This article describes how to use Netmodule routers with LXC container virtualisation to connect insecure HTTP devices through an OpenVPN infrastructure and expose them securely to the internet. The same setup also applies if you provide the network environment for a customer and want them to reach their own devices while you still manage the routers yourself.
[image: infrastructure concept]
The figure above shows the basic concept of such an infrastructure. The goal is to reach insecure HTTP endpoints (industrial plants, measurement devices, webcams and so on) from the internet in a secure way. The routers are part of a secured OpenVPN network, and from the internet's point of view requests enter and leave the environment over HTTPS only. Once a request reaches the container it is forwarded as a plain HTTP request, but only over the secured OpenVPN tunnel to the actual endpoint. Note that the endpoints themselves still speak plain HTTP, so their protection rests entirely on the tunnel: they must not be reachable from anywhere outside the VPN. This environment is built by combining OpenVPN with a service called traefik, a reverse proxy that runs in the container and takes care of terminating HTTPS, forwarding the traffic as HTTP to the backends, and managing the certificates.
Setting up traefik is fairly simple. The main concept of how the service works is shown in the following graphic:
[image: traefik internals]
You define entry points, where HTTP and HTTPS traffic comes in, with the option to redirect from one to the other. Next you set up frontends, which define routes from entry points to backends based on a set of rules (modifiers, which modify a request, and matchers, which determine whether a particular request is forwarded or not). At the end is the backend, which represents one or more HTTP servers (the endpoints).
Here is a simple example configuration (config.toml):
```toml
################################################################
# Global configuration
################################################################
# Top-level keys must stay above the first [table]: in TOML a bare key that
# follows a table header belongs to that table, not to the file root.
# debug = true is for troubleshooting only; set it to false in production.
debug = true
logLevel = "ERROR"

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[file]

[backends]
  # HTTP via OpenVPN tunnel for backends 1 - 2
  # Site 1 - HTTP endpoint
  [backends.backend1]
    [backends.backend1.servers.server1]
    url = "http://10.8.0.6:8080"
  # Site 2 - HTTP endpoint
  [backends.backend2]
    [backends.backend2.servers.server1]
    url = "http://10.8.0.10:8080"

[frontends]
  [frontends.frontend1]
  backend = "backend1"
    [frontends.frontend1.routes.test_1]
    rule = "Host:site1.example.com"
  [frontends.frontend2]
  backend = "backend2"
    [frontends.frontend2.routes.test_1]
    rule = "Host:site2.example.com"

################################################################
# LetsEncrypt (http challenge)
################################################################
[acme]
email = "user@example.com"
storage = "/root/traefik/storage.json"
entryPoint = "https"
acmeLogging = true
  [acme.httpChallenge]
  entryPoint = "http"
  [[acme.domains]]
  main = "example.com"
  sans = ["site1.example.com", "site2.example.com"]

################################################################
# Logging
################################################################
[traefikLog]
filePath = "log/traefik.log"
# Debugging http access requests
#[accessLog]
#  filePath = "log/access.log"
```
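Two properties of this configuration carry the whole security argument of the article: every backend URL must point into the OpenVPN subnet (otherwise the decrypted HTTP traffic leaves the router in the clear), and the plain-http entry point should exist only to redirect to https and to answer the ACME http challenge. The config above has no `[entryPoints.http.redirect]` section; in Traefik 1.x it is added under `[entryPoints.http]` with `entryPoint = "https"`. The following shell script is an added example, not part of the article, of Netmodule's firmware or of Traefik: a pre-deployment lint you can run in the container against `config.toml` before starting traefik. It assumes the OpenVPN subnet is 10.8.0.0/24 (matching the 10.8.0.x addresses in the article's config; this is an assumption) and the Traefik 1.x file format; the sample configs it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article, the router firmware or Traefik): a
# pre-deployment lint for a Traefik 1.x config.toml like the one above.
# Assumptions not stated in the article: the OpenVPN subnet is 10.8.0.0/24
# (matching the 10.8.0.x backend addresses) and the file uses Traefik 1.x syntax.
# Requires only POSIX sh, sed and grep.

VPN_PREFIX="10.8.0."   # assumed OpenVPN subnet; adjust to your server config

# Print every backend server URL (url = "...") found in the config file.
backend_urls() {
    sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Succeed only if every backend host lies inside the VPN subnet. A backend
# outside the tunnel would receive the decrypted HTTP traffic in the clear.
check_backends() {
    rc=0
    for u in $(backend_urls "$1"); do
        # strip the scheme and everything after the host (port or path)
        host=$(printf '%s\n' "$u" | sed -e 's#^[A-Za-z]*://##' -e 's#[:/].*$##')
        case "$host" in
            "$VPN_PREFIX"*) ;;
            *) echo "backend outside VPN subnet: $u" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Succeed only if the http entrypoint redirects to https, so port 80 serves
# nothing but the redirect and the ACME http challenge.
check_redirect() {
    grep -q '^[[:space:]]*\[entryPoints\.http\.redirect\]' "$1"
}

# Succeed only if TLS is enabled on the https entrypoint.
check_tls() {
    grep -q '^[[:space:]]*\[entryPoints\.https\.tls\]' "$1"
}

# Run all checks on one file; exit status 0 means it passed.
lint_config() {
    ok=0
    check_backends "$1" || ok=1
    check_redirect "$1" || { echo "http entrypoint does not redirect to https" >&2; ok=1; }
    check_tls "$1"      || { echo "no [entryPoints.https.tls] section" >&2; ok=1; }
    return $ok
}

# Write a constructed config reduced to what the checks read.
# $1 = path, $2 = "yes" adds the redirect, $3 = optional URL for backend2.
write_sample_config() {
    {
        echo '[entryPoints]'
        echo '  [entryPoints.http]'
        echo '  address = ":80"'
        if [ "$2" = yes ]; then
            echo '    [entryPoints.http.redirect]'
            echo '    entryPoint = "https"'
        fi
        echo '  [entryPoints.https]'
        echo '  address = ":443"'
        echo '    [entryPoints.https.tls]'
        echo '[backends]'
        echo '  [backends.backend1.servers.server1]'
        echo '  url = "http://10.8.0.6:8080"'
        echo '  [backends.backend2.servers.server1]'
        echo "  url = \"${3:-http://10.8.0.10:8080}\""
    } > "$1"
}

# Demo on constructed files: the article's layout (no redirect), a corrected
# copy, and a copy whose second backend is a public address (203.0.113.5 is
# a documentation address from RFC 5737, used here as a constructed sample).
tmp=$(mktemp -d)
write_sample_config "$tmp/article.toml" no
write_sample_config "$tmp/fixed.toml" yes
write_sample_config "$tmp/leaky.toml" yes "http://203.0.113.5:8080"
for f in article fixed leaky; do
    if lint_config "$tmp/$f.toml"; then echo "$f.toml: OK"; else echo "$f.toml: FAIL"; fi
done
rm -rf "$tmp"
```

To use it on a real file, call `lint_config /path/to/config.toml` (for example by sourcing the script) and wire it into whatever starts the container; a non-zero exit means traefik should not be started. The subnet check is deliberately a prefix match on the literal address, so a backend given by hostname rather than IP is reported as outside the tunnel and has to be reviewed by hand.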
The example configuration builds on the image from the concept earlier. We would realise the following:
For a more detailed description of how to configure traefik, please refer to traefik.io. Note that the configuration above uses the Traefik 1.x format (frontends and backends); Traefik 2.x replaced it with routers, services and middlewares, so the file has to be rewritten if the container runs a 2.x release.
On the router side we assume that you have already set up OpenVPN.