# Backend demo kit

## 1. Bring containers up

### 1.1 Prepare docker-compose file

The demo backend kit is provided as a set of Docker containers:

* `fendvpn-proxy` - slightly modified official [traefik](https://traefik.io/) containers with embedded configuration files.
* `fendvpn-demo` - simplified implementation of the authorizer and discovery services.
* `fendvpn-tunnel` - tunnel management layer; it handles all client tunnels.

To simplify deployment, we provide an example docker-compose file. Please update the `DOMAIN_NAME` variable to your server's public domain name. It is required to obtain a proper SSL certificate.

```yaml
version: "3.7"

x-shared-variables: 
  &shared-variables
  - DOMAIN_NAME: demo.example.org

services:
  vpn-proxy:
    image: fendvpn/demo-proxy:stable
    container_name: fendvpn-proxy
    ports:
      - 443:443
      - 80:80
    volumes:
      - /opt/fendvpn/acme:/etc/traefik/acme:rw
    environment:
      <<: *shared-variables
    command: 
      - --log.level=DEBUG
      - --providers.file.directory=/traefik

  vpn-demo:
    image: fendvpn/demo:stage
    container_name: fendvpn-demo
    restart: unless-stopped
    volumes:
      - /opt/fendvpn/demo:/opt/fendvpn/demo:rw

  vpn-node:
    image: fendvpn/tunnel:stage
    container_name: fendvpn-tunnel
    ports:
      - 3000:3000/udp
    restart: unless-stopped
    cap_add: 
      - NET_ADMIN
    volumes:
      - /opt/fendvpn/tunnel/config:/opt/fendvpn/tunnel/config:rw
      - /opt/fendvpn/tunnel/trusted_rsa:/opt/fendvpn/tunnel/trusted_rsa:rw
```

### 1.2 Start containers

Once you have finished tuning the docker-compose file to your needs, bring it up:

```
docker-compose -f docker-compose.yaml up -d
```

You can check container status with the `docker ps` command. You should get something like this:

```
f2c4659092b2   fendvpn/demo:stable         "/usr/local/bin/vpn-…"   1 minute ago   Up 32 minutes                                                    fendvpn-demo
4d3abec5c690   fendvpn/demo-proxy:stable   "/wrapper.sh --log.l…"   1 minute ago   Up 32 minutes   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp         fendvpn-proxy
d0ab2489e219   fendvpn/tunnel:stable       "/entrypoint.sh"         1 minute ago   Up 32 minutes   0.0.0.0:3000->3000/udp                           fendvpn-tunnel
```

If the default ports are not suitable for your environment, please change them in both the docker-compose file and the service configuration files (see next section).

## 2. Configure tunnel manager

### 2.1 Overview and first login

By default, the tunnel manager stores its configuration under the `/opt/fendvpn/tunnel` folder. It has the following subfolders:

* `config/` keeps settings and peers.
* `trusted_rsa/` keeps currently configured trusted RSA public keys for verifying JWT.

The tunnel manager provides a web interface. You can open it at `https://<your_server_domain_name>` or by IP address (in this case, please dismiss the invalid certificate warning).

The default username is "admin", and the generated password is written to the logs during the first start. You can get it with the following command:

```
docker logs fendvpn-tunnel 2>&1 | grep "Generated new password"
```

After logging in to the web interface, you can change this password. If you forget your password, edit `/opt/fendvpn/tunnel/config/settings.json`, remove the `admin_password_hash` option and restart the vpn-node container. On startup, it will generate a new password.

### 2.2 Configure Trusted RSA keys

If you're going to use our demo SDK or application, you'll need to configure trusted RSA keys on the tunnel manager side (`fendvpn-tunnel`).

Right after startup, the `fendvpn-demo` container generates its own pair of private and public keys. Initially, the tunnel manager does not know about this key; you need to add it manually.

#### **Get demo public key**

* The key ID is stored in the file `/opt/fendvpn/demo/settings.json` under the option `key_id` (it's in UUID format).
* The public key itself is stored in the file `/opt/fendvpn/demo/public.pem`.

#### **Adding key to tunnel manager**

Open the tunnel manager web interface, go to the "Trusted keys" page, click "Add new", provide the key UUID and the public key in PEM format (as stored in `public.pem`), and save the changes.
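
Before pasting into the form, the two values can be collected and checked from the shell, which also catches the mistake of copying `private.pem` instead of `public.pem`. This is an added example, not part of the FendVPN kit: the function names are hypothetical, it assumes `key_id` is stored as a plain string in `settings.json`, and the sample files at the end are constructed.

```sh
#!/bin/sh
# Added example, not FendVPN code; function names are hypothetical.
DEMO_DIR="${DEMO_DIR:-/opt/fendvpn/demo}"   # default path from this page
UUID_RE='^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'

# Print key_id from settings.json; fail unless it is a well-formed UUID.
# Assumption: the option is stored as a plain "key_id": "<uuid>" string.
get_key_id() {
  kid=$(sed -n 's/.*"key_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
  if printf '%s\n' "$kid" | grep -Eq "$UUID_RE"; then
    printf '%s\n' "$kid"
  else
    echo "key_id missing or not a UUID in $1" >&2
    return 1
  fi
}

# Return 0 for a PEM public key, 2 if private key material is present, else 1.
check_public_pem() {
  if grep -q 'PRIVATE KEY-----' "$1"; then
    echo "$1 holds a private key; never paste it into the form" >&2
    return 2
  fi
  if grep -Eq '^-----BEGIN (RSA )?PUBLIC KEY-----$' "$1" &&
     grep -Eq '^-----END (RSA )?PUBLIC KEY-----$' "$1"; then
    return 0
  fi
  echo "$1 is not a PEM public key" >&2
  return 1
}

# Print both form fields, or fail without printing either.
show_trusted_key() {
  dir="${1:-$DEMO_DIR}"
  id=$(get_key_id "$dir/settings.json") || return 1
  check_public_pem "$dir/public.pem" || return 1
  printf 'Key UUID: %s\nPublic key:\n' "$id"
  cat "$dir/public.pem"
}

# Constructed sample input so the block runs offline (placeholder, not a real key).
sample=$(mktemp -d)
printf '{\n  "project": "Demo project",\n  "key_id": "%s"\n}\n' \
  "123e4567-e89b-42d3-a456-426614174000" > "$sample/settings.json"
printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'constructed-placeholder' \
  '-----END PUBLIC KEY-----' > "$sample/public.pem"
show_trusted_key "$sample"
rm -rf "$sample"
```

To read the real files, call `show_trusted_key` with no argument on the host where `/opt/fendvpn/demo` is mounted.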

### 2.3 Configure server IPv4

By design, the tunneling service has to know the server's public IPv4 address. It is used to generate the client-side configuration. Open the tunnel manager web interface, open the "Settings" page and set the "Server IPv4" option.

### 2.4 Fine-tune tunneling manager

You can fine-tune the tunnel manager by editing the `/opt/fendvpn/tunnel/config/settings.json` file. The table below explains the options.

| Option name             | Meaning                                                       | Default value                               |
| ----------------------- | ------------------------------------------------------------- | ------------------------------------------- |
| log\_level              | Service logging level (debug, info, warning, error)           | "debug"                                     |
| sqlite\_path            | Path to storage of peers                                      | "/opt/fendvpn/tunnel/config/storage.sqlite" |
| static\_path            | Path to web-interface files                                   | "/opt/fendvpn/tunnel/web/"                  |
| trusted\_rsa\_dir       | Directory to store trusted RSA keys                           | "/opt/fendvpn/tunnel/trusted\_rsa/"         |
| wireguard\_name         | Name of wireguard interface                                   | fendwg0                                     |
| admin\_user\_name       | Administrator's login                                         | admin                                       |
| admin\_password\_hash   | Hash of administrator's password                              | Autogenerated                               |
| wg\_server\_ipv4        | Public IP for accessing wireguard (added to connect response) | Empty                                       |
| wg\_server\_port        | Public UDP port for accessing wireguard                       | 3000                                        |
| wg\_listen\_port        | Wireguard listening port                                      | 3000                                        |
| wg\_keepalive           | Wireguard keepalive value, seconds                            | 60                                          |
| wg\_subnet              | Wireguard private subnet                                      | "10.235.0.0/16"                             |
| wg\_private\_key        | Wireguard private key                                         | Autogenerated                               |
| ping\_interval          | Peer ping interval.                                           | 600                                         |
| connection\_timeout     | Maximum peer inactivity interval value, seconds               | 3600                                        |
| http\_listen\_port      | HTTP service listening port                                   | "0.0.0.0:8085"                              |
| access\_token\_lifetime | Administrator's access token lifetime, seconds                | 1800                                        |
| dns                     | Array of DNS servers, sent to client                          | \["8.8.8.8", "8.8.4.4"]                     |

## 3. Fine-tune authorizer and discovery demo container

**Warning! The authorizer and discovery demo suite is designed only to show functionality and does not provide secure operation!**

#### Authorizer and discovery demo suite configuration options

| Option name        | Meaning                                                                              | Default value                   |
| ------------------ | ------------------------------------------------------------------------------------ | ------------------------------- |
| project            | Project name. Used for identifying specific project connection in JWT data.          | "Demo project"                  |
| key\_id            | JWT key identifier.                                                                  | Autogenerated                   |
| issuer             | Issuer field of JWT.                                                                 | "Demo authorizer"               |
| authorizer\_name   | Authorizer name. Used for user ID generation.                                        | "demo"                          |
| private\_key\_path | Path to private RSA key in PEM format (for JWT signing).                             | "/opt/fendvpn/demo/private.pem" |
| public\_key\_path  | Path to public RSA key in PEM format (used during initial configuration generation). | "/opt/fendvpn/demo/public.pem"  |


