As a DigitalOcean partner and Marketplace vendor, we offer Konnect™ access server as a pre-built cloud image for the DigitalOcean cloud. The Konnect™ server image can be deployed directly from the Marketplace listing.
Our DigitalOcean 1-click image is available in the following data-center regions:
After deploying your Konnect™ 1-click instance, connect to the Droplet via SSH and start the application stack:
ssh root@your_droplet_public_ipv4
cd /opt/konnect
docker compose up -d
When the container stack finishes deploying, the Configuration Wizard will be available at https://your_droplet_public_ipv4 to guide you through the first-time setup.
Important: This initial setup is secured with a setup token. To obtain the setup token for your instance, you can either grab it from the console logs with
docker compose logs | grep "setup token"
or from your running instance with
docker exec -it konnect_web_1 /app/bin/rails runner "puts SETUP_TOKEN"
The DigitalOcean 1-click application comes pre-configured with an Uncomplicated Firewall (UFW) that only allows access to the following ports:
If you changed your VPN service port during installation, you will need to update the UFW firewall rules accordingly.
The DigitalOcean 1-click application comes pre-configured with a self-signed certificate for the Droplet's public IP address. For production deployments, we strongly recommend assigning a DNS name to your instance and installing an SSL/TLS certificate for that name, so that the portal is served over HTTPS with a certificate that clients can validate. If you do not have a purchased certificate, you can automatically generate a new certificate for your deployment using the Let's Encrypt service (see below).
The application stack's ingress router supports automatic generation and renewal of SSL/TLS certificates using the Let's Encrypt certificate service out-of-the-box.
After assigning a DNS hostname to your Droplet via your DigitalOcean management console, connect to your Konnect™ server via SSH. Then, edit /opt/konnect/docker-compose.yml and uncomment the sections marked with "Let's Encrypt". Make sure you correctly fill out the 'Host' and 'Email' sections (the DNS_NAME and YOUR_EMAIL placeholders), as Let's Encrypt requires them to issue your certificate.
In particular, the labels section of the web service definition should look like:
services:
  web:
    # ...
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=wg_internal"
      - "traefik.http.services.web.loadbalancer.server.port=5000"
      - "traefik.http.routers.web.rule=Host(`DNS_NAME`)"
      - "traefik.http.routers.web.tls=true"
      - "traefik.http.routers.web.tls.certresolver=le"
and the command section of the traefik service definition should look like:
services:
  # ...
  traefik:
    # ...
    command:
      # Serves the Traefik API and dashboard without authentication on the
      # "traefik" entrypoint (port 8080 by default); do not publish that port.
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # Redirect all plain-HTTP requests to HTTPS.
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      # Let's Encrypt (ACME) resolver "le", referenced by the web router's certresolver label.
      - "--certificatesResolvers.le.acme.email=YOUR_EMAIL"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesResolvers.le.acme.tlsChallenge=true"
      - "--certificatesResolvers.le.acme.httpChallenge=true"
      - "--certificatesResolvers.le.acme.httpChallenge.entryPoint=web"
The DigitalOcean 1-click application automatically generates a strong password for the database included with the application stack on first-time deployment. If you change your database password, don't forget to update the stack configuration file /opt/konnect/docker-compose.yml.
The DigitalOcean 1-click application automatically generates a strong session secret for the portal included with the application stack on first-time deployment. To invalidate all existing session cookies, you can change the SECRET_KEY_BASE variable in the stack configuration file /opt/konnect/docker-compose.yml and restart the application stack.
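The session-secret rotation described above, as an added example that is not part of the vendor's documentation. It assumes SECRET_KEY_BASE is set on a single line of the compose file, either as "- SECRET_KEY_BASE=<value>" or as "SECRET_KEY_BASE: <value>"; the function name rotate_secret_key_base is hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): rotate SECRET_KEY_BASE in the compose file.
# Assumed layout: "- SECRET_KEY_BASE=<value>" or "SECRET_KEY_BASE: <value>".
set -eu

rotate_secret_key_base() {
  file=$1
  # Fail loudly instead of silently leaving the old secret in place.
  if ! grep -Eq 'SECRET_KEY_BASE[=:]' "$file"; then
    echo "SECRET_KEY_BASE not found in $file" >&2
    return 1
  fi
  # 64 random bytes as 128 hex characters; hex is safe to splice into sed.
  new=$(head -c 64 /dev/urandom | od -An -tx1 | tr -d ' \n')
  # Rollback copy; it holds the old secret and the database password.
  backup="$file.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$file" "$backup"
  chmod 600 "$backup"
  tmp=$(mktemp)
  # Replace only the value; an opening or closing quote is preserved.
  sed -E "s|(SECRET_KEY_BASE[=:][[:space:]]*\"?)[^\"[:space:]]*|\1${new}|" \
    "$file" > "$tmp"
  if ! grep -Fq "$new" "$tmp"; then
    rm -f "$tmp"
    echo "replacement failed, $file left unchanged" >&2
    return 1
  fi
  cat "$tmp" > "$file"   # overwrite in place to keep owner and mode
  rm -f "$tmp"
}

# Run as: sh rotate-secret.sh /opt/konnect/docker-compose.yml
if [ "$#" -eq 1 ]; then
  rotate_secret_key_base "$1"
  # "docker compose restart" keeps the old environment; "up -d" recreates
  # the containers whose configuration changed.
  (cd "$(dirname "$1")" && docker compose up -d)
fi
```

Once the containers have been recreated with the new secret, every existing session cookie fails verification and users have to sign in again.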