Wednesday 17 May 2023

OpenVPN Access Server on Photon OS (with docker)

Issue


How to build a fast and easy VPN solution for a secure connection to one's own infrastructure.

Solution


As a solution I opted for VMware Photon OS and docker, taking advantage of the "linuxserver/openvpn-as" project based on OpenVPN Access Server.

In this quick guide I assume that Photon OS (minimal) is already installed and properly configured (IP address, DNS, NTP server and so on). In my case Photon OS is configured with 1 vCPU, 2 GB of RAM and 16 GB of disk (although for this purpose 8 GB are enough).
First, we check whether docker is installed; if it is not, we install it, otherwise we start the service and enable it so that it starts when the VM boots.
# systemctl status docker
# systemctl start docker
# systemctl enable docker
I then created a script to automate the installation and running of the container.

The outcome of the script is a running container; at the end we are asked to enter a new password for the default admin account.
Below is the script:
#!/bin/bash
#
# Initial setup script (all-in-one) to access the OpenVPN Web UI

# Install the package called OpenVPN Access Server
# Download and install
docker pull linuxserver/openvpn-as:latest

# Let's create a new docker container called openvpn-as with the following:
#  -v /home/docker/openvpn-as/config:/config - Sets the directory to store the config files.
#  --restart=always - Ensures the container always starts on system boot. You can opt not to add this argument if you don't want the container to restart.
#  -e INTERFACE=eth0 - The host network interface the VPN server binds to (the container uses the host network, see --net=host).
#  -e PGID=1001 -e PUID=1001 - Sets the user ID to eliminate permission issues between the host server and the container.
#  -e TZ=Europe/Rome - Sets the time zone.
#  --net=host --privileged - Dictates how OpenVPN Access Server runs in the container.
docker create --name=openvpn-as --restart=always -v /home/docker/openvpn-as/config:/config -e INTERFACE=eth0 -e PGID=1001 -e PUID=1001 -e TZ=Europe/Rome --net=host --privileged linuxserver/openvpn-as

# Start the container
docker start openvpn-as

# Get access to the container and change the default admin password
docker exec -it $(docker ps | grep openvpn-as | awk '{print $1}') /usr/bin/passwd admin
 
We give execute permissions to the script.
# chmod +x OpenVPN_initial_setup.sh
Let's execute it ...
# ./OpenVPN_initial_setup.sh
... and at the prompt enter the new password
Let's verify that the container is running correctly.
# docker ps
Let's connect to the local IP address (https://local-IP:943/admin/) for the first configuration, providing the username admin and the password set previously.
We accept the terms of use.
Once logged in, first of all let's set, in Configuration > Network Settings > Hostname or IP Address, the public IP or the FQDN. Then we click on Save Settings to save the configuration.
We enable Google Authenticator Multi-Factor Authentication in the menu Authentication > General and save the settings.
We then enable and save "Require user permissions record for VPN access" in User Management > User Permissions.
We create a new profile in User Profiles by clicking on New Profile.
We download the .ovpn file and save it locally on our own computer; it will be used later for the VPN connection.


Client configuration part

Configure one of the following apps on your mobile device: Google Authenticator, Microsoft Authenticator or FortiToken. I have verified that the 2FA system works with all of the above authenticator apps.

Open the web client at the VPN endpoint address (https://Public-IP:9443/) and, once logged in with the admin account, scan the QR code with the newly installed app.

Insert the 6-digit code and download the right VPN client for your own OS/device.
Once installed, double-click on the .ovpn file downloaded earlier to import the VPN configuration.

Click on Connect ...
Provide username and password ...
... insert the 6-digit 2FA code ...
We are now able to reach the remote site securely.
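Before importing the downloaded .ovpn file on a client it is worth checking that it actually carries the protections the setup above relies on: a named remote, a server-certificate check, a wrapped control channel, and a credential prompt (which is where the Google Authenticator code is entered; an autologin profile would skip it). The following shell script is an added example, not part of the original post; the profiles it writes are constructed samples with placeholder key material, and the directive names it looks for are standard OpenVPN client options.

```sh
#!/bin/sh
# Added example (not part of the original post): sanity-check a downloaded
# .ovpn profile before importing it into the VPN client. The sample profiles
# below are constructed for the example, with placeholders instead of keys;
# real Access Server profiles carry the CA certificate and keys inline.
set -eu

# has_directive FILE DIRECTIVE: true if the directive starts a line, either as
# a plain option ("remote host 1194") or as an inline block tag ("<tls-crypt>")
has_directive() {
    grep -Eq "^[[:space:]]*(<)?$2([[:space:]]|>|\$)" "$1"
}

# check_profile FILE: prints one line per finding; returns 0 only when the
# profile looks like a user-locked, MFA-protected Access Server profile
check_profile() {
    f="$1"
    rc=0
    # a remote endpoint must be named, otherwise the client has nothing to verify
    has_directive "$f" remote || { echo "FAIL: no remote endpoint"; rc=1; }
    # the client must insist on a certificate with the server role, so that a
    # peer presenting a mere client certificate cannot pose as the server
    grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$f" \
        || { echo "FAIL: remote-cert-tls server missing"; rc=1; }
    # the control channel should be wrapped with a static key (tls-auth/tls-crypt)
    if has_directive "$f" tls-crypt-v2 || has_directive "$f" tls-crypt || has_directive "$f" tls-auth; then
        :
    else
        echo "FAIL: no tls-auth/tls-crypt control-channel protection"; rc=1
    fi
    # a user-locked profile prompts for credentials; an autologin profile would
    # bypass the username/password step and with it the 2FA code
    has_directive "$f" auth-user-pass \
        || { echo "WARN: autologin profile (no auth-user-pass), the MFA prompt will not appear"; rc=1; }
    # credentials cached in a file on disk defeat the purpose of a one-time code
    if grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]+[^[:space:]]' "$f"; then
        echo "FAIL: auth-user-pass points at a credentials file"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $f"
    fi
    return "$rc"
}

# write_sample KIND: write a constructed sample profile (good | autologin | weak)
# to a temporary file and print its path
write_sample() {
    f=$(mktemp)
    case "$1" in
        good)
            cat >"$f" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194 udp
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
            ;;
        autologin)
            cat >"$f" <<'EOF'
client
remote vpn.example.com 1194 udp
remote-cert-tls server
<tls-crypt>
PLACEHOLDER
</tls-crypt>
EOF
            ;;
        weak)
            cat >"$f" <<'EOF'
client
remote vpn.example.com 1194 udp
auth-user-pass /home/user/vpn-creds.txt
EOF
            ;;
    esac
    echo "$f"
}
```

Usage is `check_profile client.ovpn`: a profile that passes prints a single OK line, anything else prints one FAIL or WARN line per finding and exits non-zero. The checks are deliberately line-based greps so they run on any client machine without extra tooling, and they tolerate the CRLF line endings a profile downloaded on Windows may have.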


Conclusion

OpenVPN Access Server is very simple to install and configure. However, there are some limitations: the free license allows only two connections, and the "linuxserver/openvpn-as" project is deprecated and no longer maintained, so the latest version of OpenVPN Access Server available through it is 2.9.0 (the version currently available for download is 2.11.3).

I saw that there are also other interesting projects like WireGuard, not yet available as a docker container but available as a native package for Photon OS.
I must try it as soon as possible.

That's it.
