{"id":489,"date":"2020-03-03T16:47:57","date_gmt":"2020-03-03T15:47:57","guid":{"rendered":"http:\/\/crudelis.fr\/site\/sblog\/?p=489"},"modified":"2022-07-30T18:16:12","modified_gmt":"2022-07-30T16:16:12","slug":"yunohost-inside-yunohost-through-a-vpn","status":"publish","type":"post","link":"https:\/\/crudelis.fr\/site\/sblog\/2020\/03\/yunohost-inside-yunohost-through-a-vpn\/","title":{"rendered":"YunoHost inside YunoHost through a VPN"},"content":{"rendered":"

Into this post we're going to see how to deploy a YunoHost<\/a> server into an existing YunoHost server by using LXC<\/a> in order to configure the guest YunoHost to connect throught ProtonVPN<\/a>.<\/p>\r\n

The idea is to isolate a service behind a VPN, but still using the convenience of YunoHost. Without affecting the whole server and all the services it provides.<\/p>\r\n\r\n\r\n

Install LXC<\/h2>\r\n\r\n\r\n\r\n

First things first, let's install LXC:<\/p>\r\n\r\n\r\n\r\n

sudo apt update\r\nsudo apt install lxc lxctl<\/code><\/pre>\r\n\r\n\r\n\r\n
Host network configuration<\/h2>\r\n\r\n\r\n\r\n
Allow the kernel to forward traffic:<\/p>\r\n\r\n\r\n\r\n
echo \"net.ipv4.ip_forward=1\" | sudo tee \/etc\/sysctl.d\/lxc_ynh.conf\r\nsudo sysctl -p \/etc\/sysctl.d\/lxc_ynh.conf<\/code><\/pre>\r\n\r\n\r\n\r\n
Add a bridge to route the traffic between the host and the LXC guest:<\/p>\r\n\r\n\r\n\r\n
sudo nano \/etc\/network\/interfaces.d\/lxc_ynh<\/code><\/pre>\r\n\r\n\r\n\r\n
auto lxc_ynh\r\n    iface lxc_ynh inet static\r\n    address 10.1.5.1\/24\r\n    bridge_ports none\r\n    bridge_fd 0\r\n    bridge_maxwait 0\r\n    up iptables -A FORWARD -i lxc_ynh -o eth0 -j ACCEPT\r\n    up iptables -A FORWARD -i eth0 -o lxc_ynh -j ACCEPT\r\n    up iptables -t nat -A POSTROUTING -s 10.1.5.0\/24 -j MASQUERADE<\/code><\/pre>\r\n\r\n\r\n\r\n
Then start the bridge:<\/p>\r\n\r\n\r\n\r\n
sudo ifup lxc_ynh --interfaces=\/etc\/network\/interfaces.d\/lxc_ynh<\/code><\/pre>\r\n\r\n\r\n\r\n
Create the container<\/h2>\r\n\r\n\r\n\r\n
Create a minimalist Debian container:<\/p>\r\n\r\n\r\n\r\n
sudo lxc-create -n lxc_ynh -t debian -- -r buster<\/code><\/pre>\r\n\r\n\r\n\r\n
Container configuration<\/h2>\r\n\r\n\r\n\r\n
The container configuration will be done into the file \/var\/lib\/lxc\/lxc_ynh\/config<\/code><\/p>\r\n\r\n\r\n\r\n
sudo nano \/var\/lib\/lxc\/lxc_ynh\/config<\/code><\/pre>\r\n\r\n\r\n\r\n
Remove the line lxc.net.0.type = empty<\/code>
And add the following ones:<\/p>\r\n\r\n\r\n\r\n
# Network\r\nlxc.net.0.type = veth\r\nlxc.net.0.flags = up\r\nlxc.net.0.link = lxc_ynh\r\nlxc.net.0.name = eth0\r\nlxc.net.0.hwaddr = 00:FF:AA:00:00:01\r\nlxc.net.0.ipv4.address = 10.1.5.10\r\nlxc.net.0.ipv4.gateway = 10.1.5.1\r\n\r\n# Autostart\r\nlxc.start.auto = 1<\/code><\/pre>\r\n\r\n\r\n\r\n
First steps with the container<\/h2>\r\n\r\n\r\n\r\n
Start the LXC container:<\/p>\r\n\r\n\r\n\r\n
sudo lxc-start -n lxc_ynh -d<\/code><\/pre>\r\n\r\n\r\n\r\n
And update the apt cache (That's also a way to check if the network is working):<\/p>\r\n\r\n\r\n\r\n
sudo lxc-attach -n lxc_ynh -- apt-get update<\/code><\/pre>\r\n\r\n\r\n\r\n
If the container fails to resolve domain names, you likely have to change the dns for the next steps.\r\n\r\nGo to the file \/var\/lib\/lxc\/lxc_ynh\/rootfs\/etc\/resolv.conf<\/code> and replace 127.0.0.1 by a dns address you want, your gateway is usually a good choice.<\/pre>\r\n\r\n\r\n\r\n
Now that the network is working into your container, install the packages needed for a fully working Debian:<\/p>\r\n\r\n\r\n\r\n
sudo lxc-attach -n lxc_ynh -- apt-get install -y aptitude sudo git ssh openssh-server\r\nsudo lxc-attach -n lxc_ynh -- aptitude install -y ~pstandard ~prequired ~pimportant<\/code><\/pre>\r\n\r\n\r\n\r\n
You now have a perfectly working Debian into a LXC container.
