VPN tunnel for apps
-
Alright, I got the container both running and entered into the database (I'm pretty sure). So Cloudron can "see" the app. I copied the exposed and host ports to the container returned at the end of
createContainer
while nulling them during the containers initialization.That seems to be enough for app discovery, now to see if I can get the reverse proxy working which will be the last piece of the puzzle I hope.
-
Dig, Forest, Dig!
-
@marcusquinn Iām not positive but I think the Nguni reverse proxy is being fed a null or 0 hostPort. The exposedPort is part of Cloudronās environment variables. Maybe Iāll add the hostPort to that and read it back during reverse proxy configuration.
-
I hope nobody finds me logging my development on this app to be annoying. I needed a place to keep all of these new concepts in my head. Iāve never worked with Docker or Cloudron before this month and Iām trying to jot down my experiences for me to read later until I complete this.
If I hardcode the health checks to all pass. My app connected to the VPN stays connected and itās terminal working but never gets past the āStartingā phase until it times out in like ten minutes (the reverse proxy doesnāt work so neither does Letās Encrypt...which then times out the app). This is because itās reverse proxy isnāt set up correctly. I believe that the NGINX reverse proxy either gets the wrong hostPort or the wrong exposedPort or both.
Iām actually amazed that I got this far. Because both the
hostPort
does make it into the database now for it to be discoverable by Cloudron. But why the reverse proxyWriteNginxReverseConfig
receives different info than `apps.jsā āadd-to-dbā function (since that happens first) is really confusing. Iāll keep working on it though. I canāt hardcode (wellll...I technically can for the same container but donāt want to).Another problem is that my NetworkMode to container changes only (for now) take effect upon installation. Have to figure out why that is - but I also have some guesses.
Nobody told me
box
code was this hard. -
And Iām still using the appās FQDN variable to hardcode its attachment to the VPN rather than its manifest ID since I canāt find the function to read an appās manifest to get its ID. So much more work to be done (I need the VPN clientās
containerCreate
optionexposedPort(s)
to be variable depending on its ID and the app connecting to it) - which is another reason I need to learn to use manifest data. But thatās a simple function Iām sure Iām missing somewhere. @girish - do you know it off the top of your head? -
I suddently have a doubt about what your goal is ...
Are you trying to make the app itself, when it tries to connect to an external service, use the VPN, but still be exposed through normal internet?
Or are you trying to restrict the users from accessing the app itself if they are not going through the VPN?
-
Iām trying to accomplish your first idea.
I made a Cloudron app called āOpenVPN Clientā and it works perfectly. It can connect to any OpenVPN Server. I put a basic Apache configuration in front of it just to pass the Cloudronās Health Check.
Now, my use case is to have a singular other app (any app, but Iām using the basic LAMP from the Cloudron store for testing) route all of that appās traffic through my OpenVPN Client app. I understand other users may want to connect more than one other app and itās technically possible to do so via setting their
NetworkMode
tocontainer:open-vpn-id
- but that introduces an extra complexity of exposing more than one port which Cloudron cannot do rn (but is technically possible if girish wanted to make those edits). I donāt mind though since my use case is a 1:1 OpenVPN Client + Other Cloudron app connection.Thatās the entire thing in a nutshell. Iāve had to dig into a lot of
box
code to understand how to make it happen but my OpenVPN Client app is completely working and even passes all the Cloudron health checks but the singular app connecting to it and routing all of its web traffic through it does not pass the Cloudron Healthcheck because a container connecting to the network of another container is forced to inherit all the network properties of that container. That means, the reverse proxy sees nohostPort
(Cloudron is looking for it in the wrong place) when trying to configure the app and thus literally stays in the **Starting up...ā statuses (with itās terminal working and traffic is verified routing through the OpenVPN Client). -
@Lonk sounds like you need an internal network interface for internal liveness checks and external interface for the outgoing VPN traffic and it's checks.
otherwise you're forced to check liveness on the wrong app just because it's routing through it.
-
@robi Well, the thing is. The second app should pass all the health checks just fine. Itās a web app after all that is exposed to the web (right now testing with the LAMP stackās homepage). The only reason it doesnāt pass the check (which makes Cloudron stop the container) is because Cloudron is setting up the reverse nginx config incorrectly due to it believing the Cloudron app just installed has no hostPort even though it really does.
The nginx reverse config needs to account for this to make the second app connected to the VPN Client app to even work. Because right now all I can do is use its terminal to prove its working. But the Cloudron network is setup in such a way that itās needed to reverse proxy itās
hostPort
to itsexposedPort
.My newest idea is to write the Docker randomized
hostPort
as part of the Cloudron environment variables it holds and then use that in the Nginx Reverse Proxy config if the starting app doesnāt appear to have one.Working on
box
code is harder than app code (especially because I canāt access its database outside of the command line and, well...I donāt really know SQL syntax). But shoutout to @nebulon for making it easier for me! -
This also leads to the discussion of exposedPorts in the OpenVPN Client app's side of things. Right now, it has to mirror each of it's connected containers (their can be multiple) exposed ports, but Cloudron (for good reason) has restricted app's exposed ports to one.
