WebVPN secure https to http forwarding for unsecure http devices

This article describes how you can use Netmodule Routers with LXC container virtualisation to connect unsecure http devices through an OpenVPN infrastructure and securly expose them to the internet. It can also be used if you do provide the network environment for a customer of yours and you want him to be able to access his devices, but you still manage the routers yourself.

Concept

The above shows the basic concept of such an infrastructure. In the end you want to be able to reach your unsecure HTTP Endpoints (industrial facilities, measurement devices, webcams et cetera) through the internet on a secure basis. Your routers will be part of a secured OpenVPN network and from the internets point of view requests get in and out of your environment through https. Once they reach the container they get forwarded as http requests, but through your secured network to the acutal endpoint. This environment can be setup combining OpenVPN and a service called traefik (a reverse proxy) which will run in the container taking care of re-writing your https-to-http traffic as well as certificates.

Prerequisistes

  • Netmodule Router running software version >= 4.0.0.100 with a virtualisation licence
  • Running LXC virtualisation environment described here
    • ARM based linux distribution of your flavor from linuxcontainers.org, to make it small the example is based on Alpine Linux
    • The traefik.io reverse proxy for the ARM Platform
    • As an alternativ you can download a ready to use container HERE
  • OpenVPN network setup (your container could also run on one of your openvpn clients)
    • Clients need fix IP adresses so you can add them later to traefik
  • Valid DNS record(s) pointing to the public IP of the network where traefik runs
    • Wildcards DNS record preferred otherwise you need to create individual subdomains for each endpoint

Configuring Traefik

Setting up traefik is fairly simple. The main concept of how the service works is shown in the following graphic:

(image taken from traefik.io)

You have to define entrypoints (where http and https) traffic is incoming with the option to redirect between them. The next step is to setup frontends which define routes from entrypoints to backends depending on a set of rules (modifiers: that modify a request, matchers: determin if a particular request should be forwareded or not). At the end is the backend which represents on or more http servers (the endpoints).

Here is a simple example configuration (config.toml):

################################################################
# Global configuration
################################################################

defaultEntryPoints = ["http", "https"]

[entryPoints]
      [entryPoints.http]
      address = ":80"
	[entryPoints.http.redirect]
	entryPoint = "https"

      [entryPoints.https]
      address = ":443"
      [entryPoints.https.auth.basic]
      users = ["test:$apr1$UOcq8wCG$ittsBAMjt41v5kx.B/WSy1"]
      [entryPoints.https.tls] 
	

[file]
 
[backends]
	
      # HTTP via OpenVPN Tunnel for backends 1 - 2

      # Site 1 - HTTP Endpoint
      [backends.backend1]
      	[backends.backend1.servers.server1]
      	url = "http://10.8.0.6:8080"

      # Site 2 - HTTP Endpoint
      [backends.backend2]
      	[backends.backend2.servers.server1]
      	url = "http://10.8.0.10:8080"

		
[frontends]

      [frontends.frontend1]
      backend="backend1"
        [frontends.frontend1.routes.test_1]
        rule = "Host:site1.example.com"

      [frontends.frontend2]
      backend="backend2"
        [frontends.frontend2.routes.test_1]
        rule = "Host:site2.example.com"


################################################################
# LetsEncrypt (http challange) 
################################################################
[acme]
      email="user@example.com"
      storage = "/root/traefik/storage.json"
      entryPoint = "https"
      acmeLogging = true

      [acme.httpChallenge]
      entryPoint = "http"

      [[acme.domains]]
        main = "example.com"
        sans = ["site1.example.com", "site2.example.com"]


################################################################
# Logging 
################################################################
debug = true
logLevel = "ERROR"

[traefikLog]
	filePath = "log/traefik.log"


# Debugging http access requests  
#[accessLog]
#	filePath = "log/access.log"

The example configuration builds on the image from the concept earlier. We would realise the following:

  • http and https are allowed as entrypoints, but http gets redirected to https
  • Basic authentication trough MD5 encoded password (done with htpasswd) for user: test
  • LetsEncrypt: Traefik can be an ACME client and takes care of SSL certificates for https automatically
    • The example config would get certificates for example.com but you can also provide SAN's (alternative domains) to the main one.

For a more detailed description on how to configure traefik please refer to traefik.io

Information on the already setup container

You can download traefik already integrated into anAlpine Linux container that is ready to use. Here are the details you need:

Download from: (ADD LINK AGAIN)

  • Configuration: /etc/traefik
  • Binary: /usr/local/bin (linked to the original file in /etc/traefik)
  • Startup Script: /etc/init.d/traefik

In this container all you need to do, is extract it to your router, edit /etc/traefik/config.toml to your needs and then restart the service with /etc/init.d/traefik restart and you are done.

Since the service runs as non-root user the default listening ports for http and https where changed to 65080 and 65443. So additionally on your router you'd need to create NAPT Rules, that rewrite the http & https ports accordingly.

Configuring the router (EndPoint)

On the router side we assume that you have already setup OpenVPN. Now in the configuration above you saw, that the backends are defined with the OpenVPN ip adresses but not using the standart http port 80 instead they are configured via 8080. This is simply, because you might have more then one EndPoint in your site which then makes assigning them via the same router very easy. Just increas the port number on the defined backends in traefik.

The Router (for example in Site1) would need a NAPT Rule translating the incoming Port 8080 from its tun interface to port 80 and the ip of your endpoint. So your NAPT rule on the router on site 1 might look like this (with a second endpoint to visualize the just mentioned).

On the router that is running the container and serving the requests, don't forget to change the WebGui Ports 80 & 443 to some other ports,so that they can be re-written via NAPT rules to get to the container.