So, now let's go directly into the container:<\/p>\r\n\r\n\r\n\r\n
sudo lxc-attach -n lxc_ynh -- \/bin\/bash<\/code><\/pre>\r\n\r\n\r\n\r\n
This is one of the best way to go into your container to have a proper terminal to work. Could be useful to keep that for further operations.<\/pre>\r\n\r\n\r\n\r\n
Install YunoHost into the container<\/h2>\r\n\r\n\r\n\r\n
 Now that we're into the container, you'll notice that the prompt has changed to root@lxc_ynh<\/code>, we're going to use that syntax for every command to use into the container.

And first, we're going to install YunoHost:<\/p>\r\n\r\n\r\n\r\n
root@lxc_ynh:\/# git clone https:\/\/github.com\/YunoHost\/install_script \/tmp\/install_script\r\nroot@lxc_ynh:\/# cd \/tmp\/install_script; .\/install_yunohost -a\r\nroot@lxc_ynh:\/# yunohost tools postinstall\r\nroot@lxc_ynh:\/# yunohost user create MYUSER<\/code><\/pre>\r\n\r\n\r\n\r\n
Change MYUSER<\/code> by the name you want for your user.<\/pre>\r\n\r\n\r\n\r\n
To ease the usage of a Let's Encrypt certificate, we're going to let the host handle it.
First we're going to share the certificates between the host and the guest by mounting the directory into the container.
In order to do so, we're going back to the file \/var\/lib\/lxc\/lxc_ynh\/config<\/code><\/p>\r\n\r\n\r\n\r\n
sudo nano \/var\/lib\/lxc\/lxc_ynh\/config<\/code><\/pre>\r\n\r\n\r\n\r\n
Please notice that there isn't the prompt root@lxc_ynh<\/code> as said before. This command has to be executed into the host, not the container.<\/pre>\r\n\r\n\r\n\r\n
And add these few lines<\/p>\r\n\r\n\r\n\r\n
# Mount between host and guest\r\n# SSL Certificates\r\nlxc.mount.entry=\/etc\/yunohost\/certs etc\/yunohost\/certs none ro,bind 0 0<\/code><\/pre>\r\n\r\n\r\n\r\n
Yet, after a restart of the container, ssl-cert<\/code> will probably have a problem to read the certificate because of the mapping of the groups between the host and the LXC guest.
And, as the certificates are not readable except by root<\/code> and ssl-cert<\/code>, ldap will fail to read it...<\/p>\r\n\r\n\r\n\r\n
Start by checking the permissions<\/p>\r\n\r\n\r\n\r\n
root@lxc_ynh:\/# ls -l \/etc\/yunohost\/certs\/<\/code><\/pre>\r\n\r\n\r\n\r\n
All files should belong to root:ssl-cert. If not, you have an issue with the gid of ssl-cert. To fix that, we will modify the gid to have the same than the host.<\/p>\r\n\r\n\r\n\r\n
First, find the gid of ssl-cert into the host<\/p>\r\n\r\n\r\n\r\n
cat \/etc\/group | grep ssl-cert<\/code><\/pre>\r\n\r\n\r\n\r\n
Then find the current group using that gid into the guest<\/p>\r\n\r\n\r\n\r\n
root@lxc_ynh:\/# cat \/etc\/group | grep 'gid ssl-cert'<\/code><\/pre>\r\n\r\n\r\n\r\n
Change the gid of the group impersonating ssl-cert gid and change the ownership of its files.<\/p>\r\n\r\n\r\n\r\n
root@lxc_ynh:\/# groupmod -g 'free gid' 'impersonating group'\r\nroot@lxc_ynh:\/# find \/ -group 'free gid' -exec chgrp -h 'impersonating group' {} \\;<\/code><\/pre>\r\n\r\n\r\n\r\n
Then give ssl-cert its correct gid so it would be the same as the host.<\/p>\r\n\r\n\r\n\r\n
root@lxc_ynh:\/# groupmod -g 'gid ssl-cert' ssl-cert<\/code><\/pre>\r\n\r\n\r\n\r\n
Now ssl-cert<\/code> will be able to read correctly the certificates, as its gid is the same as the host.<\/p>\r\n\r\n\r\n\r\n
Configure the host to access the container<\/h2>\r\n\r\n\r\n\r\n
Into the admin panel of your host YunoHost, add the domain you have chosen for your guest YunoHost during the post install just before.<\/p>\r\n\r\n\r\n\r\n
If has to be the same, otherwise, the redirection and the certificate won't match<\/pre>\r\n\r\n\r\n\r\n
And install a Let's Encrypt certificate for this new domain.<\/p>\r\n\r\n\r\n\r\n
Now, we need to redirect the request to this domain toward the container.
