Reputation: 93
I have this setup on my live server, and I want to be able to access both the Postgres and Redis containers from my local machine. I tried using WireGuard, but doing so now prevents other containers from communicating with Postgres and Redis because these two are using network_mode and are tunneled through WireGuard.
So my objective is:
1- Securely access Postgres and Redis through a VPN and hide these containers from the public.
2- Allow the application and other containers to still connect to Postgres and Redis.
```yaml
services:
  wireguard:
    image: ghcr.io/linuxserver/wireguard
    container_name: wireguard
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=UTC
      - SERVER_URL=my_ip_or_domain
      - SERVER_PORT=51820
      - PEERS=5
      - PEERDNS=auto
      - ALLOWEDIPS=10.0.0.0/24
    volumes:
      - ./config/wireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - "51820:51820/udp"
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      - backend
    restart: unless-stopped

  app:
    image: myimage:latest
    container_name: backend_app
    depends_on:
      - redis
      - postgres
    networks:
      - backend
    restart: unless-stopped

  postgres:
    image: postgres:latest
    environment:
      POSTGRES_DB: '${DB_DATABASE}'
      POSTGRES_USER: '${DB_USERNAME}'
      POSTGRES_PASSWORD: '${DB_PASSWORD}'
    volumes:
      - 'backend-pgsql:/var/lib/postgresql/data'
    network_mode: "service:wireguard"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${DB_USERNAME}"]
      interval: 30s
      timeout: 5s
      retries: 3
    restart: unless-stopped

  redis:
    image: redis:alpine
    volumes:
      - 'backend-redis:/data'
    network_mode: "service:wireguard"
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 30s
      timeout: 5s
      retries: 3
    restart: unless-stopped

networks:
  backend:
    driver: bridge

volumes:
  backend-pgsql:
    driver: local
  backend-redis:
    driver: local
```
App accessing postgres and redis
```ini
DB_CONNECTION=pgsql
DB_HOST=postgres
DB_PORT=5432
DB_DATABASE=qa
DB_USERNAME=root
REDIS_CLIENT=predis
REDIS_HOST=redis
REDIS_PASSWORD=null
REDIS_PORT=6379
```
Any suggestions for another setup that allows me to reach my goal are welcome too.
Upvotes: 0
Views: 56
Reputation: 93
I've ditched WireGuard and used OpenSSH instead, to act as a bastion box that allows me to connect to Postgres and Redis and adds one more layer of security instead of exposing the ports publicly.
```yaml
openssh-server:
  image: lscr.io/linuxserver/openssh-server:latest
  container_name: openssh-server
  hostname: openssh-server
  environment:
    - PUID=1000
    - PGID=1000
    - TZ=Etc/UTC
    - USER_NAME=ubuntu
    - SUDO_ACCESS=true
    - PASSWORD_ACCESS=true
    - USER_PASSWORD=${SSH_PASSWORD}
  ports:
    - 2222:2222
  restart: unless-stopped
  volumes: # this is to allow port forwarding (AllowTcpForwarding yes)
    - ./.docker/openssh/sshd_config:/config/ssh_host_keys/sshd_config
  networks:
    - backend
```
Upvotes: 0
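Since the mounted sshd_config is what turns forwarding on, it is also the place to confine the bastion to tunnelling only, and only to the two services; the following is an added example, not the answer's own file, and goes beyond it by also switching to key-only login. It assumes the `postgres` and `redis` service names from the question, that the `ubuntu` user's public key is installed through the image's `PUBLIC_KEY` variable instead of `PASSWORD_ACCESS`/`USER_PASSWORD`, and that the host key path matches where the image generates its keys.

```sshd_config
# Added example: tunnel-only sshd_config for the openssh-server bastion.
# Mount it at /config/ssh_host_keys/sshd_config as in the answer above.

Port 2222
# Assumed path; adjust to the host key file the image generated under /config/ssh_host_keys/.
HostKey /config/ssh_host_keys/ssh_host_ed25519_key

# Key-based login only, for the single bastion user
AllowUsers ubuntu
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30

# The bastion exists only to carry -L tunnels: no shell, no TTY, no other channels.
# PermitOpen matches the destination exactly as the client names it, so clients
# must forward to "postgres" and "redis" (the compose service names), not to IPs.
AllowTcpForwarding local
PermitOpen postgres:5432 redis:6379
GatewayPorts no
AllowAgentForwarding no
AllowStreamLocalForwarding no
X11Forwarding no
PermitTunnel no
PermitTTY no
ForceCommand /bin/false

# Drop idle tunnels so a forgotten session does not linger, and log each forward request
ClientAliveInterval 60
ClientAliveCountMax 3
LogLevel VERBOSE
```

From the local machine, `ssh -N -p 2222 -L 5432:postgres:5432 -L 6379:redis:6379 ubuntu@my_ip_or_domain` then brings both services to localhost, and any other `-L` destination is refused by PermitOpen.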