Dynamically assigning just the OpenVPN's exposed port(s) on demand (to logically sync up with the app that's connecting to it) is needed here and does 100% require a restart of the OpenVPN Client app unless we decide to go the route of opening
x
amount of the common ports and restricting multiple Cloudron app's from connecting to the OpenVPN Client to one exposed port per app (which ironically could be worked around with a dynamically assigned port forwarding to the real second containers port which then finally reverse proxies onto the hostPort + port 80 / 443 - but that seems like two much work just to connect more than one app perexposedPort
at a time). -
(Disclaimer: I am no expert on docker networking magic)
I think instead of trying to find a way to expose the ports from the OpenVPN container, you should instead try and find a way to make it work directly from the app container itself.
Even if you do make it work for the exposedPort (which, I think, refers to the main web port exposed by the app, the one which is behind the reverse proxy, to expose its web interface and such, that's why there's only one: there's only one web interface), you're gonna have trouble with the extra ports (the ones defined in the manifest here https://docs.cloudron.io/custom-apps/manifest/#tcpports ) for apps that use these.
-
@mehdi Well, that would only need to be a
box
discussion if we wanted more than one other Cloudron app to connect to it at a time. It'd be an interesting discussion on how to make it work with no caveats. But I personally don't see a need to have more than one container connect to the OpenVPN Client container. It's not like you can't add a secondary VPN Client Cloudron app and connect it to another app if you really need more than one VPN connection, ya know?Since that's how I'll be coding it, as soon as someone tells me how to use the
app
object inbox
to "get" the cloudron manifest ID. I'm assuming only girish or nebulon know that off the top of their head though so I'll have to reverse engineer that as soon as I figure out how to get the app passed this reverse nginx configuration barrier (which from the code looks like it's readinghostPort
asnull
which is why no apps are working). It would be nice in that situation to know the function to get the hostPort of another container based on manifest id (my OpenVPN Client app to be exact). But once I RE those last two functions, I can do this. -
Oh, I think the answer to my first question was really simple: app.manifest.id. āļø
Last thing is - I still need to find a way to get either container environment variables or the app object via only knowing the the cloudron manifest id. Then this should work perfectly.
-
-
My bad, nginx is writting the
httpPort
fine and it's configuration looks perfect. I'm missing something related to nginx though because all my HTTP requests to the Cloudron app that is supposed to be routed through the OpenVPN Client app just ends in a "502 Bad Gateway". -
Other than this mysterious nginx issue (that I think has to do with the exposed port not being available somewhere
box
assumes it's supposed to be), the app will continue to work and it's terminal will run. So this is all working as it should, except for something about nginx.You know the crazy part, it's even getting an SSL cert (it must be using some DNS validation for that since the proxy isn't working).
-
@Lonk said in VPN tunnel for apps:
@p44 I built the OpenVPN Client you can use to change your IP for your app. @girish offered to add a custom feature to Cloudron specifically to allow Cloudron apps to
network connect
to my OpenVPN Client app. So, not much longer now! I might try to dive into the network code myself but I'll admit, Cloudron's base code intimidates me.@Lonk Thank's a lot this is a very good feature to use. I'm following this thread. I'll wait for first release with a good web interface
-
@p44 It won't be put on the Cloudron Store without a web interface for you to change VPN credentials. That's my 1.0 "this is a finished app" final goal.
Right now, I'm just trying to make Cloudron's reverse proxy for the "app-connected-to-the-vpn-client" work correctly.
So, as it stands, reverse proxy is forwarding requests to port 80, 443 to
app.httpPort
(a randomized container port, for example 34222), and then what's supposed to happen is port "34222" is supposed to proxy to the realexposedPort
but that last step is what it's missing so I just get a "502 Bad Gateway". I can't find any references in the code to how to make the reverse proxy take thatexposedPort
from another app (the OpenVPN Client app) and use it to continue the proxy-ing. In fact, I can't even RE how official apps are doing so.This may be secret knowledge that only @girish knows and he'll have to tell me so I can fix this final proxy issue.
It's funny because I'm doing so much work in
box
right now to get this working. But I'm mainly just REinbox
code. The changes required to make the OpenVPN client work / function (which it already does...just without a web interface because I can't figure out how to proxy to it's exposedPort) - like, literally the changes tobox
amount to 5 new lines of code. I'm guessing fixing this last "proxy-to-exposed-port" issue will be a single line of code fix making the total 6 lines of code. So the changes are so simple, it's the knowledge ofbox
networking I'm lacking in. Cloudron uses an NPM library calleddockerode
to do it's Docker stuff. I thought it was the problem, but it's not - it's working just fine. It's this silly proxy issue. I'm so close...yet so far. -
Talked to @girish a little bit to confirm that the
ExposedPort
binds to theapp.httpPort
viadockerode.createContainer
magic. Soooo...there's only one solution. Usedockerode's
own library to fix this problem. How to do so...I'm not sure, time to look intodockerode's
library. But, the.run
command looks promising.