Public | Automated Build

Last pushed: 2 years ago
Short Description
OpenVPN Server container supporting arbitrary OpenVPN server configuration
Full Description

OpenVPN Gateway

This docker image configures a container to act as a VPN endpoint, using the
OpenVPN protocol. The OpenVPN certificates and configuration are specified as
a volume to be mounted within the container, thus allowing for arbitrary
OpenVPN configuration to be performed.

Getting Started

You will need:

  • Diffie-Hellman key exchange parameters (dhXXXX)
  • Your CA certificate (ca.crt)
  • Your server certificate and private key (server.crt and server.key)
  • Your server configuration file (server.conf)

The CA should be generated from a separate host and key pairs
for the server generated there. The only private key that should be stored on
the VPN server itself should be the one for the VPN server.

An easy way to generate these is to use the easy-rsa scripts.

The OpenVPN configuration file may be taken from the examples given in the
OpenVPN distribution.

Generating the certificates and related files.

Make sure you have git, openssh and (if TLS authentication is to be used)
openvpn installed. It is recommended you do this from a local machine, then
transfer the generated files to the host running the container, as this will
prevent your CA private key from being disclosed in the event of a server

You will want to keep a back-up of the easy-rsa directory created below for
future reference.

  1. Grab a copy of easy-rsa:

    $ git clone
    $ cd easy-rsa/easyrsa3

  2. Create vars with appropriate settings for your VPN. Things to change:

    • Adjust the organisational fields to taste.
    • Set EASYRSA_KEY_SIZE to either 2048 or 4096.
      1024-bit RSA is not recommended.
    • Adjust EASYRSA_CA_EXPIRE and EASYRSA_CERT_EXPIRE to requirements.

    $ cp vars.example vars
    $ ${EDITOR} vars

  3. Initialise the PKI infrastructure.

    $ ./easyrsa init-pki

  4. Build your CA key and certificate.

    $ ./easyrsa build-ca

  5. Build your server key and certificate.

    $ ./easyrsa build-server-full server nopass

  6. Generate Diffie-Hellman parameters (this bit takes a while)

    $ ./easyrsa gen-dh

  7. Generate a certificate for each client. Substitute ${clientname} for the
    name of each client.

    $ ./easyrsa build-client-full ${clientname} nopass

    The name you give here is the "common name" for each client.

OpenVPN configuration

A good example configuration for the server would be the one OpenVPN ship
in their archives which can be found online here:

Some things you'll want to adjust:

  • Tunnel device: For most applications you will probably want dev tun.
    If you want layer 2 bridging, then use dev tap instead. Alternatively,
    you can give a specific device name here (e.g. dev myvpn), then add a line
    below either dev-type tun or dev-type tap, that will create a device with
    a specific name.
  • Diffie Hellman parameters: this will be a file named dh.pem, so change the
    name here accordingly.
  • Topology: If you have Windows-based clients, uncomment this line and change
    it from subnet to net30.
  • VPN Subnet. The exact settings here depend on your choice of tunnel device:
    • tun devices: Choose an IPv4 subnet for your VPN and configure it on the
      line starting with the keyword server.
    • tap devices:
      • Firstly, comment out the line beginning with server, as that's for
        tun devices
      • You can either use a built-in DHCP server, have the clients pick their
        own addresses, or use a DHCP server that is listening on the tap device
        (or indirectly via bridges).
      • To use the built-in DHCP server: uncomment the first server-bridge line
        you see and adjust the default gateway, netmask and pool address ranges
      • To let clients figure out their own address or to use an external DHCP
        server, scroll further down and uncomment the line that just says
        server-bridge (with no arguments).
  • Client Configuration Directory: If you want specific settings to be pushed
    out to certain named clients, uncomment the line client-config-dir ccd.
  • Client subnets: To expose subnets that are behind VPN clients to the host,
    add in the appropriate route ${IP} ${SUBNET} lines. You'll want the
    Client Configuration Directory enabled above, and for each client, you'll
    need to list the subnets it is responsible for as iroute lines.
  • If you want clients to talk to each-other, uncomment client-to-client.
  • TLS Authentication: if you leave this uncommented, remember to generate the
    ta.key mentioned.
  • Cryptographic Cipher: The default is blowfish, but you might want something
    stronger. AES-256-CBC or AES-128-CBC are recommended.
  • Compression: If you want, leave it uncommented, or comment it out here to
    disable it.

Generating the TLS authentication key (ta.key)

This is needed if you left TLS authentication enabled. As per the comments in
the configuration file, run:

$ openvpn --genkey --secret ta.key

Putting it all together

Assemble your OpenVPN server configuration directory. Create a directory on
your workstation where you've been building the keys. (You did do it on a
separate box didn't you?!)

In that directory, place:

  • From your current working directory: ta.key
  • From the pki subdirectory: ca.crt and dh.pem
  • From the pki/private subdirectory: server.key
  • From the pki/issued subdirectory: server.crt
  • Your updated server configuration file: server.conf

Securely transfer this entire directory to a directory of your choosing on the
Docker host.


docker run vrtsystems/openvpn [ ... args ... ] \
-p 1194:1194/udp \
-v /path/on/host:/var/local \
--privileged --net=host

TODO: figure out how to avoid --net=host.

You may use a different port number if desired.


… TODO …




We use SemVer for versioning. For the versions available, see the tags on this repository.


Docker Pull Command
Source Repository