Deploying Konnect™ server on DigitalOcean

As a DigitalOcean partner and Marketplace vendor, we offer Konnect™ access server as a pre-built cloud image for the DigitalOcean cloud. The Konnect™ server image can be deployed directly from the Marketplace listing.

Availability

Our DigitalOcean 1-click image is available in the following data-center regions:

North America

  • Toronto 1
  • New York 1 and 3
  • San Francisco 3

Europe

  • Amsterdam 3
  • London 1
  • Frankfurt 1

Asia

  • Bangalore 1

Oceania

  • Singapore 1

Getting Started

After deploying your Konnect™ 1-click instance, connect to the Droplet via SSH and start the application stack:

ssh root@your_droplet_public_ipv4

cd /opt/konnect
docker compose up -d

When the container stack finishes deploying, the Configuration Wizard will be available at https://your_droplet_public_ipv4 to guide you through the first-time setup.

Important: This initial setup is secured with a setup token. To obtain the setup token for your instance, you can either grab it from the console logs:

docker compose logs | grep "setup token"

or read it from your running instance:

docker exec -it konnect_web_1 /app/bin/rails runner "puts SETUP_TOKEN"

Securing your Deployment

Firewall

The DigitalOcean 1-click application comes pre-configured with a Universal Firewall (UFW) that only allows access to the following ports:

  • SSH (TCP/22)
  • HTTP (TCP/80)
  • HTTPS (TCP/443)
  • WG (UDP/51820)

If you changed your VPN service port during installation, you will need to update the UFW firewall rules accordingly.

SSL / TLS

The DigitalOcean 1-click application comes pre-configured with a self-signed certificate for the Droplet's public IP address. For production deployments, we highly recommend that you assign a DNS name to your instance and assign an SSL/TLS certificate to enable access to the portal via HTTPS. If you do not have a purchased certificate, you can automatically generate a new certificate for your deployment using the Let's Encrypt service (see below).

Let's Encrypt

The application stack's ingress router supports automatic generation and renewal of SSL/TLS certificates using the Let's Encrypt certificate service out-of-the-box.


After assigning a DNS hostname to your Droplet via your DigitalOcean management console, connect to your Konnect™ server via SSH. Then, edit /opt/konnect/docker-compose.yml and uncomment the sections marked with "Let's Encrypt". Make sure you fill out the 'Host' and 'Email' sections correctly (the DNS_NAME and YOUR_EMAIL placeholders), as Let's Encrypt requires them to issue your certificate.

After these edits, the labels section of the web service definition should look like:

services:
  web:
    # ...
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=wg_internal"
      - "traefik.http.services.web.loadbalancer.server.port=5000"
      - "traefik.http.routers.web.rule=Host(`DNS_NAME`)"
      - "traefik.http.routers.web.tls=true"
      - "traefik.http.routers.web.tls.certresolver=le"

and the command section of the traefik service definition should look like:

services:
  # ...
  traefik:
    # ...
    command:
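      # api.insecure=true serves the Traefik API/dashboard without authentication
      # on the "traefik" entrypoint (port 8080 by default); do not publish that port.
      - "--api.insecure=true"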
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesResolvers.le.acme.email=YOUR_EMAIL"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesResolvers.le.acme.tlsChallenge=true"
      - "--certificatesResolvers.le.acme.httpChallenge=true"
      - "--certificatesResolvers.le.acme.httpChallenge.entryPoint=web"
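
Before restarting the stack, it helps to confirm that the Let's Encrypt edits are active and that no placeholder was left behind. The following script is an added example, not part of the vendor's image or documentation; `check_le_config` is a hypothetical helper that only looks for the labels and flags shown on this page, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not vendor code). check_le_config is a hypothetical helper:
# it greps a compose file for the labels/flags shown on this page and
# returns the number of problems found (0 = all checks passed).
check_le_config() {
    # The template ships these sections commented out, so skip comment lines.
    active=$(grep -v '^[[:space:]]*#' "$1" || true)
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }
    has() { printf '%s\n' "$active" | grep -Eiq -- "$1"; }

    has 'traefik\.http\.routers\.web\.rule=Host\(`[^`]+`\)' \
        || fail "no active Host() rule on the web router"
    has 'Host\(`DNS_NAME`\)' && fail "DNS_NAME placeholder not replaced"
    has 'routers\.web\.tls\.certresolver=le("|$)' \
        || fail "web router does not use the 'le' certificate resolver"
    has 'certificatesresolvers\.le\.acme\.email=[^"@ ]+@[^"@ ]+' \
        || fail "ACME email missing or still YOUR_EMAIL"
    has 'certificatesresolvers\.le\.acme\.storage=.' \
        || fail "ACME storage path missing"
    has 'certificatesresolvers\.le\.acme\.(tls|http)challenge=true' \
        || fail "no ACME challenge enabled"
    has 'api\.insecure=true' \
        && echo "WARN: Traefik API/dashboard is enabled without authentication"
    return "$problems"
}

# Constructed sample: the page's template with placeholders left in place
# and the challenge line still commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  web:
    labels:
      - "traefik.http.routers.web.rule=Host(`DNS_NAME`)"
      - "traefik.http.routers.web.tls.certresolver=le"
  traefik:
    command:
      - "--api.insecure=true"
      - "--certificatesResolvers.le.acme.email=YOUR_EMAIL"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      # - "--certificatesResolvers.le.acme.tlsChallenge=true"
EOF
check_le_config "$sample" || echo "$? problem(s) found"
rm -f "$sample"
```

On the Droplet, call it as `check_le_config /opt/konnect/docker-compose.yml`; a return value of 0 means every check passed.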

Database

The DigitalOcean 1-click application automatically generates a strong password for the database included with the application stack on first-time deployment. If you change your database password, don't forget to update the stack configuration file /opt/konnect/docker-compose.yml.

Web Application

The DigitalOcean 1-click application automatically generates a strong session secret for the portal included with the application stack on first-time deployment. To invalidate all existing session cookies, you can change the SECRET_KEY_BASE variable in the stack configuration file /opt/konnect/docker-compose.yml and restart the application stack.