VPN Access Quick Guide

🚀 Quick Setup

1. Start VPN Infrastructure

# Start VPN services
docker-compose -f docker-compose-vpn.yml up -d

# Start main services
docker-compose up -d

# Check status
docker ps | grep -E "(wireguard|wg-easy|pihole)"

2. Configure Firewall (One-time setup)

# Generate firewall rules
./scripts/manage-access.sh update-firewall

# Apply rules (requires sudo)
sudo ./firewall-rules.sh

# Verify rules
sudo iptables -L

3. Create VPN Client

# Open WG-Easy web interface
open https://vpn-admin.olanna.ai

# Login with: admin / secureWgPassword123!
# Click "Add Client" and download config

🌐 Service Access Patterns

Public Services (No VPN Required)

# These work from anywhere on the internet:
https://status.olanna.ai        # Status page
https://assets.olanna.ai        # Static files

Administrative Services (Basic Auth Required)

# These require authentication but no VPN:
https://vpn-admin.olanna.ai     # VPN management (admin/secureWgPassword123!)

Private Services (VPN Required)

# These require VPN connection:
https://auth.olanna.ai          # Authentication
https://monitoring.olanna.ai    # Grafana
https://search.olanna.ai        # OpenSearch
https://tracing.olanna.ai       # Jaeger
https://jenkins.olanna.ai       # Jenkins
https://database.olanna.ai      # pgAdmin
https://consul.olanna.ai        # Consul
https://vault.olanna.ai         # Vault
https://nexus.olanna.ai         # Nexus
https://rabbitmq.olanna.ai      # RabbitMQ
https://traefik.olanna.ai       # Traefik Dashboard
https://dns.olanna.ai           # Pi-hole
https://telemetry.olanna.ai     # OpenTelemetry

📱 Client Setup

Desktop (Windows/Mac/Linux)

  1. Download WireGuard client from https://www.wireguard.com/install/
  2. Import configuration from WG-Easy web interface
  3. Connect and test access

Mobile (iOS/Android)

  1. Install WireGuard app from store
  2. Scan QR code from WG-Easy interface
  3. Connect and test access

Command Line (Linux)

# Install WireGuard
sudo apt install wireguard

# Copy config from WG-Easy
sudo cp client-config.conf /etc/wireguard/wg0.conf

# Start VPN
sudo wg-quick up wg0

# Check status
sudo wg show

# Stop VPN
sudo wg-quick down wg0

🔧 Management Commands

View Current Configuration

./scripts/manage-access.sh show-config

Add New VPN-Only Service

# Add a new internal service
./scripts/manage-access.sh add-vpn-service myapp.olanna.ai myapp 8080

# This creates service-labels-myapp.yml - add those labels to your docker-compose.yml

Add New Public Service (⚠️ Use Carefully)

# Add a service accessible from internet
./scripts/manage-access.sh add-public-service api.olanna.ai myapi 3000

Block Additional Ports

# Block a port from public access (VPN still works)
./scripts/manage-access.sh block-port 3306
./scripts/manage-access.sh update-firewall
sudo ./firewall-rules.sh

Test VPN Access

# Test if VPN is working and services are accessible
./scripts/manage-access.sh test-vpn

πŸ› οΈ Troubleshooting

VPN Connection Issues

# Check WireGuard status
docker logs wg-easy

# Check if VPN port is open (WireGuard does not answer unauthenticated packets, so nmap reports open|filtered even when it is working)
nmap -sU -p 51820 vpn.olanna.ai

# Test DNS resolution
nslookup vpn.olanna.ai

Service Access Issues

# Check if connected to VPN
ip addr show | grep "10.8.0"

# Test internal connectivity
ping 172.18.0.10  # Pi-hole DNS

# Check Traefik routing
curl -H "Host: monitoring.olanna.ai" http://172.18.0.X:3000

Firewall Issues

# Check current rules
sudo iptables -L -n

# Check if port is blocked
sudo netstat -tlnp | grep :PORT

# Test from VPN
curl -I https://monitoring.olanna.ai

🔒 Security Best Practices

1. Change Default Passwords

# Update in docker-compose-vpn.yml:
# WG_EASY: secureWgPassword123! -> YOUR_STRONG_PASSWORD
# Pi-hole: 6vmvFh9PuAv1Xo/e -> YOUR_STRONG_PASSWORD

2. Regular Client Management

  • Remove old/unused VPN clients
  • Rotate client certificates periodically
  • Monitor connection logs
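
To support "Remove old/unused VPN clients" and "Monitor connection logs" above, the following is an added example (not part of this guide or the WG-Easy project) that reads the output of `wg show <iface> dump` and lists peers whose last handshake is older than a threshold, or who have never connected. The sample dump embedded in it is constructed with placeholder keys so it runs without a VPN; the `live` mode assumes the container and interface names `wg-easy` and `wg0` used elsewhere in this guide.

```shell
#!/bin/sh
# Added example: flag WireGuard peers that look unused.
# `wg show <iface> dump` is tab-separated: one header line for the interface,
# then one line per peer with the fields
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# where latest-handshake is epoch seconds (0 = the peer has never completed a handshake).

# Usage: stale_peers NOW_EPOCH MAX_IDLE_SECONDS < dump
# Prints "<peer-public-key><TAB>stale <N>d" for peers idle longer than MAX_IDLE_SECONDS
# and "<peer-public-key><TAB>never-connected" for peers with no handshake at all.
stale_peers() {
  awk -v now="$1" -v max="$2" -F '\t' '
    NR == 1 { next }                                              # interface line: skip
    $5 == 0 { printf "%s\tnever-connected\n", $1; next }          # never handshaked
    now - $5 > max { printf "%s\tstale %dd\n", $1, int((now - $5) / 86400) }
  '
}

# Constructed sample dump (placeholder keys, documentation IP ranges), fixed "now",
# so the report can be exercised offline.
SAMPLE_NOW=1700000000
SAMPLE_DUMP=$(
  printf 'IFACE_PRIVKEY_PLACEHOLDER\tIFACE_PUBKEY_PLACEHOLDER\t51820\toff\n'
  printf 'PEER_A_PUBKEY\t(none)\t198.51.100.20:41000\t10.8.0.2/32\t1699990000\t123456\t654321\t25\n'
  printf 'PEER_B_PUBKEY\t(none)\t198.51.100.21:41001\t10.8.0.3/32\t1699000000\t1024\t2048\t25\n'
  printf 'PEER_C_PUBKEY\t(none)\t(none)\t10.8.0.4/32\t0\t0\t0\toff\n'
)

# Report on the sample with a 7-day (604800 s) idle threshold.
report_sample() {
  printf '%s\n' "$SAMPLE_DUMP" | stale_peers "$SAMPLE_NOW" 604800
}

case "${1:-}" in
  sample) report_sample ;;
  # Assumed container/interface names from this guide; adjust to match your deployment.
  live)   docker exec wg-easy wg show wg0 dump | stale_peers "$(date +%s)" 604800 ;;
esac
```

Run `sh stale-peers.sh sample` to see the report on the sample data (peer A is active, B is stale, C never connected), or `sh stale-peers.sh live` on the VPN host. Peers reported here are candidates for removal in the WG-Easy interface; review them rather than deleting automatically, since a laptop on holiday and a leaked config look the same to this check.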

3. Network Monitoring

# Monitor VPN connections
docker exec wg-easy wg show

# Check access logs
docker logs traefik | grep "monitoring.olanna.ai"

4. Emergency Access

If locked out, you can temporarily allow your IP. The rule has no expiry, so remove it again as soon as normal access is restored:

# Add your current IP to firewall (emergency only)
sudo iptables -I INPUT -s $(curl -s ifconfig.me)/32 -j ACCEPT

📊 Network Layout

Internet
    ↓
[Firewall] ← Only ports 22, 80, 443, 51820 allowed
    ↓
[Traefik] ← Routes based on domain + IP source
    ↓
┌─ Public Services (any IP)
│   ├─ auth.olanna.ai
│   ├─ status.olanna.ai
│   └─ assets.olanna.ai
│
└─ VPN Required (10.8.0.0/24 + 172.18.0.0/16 only)
    ├─ monitoring.olanna.ai
    ├─ search.olanna.ai
    ├─ jenkins.olanna.ai
    └─ ... (all other services)

VPN Network: 10.8.0.0/24
Docker Network: 172.18.0.0/16

🎯 Quick Test Checklist

After setup, verify:

  1. ✅ Public services work without VPN
  2. ✅ Private services are blocked without VPN
  3. ✅ VPN client connects successfully
  4. ✅ Private services work with VPN connected
  5. ✅ Firewall blocks direct port access
  6. ✅ DNS resolution works through Pi-hole
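
The following is an added example script (not part of this guide or of `manage-access.sh test-vpn`) that runs checklist items 1 to 4 from a client machine: it detects whether the VPN is up from the 10.8.0.x tunnel address, probes a few public and private hostnames from the guide, and grades each result. The grading policy assumes Traefik answers 403 for requests to an IP-restricted route (the usual behaviour of its IP allow-list middleware) and treats a connection failure as "blocked" too; change `judge` if your deployment denies differently. The decision logic is a pure function so it can be tested without network access.

```shell
#!/bin/sh
# Added example: grade the Quick Test Checklist from the client side.
PUBLIC_URLS="https://status.olanna.ai https://assets.olanna.ai"
PRIVATE_URLS="https://monitoring.olanna.ai https://jenkins.olanna.ai https://vault.olanna.ai"
VPN_PREFIX="10.8.0."   # VPN Network from the guide

# HTTP status for a URL; "000" when no connection could be made (refused or timeout).
http_code() {
  code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "$1" 2>/dev/null)
  echo "${code:-000}"
}

# Checklist item 3: wg-quick puts a 10.8.0.x address on the tunnel interface.
on_vpn() {
  ip -4 addr show 2>/dev/null | grep -q "inet $VPN_PREFIX"
}

# judge CODE VPN(yes|no) PRIVATE(yes|no) -> prints PASS or FAIL
#   public service           : must be reachable (2xx/3xx) whether or not VPN is up
#   private service, on VPN  : reachable, or 401 (we reached the auth gate behind Traefik)
#   private service, off VPN : must be denied (403 from Traefik) or unreachable (000)
judge() {
  case "$3/$2/$1" in
    no/*/2[0-9][0-9] | no/*/3[0-9][0-9])                       echo PASS ;;
    yes/yes/2[0-9][0-9] | yes/yes/3[0-9][0-9] | yes/yes/401)  echo PASS ;;
    yes/no/403 | yes/no/000)                                   echo PASS ;;
    *)                                                         echo FAIL ;;
  esac
}

# Items 1, 2 and 4: run the probes that apply to the current VPN state.
# Returns 0 only if every probe passed.
run_checklist() {
  if on_vpn; then vpn=yes; else vpn=no; fi
  echo "VPN connected: $vpn"
  fail=0
  for u in $PUBLIC_URLS; do
    c=$(http_code "$u"); r=$(judge "$c" "$vpn" no)
    echo "$r  $u  (HTTP $c, public)"; [ "$r" = PASS ] || fail=1
  done
  for u in $PRIVATE_URLS; do
    c=$(http_code "$u"); r=$(judge "$c" "$vpn" yes)
    echo "$r  $u  (HTTP $c, private)"; [ "$r" = PASS ] || fail=1
  done
  return $fail
}

case "${1:-}" in
  run) run_checklist ;;
esac
```

Run `sh vpn-check.sh run` once with the tunnel down and once with it up; both runs should print only PASS lines. Items 5 and 6 (direct port access and Pi-hole resolution) are not covered by this script and still need the port probe and `nslookup` from the Troubleshooting section.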