Table of Contents

WebVPN secure https to http forwarding for unsecure http devices

This article describes how you can use Netmodule Routers with LXC container virtualisation to connect unsecure http devices through an OpenVPN infrastructure and securly expose them to the internet. It can also be used if you do provide the network environment for a customer of yours and you want him to be able to access his devices, but you still manage the routers yourself.

Concept

The above shows the basic concept of such an infrastructure. In the end you want to be able to reach your unsecure HTTP Endpoints (industrial facilities, measurement devices, webcams et cetera) through the internet on a secure basis. Your routers will be part of a secured OpenVPN network and from the internets point of view requests get in and out of your environment through https. Once they reach the container they get forwarded as http requests, but through your secured network to the acutal endpoint. This environment can be setup combining OpenVPN and a service called traefik (a reverse proxy) which will run in the container taking care of re-writing your https-to-http traffic as well as certificates.

Prerequisistes

Configuring Traefik

Setting up traefik is fairly simple. The main concept of how the service works is shown in the following graphic:

(image taken from traefik.io)

You have to define entrypoints (where http and https) traffic is incoming with the option to redirect between them. The next step is to setup frontends which define routes from entrypoints to backends depending on a set of rules (modifiers: that modify a request, matchers: determin if a particular request should be forwareded or not). At the end is the backend which represents on or more http servers (the endpoints).

Here is a simple example configuration (config.toml):

################################################################
# Global configuration
################################################################

defaultEntryPoints = ["http", "https"]

[entryPoints]
      [entryPoints.http]
      address = ":80"
	[entryPoints.http.redirect]
	entryPoint = "https"

      [entryPoints.https]
      address = ":443"
      [entryPoints.https.auth.basic]
      users = ["test:$apr1$UOcq8wCG$ittsBAMjt41v5kx.B/WSy1"]
      [entryPoints.https.tls] 
	

[file]
 
[backends]
	
      # HTTP via OpenVPN Tunnel for backends 1 - 2

      # Site 1 - HTTP Endpoint
      [backends.backend1]
      	[backends.backend1.servers.server1]
      	url = "http://10.8.0.6:8080"

      # Site 2 - HTTP Endpoint
      [backends.backend2]
      	[backends.backend2.servers.server1]
      	url = "http://10.8.0.10:8080"

		
[frontends]

      [frontends.frontend1]
      backend="backend1"
        [frontends.frontend1.routes.test_1]
        rule = "Host:site1.example.com"

      [frontends.frontend2]
      backend="backend2"
        [frontends.frontend2.routes.test_1]
        rule = "Host:site2.example.com"


################################################################
# LetsEncrypt (http challange) 
################################################################
[acme]
      email="user@example.com"
      storage = "/root/traefik/storage.json"
      entryPoint = "https"
      acmeLogging = true

      [acme.httpChallenge]
      entryPoint = "http"

      [[acme.domains]]
        main = "example.com"
        sans = ["site1.example.com", "site2.example.com"]


################################################################
# Logging 
################################################################
debug = true
logLevel = "ERROR"

[traefikLog]
	filePath = "log/traefik.log"


# Debugging http access requests  
#[accessLog]
#	filePath = "log/access.log"

The example configuration builds on the image from the concept earlier. We would realise the following:

For a more detailed description on how to configure traefik please refer to traefik.io

Information on the already setup container

You can download traefik already integrated into anAlpine Linux container that is ready to use. Here are the details you need:

Download from: (ADD LINK AGAIN)

In this container all you need to do, is extract it to your router, edit /etc/traefik/config.toml to your needs and then restart the service with /etc/init.d/traefik restart and you are done.

Since the service runs as non-root user the default listening ports for http and https where changed to 65080 and 65443. So additionally on your router you'd need to create NAPT Rules, that rewrite the http & https ports accordingly.

Configuring the router (EndPoint)

On the router side we assume that you have already setup OpenVPN. Now in the configuration above you saw, that the backends are defined with the OpenVPN ip adresses but not using the standart http port 80 instead they are configured via 8080. This is simply, because you might have more then one EndPoint in your site which then makes assigning them via the same router very easy. Just increas the port number on the defined backends in traefik.

The Router (for example in Site1) would need a NAPT Rule translating the incoming Port 8080 from its tun interface to port 80 and the ip of your endpoint. So your NAPT rule on the router on site 1 might look like this (with a second endpoint to visualize the just mentioned).

On the router that is running the container and serving the requests, don't forget to change the WebGui Ports 80 & 443 to some other ports,so that they can be re-written via NAPT rules to get to the container.