OpenVPN for Docker

Recipe to build an OpenVPN image for Docker

This is a fork of jpetazzo/dockvpn that
removes the serveconfig http server and adds the option to upload the client
config file to an S3 Bucket.

Quick instructions:

# Just runs the OpenVPN server
docker run -d --name ovpn-server --privileged -p 1194:1194/udp -p 443:443/tcp potz/dockvpn

# Runs the OpenVPN server and uploads the client config file to S3
docker run -d --name ovpn-server --privileged -p 1194:1194/udp -p 443:443/tcp \
  -e AWS_ACCESS_KEY_ID=my_access_key \
  -e AWS_SECRET_ACCESS_KEY=my_secret \
  -e S3_BUCKET=my_bucket \
  -e S3_KEY=clientconfig.ovpn \
  potz/dockvpn

Now download the file from your Amazon S3 Bucket.

The file can be used immediately as an OpenVPN profile. It embeds all the
required configuration and credentials. It has been tested successfully on
Linux, Windows, and Android clients. If you can test it on OS X and iPhone,
let me know!

If you reboot the server (or stop the container) and you docker run
again, you will create a new service (with a new configuration) and
you will have to re-download the configuration file. However, you can
use docker start to restart the service without touching the configuration.

How does it work?

When the potz/dockvpn image is started, it generates:

  • Diffie-Hellman parameters,
  • a private key,
  • a self-signed certificate matching the private key,
  • two OpenVPN server configurations (for UDP and TCP),
  • an OpenVPN client profile.

Then, it starts two OpenVPN server processes (one on 1194/udp, another
on 443/tcp).

OpenVPN details

We use tun mode, because it works on the widest range of devices.
tap mode, for instance, does not work on Android, except if the device
is rooted.

The topology used is net30, because it works on the widest range of operating
systems. p2p, for instance, does not work on Windows.

The TCP server uses 192.168.255.0/25 and the UDP server uses
192.168.255.128/25.

The client profile specifies redirect-gateway def1, meaning that after
establishing the VPN connection, all traffic will go through the VPN.
This might cause problems if you use local DNS recursors which are not
directly reachable, since you will try to reach them through the VPN
and they might not answer to you. If that happens, use public DNS
resolvers like those of Google (8.8.4.4 and 8.8.8.8) or OpenDNS
(208.67.222.222 and 208.67.220.220).

Security discussion

For simplicity, the client and the server use the same private key and
certificate. This is certainly a terrible idea. If someone can get their
hands on the configuration on one of your clients, they will be able to
connect to your VPN, and you will have to generate new keys. Which is,
by the way, extremely easy, since each time you docker run the OpenVPN
image, a new key is created. If someone steals your configuration file
(and key), they will also be able to impersonate the VPN server (if they
can also somehow hijack your connection).

It would probably be a good idea to generate two sets of keys.

It would probably be even better to generate the server key when
running the container for the first time (as it is done now), but
generate a new client key each time the serveconfig command is
called. The command could even take the client CN as argument, and
another revoke command could be used to revoke previously issued
keys.
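The two-key-set layout suggested above, as an added example that is not part of potz/dockvpn or jpetazzo/dockvpn: a local CA signs a server certificate and a separate certificate per client CN with openssl (assumed installed), and the client profile embeds only the CA certificate plus that client's own cert and key, so a stolen profile no longer contains the server key. The function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not the image's own code. Assumes openssl on PATH.
set -eu

# Create a CA and the server certificate in directory $1.
pki_init() {
  dir=$1; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=dockvpn-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  issue_cert "$dir" server serverAuth
}

# Issue a certificate signed by the CA: $1=dir, $2=CN, $3=extendedKeyUsage.
# The EKU lets clients enforce "remote-cert-tls server" and vice versa.
issue_cert() {
  dir=$1; cn=$2; eku=$3
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$eku" > "$dir/$cn.ext"
  openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/$cn.ext" \
    -out "$dir/$cn.crt" 2>/dev/null
}

# Write a client profile mirroring the image's settings (tun, net30,
# redirect-gateway def1, UDP 1194 and TCP 443) with per-client material
# embedded inline. $1=dir, $2=client CN, $3=server host. Prints the path.
write_profile() {
  dir=$1; cn=$2; host=$3; out="$dir/$cn.ovpn"
  {
    printf 'client\nnobind\ndev tun\ntopology net30\nredirect-gateway def1\n'
    printf 'remote-cert-tls server\n'
    printf 'remote %s 1194 udp\nremote %s 443 tcp\n' "$host" "$host"
    printf '<ca>\n'; cat "$dir/ca.crt"; printf '</ca>\n'
    printf '<cert>\n'; cat "$dir/$cn.crt"; printf '</cert>\n'
    printf '<key>\n'; cat "$dir/$cn.key"; printf '</key>\n'
  } > "$out"
  echo "$out"
}

# Check that the client cert chains to the CA and that the profile does not
# carry any line of the server's private key. $1=dir, $2=client CN.
verify_profile() {
  dir=$1; cn=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/$cn.crt" >/dev/null 2>&1 || return 1
  ! grep -qF -- "$(sed -n 2p "$dir/server.key")" "$dir/$cn.ovpn"
}
```

Revoking a client then means adding its certificate to a CRL that the server loads with crl-verify; the server keeps its own key throughout.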

Verified to work with ...

People have successfully used this VPN server with clients such as:

  • OpenVPN on Linux,
  • Viscosity on OSX (#25),
  • Tunnelblick on OSX,
  • (some VPN client on Android but I can't remember which).

Other related/interesting projects

  • @jpetazzo/dockvpn, the original
    image from which this one was forked.

  • @besn0847/alpinevpn, a smaller
    image based on the Alpine distribution

Owner: potz