To do that, we're going to use the easy way by installing the app redirect<\/a> with the following configuration:<\/p>\r\n\r\n\r\n\r\n
Choose a domain for your redirect: The domain you used for your YunoHost into the container.\r\nChoose a path for your redirect:   \/\r\nRedirect destination path:         https:\/\/10.1.5.10\r\nRedirect type:                     Proxy, insivible [...]. Everybody will be able to access it.<\/code><\/pre>\r\n\r\n\r\n\r\n
Don't worry about the warning, we're not going to install anything else for that domain into this YunoHost. Everything else will be installed into the guest YunoHost.<\/pre>\r\n\r\n\r\n\r\n
If you're not using YunoHost, you should configure the domain yourself and handle the certificate.\r\nFor the redirection to the container, you'll need a nginx proxy pass instruction.\r\nHere the nginx config set while using the app redirect_ynh:\r\n\r\nlocation \/ {\r\n   proxy_pass        https:\/\/10.1.5.10;\r\n   proxy_redirect    off;\r\n   proxy_set_header  Host $host;\r\n   proxy_set_header  X-Real-IP $remote_addr;\r\n   proxy_set_header  X-Forwarded-Proto $scheme;\r\n   proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;\r\n   proxy_set_header  X-Forwarded-Host $server_name;\r\n   proxy_set_header  X-Forwarded-Port $server_port;\r\n\r\n   proxy_http_version 1.1;\r\n   proxy_set_header Upgrade $http_upgrade;\r\n   proxy_set_header Connection \"upgrade\";\r\n }<\/code><\/pre>\r\n\r\n\r\n\r\n
Enjoy it<\/h2>\r\n\r\n\r\n\r\n
In order to mount the certificate, and shake up a little bit all the stuff, let's restart the container:<\/p>\r\n\r\n\r\n\r\n
sudo lxc-stop -n lxc_ynh\r\nsudo lxc-start -n lxc_ynh -d<\/code><\/pre>\r\n\r\n\r\n\r\n
Now, from a not to bothering browser (be careful with any cache you may have) you should be able to reach your guest YunoHost from the domain name you've chosen.<\/p>\r\n\r\n\r\n\r\n
It can be useful to go into private browsing to avoid any cache that would got you some trouble.<\/pre>\r\n\r\n\r\n\r\n
While you should reach the portal of your guest YunoHost, you won't be able to reach the admin panel.\r\nFortunately, you still have the CLI command available.\r\nI hope to find a way to fix that issue...<\/em><\/pre>\r\n\r\n\r\n\r\n
Configure the container to support a VPN connection<\/h2>\r\n\r\n\r\n\r\n
The container is unable to connect to a VPN because it doesn't have a TUN interface.
