FendVPN Docs

Backend demo kit

Deploy your own backend for testing purposes

1. Bring containers up

1.1 Prepare docker-compose file

The demo backend kit is provided as a set of Docker containers:
  • fendvpn-proxy - a slightly modified official Traefik container with embedded configuration files.
  • fendvpn-demo - a simplified implementation of the authorizer and discovery services.
  • fendvpn-tunnel - the tunnel management layer; it handles all client tunnels.
To simplify deployment, we provide an example docker-compose file. Update the DOMAIN_NAME variable to your server's public domain name; it is required to obtain a proper SSL certificate.
version: "3.7"
x-shared-variables:
  &shared-variables
  - DOMAIN_NAME: demo.example.org
services:
  vpn-proxy:
    image: fendvpn/demo-proxy:stable
    container_name: fendvpn-proxy
    ports:
      - 443:443
      - 80:80
    volumes:
      - /opt/fendvpn/acme:/etc/traefik/acme:rw
    environment:
      <<: *shared-variables
    command:
      - --log.level=DEBUG
      - --providers.file.directory=/traefik
  vpn-demo:
    image: fendvpn/demo:stage
    container_name: fendvpn-demo
    restart: unless-stopped
    volumes:
      - /opt/fendvpn/demo:/opt/fendvpn/demo:rw
  vpn-node:
    image: fendvpn/tunnel:stage
    container_name: fendvpn-tunnel
    ports:
      - 3000:3000/udp
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    volumes:
      - /opt/fendvpn/tunnel/config:/opt/fendvpn/tunnel/config:rw
      - /opt/fendvpn/tunnel/trusted_rsa:/opt/fendvpn/tunnel/trusted_rsa:rw

1.2 Start containers

Once you have tuned the docker-compose file to your needs, bring it up:
docker-compose -f docker-compose.yaml up -d
You can check container status with the docker ps command; the output should look something like this:
f2c4659092b2 fendvpn/demo:stable "/usr/local/bin/vpn-…" 1 minute ago Up 32 minutes fendvpn-demo
4d3abec5c690 fendvpn/demo-proxy:stable "/wrapper.sh --log.l…" 1 minute ago Up 32 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp fendvpn-proxy
d0ab2489e219 fendvpn/tunnel:stable "/entrypoint.sh" 1 minute ago Up 32 minutes 0.0.0.0:3000->3000/udp fendvpn-tunnel
If the default ports are not suitable for your environment, change them in both the docker-compose file and the service configuration files (see the next section).

2. Configure tunnel manager

2.1 Overview and first login

By default, the tunnel manager stores its configuration under the /opt/fendvpn/tunnel folder. It has the following subfolders:
  • config/ keeps settings and peers.
  • trusted_rsa/ keeps the currently configured trusted RSA public keys for verifying JWTs.
The tunnel manager provides a web interface. Open it at https://<your_server_domain_name>, or by IP address (in that case the certificate, which is issued for the domain name, will not match, so dismiss the invalid certificate warning).
The default username is "admin", and the generated password is written to the logs during the first start. You can retrieve it with the following command:
docker logs fendvpn-tunnel 2>&1 | grep "Generated new password"
After logging in to the web interface, you can change this password. If you forget your password, edit /opt/fendvpn/tunnel/config/settings.json, remove the "admin_password_hash" option and restart the vpn-node container. After startup, it will generate a new password.

2.2 Configure Trusted RSA keys

If you're going to use our demo SDK or application, you need to configure trusted RSA keys on the tunnel manager side (fendvpn-tunnel).
Right after startup, the fendvpn-demo container generates its own pair of private and public keys. Initially, the tunnel manager does not know about this key; you need to add it manually.

Get demo public key

  • The key ID is stored in the file /opt/fendvpn/demo/settings.json under the key_id option (it is in UUID format).
  • The public key itself is stored in the file /opt/fendvpn/demo/public.pem.

Adding key to tunnel manager

Open the tunnel manager web interface, go to the "Trusted keys" page, click "Add new", provide the key UUID and the public key in PEM format (as stored in public.pem), and save the changes.
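
A pre-flight check for the two values this step asks you to paste, as an added example that is not part of the FendVPN documentation or code: it confirms that key_id parses as a UUID, refuses a private-key PEM, and returns a SHA-256 fingerprint of the decoded key bytes so that copies can be compared. The function name, the sample UUID and the sample PEM bytes are constructed for illustration, and the check covers PEM framing only, not RSA structure.

```python
import base64
import hashlib
import json
import re
import uuid

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s+"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)-----END (?P=label)-----"
)

def load_trusted_key(settings_text, pem_text):
    """Validate key_id and public.pem before they go into "Trusted keys"."""
    # The page states that key_id is in UUID format; anything else is rejected.
    key_id = str(uuid.UUID(json.loads(settings_text)["key_id"]))
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM block found")
    label = match.group("label")
    # private.pem sits next to public.pem and must never be pasted into the form.
    if "PRIVATE" in label:
        raise ValueError("PEM block is a private key, expected public.pem")
    if label not in ("PUBLIC KEY", "RSA PUBLIC KEY"):
        raise ValueError(f"unexpected PEM label: {label}")
    der = base64.b64decode("".join(match.group("body").split()), validate=True)
    return {"key_id": key_id, "pem_label": label,
            "sha256": hashlib.sha256(der).hexdigest()}

# Constructed sample input: placeholder UUID and bytes that are not a real key.
SAMPLE_SETTINGS = '{"key_id": "123e4567-e89b-12d3-a456-426614174000"}'
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.b64encode(b"constructed bytes, not a real RSA key").decode()
              + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    # File locations as given in the steps above.
    with open("/opt/fendvpn/demo/settings.json") as s, \
         open("/opt/fendvpn/demo/public.pem") as p:
        print(load_trusted_key(s.read(), p.read()))
```

Running the same function on the text copied into the form should give the same fingerprint as the file on the demo host.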

2.3 Configure server IPv4

By design, the tunneling service has to know the server's public IPv4 address. It is used to generate the client-side configuration. Open the tunnel manager web interface, go to the "Settings" page and set the "Server IPv4" option.

2.4 Fine-tune tunneling manager

You can fine-tune the tunnel manager by editing the /opt/fendvpn/tunnel/config/settings.json file. The table below explains the options.
| Option name | Meaning | Default value |
| --- | --- | --- |
| log_level | Service logging level (debug, info, warning, error) | "debug" |
| sqlite_path | Path to storage of peers | "/opt/fendvpn/tunnel/config/storage.sqlite" |
| static_path | Path to web-interface files | "/opt/fendvpn/tunnel/web/" |
| trusted_rsa_dir | Directory to store trusted RSA keys | "/opt/fendvpn/tunnel/trusted_rsa/" |
| wireguard_name | Name of wireguard interface | fendwg0 |
| admin_user_name | Administrator's login | admin |
| admin_password_hash | Hash of administrator's password | Autogenerated |
| wg_server_ipv4 | Public IP for accessing wireguard (added to connect response) | Empty |
| wg_server_port | Public UDP port for accessing wireguard | 3000 |
| wg_listen_port | Wireguard listening port | 3000 |
| wg_keepalive | Wireguard keepalive value, seconds | 60 |
| wg_subnet | Wireguard private subnet | "10.235.0.0/16" |
| wg_private_key | Wireguard private key | Autogenerated |
| ping_interval | Peer ping interval. | 600 |
| connection_timeout | Maximum peer inactivity interval value, seconds | 3600 |
| http_listen_port | HTTP service listening port | "0.0.0.0:8085" |
| access_token_lifetime | Administrator's access token lifetime, seconds | 1800 |
| dns | Array of DNS servers, sent to client | ["8.8.8.8", "8.8.4.4"] |
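
A consistency check for settings.json built from the options above, as an added example that is not part of the FendVPN documentation or code: it flags an unset or non-public wg_server_ipv4 (section 2.3), WireGuard ports that no longer match the docker-compose mapping (section 1.2), an invalid wg_subnet and malformed dns entries. The function name and the sample values are constructed, and it assumes the compose port entry is host:container and that dns entries are literal IP addresses.

```python
import ipaddress
import json

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_tunnel_settings(cfg, host_udp_port=3000, container_udp_port=3000):
    """Return findings for a settings.json dict; missing options use the table defaults."""
    findings = []
    # 2.3: this address goes into client configs, so it must be reachable from outside.
    try:
        ip = ipaddress.IPv4Address(cfg.get("wg_server_ipv4") or "")
        if ip.is_loopback or ip.is_unspecified or any(ip in n for n in RFC1918):
            findings.append(f"wg_server_ipv4 {ip} is not a public address")
    except ValueError:
        findings.append("wg_server_ipv4 is empty or not an IPv4 address")
    # 1.2: a changed port must be changed in docker-compose and in settings.json.
    if cfg.get("wg_server_port", 3000) != host_udp_port:
        findings.append("wg_server_port differs from the published UDP port")
    if cfg.get("wg_listen_port", 3000) != container_udp_port:
        findings.append("wg_listen_port differs from the container UDP port")
    # wg_subnet is described as a private subnet: it must parse and sit in RFC 1918 space.
    try:
        net = ipaddress.ip_network(cfg.get("wg_subnet", "10.235.0.0/16"))
        if not any(net.version == 4 and net.subnet_of(n) for n in RFC1918):
            findings.append(f"wg_subnet {net} is outside RFC 1918 space")
    except ValueError:
        findings.append("wg_subnet is not a valid CIDR network")
    # dns is sent to every client, so each entry must be a literal IP address.
    for entry in cfg.get("dns", ["8.8.8.8", "8.8.4.4"]):
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            findings.append(f"dns entry {entry!r} is not an IP address")
    return findings

# Constructed sample, not taken from a real deployment.
SAMPLE = {"wg_server_ipv4": "", "wg_server_port": 51820, "wg_listen_port": 3000,
          "wg_subnet": "10.235.0.1/16", "dns": ["8.8.8.8", "dns.example"]}

if __name__ == "__main__":
    with open("/opt/fendvpn/tunnel/config/settings.json") as fh:
        for finding in audit_tunnel_settings(json.load(fh)):
            print("FINDING:", finding)
```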

3. Fine-tune authorizer and discovery demo container

Warning! The authorizer and discovery demo suite is designed only to show functionality and does not provide secure operation!

Authorizer and discovery demo suite configuration options

| Option name | Meaning | Default value |
| --- | --- | --- |
| project | Project name. Used for identifying specific project connection in JWT data. | "Demo project" |
| key_id | JWT key identifier. | Autogenerated |
| issuer | Issuer field of JWT. | "Demo authorizer" |
| authorizer_name | Authorizer name. Used for user ID generation. | "demo" |
| private_key_path | Path to private RSA key in PEM format (for JWT signing). | "/opt/fendvpn/demo/private.pem" |
| public_key_path | Path to public RSA key in PEM format (used during initial configuration generation). | "/opt/fendvpn/demo/public.pem" |
Last modified 1yr ago