Docker and OpenVPN

I’m using a vpn based on OpenVPN and when I try to fire up a docker-compose set of containers it fails with:

ERROR: could not find an available, non-overlapping IPv4 address pool among the defaults to assign to the network

A quick session of Duck-jitsu and I found: https://github.com/docker/for-linux/issues/418#issuecomment-491323611

A few simple steps sorted it out for me. Create docker network and use an override to tell compose to use it.

$ docker network create localdev --subnet 10.0.1.0/24

docker-compose.override.yml

version: '3'
networks:
  default:
    external:
      name: localdev

This does mean I’ll have to add it into all my local projects that get pushed upstream, but I can add it to .gitignore to prevent it being included.

Microsoft Azure and Juniper SRX

We’re getting on the Microsoft Office 366 and band wagon. I’m not a Microsoft fan, and think it’s overpriced for the functionality we’ll actually use. This means we need to setup an IPSec VPN between the Juniper SRX and Azure.

Microsoft have a Github page with not just guidance, but specific configuration examples to help do this. Not just with Juniper, but a range of firewalls.

https://github.com/Azure/Azure-vpn-config-samples

We’ve got some consultants in setting up the Azure side of the VPN and once I got into the portal I laughed at how much they were charging for turning on the VPN feature and setting a private key – that’s it! There’s very little control to be able to do anything else and if you want logs to see why things aren’t going to plan, you’d better rely on your own device for that.

After a couple of hours they’d written some PowerShell to gather some information that was stale because we’d already moved on past that particular error.

But that said, the Azure side just works. Get your device side right and do your debugging from there and let Azure sit and just do it’s thing. You have to assume that Azure just works.

Continue reading →

OpenVPN

Some months ago we bought a Barracuda firewall/VPN box to allow IT staff to connect and manage other IT devices securely. The idea was that the Barracuda would not only authenticate them against Active Directory and support two-factor authentication, but also carry out some Network Access Control and only allow devices that meets specific criteria connect to the network. Eg. Must be a domain member with a current Anti-virus and active firewall.

Well it turns out that the Barracuda couldn’t meet these needs. If you wanted to connect to the Barracuda using it’s web interface for portal type access it was fine. It used an agent based NAC and would allow two-factor auth using Google, but sadly not RADIUS.

However, if you wanted to use the network connection feature that is provided by using OpenVPN then you were going to be sadly disappointed.

Continue reading →