We're going to add that interface, by adding those lines to the config file \/var\/lib\/lxc\/lxc_ynh\/config<\/code>:<\/p>\r\n\r\n\r\n\r\n
# VPN specific configuration\r\nlxc.autodev = 1\r\nlxc.cgroup.devices.allow = c 10:200 rwm\r\nlxc.hook.autodev = sh -c \"cd ${LXC_ROOTFS_MOUNT}\/dev; mkdir -p net; test -e net\/tun || mknod net\/tun c 10 200\"<\/code><\/pre>\r\n\r\n\r\n\r\n
Then restart the container:<\/p>\r\n\r\n\r\n\r\n
sudo lxc-stop -n lxc_ynh\r\nsudo lxc-start -n lxc_ynh -d<\/code><\/pre>\r\n\r\n\r\n\r\n
Now that the container can have a VPN client, let's install the open source CLI client for ProtonVPN<\/a> into the container:<\/p>\r\n\r\n\r\n\r\n
root@lxc_ynh:\/# apt install openvpn dialog python3-pip python3-setuptools iptables-persistent\r\nroot@lxc_ynh:\/# sudo pip3 install protonvpn-cli<\/code><\/pre>\r\n\r\n\r\n\r\n
Configure the VPN:<\/p>\r\n\r\n\r\n\r\n
root@lxc_ynh:\/# sudo protonvpn init<\/code><\/pre>\r\n\r\n\r\n\r\n
Note that you need sudo here to run the cli ProtonVPN app.<\/pre>\r\n\r\n\r\n\r\n
The VPN client is configured, but not yet connected. You can run the command protonvpn status<\/code> to see that you're not connected to the VPN.
So first, connect to the VPN:<\/p>\r\n\r\n\r\n\r\n
root@lxc_ynh:\/# sudo protonvpn connect -f\r\nroot@lxc_ynh:\/# sudo protonvpn status<\/code><\/pre>\r\n\r\n\r\n\r\n
Find all the available commands of the app here<\/a>.<\/pre>\r\n\r\n\r\n\r\n
Your guest YunoHost, into its LXC container is now protected behind the VPN.
But as soon as you will restart the container, the VPN will be disconnected.
To prevent that situation, we're going to create a systemd config for the ProtonVPN app.
Since a documentation already exist, let's follow it: https:\/\/github.com\/ProtonVPN\/protonvpn-cli-ng\/blob\/master\/USAGE.md#via-systemd-service<\/a><\/p>\r\n\r\n\r\n\r\n
This systemd config has to be added into the LXC container.<\/pre>\r\n\r\n\r\n\r\n
You're all set<\/h2>\r\n\r\n\r\n\r\n
Everything should be ok now.
You can restart your container to make sure everything is working and you're still connected to the VPN.<\/p>\r\n\r\n\r\n\r\n
And now it's time to install the services you want into your YunoHost https:\/\/yunohost.org\/#\/apps<\/a><\/p>\r\n\r\n\r\n\r\n
If you want to use a multimedia app, it can be useful to mount your \/home\/yunohost.multimedia into the LXC container to share the media between both the host and the guest.\r\n\r\nCreate first the directory:\r\nsudo mkdir \/var\/lib\/lxc\/lxc_ynh\/rootfs\/home\/yunohost.multimedia<\/code>\r\nAnd add a mount line into \/var\/lib\/lxc\/lxc_ynh\/config<\/code>:\r\nlxc.mount.entry=\/home\/yunohost.multimedia home\/yunohost.multimedia none bind 0 0<\/code>\r\nRestart the container and that's ok.<\/pre>\r\n\r\n\r\n\r\n
<\/p>\r\n","protected":false},"excerpt":{"rendered":"
Into this post we're going to see how to deploy a YunoHost server into an existing YunoHost server by using LXC in order to configure the guest YunoHost to connect throught ProtonVPN. The idea is to isolate a service behind a VPN, but still using the convenience of YunoHost. Without affecting the whole server and […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_links_to":"","_links_to_target":""},"categories":[3],"tags":[],"class_list":["post-489","post","type-post","status-publish","format-standard","hentry","category-home-server"],"_links":{"self":[{"href":"https:\/\/crudelis.fr\/site\/sblog\/wp-json\/wp\/v2\/posts\/489","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/crudelis.fr\/site\/sblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/crudelis.fr\/site\/sblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/crudelis.fr\/site\/sblog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/crudelis.fr\/site\/sblog\/wp-json\/wp\/v2\/comments?post=489"}],"version-history":[{"count":33,"href":"https:\/\/crudelis.fr\/site\/sblog\/wp-json\/wp\/v2\/posts\/489\/revisions"}],"predecessor-version":[{"id":914,"href":"https:\/\/crudelis.fr\/site\/sblog\/wp-json\/wp\/v2\/posts\/489\/revisions\/914"}],"wp:attachment":[{"href":"https:\/\/crudelis.fr\/site\/sblog\/wp-json\/wp\/v2\/media?parent=489"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/crudelis.fr\/site\/sblog\/wp-json\/wp\/v2\/categories?post=489"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/crudelis.fr\/site\/sblog\/wp-json\/wp\/v2\/tags?post=489"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}