Initialize Ubuntu Host Device and Set Up a Basic Firewall
Working on Ubuntu 16.04 sever. (login as root).
# apt-get update # apt-get install ufw
Enable ufw
IPv6 make sure IPV6=yes
into the file /etc/default/ufw
or set it to yes.
# vim /etc/default/ufw
Enable firewall ufw
# ufw default deny incoming # ufw default allow outgoing # ufw allow ssh # ufw allow 1194/udp # ufw allow 1194/tcp # ufw enable
Check UFW
Status, and app list
# ufw status Status: active To Action From -- ------ ---- 22 ALLOW Anywhere 1194/udp ALLOW Anywhere 1194/tcp ALLOW Anywhere 22 (v6)ALLOW Anywhere (v6) 1194/udp (v6) ALLOW Anywhere (v6) 1194/tcp (v6) ALLOW Anywhere (v6)
Allowing VPN Firewall/Create mysterium-node firewall rules
# sysctl -w net.ipv4.ip_forward=1 # ufw default allow FORWARD
Extend SSH
daemon timeout
# vim /etc/ssh/sshd_config and set ClientAliveInterval 120 ClientAliveCountMax 720 # systemctl restart sshd
Installing Docker
Installs Docker, Docker Compose, and python pip – always latest version during deploy.
# apt-get install -y \ apt-transport-https \ ca-certificates \ software-properties-common \ gnupg-agent \ python-pip \ nano screen \ bash-completion command-not-found \ mlocate \ htop iotop \ ncdu mc vim curl wget # curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - # add-apt-repository \ "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ $(lsb_release -cs) \ stable" # apt-get update # apt-get install docker-ce docker-ce-cli containerd.io # pip install -U docker-compose # docker-compose --version
VPN Container #1:
Start To start VPN server as a docker container that Based on [mobtitude/vpn-pptp docker image], This docker image with simple VPN (PPTP) server with chap-secrets authentication.
# VPN_USERNAME="VPNUser" # VPN_PASSWORD = "VPNPassword"
PPTP
uses /etc/ppp/chap-secrets
file to authenticate VPN
users. You will need to create a file on your own and link it to docker when starting a container.
# cat >>/etc/ppp/chap-secrets< # Secrets for authentication using PAP > # client server secret acceptable local IP addresses > $VPN_USERNAME * $VPN_PASSWORD * > EOF
Strating the Server
# docker run -d --privileged -p 1723:1723 -v /etc/ppp/chap-secrets:/etc/ppp/chap-secrets mobtitude/vpn-pptp
new docker version >= 1.7.1
# docker run -d --privileged --net=host -v /etc/ppp/chap-secrets:/etc/ppp/chap-secrets mobtitude/vpn-pptp
[`–net=host`] Use host networking
refer to Docker documents
If you use the host network driver for a container, that container’s network stack is not isolated from the Docker host. For instance, if you run a container which binds to port 80 and you use host networking, the container’s application will be available on port 80 on the host’s IP address.
[`–privileged`] Privileged containers and capabilities
Full container capabilities (–privileged)
The
--privileged
flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.
To start a container in detached mode, you use -d=true or just -d option. By design, containers started in detached mode exit when the root process used to run the container exits, unless you also specify the
--rm
option. If you use-d
with--rm
, the container is removed when it exits or when the daemon exits, whichever happens first.
–volume , -v Bind mount a volume
[`-v`] Volumes are the preferred mechanism for persisting data generated by and used by Docker containers.
Checking Works port on host
# netstat -puntl root@localhost:~# netstat -puntl Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3234/sshd TCP 0 0 0.0.0.0:***1723*** 0.0.0.0:* LISTEN 10733/PPTPD tcp6 0 0 :::22 :::* LISTEN 3234/sshd
Connecting to VPN service
You can use any VPN (PPTP)
client to connect to the service. To authenticate use credentials provided in chap-secrets file.
SoftEtherVPN Container #2:
For more, we can Setting up L2TP/IPSec Server container, that using docker file of [`siomiz/softethervpn`]
# L2TP_PSK="netslover" # docker run -d --cap-add NET_ADMIN -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp -p 1194:1194/udp -p 5555:5555/tcp -e PSK=$L2TP_PSK -e USERNAME=$VPN_USERNAME -e PASSWORD=$VPN_PASSWORD siomiz/softethervpn
--env
, -e
is used to Set environment variables.
Mix and match published ports:
- -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp for L2TP/IPSec.
- -p 1194:1194/udp for OpenVPN.
- -p 443:443/tcp for OpenVPN over HTTPS.
- -p 5555:5555/tcp for SoftEther VPN (recommended by vendor).
- -p 992:992/tcp is also available as alternative.
All optional:
- -e PSK: Pre-Shared Key (PSK), if not set: “notasecret” (without quotes) by default.
- -e USERS: Multiple usernames and passwords may be set with the following pattern: username:password;user2:pass2;user3:pass3. Username and passwords are separated by :. Each pair of username:password should be separated by ;. If not set a single user account with a random username (“user[nnnn]”) and a random weak password is created.
- -e SPW: Server management password.
- -e HPW: “DEFAULT” hub management password.
- Single-user mode (usage of -e USERNAME and -e PASSWORD) is still supported.