Public | Automated Build

Last pushed: 2 months ago
Short Description
Tiny (12MB) full featured OpenVPN server with CA, CRL and secure default settings.
Full Description

OpenVPN for Docker

Setup a tiny(12MB), but full featured and secure OpenVPN server without effort using Docker.

Quick Start

  1. Create the $OVPN_DATA volume container

     export OVPN_DATA=openvpn_data
     docker volume create --name $OVPN_DATA
  2. Initialize the $OVPN_DATA container that will hold the configuration files and certificates

     docker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn initopenvpn -u udp://VPN.SERVERNAME.COM
     docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn initpki
  3. Start OpenVPN server process

     docker run --name openvpn -v $OVPN_DATA:/etc/openvpn -v /etc/localtime:/etc/localtime:ro -d -p 1194:1194/udp --cap-add=NET_ADMIN martin/openvpn
  4. Generate a client certificate

     docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn easyrsa build-client-full CLIENTNAME
    • Or without a passphrase (only do this for testing purposes)

        docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn easyrsa build-client-full CLIENTNAME nopass
  5. Retrieve the client configuration with embedded certificates

     docker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn getclient CLIENTNAME > CLIENTNAME.ovpn
    • Or retrieve the client configuration with mssfix set to a lower value (yay Ziggo WifiSpots)

        docker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn getclient -M 1312 CLIENTNAME > CLIENTNAME.ovpn
  6. Revoke a client certificate

    If you need to remove access for a client then you can revoke the client certificate by running

     docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn revokeclient CLIENTNAME
  7. List all generated certificate names (includes the server certificate name)

     docker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn listcerts
  8. Renew the CRL

     docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn renewcrl
  • To enable (bash) debug output set an environment variable with the name DEBUG and value of 1 (using "docker -e")

      for example `docker run -e DEBUG=1 --name openvpn -v $OVPN_DATA:/etc/openvpn -v /etc/localtime:/etc/localtime:ro -d -p 1194:1194/udp --cap-add=NET_ADMIN martin/openvpn`
  • To view the log output run docker logs openvpn, to view it realtime run docker logs -f openvpn

Settings and features

  • OpenVPN 2.4.6
  • Easy-RSA v3.0.1+
  • tun mode because it works on the widest range of devices. tap mode, for instance, does not work on Android, except if the device is rooted.
  • The UDP server uses192.168.255.0/24 for clients.
  • TLS 1.2 minimum
  • TLS auth key for HMAC security
  • Diffie-Hellman parameters for perfect forward secrecy
  • Verification of the server certificate subject
  • Extended Key usage check of both client and server certificates
  • 2048 bits key size
  • Client certificate revocation functionality
  • SHA256 signature hash
  • AES-256-CBC cipher
  • Compression enabled and set to adaptive
  • Floating client ip's enabled
  • Tweaks for Windows clients
  • net30 topology because it works on the widest range of OS's. p2p, for instance, does not work on Windows.
  • Google DNS ( and

  • The configuration is located in /etc/openvpn

  • Certificates are generated in /etc/openvpn/pki.

Tested On

  • Clients
    • Android, OpenVPN Connect 1.1.14 (built 56)
    • Android, OpenVPN for Android 0.6.50
    • Windows 10 64 bit using openvpn-2.4.0

Based on kylemanna/docker-openvpn.

Docker Pull Command
Source Repository