VPN tunnel for apps
-
@Lonk said in Better documentation for the API:
Would docker connect work better in this regard
Is this a new command? Atleast, I don't have this in my docker 19.03.12.
$ docker connect docker: 'connect' is not a docker command. See 'docker --help'edit: don't mind me, I guess they are just typos.
docker network connectanddocker network attach, I guess. I wasn't aware of this connect subcommand.edit2: there is no,
docker network attach
I meant docker network connectall the time.@girish said in VPN tunnel for apps:
there is no, docker network attach I meant docker network connect all the time.
Okay, that makes a lot of sense, when you mentioned the "network" attach command, I figured I had some reading up to do.
I edited my post to fix my typo and remove mentions of "docker attach".
-
@Lonk said in Better documentation for the API:
Would docker connect work better in this regard
Is this a new command? Atleast, I don't have this in my docker 19.03.12.
$ docker connect docker: 'connect' is not a docker command. See 'docker --help'edit: don't mind me, I guess they are just typos.
docker network connectanddocker network attach, I guess. I wasn't aware of this connect subcommand.edit2: there is no,
docker network attach I meant docker network connectall the time.@girish I have finished converting the app into a Cloudron app and have pushed it to the Docker Hub, there appears to be one issue with these two lines in the
start.shfile:mkdir -p /dev/net
[[ -c /dev/net/tun ]] || mknod -m 0666 /dev/net/tun c 10 200There seems to be an issue with this part of the starting script. Likely related to this
docker runargument that I run locally--device /dev/net/tun. This is the exact error I get when attempting to run it on Cloudron (despite it successfully running locally with strictly Docker).ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)What do you think on the Cloudron side of things there?
-
@girish said in VPN tunnel for apps:
there is no, docker network attach I meant docker network connect all the time.
Okay, that makes a lot of sense, when you mentioned the "network" attach command, I figured I had some reading up to do.
I edited my post to fix my typo and remove mentions of "docker attach".
@Lonk Note: I submitted the DockerHub link for you here (https://www.cloudron.io/app-developer.html) to pull and test yourself locally via
docker run -it --cap-add=NET_ADMIN --device /dev/net/tun --dns 8.8.8.8 image/name(which will succeed, just trycurl icanhazip.comin the Docker container and it will see a different IP address). Then check the logs on cloudron when trying to install to it and you'll see the issues with/net/tunthat don't exist locally. -
@Lonk Have you pushed the package source code somewhere?
-
For the tun device stuff, @mehdi solved it by creating the device in Dockerfile - https://git.cloudron.io/cloudron/openvpn-app/-/blob/master/Dockerfile#L30 (
RUN mknod /app/code/net-tun c 10 200) and then usingdev-node /app/code/net-tunoption in openvpn.conf -
It's quite a long time ago now that I wrote the openvpn-server app, but I remember that this ton device stuff was hell
(Plus, Cloudron did not have support for capabilities like NET_ADMIN back then, so I had to implement that in the server itself^^)@Lonk in your command line, you forward the host's
/dev/net/tundevice to the container, which cloudron does not do, so the problem probably comes from there.If @girish's suggestion of using the same trick as the openvpn-server app does not work, I'd be happy to take a look.
-
For the tun device stuff, @mehdi solved it by creating the device in Dockerfile - https://git.cloudron.io/cloudron/openvpn-app/-/blob/master/Dockerfile#L30 (
RUN mknod /app/code/net-tun c 10 200) and then usingdev-node /app/code/net-tunoption in openvpn.confI worked on this for a few more hours tonight and after editing the starting script and DOCKERFILE (and a dumb mess up with CloudronManifest.json), I now have it 100% working within Cloudron.
Thank you so much for your help @girish / @mehdi!
There's a bunch of polish now that needs to be made. Proper healthcheck since this doesn't have a web admin exposed yet. I'll be making a custom web admin to change out VPN files (.ovpn) and credentials to make this a proper web app for Cloudron. For now, I'm just going to fake the healthcheck in testing just to see if we can connect containers using @girish Cloudron's code edit idea to make another container use my OpenVPN Client's Container's Network (akin to
docker run's--net=container:vpn-clientcommand).PS. @girish, I haven't published the code on Github yet because I've hardcoded my home's VPN credentials in there since this is just a proof of concept. I gave you guy's the DockerHub link through this form: https://www.cloudron.io/app-developer.html - so that only you guys would know the link to
pullit to Cloudron. Once I make the VPN configurable, I'll be releasing the source. I'll fix the health check in the morning with v0.3. Until then, feel free to pull the image to Cloudron to install for your own testing purposes (the idea you had to make it connect to other Cloudron apps). If you don't have time to, or are unable, I can take a stab at editing the Cloudron code directly. Let me know!
