Using a VPN to secure the traffic into my ERPNext server

Hi
I have stumbled onto a problem with my ERPNext server when I install my SSL-cert.
I am still investigating this to see if I can find a solution for my NGINX.

But in the meantime, I am thinking out loud in terms of other solution.

Here is the cenario

  1. My V12.26 ERPNext seem to be working well without an SSL-cert ( VPS on Digital Ocean)
  2. An SSL-cert seem to be breaking my server ( I suspect Nginx ) because
    the ERPNExt function seem to continue. ( Posting elsewhere on this discussion group)
  3. I cannot operate my server without HTTPS that would be irresponsible.
  4. One other way would be to install VPN pipe between my browser and my server.

I have googled this topic and many VPN-names pop up

Question:
Has anyone else done something like this to make a recommendation ?
My VPS server is running Ubuntu 18.04

@johnlongland you can use a combination of fail2ban and ufw to allow traffic from only your specified IP addresses and block all other connection requests. This should not require any VPN service.

What is your main purpose?

HTTPS will encrypt traffic, so nobody can snoop in on your traffic. I guess in terms of confidentiality, that is certainly a need.

The VPN on the other hand will limit access to your server, so only limited people can access your server in the first place.

To limit access, I have secured a few websites with a client certificate, on top of HTTPS. So every user gets a client SSL certificate and this needs to be presented to the server, otherwise you can’t connect to it. This is a simple config in NGINX and should be easy to add.

This requires issuing (and distribution) of the client certs, but it also has the beauty that you can revoke certs and remove access easily. But an OpenVPN server might be a bit easier to handle, as you only need to provide a username/password combo for a user.

Hi @matthkarl and @flexy2ky

Thank you for taking the time to help me.

My goal : to be able to access my ERPNext ( Digital OCean VPS ) in such a way that the traffic
is not clear-text as in HTTP. Yes, HTTPS will encrypt it and that is what I want. But as I
indicated, the problem is, that when I add my SSL-certificates to my ERPNExt-server ,
it seems to break NGINX. Some of the Report buttons on ERPNext starts to malfunction.
No errors are generated so its difficult to see what is going wrong.
( I have made another post about this on this group about this)
And I don’t know why I am the only one battling with securing my server with an SSL-cert.

I am still investigating and hoping to find a solution.

In the meantime I am looking at a VPN. Yes, you are right … a VPN is going to be very limiting
but I am starting off as one-man company anyway, so for now it is not a problem.

Appreciate you taking the time to help me.

If you can share the guide you used in implementing https, it might be easier to help identify why NGINX breaks after you enable ssl. Basically, the only way to encrypt your data from snoopers is to implement https, hence I would suggest this is problem you should be focused on solving.

Thank you @flexy2ky

Here is the link of the procedure I used.

https://frappeframework.com/docs/user/en/bench/guides/configuring-https

I purchased the SSL-certs from the ISP that is hosting all my URL’s ( domains.co.za )

If you could spot something that I did wrong I would really appreciate it. I am very frustrated
to not be able to use my ERPNext server. Lots of data to punch into my server !

here are the versions on my server…

redis 4.0.9
python 3.6.9
nginx 1.14.0
Mariadb 10.4
ERPNext: v12.26.0 (version-12)
Frappe Framework: v12.23.0 (version-12)
Ubuntu 18.04 LTS on 2CPU Digital Ocean droplet with 4G RAM

I suspected as much. Are you using lets encrypt or you got a paid cert. if lets-encrypt then try this method by @bkm in his tutorial. works for me every time:

Thanks you @flexy2ky

I have a paid cert from my service provider that is hosting my URLS/ domains.

I shall look at the procedure you provided and see. I really hope I can spot the problem.

Will revert.

Thanks @flexy2ky, I had a look but it is for lets-encrypt. Even still , I was hoping to see
something, but everything is done via scripts.

I was hoping to be able to compare with the procedure that I use to see if I can spot
something.

To be honest, I have never attempted to use a paid certificate on ERPNext. I would love to test this out myself but this will be later.

You can try using letsencrypt for now while the solution to the issue of using a paid certificate is being sought.

Once again thank you @flexy2ky

I am thinking in the same line as you … to use letsencrypt so long …mmmmm

I have my VPN running but it does pose other problems. I have a URL setup to access
my server …my_url.co.za. And now that I have a VPN running directly into the ERPNext server,
I can no longer use that URL because the only port open is the VPN port and port 80/443
is now closed. So to access the server I have to use its internal address. And this
once again impacts on the installation process because I have to use that IP-address
as my site-name.

I think let me try the lets-encrypt on my one server ( I still have 4 test-servers running ! )

Update

For those that may be interested, I have installed a VPN into my ERPnext server.

I used this video as guideline …

It also shows where to get a client for windows that you can setup to access your ERPNext server.

In my setup I also use a Raspberry Pi terminal at the 3D-printing station so I also had to
setup a client on Raspbian.
I used this guide for it.

So my procedure was …
Install OpenVPN on my VPS server
It generates a xxxx.ovpn file that you use on your client side
You install OpenVPN on whatever client you are using and run the client using the xxxx.ovpn
configuration file ( it already contains the encryption keys )

thats it.

It is not an ideal solution. In my case I have to consider it. The problem is, on a VPS
you have a public IP and an internal IP. The public IP is linked via a URL that is all
managed by the DNS server. So you can access your ERPNext with a URL.
With a VPN you can no longer do that. You shut down the ports 80 and 443
and access your server with the internal IP address. Yes of course you can set
up a name in the hosts-file but that then becomes your site-name. So …
lots of things to consider if one wants to use a VPN.

But it is do-a-ble.

1 Like

Hi @flexy2ky

Just to report … I followed the lets-encrypt procedure and my “Stock Report” buttons
work correctly.

mmmmmmm … still wondering why my first procedure is flawed.

1 Like

I’m not familiar with the installation of nginx together with Frappe (installation via bench setup nginx, as I have used my nginx reverse proxy to have a HTTPS front for ERPNext.

You might want to look for the nginx config files (normally they are in /etc/nginx/sites-available/ or /etc/nginx/sites-enabled/ (they are linked files). My reverse proxy config looks as follows. Maybe you find the problem by comparing with your setup?

server {
    server_name erp.domain.com;

    location / {
        proxy_pass http://192.168.7.18:80;
        proxy_redirect off;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        client_max_body_size 512M;

    }

    access_log /var/log/nginx/erp.domain.com-access.log;
    error_log /var/log/nginx/erp.domain.com-error.log;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/erp.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/erp.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = erp.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name erp.domain.com;

    listen 80;
    return 404; # managed by Certbot
}

Thank you @matthkarl for taking the time to help

And thankyou for sharing your config. I shall have a look. Perhaps O can spot something !