slocomptech/docker-openvpn

Features:

• OpenVPN running as non-root user (limited permission)
• Containerized (Isolated environment)
• Easy managed (Helper scripts).
• Easy start (Simple first-start guide).
• Easly modified to your needs (see docs).
• Easy scripting (python3 installed).

Usage

Here are some example snippets to help you get started creating a container.

docker

# Normal start command (but you need to setup config first)
docker run \
  --name=ovpn \
  --cap-add NET_ADMIN \
  -e PUID=1000 \
  -e PGID=1000 \
  -p 1194:1194/udp \
  -v </path/o/config>:/config \
  --restart=unless-stopped \
  --network host \
  slocomptech/openvpn:latest

# First config command
docker run \
  --rm -it \
  --cap-add NET_ADMIN \
  -e PUID=1000 \
  -e PGID=1000 \
  -e SKIP_APP=true \
  -v $(pwd)/data:/config
  slocomptech/openvpn:latest bash

docker-compose

version: '2.2'
services:
  ovpn:
    image: slocomptech/openvpn
    container_name: ovpn
    hostname: ovpn
    cap_add:
      - NET_ADMIN
    ports:
      - "1194:1194/udp"
    volumes:
      - ./data:/config
    environment:
      - PUID=1000
      - PGID=1000
    restart: on-failure
    # If you want to build from source add build:
    build:
      context: .
    sysctls: # For IPv6
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.default.forwarding=1
      - net.ipv6.conf.all.forwarding=1
    network_mode: host

Parameters

Parameter	Function
-e CONFIG=test.conf	Config file name
-e FAIL_MODE=hard	Restart whole container on error
-e NO_CRL_UPDATE=true	Disable auto CRL update (used when CA is password protected)
-e NO_CRON=true	Disable Cron for CRL update ...
-e PERSIST_INTERFACE=true	Persist tunnel interface
-e PUID=1000	for UserID - see below for explanation
-e PGID=1000	for GroupID - see below for explanation
-e SKIP_APP=true	Skip app startup
-v /config	All the config files including OpenVPNs reside here
-v /log	Directory for log files (if configured)

See also: EasyRSA
See upstream image

User / Group Identifiers

When using volumes (-v flags) permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user PUID and group PGID.

Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.

In this instance PUID=1000 and PGID=1000, to find yours use id user as below:

id username
# uid=1000(dockeruser) gid=1000(dockergroup) groups=1000(dockergroup)

Configuration

• OpenVPN configuration is in /config/openvpn. Config file is openvpn.conf or <anyfilename>.ovpn.

• Client template configuration is openvpn-client.conf.

• At the top of config file you MUST include:

  dev tun0 # You MUST set interface with name (with number !!)
  config include.conf # Includes general config
  config include-server.conf # Includes additional server config (only for server)
  config unprivileged.conf # Sets OpenVPN to run unprivileged
  

Server

If you are new to containers please see rather Detailed first setup guide, because it includes more detailed description.

1. Init configuration directory with initial config files:

docker run -it --rm --cap-add NET_ADMIN -e SKIP_APP=true -v </path/to/config>:/config slocomptech/openvpn:latest bash

2. Edit vars file. (See docs)
3. At this point you will have bash shell which runs in container. Now run following commands to setup your PKI:

ovpn pki init [nopass] # Inits PKI

4. Setup OpenVPN config based on example basic with configuration wizard or put your config in /config/openvpn/openvpn.conf:

ovpn example basic
#Out interface [eth0]: <interface connected to the Internet>
#Protocol udp, tcp, udp6, tcp6 [udp]:
#VPN network [10.0.0.0]:
#Port [1194]:
#Public IP or domain of server: <YOUR PUBLIC IP>
#DNS1 [8.8.8.8]:
#DNS2 [8.8.4.4]:

5. Generate server certificate ovpn subject add server server [nopass].
6. Enable port forwarding on your router so OpenVPN server will be accessible from the internet.
7. Add clients

# Generates client certificates (put in client-confs directory)
ovpn subject add <name> [nopass]
# Generate .ovpn manually (generated in client-configs)
ovpn subject gen-ovpn <name>

8. Exit container with exit, then it will destroy itself.
9. Start container using command specified in Usage section.

For more infromation see:

• Detailed first setup guide
• docs (for detailed command usage)
• configuration example directory (for more info about example)
• Contributing (for explanation how container works, how to write an example config ...)

Note: OpenVPN documentation is located at /usr/share/doc/openvpn.

Client

1. Run container to get config structure docker run -it --rm -v PATH:/config slocomptech/openvpn.
2. Make sure you don't have following options specified in your config file
   • user
   • group
3. Put config file in /config/openvpn.

Troubleshooting

• OpenVPN troubleshoot guide

Cannot ioctl TUNSETIFF tun0: Operation not permitted (errno=1)

Just manualy remove tun0 manually openvpn --rmtun --dev tun0.

Contribute

Feel free to contribute new features to this container, but first see Contribute Guide.

TODO

Licenses

• This project
• OpenVPN
• Base image
• s6 Layer

Versions

See CHANGELOG

External documentation

• EasyRSA
• EasyRSA vars
• EasyRSA password scripting
• OpenVPN
• OpenVPN getting started
• OpenVPN how to
• s6