οΈ -
Alright, v0.3 release notes:
β’ Uses
cloudron:2.0base image now.
β’ Added apache to start the process of configuring a web interface (it'll need to do a few things like adddev-node /app/code/net-tunto the openvpn-server.ovpn files and convert them into vpn.conf files (which is stored inapp/dataso it's persistent and can change at anytime through an API endpoint I'm going to write...for now, you can change the file yourself and add it in the Cloudron File Manager and then restart the app).
β’ Fixed thehealthcheckso that Cloudron now runs it as a full fledged appThis is at the point where I'm ready to upload it to Github tonight and I'll post the link. I just need to revoke my personal OVPN Server certificate first before I do that and I have some more testing when it comes to the web interface and modifying files.
@girish Do you have any questions from me in order to make your side of things (Cloudron's base code) connect to this container's network to other apps on Cloudron? Were you able to find and pull my testing image from the DockerHub through the form I submitted - which I did get a response, as I'm now in the contributor program
and I'm happy to be because developing with Cloudron is just getting more and more fun. I have some ideas for Wordpress which is where my real expertise is. I'll finish this project and then move onto that after you guys release 6.0 (since I know it's coming with Wordpress changes). -
@Lonk Thanks! It might be easier for me to test with the package source. On Cloudron, you will need the manifest file to install and not just the docker image anyway.
I am happy to look into the Cloudron side of things whenever the package is semi-ready. Thanks for all the work!
-
@Lonk Thanks! It might be easier for me to test with the package source. On Cloudron, you will need the manifest file to install and not just the docker image anyway.
I am happy to look into the Cloudron side of things whenever the package is semi-ready. Thanks for all the work!
@girish My DockerHub link you can pull to Cloudron and install comes with the Cloudron manifest So, rn, itβs working perfectly as an app in Cloudron now, fully operational (just doesnβt have a web interface to change the OVPN file yet but contains everything you need to test it, directly connects to my homes VPN until I revoke the cert which I didnβt want to do until you were done testing). Iβll post the source on GitLab today minus the hardcoded
.ovpnfile. But can I send you that specific file personally so you can use it for testing. You just place it in the/app/datafolder and restart the OpenVPN Client app and your IP for that container will magically change. So you can then test connecting another app to it network-wise (a la a cloudron eqivalent to docker run's--net=container:vpn-clientruntime argument) and thencurl icanhazip.comthe βconnected-to-the-vpn-clientβ app to see if it gets the same IP address as the OpenVPN Client Cloudron app.Does all of that make sense?
-
@Lonk Thanks! It might be easier for me to test with the package source. On Cloudron, you will need the manifest file to install and not just the docker image anyway.
I am happy to look into the Cloudron side of things whenever the package is semi-ready. Thanks for all the work!
@girish I removed the pre-configured
.ovpnfile that is in the DockerHub version of 0.3 and added the full source code to Github. I tried adding it to Cloudron's Gitlab but it didn't let me create a repository for some reason so I just used Github.https://github.com/lonkle/openvpn-client-cloudron
If you need my preconfigured
.ovpnfile for testing instead of creating your own (you can add your converted.ovpnfile and rename it tovpn.confto the root directory before you install or after the install with the Cloudron File Manager, but if you do that you have to restart the app for it to take effect), then let me know so I can send it to you privately. I'll revoke my pre-configured one when you're done testing if you want to go that route (pun intended). -
Goals for v0.5.0:
β’ Add an HTTP API endpoint to change and convert any
.ovpnfile a user supplies viaPOSTinto the container and disconnect from current to connect to the newly added.ovpnGoals for v1.0.0 (I'd consider it ready to upload to the official Cloudron Appstore at this point):
β’ Add a full web interface at the base URL of the app which uses the API endpoint in v0.5 to allow a user to submit any
.ovpnfile and convert it to what Cloudron needs to straight from a web interface (so they don't have to use the API or manually add it in the terminal / file manager, which would be confusing to new users using Cloudron).@girish Neither of these final features will be needed for you to do your testing whenever you'd like to connect one or multiple containers networks to the the "OpenVPN Client v0.3" app's network. So let me know a good way to send you my preconfigured
vpn.conffile for you to use to test the feature. In the end, the API backend will automatically convert any.ovpnfiles supplied by a user via the API or web interface into a format Cloudron needs; mine is just pre-configured for ya so you don't have to make your own just to test networking between the containers. -
@p44 I built the OpenVPN Client you can use to change your IP for your app. @girish offered to add a custom feature to Cloudron specifically to allow Cloudron apps to
network connectto my OpenVPN Client app. So, not much longer now! I might try to dive into the network code myself but I'll admit, Cloudron's base code intimidates me.
