

.NOTE
[NOTE]
====
**OpenVPN** is an open-source software that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).

https://en.wikipedia.org/wiki/OpenVPN[More: wikipedia]
====


== Create VPN


.create-vpn.sh
[source,bash]
----
#!/bin/bash
IP=127.0.0.1                                            # Server IP       // <1>
P=1194                                                  # Server Port     // <2>
OVPN_SERVER='10.80.0.0/16'                              # VPN Network     // <3>

#vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/   # Dir to save data ** this must exist **
vpn_data=$PWD/openvpn-services/                                           // <4>
if [ ! -d $vpn_data ]; then
 mkdir -p $vpn_data
fi

NAME=swarmlab-vpn-services                              # name of docker service // <5>
DOCKERnetwork=swarmlab-vpn-services-network             # docker network
docker=registry.vlabs.uniwa.gr:5080/myownvpn            # docker image

docker stop  $NAME					      #stop container 
sleep 1
docker container rm  $NAME				#rm container

# rm config files 
rm -f $vpn_data/openvpn.conf.*.bak
rm -f $vpn_data/openvpn.conf
rm -f $vpn_data/ovpn_env.sh.*.bak
rm -f $vpn_data/ovpn_env.sh

# create network
sleep 1
docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork

#run container        see ovpn_genconfig
docker run --net=none -it -v $vpn_data:/etc/openvpn  -p 1194:1194 --rm $docker ovpn_genconfig  -u udp://$IP:1194 \
-N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER   // <6>

# create pki          see ovpn_initpki 
docker run --net=none -v $vpn_data:/etc/openvpn  --rm -it $docker ovpn_initpki     // <7>

#                     see ovpn_copy_server_files 
#docker run --net=none -v $vpn_data:/etc/openvpn  --rm $docker ovpn_copy_server_files

#create vpn           see --cap-add=NET_ADMIN
sleep 1
docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker  // <8>

sudo sysctl -w net.ipv4.ip_forward=1

#show created
docker ps
----
<1> *localhost* inside of a container will resolve to the network stack of this container
<2> Port 
<3> Specify Addresses and Netmasks   for VPN Clients
<4> Directory to mount data
<5> Name of docker services
<6> Create config
<7> keys
<8> Run docker vpn service 


== Create user

.create-user.sh
[source,bash]
----
USERNAME=test1
vpn_data=$PWD/openvpn-services/
docker=registry.vlabs.uniwa.gr:5080/myownvpn           

docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $USERNAME nopass
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $USERNAME  > $USERNAME.ovpn
----

[source,bash]
.add to $USERNAME.ovpn file
----
client
nobind
dev tun
comp-lzo
resolv-retry infinite
keepalive 15 60

remote-cert-tls server
remote 192.168.1.5 1194 udp // <1>
float
----
<1> Host machine's  IP. Not Docker Container IP Address 

== rm vpn user

.rm-user.sh
[source,bash]
----
#!/bin/bash

CLIENTNAME=test1
U=$CLIENTNAME

vpn_data=$PWD/openvpn-services/
docker=registry.vlabs.uniwa.gr:5080/myownvpn           

rm -f $vpn_data/pki/reqs/$CLIENTNAME.req
rm -f $vpn_data/pki/private/$CLIENTNAME.key
rm -f $vpn_data/pki/issued/$CLIENTNAME.crt
rm -f $vpn_data/server/ccd/$CLIENTNAME
rm -f $vpn_data/ccd/$CLIENTNAME
pem=$(sudo grep "CN=$U$"  $vpn_data/pki/index.txt | cut  -f4)

rm -f $vpn_data/pki/certs_by_serial/$pem.pem
sed -i "/CN=$U$/d"  $vpn_data/pki/index.txt
echo $pem
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient  $CLIENTNAME remove

rm -f $vpn_data_user_config/$CLIENTNAME.ovpn
rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn
----

== show all vpn users

.show-user.sh
[source,bash]
----
NAME=swarmlab-vpn-services                              # name of docker service
docker exec -it  $NAME ovpn_listclients
----

== show all connected vpn users

.show-conn-user.sh
[source,bash]
----
NAME=swarmlab-vpn-services                              # name of docker service
docker exec -it  $NAME  cat /tmp/openvpn-status.log
----

== client connect 

.client connect
[source,bash]
----
openvpn --config ./clientfile.vpn
----




:hardbreaks:

{empty} +
{empty} +
{empty} 

:!hardbreaks:

'''

.Reminder
[NOTE]
====
:hardbreaks:
Caminante, no hay camino, 
se hace camino al andar.

Wanderer, there is no path, 
the path is made by walking.

*Antonio Machado* Campos de Castilla
====