Last pushed: 3 months ago
Short Description
Tiny (12MB) full-featured OpenVPN server with CA, CRL and secure default settings.
Full Description

OpenVPN for Docker



Set up a tiny (12MB) but full-featured and secure OpenVPN server without effort using Docker.

Quick Start

  1. Create the $OVPN_DATA volume container

     export OVPN_DATA=openvpn_data
     docker volume create --name $OVPN_DATA
    
  2. Initialize the $OVPN_DATA container that will hold the configuration files and certificates

     docker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn initopenvpn -u udp://VPN.SERVERNAME.COM
     docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn initpki
    
  3. Start OpenVPN server process

     docker run --name openvpn -v $OVPN_DATA:/etc/openvpn -v /etc/localtime:/etc/localtime:ro -d -p 1194:1194/udp --cap-add=NET_ADMIN martin/openvpn
    
  4. Generate a client certificate

     docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn easyrsa build-client-full CLIENTNAME
    
    • Or without a passphrase (only do this for testing purposes)

        docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn easyrsa build-client-full CLIENTNAME nopass
      
  5. Retrieve the client configuration with embedded certificates

     docker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn getclient CLIENTNAME > CLIENTNAME.ovpn
    
    • Or retrieve the client configuration with mssfix set to a lower value (yay Ziggo WifiSpots)

        docker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn getclient -M 1312 CLIENTNAME > CLIENTNAME.ovpn
      
  6. Revoke a client certificate

    If you need to remove access for a client, revoke the client certificate by running

     docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn revokeclient CLIENTNAME
    
  7. List all generated certificate names (includes the server certificate name)

     docker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn listcerts
    
  8. Renew the CRL

     docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn renewcrl
    
  • To enable (bash) debug output, set the environment variable DEBUG to 1 (using `docker run -e`), for example:

      `docker run -e DEBUG=1 --name openvpn -v $OVPN_DATA:/etc/openvpn -v /etc/localtime:/etc/localtime:ro -d -p 1194:1194/udp --cap-add=NET_ADMIN martin/openvpn`
    
  • To view the log output run `docker logs openvpn`; to follow it in real time run `docker logs -f openvpn`.
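The eight Quick Start steps are all variations on the same `docker run -v $OVPN_DATA:/etc/openvpn --rm ...` invocation with a client name spliced into the command line. The wrapper below is an added example (it is not part of the martin/openvpn image or its documentation) that collects those steps into named sub-commands, validates the client name and mssfix value before they reach the container, and supports a DRY_RUN=1 mode that prints each docker command instead of running it. It assumes the image name, volume name and sub-commands (initopenvpn, initpki, easyrsa, getclient, revokeclient, listcerts, renewcrl) exactly as shown in the steps above.

```shell
#!/bin/sh
# Hypothetical wrapper (added example, not part of the martin/openvpn image)
# around the Quick Start commands. Assumptions: the image name and the
# sub-commands (initopenvpn, initpki, easyrsa, getclient, revokeclient,
# listcerts, renewcrl) are exactly as shown in the Quick Start; DRY_RUN=1
# prints each docker command instead of running it.
set -eu

IMAGE="${IMAGE:-martin/openvpn}"
OVPN_DATA="${OVPN_DATA:-openvpn_data}"
DRY_RUN="${DRY_RUN:-0}"

# Client names become file names under /etc/openvpn/pki and are spliced into
# command lines, so accept only a conservative character set and no leading dot.
valid_name() {
  case "$1" in
    ""|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Run docker, or print the command line when DRY_RUN=1.
dock() {
  if [ "$DRY_RUN" = 1 ]; then printf 'docker %s\n' "$*"; else docker "$@"; fi
}

# One-shot container with the data volume mounted (the --rm pattern used above).
vol() { dock run -v "$OVPN_DATA:/etc/openvpn" --rm "$@"; }

ovpn_init() {    # steps 1-2: volume, server config for udp://HOST, then the PKI
  dock volume create --name "$OVPN_DATA"
  vol "$IMAGE" initopenvpn -u "$1"
  vol -it "$IMAGE" initpki
}

ovpn_start() {   # step 3: long-running server; NET_ADMIN is needed for the tun device
  dock run --name openvpn -v "$OVPN_DATA:/etc/openvpn" \
    -v /etc/localtime:/etc/localtime:ro -d -p 1194:1194/udp \
    --cap-add=NET_ADMIN "$IMAGE"
}

ovpn_client() {  # step 4: "nopass" skips the key passphrase (testing only)
  valid_name "$1" || { echo "invalid client name: $1" >&2; return 2; }
  if [ "${2:-}" = nopass ]; then
    vol -it "$IMAGE" easyrsa build-client-full "$1" nopass
  else
    vol -it "$IMAGE" easyrsa build-client-full "$1"
  fi
}

ovpn_export() {  # step 5: NAME.ovpn with embedded certs, optional mssfix value
  valid_name "$1" || { echo "invalid client name: $1" >&2; return 2; }
  name="$1"; mss="${2:-}"
  case "$mss" in *[!0-9]*) echo "mssfix must be numeric: $mss" >&2; return 2 ;; esac
  if [ "$DRY_RUN" = 1 ]; then out=/dev/stdout; else out="$name.ovpn"; fi
  if [ -n "$mss" ]; then
    vol "$IMAGE" getclient -M "$mss" "$name" > "$out"
  else
    vol "$IMAGE" getclient "$name" > "$out"
  fi
}

ovpn_revoke() {  # step 6: revoke the client certificate
  valid_name "$1" || { echo "invalid client name: $1" >&2; return 2; }
  vol -it "$IMAGE" revokeclient "$1"
}

ovpn_list() { vol "$IMAGE" listcerts; }          # step 7
ovpn_renewcrl() { vol -it "$IMAGE" renewcrl; }   # step 8

main() {
  cmd="$1"; shift
  case "$cmd" in
    init)     ovpn_init "$@" ;;
    start)    ovpn_start ;;
    client)   ovpn_client "$@" ;;
    export)   ovpn_export "$@" ;;
    revoke)   ovpn_revoke "$@" ;;
    list)     ovpn_list ;;
    renewcrl) ovpn_renewcrl ;;
    *) echo "usage: $0 init udp://HOST | start | client NAME [nopass] | export NAME [MSSFIX] | revoke NAME | list | renewcrl" >&2
       return 1 ;;
  esac
}

# Dispatch only when invoked with a sub-command, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run `DRY_RUN=1 ./ovpn.sh client alice` to see the exact docker command before executing it for real; the name check rejects anything that could turn into a path component or a second shell word, which matters because CLIENTNAME also ends up in the `> CLIENTNAME.ovpn` redirection of step 5.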

Settings and features

  • OpenVPN 2.4.1
  • Easy-RSA v3.0.1+
  • tun mode because it works on the widest range of devices. tap mode, for instance, does not work on Android unless the device is rooted.
  • The UDP server uses 192.168.255.0/24 for clients.
  • TLS 1.2 minimum
  • TLS auth key for HMAC security
  • Diffie-Hellman parameters for perfect forward secrecy
  • Verification of the server certificate subject
  • Extended Key Usage (EKU) check of both client and server certificates
  • 2048-bit key size
  • Client certificate revocation functionality
  • SHA256 signature hash
  • AES-256-CBC cipher
  • TLS cipher limited to TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 or TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
  • Compression enabled and set to adaptive
  • Floating client IPs enabled
  • Tweaks for Windows clients
  • net30 topology because it works on the widest range of OSes. p2p, for instance, does not work on Windows.
  • Google DNS (8.8.4.4 and 8.8.8.8)

  • The configuration is located in /etc/openvpn

  • Certificates are generated in /etc/openvpn/pki.
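The feature list above is only as good as the configuration that actually ends up in the volume, and a later hand edit (or a client that rewrote its .ovpn) can silently drop a setting. The script below is an added example, not part of the martin/openvpn image, that audits a server config or a client .ovpn for the directives behind the listed settings: TLS 1.2 minimum, tls-auth, DH parameters, CRL verification, EKU checks via remote-cert-tls, server-subject verification via verify-x509-name, the AES-256-CBC cipher, the SHA256 auth digest, the restricted tls-cipher list and net30 topology. It also flags a few well-known downgrades (Blowfish, MD5/SHA1, TLS 1.0/1.1, client certificates made optional). The directive names are standard OpenVPN 2.4 options; whether the image emits exactly these lines, and the server config file name inside /etc/openvpn, are assumptions, and both sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the martin/openvpn image): audit a generated
# server config or client .ovpn against the hardening settings listed above.
# Assumptions: the configs use the standard OpenVPN 2.4 directive names matched
# below; both sample files are constructed here, not taken from the image.
set -u

# Anchored grep -E patterns, one per line, that a file of the given role must match.
required_directives() {
  case "$1" in
    server) cat <<'EOF'
^tls-version-min 1\.2
^tls-auth[[:space:]]|^<tls-auth>
^dh[[:space:]]
^crl-verify[[:space:]]
^remote-cert-tls client
^cipher AES-256-CBC
^auth SHA256
^tls-cipher[[:space:]]TLS-
^topology net30
EOF
    ;;
    client) cat <<'EOF'
^tls-version-min 1\.2
^tls-auth[[:space:]]|^<tls-auth>
^remote-cert-tls server
^verify-x509-name[[:space:]]
^cipher AES-256-CBC
^auth SHA256
^tls-cipher[[:space:]]TLS-
EOF
    ;;
    *) echo "role must be server or client" >&2; return 2 ;;
  esac
}

# Settings that would undo the listed hardening if someone hand-edits a config.
WEAK_DIRECTIVES='^cipher (BF-CBC|DES-CBC|RC2-CBC|none)|^auth (MD5|SHA1|none)$|^tls-version-min 1\.[01]|^client-cert-not-required|^verify-client-cert none'

# audit_ovpn ROLE FILE: one line per finding on stdout; returns 0 only when clean.
audit_ovpn() {
  role="$1"; conf="$2"; status=0
  pats=$(required_directives "$role") || return 2
  set -f                      # no globbing while splitting the pattern list
  oldifs=$IFS; IFS='
'
  for pat in $pats; do
    IFS=$oldifs
    if ! grep -Eq "$pat" "$conf"; then
      echo "MISSING ($role): $pat"; status=1
    fi
  done
  IFS=$oldifs; set +f
  if grep -Eq "$WEAK_DIRECTIVES" "$conf"; then
    grep -E "$WEAK_DIRECTIVES" "$conf" | sed 's/^/WEAK: /'
    status=1
  fi
  return $status
}

write_sample_server() {   # constructed server config in the shape the feature list describes
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
topology net30
server 192.168.255.0 255.255.255.0
ca pki/ca.crt
cert pki/issued/VPN.SERVERNAME.COM.crt
key pki/private/VPN.SERVERNAME.COM.key
dh pki/dh.pem
crl-verify pki/crl.pem
tls-auth pki/ta.key 0
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
remote-cert-tls client
cipher AES-256-CBC
auth SHA256
comp-lzo adaptive
float
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
EOF
}

write_sample_weak_client() {   # constructed .ovpn that a hand edit has weakened
  cat > "$1" <<'EOF'
client
dev tun
proto udp
remote VPN.SERVERNAME.COM 1194
remote-cert-tls server
tls-version-min 1.0
cipher BF-CBC
auth SHA1
EOF
}
```

To audit the live configuration, copy it out of the volume (for example with a throwaway container that `cat`s the server config and the `getclient` output of a client) and run `audit_ovpn server server.conf` and `audit_ovpn client CLIENTNAME.ovpn`; a non-zero exit with one `MISSING` or `WEAK` line per finding is what a CI check or a post-upgrade sanity script can key on. The check deliberately looks only at the configuration text: the 2048-bit key size and the certificate EKU values live in the PKI files and need `openssl x509 -text` to verify.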

Tested On

  • Clients
    • Android, OpenVPN Connect 1.1.14 (build 56)
    • Android, OpenVPN for Android 0.6.50
    • Windows 10 64 bit using openvpn-2.4.0

Based on kylemanna/docker-openvpn.

Owner
martin
Comments (4)
zrabadaber
7 months ago

Thanks! It works!

peterbladen
2 years ago

Just tried this build and got the following error message and the daemon died :-

Mon Feb 22 15:10:21 2016 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)

gyulaweber
2 years ago

For me, it works like charm, tested with ubuntu / android clients.

mrizvic
2 years ago

Hi Martin,

I have pulled the latest busybox and martin/openvpn and it seems openssl is missing. Please take a look at the output below:

     lab# date
     Mon Jun 1 13:40:57 CEST 2015
     lab# docker images
     REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
     martin/openvpn latest 1b773532e34e 3 days ago 9.975 MB
     busybox latest 8c2e06607696 6 weeks ago 2.433 MB
     lab# docker ps -a
     CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
     lab# docker run --rm -ti martin/openvpn find / -type f -name 'openssl'
     lab# docker run --rm -ti busybox find / -type f -name 'openssl'

     lab# docker create --name ovpndata -v /etc/openvpn busybox
     4cbd024ee720dae44ba59d04b282415371879a0e25bef45cf6c63f20680ff410
     lab# docker run --volumes-from ovpndata --rm martin/openvpn initopenvpn -u udp://127.0.0.1 -D
     Successfully generated config
     lab# docker run --volumes-from ovpndata --rm martin/openvpn initpki
     /usr/local/bin/easyrsa: line 1141: openssl: not found

     Easy-RSA error:

     Missing or invalid OpenSSL
     Expected to find openssl command at: openssl