How to run OpenVPN?

Is it possible to run OpenVPN on fly? If so please tell me. I want to host pihole and openvpn on fly!

1 Like

It probably is, we haven’t tried it though! If you figure it out you should post your Dockerfile here.

We recently created a build using an OpenVPN Client on a Fly Nginx Reverse-Proxy app to send its logs securely to a remote syslog server, so I’ll share the config for anyone else that wants to implement.

Dockerfile:

FROM nginx:alpine

RUN mkdir -p /dev/net && \
    mknod /dev/net/tun c 10 200 && \
    chmod 600 /dev/net/tun

RUN apk update && \
    apk add openvpn rsyslog net-snmp net-snmp-tools iproute2 bash supervisor curl

ADD nginx.conf /etc/nginx/conf.d/default.conf
ADD conf/nginx/conf.d/proxy_cache.conf /etc/nginx/conf.d/proxy_cache.conf
ADD errors /etc/nginx/conf.d/errors
ADD network.conf /etc/sysctl.d/network.conf
ADD vpn/ /etc/openvpn/
ADD supervisor.conf /app/
ADD rsyslog.conf /etc/rsyslog.conf
ADD snmpd.conf /etc/snmp/snmpd.conf

CMD /usr/bin/supervisord -c /app/supervisor.conf

ENV NGINX_PORT=8080

OpenVPN client config, keys and certs are held in the /vpn folder copied to /etc/openvpn.

The tun device creation is specifically for builds, as the device already exists on Fly.

supervisor.conf:

[supervisord]
logfile=/var/log/supervisord
logfile_maxbytes=0
loglevel=info
pidfile=/tmp/supervisord.pid
nodaemon=true
user=root

[unix_http_server]
file=/tmp/supervisor.sock

[program:openvpn]
directory=/etc/openvpn
command=/usr/sbin/openvpn --config /etc/openvpn/client.conf
user=root
autostart=true
autorestart=true
startsec=0
stopwaitsec=0
stopasgroup=true
killasgroup=true
stdout_logfile=/dev/stdout
stderr_logfile=/dev/stderr
stdout_logfile_maxbytes=0
stderr_logfile_maxbytes=0

[program:nginx]
command=/usr/sbin/nginx

[program:rsyslog]
command=/usr/sbin/rsyslogd

[program:snmpd]
command=/usr/sbin/snmpd

The only hangup was making sure nginx was present for the health checks, but once it was added to supervisor it worked like a charm.

network.conf:

net.ipv4.ip_forward=1

EDIT: You will need this file to enable forwarding for VPN routing.

Wow.

Are you running the OpenVPN server yourself? That’s pretty amazing and I’m impressed you got it working.

1 Like

Absolutely! The Fly app is just acting as a client with the remote IDS/Logging server which runs the OpenVPN server.

Not quite sure what changed over the weekend to cause this build to fail, but had to explicitly set the supervisor processes to work in the foreground to deploy again today. Here’s an updated supervisor.conf file:

[supervisord]
logfile=/var/log/supervisord
logfile_maxbytes=0
loglevel=info
pidfile=/tmp/supervisord.pid
nodaemon=true
user=root

[unix_http_server]
file=/tmp/supervisor.sock

[program:openvpn]
directory=/etc/openvpn
command=/usr/sbin/openvpn --config /etc/openvpn/client.conf
autostart=true
autorestart=true
startsec=0
stopwaitsec=0
stopasgroup=true
killasgroup=true
stdout_logfile=/dev/stdout
stderr_logfile=/dev/stderr
stdout_logfile_maxbytes=0
stderr_logfile_maxbytes=0

[program:nginx]
command=/usr/sbin/nginx -g 'daemon off;'
autorestart=true
startsec=0
stopwaitsec=0
stopasgroup=true
killasgroup=true
stdout_logfile=/dev/stdout
stderr_logfile=/dev/stderr
stdout_logfile_maxbytes=0
stderr_logfile_maxbytes=0

[program:rsyslog]
command=/usr/sbin/rsyslogd -n
autorestart=true

[program:snmpd]
command=/usr/sbin/snmpd -f
autorestart=true

Similarity, Can We host a Host a Outline Server on Fly.io?