Route specific SSH traffic through a Docker VPN
# This is useful to have an isolated VPN setup that lets you route SSH traffic
# without touching other traffic on the host.
#
# SETUP:
# mkdir ./config
# cat ~/.ssh/id_rsa.pub > config/bastion_keys
# cp path/to/your.ovpn config/
# chmod 0700 config
# chmod 0400 config/bastion_keys
# chown -R 4096:4096 config
#
# USAGE:
# docker-compose up -d
# ssh -J bastion@127.0.0.1:22222 example01
#
# PROTIP:
# Configure a jump host in your SSH config so you can run `ssh vpn-example01` instead:
#
# Host vpn-example01
#   ProxyJump bastion@127.0.0.1:22222
#   HostName example01
#   Port 22
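version: '3.7'
services:
  # OpenVPN client that owns the network namespace. Only containers that join
  # this namespace (the bastion below) egress through the tunnel; nothing else
  # on the host is routed through it.
  vpn:
    image: dperson/openvpn-client:latest
    container_name: vpn
    restart: unless-stopped
    networks:
      - default
    read_only: true
    tmpfs:
      - /run
      - /tmp
    security_opt:
      - label:disable
    stdin_open: true
    tty: true
    cap_add:
      # Required to create the tun interface and to install the VPN routes.
      - NET_ADMIN
    environment:
      - TZ=America/Los_Angeles
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      # Holds the .ovpn profile; mounted read-only so the container cannot
      # modify it.
      - $PWD/config:/vpn:ro
    ports:
      # Port 22 inside this namespace is served by the bastion service below.
      # Bound to loopback because the documented usage is
      # `ssh -J bastion@127.0.0.1:22222`; without the `127.0.0.1:` prefix the
      # jump host would listen on every host interface. Drop the prefix only if
      # other machines must reach it.
      - "127.0.0.1:22222:22/tcp"
    healthcheck:
      # Checks that the tunnel passes traffic. `-f` makes an HTTP error status
      # count as unhealthy rather than only a failed connection.
      test: ["CMD", "curl", "-fSs", "ifconfig.co"]
      interval: 60s
      timeout: 15s

  # SSH jump host. It shares the vpn container's network namespace, so every
  # connection it opens to an upstream host goes through the tunnel.
  bastion:
    image: binlab/bastion
    container_name: bastion
    restart: unless-stopped
    depends_on:
      - vpn
    network_mode: "service:vpn"
    environment:
      PUBKEY_AUTHENTICATION: "true"
      GATEWAY_PORTS: "false"
      PERMIT_TUNNEL: "false"
      X11_FORWARDING: "false"
      # ProxyJump (`ssh -J`) is implemented with TCP forwarding, so this is the
      # one forwarding type the documented usage needs.
      TCP_FORWARDING: "true"
      # Not needed for ProxyJump; a forwarded agent is usable by anything
      # running on the bastion, so consider "false" unless `ssh -A` through
      # this host is required.
      AGENT_FORWARDING: "true"
      AUTHORIZED_KEYS: "/var/lib/bastion/config/bastion_keys"
    volumes:
      - $PWD/config:/var/lib/bastion/config:ro
      # NOTE(review): presumably the sshd host keys live here, which keeps the
      # host-key fingerprint stable across container recreation — confirm
      # against the image documentation.
      - bastion:/usr/etc/ssh:rw

networks:
  # Explicit empty mapping: a bare `default:` parses as null.
  default: {}

volumes:
  bastion: {}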