Deploy your own virtualized VPN: What it is, how it works, and step-by-step guide

Oct 15, 2024

In today’s world, especially with the rise of remote work, companies need secure and efficient solutions to connect remote offices, mobile workers, and internal networks. One of the most widely used tools for this purpose is a VPN (Virtual Private Network), which allows organizations to establish encrypted and protected connections over the internet. In this article, we’ll explore the basics of VPNs, how they work in a business context, and, finally, show you how to deploy your own VPN on a self-managed server using Docker, simplifying the management and maintenance of your network infrastructure.

What is a VPN?

A VPN (Virtual Private Network) is a technology solution that allows both businesses and individuals to create secure, encrypted connections between remote devices and internal networks over the internet. Originally designed to securely connect remote offices to private internal networks, VPNs have evolved into a key tool in modern network infrastructures.

In a business context, VPNs are used to ensure that remote employees can securely access internal network resources from anywhere in the world. Moreover, they offer an effective way to unify distributed networks, enabling companies to expand their infrastructure without compromising security.

How does a VPN work?

A VPN works as an intermediary between your device and the network you wish to connect to. Instead of sending your traffic directly over the internet, your device establishes an encrypted connection with a VPN server, which then forwards your traffic to its final destination. This process is known as a “VPN tunnel,” and it’s responsible for keeping your data secure throughout the transfer.

The most commonly used VPN protocols are OpenVPN and WireGuard. Both are secure and widely used, but they differ in their approach and performance. OpenVPN is a mature and stable protocol, whereas WireGuard is more modern and efficient, though still in development. The choice between the two depends on your specific needs and preferences.

VPN use cases for businesses

VPNs are a crucial tool for businesses of all sizes, providing secure and remote connectivity. Some of the most common use cases in a corporate environment include:

  • Connectivity between offices and remote employees: Companies with multiple branches or remote employees can use VPNs to create a unified and secure network environment.
  • Remote access to internal resources: VPNs allow employees to securely access servers, databases, or internal tools from anywhere in the world, ensuring productivity without compromising security.
  • Protection for remote connections: Employees who travel or work from public Wi-Fi networks can use a corporate VPN to encrypt their connection and protect sensitive information.
  • Reduction in operational costs: Instead of using dedicated connections like MPLS, businesses can use VPNs to transmit data between offices over the internet, thereby reducing infrastructure costs.
  • Access to global enterprise systems: VPNs allow international companies to connect their offices across different countries to a single internal network, ensuring seamless global communication.

Deploying a business VPN with Docker

Deploying a business VPN with Docker allows companies to maintain full control over their infrastructure, ensuring both security and performance. Docker makes it easy and fast to deploy, reducing the complexities of managing physical servers. This solution is ideal for businesses that need secure connections between their offices or for employees who require remote access to the internal network from any location.

Docker is a platform that allows you to package applications and services in isolated environments. This provides businesses with a secure, portable, and easy-to-manage environment for their VPN, ensuring a reliable infrastructure with minimal technical overhead.

Tools to deploy your own VPN

There are several tools available that allow you to deploy a customized VPN, such as OpenVPN or WireGuard®, among others. However, self-hosting a VPN does come with certain technical challenges. It requires knowledge of how to configure and maintain the service. Additionally, the administrator is responsible for keeping the software up to date and protected from potential vulnerabilities.

Simplified deployment with Docker

Thanks to modern virtualization tools like Docker, it’s possible to deploy a VPN service in just a few minutes without dealing with complex server configurations. To follow this practical example, make sure you have Docker installed on your machine. If you haven’t installed it yet, you can find the installation instructions on the official Docker website.

Setting up the environment with Docker

In this example, we will use a preconfigured Docker image for OpenVPN, the kylemanna/docker-openvpn image, one of the most complete and popular implementations for deploying OpenVPN in Docker. Unlike the official image, it includes additional tools that make VPN management easier, such as scripts for automatically generating certificates and keys, simplifying the PKI setup. Additionally, it has the backing of an active community, ensuring regular updates and improvements. This option is ideal for testing environments or scenarios where ease of setup and flexibility are prioritized.

However, for production environments, it’s advisable to consider using the official OpenVPN image. It offers greater stability and long-term support, which are crucial factors when ensuring a reliable and secure service in critical infrastructures. Using the official version may be the better choice when security and long-term maintenance are top priorities.

Open a terminal and execute the following command to generate the necessary configuration files. For local testing, you can use localhost or the local IP address of your machine. For production environments, you must use the public IP address of the server to ensure external clients can connect to the VPN:


  docker run -v $(pwd)/openvpn-data/conf:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://PUBLIC_IP_ADDRESS


This command will create a folder named openvpn-data (with a conf subdirectory), where all the configuration files will be stored. Now is the right time to initialize the PKI (Public Key Infrastructure) required for the OpenVPN server. To do this, run the following command:


  docker run -v $(pwd)/openvpn-data/conf:/etc/openvpn -v $(pwd)/openvpn-data/pki:/etc/easyrsa/pki --rm -it kylemanna/openvpn ovpn_initpki


You will be prompted for a passphrase for the CA private key (and asked for it again when the server certificate is signed); this key is what secures the trust between the VPN server and its clients. It’s crucial to remember this passphrase, as it will be needed for future modifications or when adding new clients. You will also be asked to provide some details for the Certificate Authority (CA), such as its common name, which are needed to generate the certificates. Note that the CA key is written to the openvpn-data directory on the host, so restrict access to that directory and back it up.

Starting the VPN Server

Once all the configuration files and certificates are ready, you can start the VPN server with Docker using the following command:


  docker run -v $(pwd)/openvpn-data/conf:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn


The -p 1194:1194/udp parameter indicates that the VPN server will listen on port 1194 UDP, which is the default port, while --cap-add=NET_ADMIN grants the container the capability it needs to create the tun interface and configure routing and NAT for VPN clients. If everything has been set up correctly, the container ID should appear on your screen.

To launch and manage the service in a more structured and repeatable way, we will use a docker-compose.yml file. Stop the container started above first (docker stop followed by its ID), since both would bind UDP port 1194:


  version: "2"

  services:
    openvpn:
      image: kylemanna/openvpn
      cap_add:
        - NET_ADMIN
      devices:
        - /dev/net/tun
      ports:
        - "1194:1194/udp"
      sysctls:
        - net.ipv6.conf.default.forwarding=1
        - net.ipv6.conf.all.forwarding=1
      volumes:
        - ./openvpn-data/conf:/etc/openvpn


Save the docker-compose.yml file in the same folder where the configuration files are located and execute the following command to start the VPN server (on recent Docker installations the equivalent is docker compose up -d):


  docker-compose up -d


This command will start the VPN server in the background, allowing you to manage it more easily. You can check the status of the running containers with the following command:


  docker ps


Generating certificates for clients

Once the VPN server is up and running, it’s time to generate the necessary certificates for the clients that will connect to the server. To do this, run the following command:


  docker run -v $(pwd)/openvpn-data/conf:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass


Replace CLIENTNAME with the name you want to assign to the client. This command will generate a certificate and a key for the specified client. If you prefer to protect the certificate with a password, simply omit the nopass parameter. Once the certificate has been generated, you can export it to an .ovpn file to import it into your preferred VPN client. This way, you can connect to the VPN server from any compatible device.


  docker run -v $(pwd)/openvpn-data/conf:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > $(pwd)/CLIENTNAME.ovpn

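Before distributing an exported profile, a quick offline check catches the two mistakes this walkthrough makes easy: an incomplete export and a remote line still pointing at a local test address instead of the server’s public IP. The script below is an added example, not part of the kylemanna image or of this article; the function names and the constructed sample profile are assumptions.

```shell
#!/bin/sh
# Sanity-check a client profile exported by ovpn_getclient before handing it out.
# Added example: function names and the sample profile below are assumptions.
# Return 0 when the profile carries every inline block and directive a client needs.
profile_is_complete() {
  f="$1"
  for tag in ca cert key tls-auth; do
    grep -q "^<$tag>" "$f" || { echo "missing <$tag> block" >&2; return 1; }
    grep -q "^</$tag>" "$f" || { echo "unterminated <$tag> block" >&2; return 1; }
  done
  # Without this, any certificate issued by the CA (e.g. another client) could pose as the server.
  grep -q '^remote-cert-tls server' "$f" || { echo "missing remote-cert-tls server" >&2; return 1; }
  grep -q '^remote ' "$f" || { echo "missing remote line" >&2; return 1; }
}
# Print the host from the remote line, e.g. "remote 203.0.113.10 1194 udp" -> 203.0.113.10.
profile_remote_host() {
  awk '$1 == "remote" { print $2; exit }' "$1"
}
# Return 0 if the host is reachable from outside: reject localhost and RFC 1918
# addresses, which only work for the local test described in the article.
remote_is_public() {
  case "$1" in
    localhost|127.*|10.*|192.168.*) return 1 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
  esac
  return 0
}
# Constructed sample profile with placeholder PEM bodies (no real key material).
SAMPLE_OVPN="${TMPDIR:-/tmp}/sample_client.ovpn"
cat > "$SAMPLE_OVPN" <<'EOF'
client
remote-cert-tls server
remote 203.0.113.10 1194 udp
<key>
PLACEHOLDER
</key>
<cert>
PLACEHOLDER
</cert>
<ca>
PLACEHOLDER
</ca>
key-direction 1
<tls-auth>
PLACEHOLDER
</tls-auth>
EOF
if profile_is_complete "$SAMPLE_OVPN" && remote_is_public "$(profile_remote_host "$SAMPLE_OVPN")"
then echo "profile OK, remote $(profile_remote_host "$SAMPLE_OVPN")"; else echo "profile needs attention" >&2; fi
```

Run it against a real CLIENTNAME.ovpn by pointing SAMPLE_OVPN at that file; a profile generated with localhost or a LAN address in ovpn_genconfig is flagged rather than shipped to a remote user.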

So far, we’ve explored how to virtualize a VPN using Docker, but the issue is that we’re doing this in a local environment, which doesn’t fully utilize the advantages of a VPN since they are typically used to connect devices across different locations. To address this, you’ll need a remote server to deploy your VPN.

For this, you can use a cloud service provider like Linode, Google Cloud, Azure, or AWS. These providers offer affordable virtual servers with a wide range of configuration options. Once you’ve set up your server, you can follow the same steps we’ve outlined above to deploy your VPN in the cloud, wherever your server is located.

If you are outside of Spain and need a VPN in this country, I recommend using a VPS from Raiola Networks, a hosting provider with servers in Spain (specifically Madrid). Raiola Networks offers a wide range of hosting services, including VPS, dedicated servers, and web hosting. Additionally, they have excellent technical support and competitive prices.

Connecting to the VPN server

Once you’ve deployed your VPN server in the cloud, you can connect to it from any compatible device. To do this, you’ll need the .ovpn file you generated earlier, as well as a compatible VPN client. If you’re using Linux, you can use NetworkManager to import the .ovpn file and configure the connection. If you’re on macOS or Windows, you can use applications like OpenVPN Connect or Tunnelblick to connect to your VPN server. Simply use the .ovpn file, which contains the necessary configuration to connect to the server.

If you prefer not to self-host a VPN on your own server, you can use third-party services like ProtonVPN. This service allows you to connect to servers in over 50 countries and offers a no-logs policy, ensuring your privacy and anonymity online. Additionally, ProtonVPN uses strong encryption and secure protocols to protect your internet traffic.

Conclusion

In this article, we have reviewed how VPNs are an essential tool for businesses seeking to securely and efficiently connect their employees and offices. We have also shown how it’s possible to deploy a self-managed VPN using Docker, which simplifies administration and gives companies full control over their network infrastructure. With this solution, businesses can ensure secure and scalable connections without relying on third-party providers.
