I'm building a micro-service system based on Docker Swarm. Some of these services must be accessible for the company's internal use only, like administrative dashboards, DBs, etc. Services are interconnected by Docker's overlay networks, and only public ports are published to the Internet.
What I want to do is to create a simple admin backend overlay network, where any administrative service is connected, and to add an ingress VPN gateway on it, where any authorized client from the Internet can connect and access private internal services, as if the client were directly connected to the same overlay network.
What I thought of was to install an OpenVPN server in a container on that network. I've read a bit around, but I wasn't able to find clear information on this approach. I've found people talking about issues configuring the routing tables, and configuring the DNS to use Docker's one, to be able to resolve services' names instead of machines' IPs.
I'm still learning Docker, and I'm asking what the best pattern is in these cases. How can I restrict access to an overlay network to only authorized external clients, and make them able to access services on the same network?
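One way to lay out the design the question describes, as an added example that is not part of the original post and not any project's own code: a Swarm stack file with a private admin overlay network, two unpublished admin services, and a VPN gateway that is the only member of that network with a port published to the Internet. The image names, the `10.10.0.0/24` subnet, the service names and the placement constraint are all assumptions chosen for illustration.

```yaml
# Added example (not from the question): Docker Swarm stack with a private
# admin overlay network and a VPN gateway as its only Internet-facing member.
# Image names, the subnet and the service names are placeholders.
version: "3.8"

networks:
  admin_backend:
    driver: overlay
    attachable: true             # lets a plain `docker run` container join (see note below)
    ipam:
      config:
        - subnet: 10.10.0.0/24   # constructed; must match the route pushed to VPN clients

services:
  admin_dashboard:
    image: registry.example.internal/admin-dashboard:latest   # placeholder image
    networks: [admin_backend]
    # no "ports:" section: reachable only from admin_backend, never published

  admin_db:
    image: postgres:16                                        # placeholder image
    networks: [admin_backend]
    # likewise unpublished; resolvable inside the network by the name "admin_db"

  vpn_gateway:
    image: registry.example.internal/openvpn:latest           # placeholder image
    networks: [admin_backend]
    ports:
      - "1194:1194/udp"          # the only port this stack exposes to the Internet
    cap_add:
      - NET_ADMIN                # needed to create the tun interface and the NAT rules
    volumes:
      - vpn_config:/etc/openvpn  # server config, CA and per-client certificates
    deploy:
      replicas: 1
      placement:
        constraints: [node.role == manager]   # assumption: pin to one node for a stable endpoint

volumes:
  vpn_config:
```

Three points this layout relies on, stated as assumptions rather than verified steps. Routing: the OpenVPN server config has to push the overlay subnet to clients (here `push "route 10.10.0.0 255.255.255.0"`), and the gateway container has to masquerade traffic leaving on its overlay interface, because the admin services have no route back to the VPN client subnet. DNS: Docker's embedded resolver lives at 127.0.0.11 inside each container's own network namespace, so VPN clients cannot query it directly; the usual workaround is a small forwarder (or a DNAT rule) in the gateway container that listens on the tunnel address and forwards to 127.0.0.11, with that address pushed as the clients' DNS server. Device access: `cap_add` in a stack file needs Docker 20.10 or newer, and Swarm services cannot map `/dev/net/tun`, which is why many setups run the gateway as a regular container (`docker run --cap-add NET_ADMIN --device /dev/net/tun --network admin_backend -p 1194:1194/udp ...`) and why the network above is marked `attachable`. Authorization then rests on the VPN itself: one client certificate per person, revocable through the CA's CRL, with nothing else on `admin_backend` published.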