@Koubek
Last active March 16, 2023 22:42
How to connect a PC behind VPN gateway using Docker

VPN-client-on-Docker


This approach runs the VPN clients in Docker containers, which need a Linux kernel. For that reason the setup uses one shared Linux server hosting multiple VPN containers, and everyone in the company reaches the remote systems through these shared instances.

I haven't tested this concept on my Win10 machine running Linux containers (switching Docker to Linux containers mode). I suppose it will be possible in the near future to run containers on both platforms simultaneously. Even then I am not sure whether the networking stack of Docker on Windows will allow us to run these VPN client containers correctly. I will test it in the future, or if anyone else does, I'll be happy to know the results.


I have created and published the following images:

Each image (one per VPN type) has its own configuration specific to that VPN client. The details, including how to configure and run a container from each image, are described on Docker Hub.

Here I describe the overall process from a higher perspective: the goal is an overview that applies to every image, leaving out the image-specific details.


We will use the following schema as a practical example; it should make the concept and the container configuration easier to understand.

vpnclientondocker


On the schema we can see the following elements:

  • 129.168.0.11, in the central part of the drawing, is our Docker host. All vpn-client containers run here. The host publishes ports in the range 51121 to 51125; end users connect to the host IP combined with one of these ports, and each port is linked to a specific container through Docker port mapping.
  • 172.17.0.2 - 172.17.0.6 are our VPN containers. The VPN client software runs inside them, and each container has its own network interface. Port 3380 is shown next to the IP inside each container: every container listens for RDP on this port (this is fixed inside the provided Docker images), and the port mapping wires each container's IP:3380 to a specific Docker host port from the previous point.
  • 81.127.54.46 and 89.101.12.119 are the VPN gateways, the endpoints the VPN client containers connect to. Each can be given as an IP address or a domain name, optionally paired with a specific port.
  • 192.168.1.25 and 172.16.201.17 are the target remote terminals, the destination PCs behind the VPN gateways to which end users are redirected; you reach the RDP service of these machines. This is a limitation by design: each container forwards to exactly one target IP and port. If you need to reach other PCs, you must hop to them from that first endpoint (multihop).

Let's say you are working on a notebook/workstation with IP 192.168.0.151. You need to reach your customer Customer1, whose VPN gateway has the IP address 81.127.54.46 and listens on port 443. The customer runs a Forti VPN, so you will use the koubek/docker-forticlient Docker image. You also know that there is a terminal server 192.168.1.25 in the remote LAN, and this will be your RDP target.

And now the magic: you spin up a container that does everything necessary. This is the basic command (written for PowerShell, whose line-continuation character is the backtick; in a Linux shell replace the trailing backticks with backslashes):

docker run `
    --name vpn-customer1 `
    --privileged `
    -p 51121:3380 `
    -e "VPNADDR=81.127.54.46:443" `
    -e "VPNUSER=[vpn-user-id]" `
    -e "VPNPASS=[vpn-pwd]" `
    -e "VPNRDPIP=192.168.1.25" `
    koubek/docker-forticlient

Let's describe the parameters, starting with those that are common to all images.

  • --name is just the container name. You can omit it, but I recommend using the customer name here so that the container is easy to identify.
  • --privileged is mandatory for these images: the VPN clients need elevated privileges to create their tunnel interface and routes. Be aware that --privileged gives the container all capabilities, access to every host device, and no seccomp or AppArmor confinement, so the container is effectively root on the Docker host. It should be possible to drop --privileged and grant only the specific capabilities and devices the client needs (typically CAP_NET_ADMIN plus the tunnel device, /dev/net/tun or /dev/ppp depending on the client), but the exact minimum varies per VPN client type and is out of the scope of this document.
  • -p 51121:3380 is the port mapping mentioned before. This is how we wire a Docker host port to the container's internal port, which expects RDP traffic. On the left is the Docker host's port, on the right the container's internal port; the latter is fixed by each image (I set the same port, 3380, for all images), so you only ever need to choose the left part ;)

The following env parameters (their names can vary per Docker image) carry values that your customer defines:

  • -e "VPNADDR=81.127.54.46:443" is the address of the remote VPN gateway. Your customer gives you this information.
  • -e "VPNUSER=[vpn-user-id]" is the VPN username, also provided by your customer.
  • -e "VPNPASS=[vpn-pwd]" is the VPN user's password, also provided by your customer. Note that a value passed with -e ends up in your shell history and in the container's configuration, where anyone with access to the Docker socket can read it with docker inspect. Putting VPNUSER and VPNPASS into a file readable only by you and passing it with --env-file keeps the password out of your shell history at least; whoever controls the Docker socket on the host can read it regardless.
  • -e "VPNRDPIP=192.168.1.25" is the remote terminal server. You are redirected straight to it when you run an RDP client. Your customer gives you this address too.
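The same procedure for several customers at once, as an added example that is not part of the original gist or its images: a small POSIX shell script that turns the one-off docker run above into a generator, one container per customer, each RDP port published on one chosen host address rather than on all interfaces, VPN credentials kept in a mode-0600 file passed with --env-file, and a check that no two customers share a host port. Only the image name, the env variable names VPNADDR/VPNUSER/VPNPASS/VPNRDPIP and container port 3380 come from the gist; the customer table, the listen address 10.0.0.5, the env-file directory and the PRIV_FLAGS override are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the gist or its Docker images.
# From the gist: image name, env var names VPNADDR/VPNUSER/VPNPASS/VPNRDPIP,
# container port 3380. Constructed here (assumptions): the customer table,
# the listen address 10.0.0.5, the env-file directory, the PRIV_FLAGS override.
set -eu

# Publish RDP ports on one internal address (or 127.0.0.1) rather than on
# every interface; whoever can reach this port has a path into the customer LAN.
LISTEN_ADDR="${LISTEN_ADDR:-10.0.0.5}"
# Directory holding one credential file per customer.
ENV_DIR="${ENV_DIR:-${HOME:-.}/.vpn-env}"
# The gist's images are documented to need --privileged. If you verify that an
# image runs with less, override e.g. PRIV_FLAGS='--cap-add NET_ADMIN --device /dev/ppp'
# (assumption: the minimal set depends on the VPN client and is not tested here).
PRIV_FLAGS="${PRIV_FLAGS:---privileged}"

# Constructed customer table: name host_port vpn_gateway:port rdp_target image
CUSTOMERS='
customer1 51121 81.127.54.46:443 192.168.1.25 koubek/docker-forticlient
customer2 51122 89.101.12.119:443 172.16.201.17 koubek/docker-forticlient
'

# write_env_file NAME USER PASS: store the VPN credentials for NAME in a file
# only the calling user can read; prints the file path.
write_env_file() {
    local name user pass path
    name=$1; user=$2; pass=$3
    mkdir -p "$ENV_DIR" && chmod 700 "$ENV_DIR"
    path="$ENV_DIR/$name.env"
    rm -f "$path"
    # umask 077 makes the new file 0600 before any data is written to it.
    ( umask 077; printf 'VPNUSER=%s\nVPNPASS=%s\n' "$user" "$pass" > "$path" )
    printf '%s\n' "$path"
}

# run_cmd NAME HOST_PORT VPNADDR RDP_IP IMAGE ENV_FILE: print the docker run
# line for one customer. Secrets come from ENV_FILE, so the command line and
# the shell history carry only non-secret settings (docker inspect still shows
# the container environment to anyone with Docker socket access).
run_cmd() {
    printf 'docker run -d --name vpn-%s %s -p %s:%s:3380 -e VPNADDR=%s -e VPNRDPIP=%s --env-file %s %s\n' \
        "$1" "$PRIV_FLAGS" "$LISTEN_ADDR" "$2" "$3" "$4" "$6" "$5"
}

# check_ports TABLE: succeed only if every host port in TABLE is used once;
# two containers cannot publish the same host port.
check_ports() {
    local dups
    dups=$(printf '%s\n' "$1" | awk 'NF >= 2 { print $2 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# main: validate the table and print one docker run command per customer,
# with a reminder for any customer whose credential file does not exist yet.
main() {
    check_ports "$CUSTOMERS" || { echo "error: duplicate host port in customer table" >&2; return 1; }
    printf '%s\n' "$CUSTOMERS" | while read -r name port vpnaddr rdpip image; do
        [ -n "$name" ] || continue
        envfile="$ENV_DIR/$name.env"
        [ -f "$envfile" ] || printf '# create %s first: write_env_file %s USER PASS\n' "$envfile" "$name"
        run_cmd "$name" "$port" "$vpnaddr" "$rdpip" "$image" "$envfile"
    done
}

main
```

Running the script only prints the commands, so you can review them before pasting them on the Docker host; create each credential file once with write_env_file, and change LISTEN_ADDR to 127.0.0.1 if the tunnels should be reachable only from the host itself.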

Once the container is running, just start your favorite RDP client. Enter the IP of your Linux Docker host combined with the port that redirects your RDP session into the specific container; in our case that is 129.168.0.11:51121. Then enter the credentials of the remote terminal and you are there :)

image


You can use RDP features such as the clipboard, your local drives and printers, provided the remote terminal server permits those redirections.

The next benefit is that you can access multiple customers in parallel, you won't break your local networking stack (especially the routing tables), and if your Docker host IP is reachable by everyone in your company, you can share one connection across the whole company. Keep in mind what that sharing means: anyone who can reach a published port on the Docker host gets a path into that customer's network, protected only by the remote terminal's RDP credentials. Restrict access with the host firewall, or publish each port on an internal address instead of on all interfaces.

@salvatoregiardina88

Hi,
Can you explain what you did in the VPN images in order to be able to create new containers using FortiClient 7 or other VPN software like OpenVPN, and using the latest version of Ubuntu on Windows 11?
