NetModule Router Wiki

User Tools

Site Tools

This is an old revision of the document!

Table of Contents

WebVPN secure https to http forwarding for unsecure http devices

This article describes how you can use Netmodule Routers with LXC container virtualisation to connect unsecure http devices through an OpenVPN infrastructure and securly expose them to the internet. It can also be used if you do provide the network environment for a customer of yours and you want him to be able to access his devices, but you still manage the routers yourself.

Concept

<grafik>

The above shows the basic concept of such an infrastructure. In the end you want to be able to reach your unsecure HTTP Endpoints (industrial facilities, measurement devices, webcams et cetera) through the internet on a secure basis. Your routers will be part of a secured OpenVPN network and from the internets point of view requests get in and out of your environment through https. Once they reach the container they get forwarded as http requests, but through your secured network to the acutal endpoint. This environment can be setup combining OpenVPN and a service called traefik (a reverse proxy) which will run in the container taking care of re-writing your https-to-http traffic as well as certificates.

Prerequisistes

  • Netmodule Router running software version >= 4.0.0.100 with a virtualisation licence
  • Running LXC virtualisation environment described here
    • ARM based linux distribution of your flavor from linuxcontainers.org, to make it small the example is based on Alpine Linux
    • The traefik.io reverse proxy for the ARM Platform
    • As an alternativ you can download a ready to use container HERE (ADD LINK & Upload container)
  • OpenVPN network setup (your container could also run on one of your openvpn clients)
    • Clients need fix IP adresses so you can add them later to traefik
  • Valid DNS record(s) pointing to the public IP of the network where traefik runs
    • Wildcards DNS record preferred otherwise you need to create individual subdomains for each endpoint

Configuring Traefik

Setting up traefik is fairly simple. The main concept of how the service works is shown in the following graphic:

<bild traefik internal>

You have to define entrypoints (where http and https) traffic is incoming with the option to redirect between them. The next step is to setup frontends which define routes from entrypoints to backends depending on a set of rules (modifiers: that modify a request, matchers: determin if a particular request should be forwareded or not). At the end is the backend which represents on or more http servers (the endpoints).

Here is a simple example configuration (config.toml): 

################################################################
# Global configuration
################################################################

defaultEntryPoints = ["http", "https"]

[entryPoints]
      [entryPoints.http]
      address = ":80"       

      [entryPoints.https]
      address = ":443"
      [entryPoints.https.tls] 
	

[file]
 
[backends]
	
      # HTTP via OpenVPN Tunnel for backends 1 - 2

      # Site 1 - HTTP Endpoint
      [backends.backend1]
      	[backends.backend1.servers.server1]
      	url = "http://10.8.0.6:8080"

      # Site 2 - HTTP Endpoint
      [backends.backend2]
      	[backends.backend2.servers.server1]
      	url = "http://10.8.0.10:8080"

		
[frontends]

      [frontends.frontend1]
      backend="backend1"
        [frontends.frontend1.routes.test_1]
        rule = "Host:site1.example.com"

      [frontends.frontend2]
      backend="backend2"
        [frontends.frontend2.routes.test_1]
        rule = "Host:site2.example.com"


################################################################
# LetsEncrypt (http challange) 
################################################################
[acme]
      email="user@example.com"
      storage = "/root/traefik/storage.json"
      entryPoint = "https"
      acmeLogging = true

      [acme.httpChallenge]
      entryPoint = "http"

      [[acme.domains]]
        main = "example.com"
        sans = ["site1.example.com", "site2.example.com"]


################################################################
# Logging 
################################################################
debug = true
logLevel = "ERROR"

[traefikLog]
	filePath = "log/traefik.log"


# Debugging http access requests  
#[accessLog]
#	filePath = "log/access.log"

The example configuration builds on the image from the concept earlier. We would realise the following:

  • Site1
    • Router OpenVPN client ip: 10.8.0.6
    • HTTP Endpoint will be reached through: site1.example.com
  • Site2
    • Router OpenVPN client ip: 10.8.0.10
    • HTTP Endpoint will be reached through: site2.example.com
  • both http and https are allowed as entrypoints
  • LetsEncrypt: Traefik can be an ACME client and takes care of SSL certificates for https automatically
    • The example config would get certificates for example.com but also covering multiple hostnames. Multi-domain ssl ceritifcate

For a more detailed description on how to configure traefik please refer to traefik.io

Configuring the router

Page Tools

app-notes/webvpn-secure-https-portforwardings-for-unsecure-http-devices.1531485409.txt.gz · Last modified: 2018/07/13 12:36 by preisig