-
@p44 I built the OpenVPN Client you can use to change your IP for your app. @girish offered to add a custom feature to Cloudron specifically to allow Cloudron apps to
network connectto my OpenVPN Client app. So, not much longer now! I might try to dive into the network code myself but I'll admit, Cloudron's base code intimidates me. -
@Lonk Give it a try, it's not that hard ! I had to do it for the OpenVPN server, it's only fair that you do it for the OpenVPN client
@mehdi Alright alright, you've convinced me - Is the flow similar to app creation to build it locally? Won't I need another license to start working on Cloudron locally though? So, the cloud can stay up, and I can develop this multiple app network VPN connection code locally? Normally, I could just use the free license for local dev, but I literally need three apps to test this because coincidentally this modification needs a total of 3 simultaneously running apps to test, the Open VPN Client App, another app to connect to it's network (so one to one connection is tested and confirmed), and then another app to simultaneously (3 apps needed to be installed at once to test) connect to the same Open VPN Client App's network.
I also just read on Gitlap that some of Cloudron is closed source, hmm, I should focus my feature requests on the closed source aspects I literally can't change myself and then merge request it.
-
Still sifting through our 5.6 release bucket list, so I am trying to wrap my head around this a bit.
@Lonk IIUC, the feature requested here is to pipe the network traffic of some apps via a VPN connection. I love the idea!
I can see use cases like the ttrss one but also for any of the "pulling" apps like emby metadata download, torrent, searx, scapers etc.I think this involves two steps (which you already figured). Step 1 is to package the openvpn client app for Cloudron. I think you only need
net_adminfor this but we can easily add new caps depending on what is needed.Step 2 is to then have some configuration to let apps use this container as the networking layer. If you ignore the UI/UX, this is really just a one-line change: https://git.cloudron.io/cloudron/box/-/blob/master/src/docker.js#L311 will be changed to the VPN client app's container. If we had a way to identify vpn clients, we can just have a dropdown of vpn clients as the available 'networks' in the app's configuration UI. And that should be it.
(I hope I understand your requirements correctly.)
@girish said in VPN tunnel for apps:
Step 2 is to then have some configuration to let apps use this container as the networking layer. If you ignore the UI/UX, this is really just a one-line change: https://git.cloudron.io/cloudron/box/-/blob/master/src/docker.js#L311 will be changed to the VPN client app's container. If we had a way to identify vpn clients, we can just have a dropdown of vpn clients as the available 'networks' in the app's configuration UI. And that should be it.
https://github.com/lonkle/openvpn-client-cloudron
I am finished with the MVP, it'll be ready for the App Store as soon as I include instructions on install to show the user installing it how to get their
.ovpnin the/app/datafolder for the OpenVPN Client to pick it up and some other small polishes (like using a wildcard to pick up whatever.ovpnfile they put into/app/dataand adding the necessary one-liner automatically to the file for it to be compatible with Cloudron's network. But, as of now, every time you change OVPN servers, you have to restart the app. I'm going to use the Cloudron API to do this manually but I haven't found a way to not restart the app yet and just disconnect + connect to a different server on-demand, just at initial runtime.Oh, and when you need an
.ovpnfor testing container network connections, let me know! But I'm gonna take a stab (no promises, nervous at how different the Cloudron base code is gonna be
) at getting this working myself on the Cloudron side. Thanks for pointing me in the right direction! -
Okay, I'm close to finalizing the Cloudron side of things. But I can't seem to find a function like
getContainerIdByAppId('com.joelstickney.openvpn-client')@girish Do you know any functions off-hand or maybe some files that I should be lookinβ into? I need the Open VPN client's (sub)Container ID so I can apply it to the other (sub)Containers network(s).
-
I'm now able to connect any container to any network I want on app startup based on the app's FQDN or ID. But even if I create a separate network than
cloudronand stick the OpenVPN Client in there with another app. The other app doesn't inherit the OpenVPN Client's IP like it does when you connect the connectors directly on thebridgenetwork using thedocker run --netcommand.There may be a firewall issue though. Cloudron does have a very specific subnet and maybe I can't escape it without running into a firewall.
