OpenVPN server in a Docker container complete with an EasyRSA PKI CA
Auto install/config, users auto creation, send configs/backup by email or Telegram.
- Docker Registry @ gruz123/ovpn
- GitHub @ gruz123/docker-ovpn
- GitHub @ kylemanna/docker-openvpn
- Auto user creation (adduser)
- Send user configurations by email or Telegram (send)
- Auto-generated passphrase (openvpn-data/conf/psk)
- Backup and auto backup by mail or Telegram, advanced security features:
- based on this document and this document (work in progress)
```yaml
version: '2'
services:
  openvpn:
    cap_add:
      - NET_ADMIN
    image: gruz123/ovpn
    container_name: openvpn
    ports:
      - "1194:1194/udp"
    restart: always
    volumes:
      - ./openvpn-data/conf:/etc/openvpn
    environment:
      - "EmailUN=gruz123@gmail.com"
      - "EmailPW=16"
      - "SMTP=smtp.gmail.com:587"
      - "Encryption=STARTTLS"
      - "chat_id=-1001111111125"
      - "botToken=1111222244:AAaaAAaaAaAAaaAAAaaAAaaaaaAaA21AAAA"
```
Usual Gmail password ain't gonna work; create an app password at https://myaccount.google.com/apppasswords
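The compose file above keeps the mail app password and the Telegram bot token as literal values in `docker-compose.yml`, which tends to end up in version control. The script below is an added example and not part of the gruz123/ovpn project: it flags any `EmailPW=` or `botToken=` assignment that is not a `${VAR}` reference, and shows the corrected form, which relies on Compose substituting `${VAR}` from a `.env` file next to the compose file. The sample files and their placeholder values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the gruz123/ovpn project: detect credentials
# (the Gmail app password and the Telegram bot token) written literally into
# docker-compose.yml. Compose substitutes ${VAR} from a .env file next to the
# compose file, so the corrected form keeps the variable names and moves the
# values into .env (which stays out of version control).

# Constructed samples: one file in the README's style with inline values
# (placeholders, not real credentials), one that references .env instead.
write_samples() {
  dir=$1
  cat > "$dir/compose-inline.yml" <<'EOF'
version: '2'
services:
  openvpn:
    image: gruz123/ovpn
    environment:
      - "EmailUN=user@example.com"
      - "EmailPW=REPLACE_WITH_APP_PASSWORD"
      - "SMTP=smtp.gmail.com:587"
      - "chat_id=-1000000000000"
      - "botToken=REPLACE_WITH_BOT_TOKEN"
EOF
  cat > "$dir/compose-env.yml" <<'EOF'
version: '2'
services:
  openvpn:
    image: gruz123/ovpn
    environment:
      - "EmailUN=${EmailUN}"
      - "EmailPW=${EmailPW}"
      - "SMTP=smtp.gmail.com:587"
      - "chat_id=${chat_id}"
      - "botToken=${botToken}"
EOF
}

# lint_compose_secrets FILE
# Exit 0 when every secret-bearing variable is a ${...} reference,
# 1 when any of them carries a literal value (each offender is reported).
lint_compose_secrets() {
  file=$1
  bad=0
  for key in EmailPW botToken; do
    total=$(grep -c "${key}=" "$file" || true)      # every assignment of the key
    refs=$(grep -cF "${key}=\${" "$file" || true)   # assignments that reference .env
    if [ "$total" -gt "$refs" ]; then
      echo "$file: $key has a literal value; move it to .env and use \${$key}" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
lint_compose_secrets "$tmp/compose-inline.yml" || echo "inline file flagged, as expected"
lint_compose_secrets "$tmp/compose-env.yml" && echo "env-referencing file passes"
rm -rf "$tmp"
```

With the corrected form, `.env` beside `docker-compose.yml` holds lines such as `EmailPW=...` and `botToken=...`, and `.env` is listed in `.gitignore`; the container still receives exactly the same environment variables.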
```sh
docker-compose run --rm openvpn quickstart
```
Automatically:
- Sets the external IP
- Builds the server with a passphrase
- Generates client certificates without a passphrase
- Retrieves the client configurations with embedded certificates
User input
- prefix (username) and quantity.
- As an example:
  - set Prefix: Halifax
  - set quantity: 12
  - it creates: Halifax1.ovpn, Halifax2.ovpn ... Halifax12.ovpn
```sh
docker-compose run --rm openvpn adduser
docker-compose run --rm openvpn send
sudo chown -R $(whoami): ./openvpn-data
docker-compose up -d openvpn
docker-compose logs -f
```

Manual configuration and PKI initialisation (the steps `quickstart` automates):

```sh
docker-compose run --rm openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker-compose run --rm openvpn ovpn_initpki
```
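Each generated `PREFIXn.ovpn` embeds the client's private key along with its certificate and the CA, so after `quickstart` or `adduser` it is worth checking that the expected set of files exists, that each one carries the `<ca>`, `<cert>`, `<key>` and `remote` entries a client needs, and that none of them is readable by other users on the host. The audit below is an added example and not part of the gruz123/ovpn project; the directory is a parameter (on the host the compose volume maps to `./openvpn-data/conf`, which is assumed here, not stated by the image), and the sample `.ovpn` files with placeholder PEM blocks are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the gruz123/ovpn project: audit the client
# configurations that quickstart/adduser generate (PREFIX1.ovpn .. PREFIXn.ovpn).
# Each .ovpn embeds the client's private key, so besides checking that every
# expected file exists and carries <ca>, <cert>, <key> and a "remote" line, the
# audit flags any file readable by group or others. The directory is a
# parameter; on the host that is assumed to be ./openvpn-data/conf (the compose
# volume), adjust if the image writes client files elsewhere.

# write_ovpn PATH withkey|nokey  -- constructed sample config, placeholder PEM blocks
write_ovpn() {
  {
    printf 'client\ndev tun\nproto udp\nremote vpn.example.com 1194\n'
    printf '<ca>\nCONSTRUCTED_CA_PEM\n</ca>\n<cert>\nCONSTRUCTED_CERT_PEM\n</cert>\n'
    if [ "$2" = "withkey" ]; then
      printf '<key>\nCONSTRUCTED_KEY_PEM\n</key>\n'
    fi
  } > "$1"
  chmod 600 "$1"
}

# Sample set for prefix Halifax, quantity 4, with three deliberate defects.
write_sample_configs() {
  write_ovpn "$1/Halifax1.ovpn" withkey   # good
  write_ovpn "$1/Halifax2.ovpn" withkey
  chmod 644 "$1/Halifax2.ovpn"            # defect: readable by everyone
  write_ovpn "$1/Halifax3.ovpn" nokey     # defect: no embedded private key
  # Halifax4.ovpn is deliberately absent  # defect: missing file
}

# audit_client_configs DIR PREFIX COUNT
# Prints the number of problems found and exits 0 only when it is zero.
audit_client_configs() {
  dir=$1 prefix=$2 count=$3
  problems=0
  i=1
  while [ "$i" -le "$count" ]; do
    f="$dir/$prefix$i.ovpn"
    if [ ! -f "$f" ]; then
      echo "MISSING   $f" >&2
      problems=$((problems + 1))
    else
      for tag in ca cert key; do
        if ! grep -q "^<$tag>" "$f" || ! grep -q "^</$tag>" "$f"; then
          echo "NO <$tag>  $f" >&2
          problems=$((problems + 1))
        fi
      done
      if ! grep -q "^remote " "$f"; then
        echo "NO remote $f" >&2
        problems=$((problems + 1))
      fi
      # columns 5-10 of "ls -l" are the group/other permission bits
      if [ "$(ls -l "$f" | cut -c5-10)" != "------" ]; then
        echo "PERMS     $f is readable by group/other; chmod 600 it" >&2
        problems=$((problems + 1))
      fi
    fi
    i=$((i + 1))
  done
  echo "$problems"
  [ "$problems" -eq 0 ]
}

# Demo run on the constructed sample set.
tmp=$(mktemp -d)
write_sample_configs "$tmp"
audit_client_configs "$tmp" Halifax 4 || echo "audit found problems, as expected for the sample"
rm -rf "$tmp"
```

Against a real deployment, run `audit_client_configs ./openvpn-data/conf Halifax 12` after the `chown` step above; the permission check is the reason that step matters, since the files are written by the container as root.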
More options (`ovpn_genconfig`):

```
-u SERVER_PUBLIC_URL
   [-e EXTRA_SERVER_CONFIG ] [-E EXTRA_CLIENT_CONFIG ] [-f FRAGMENT ]
   [-n DNS_SERVER ...] [-p PUSH ...] [-r ROUTE ...] [-s SERVER_SUBNET]

optional arguments:
 -2    Enable two factor authentication using Google Authenticator.
 -a    Authenticate packets with HMAC using the given message digest algorithm (auth).
 -b    Disable 'push block-outside-dns'
 -c    Enable client-to-client option
 -C    A list of allowable TLS ciphers delimited by a colon (cipher).
 -d    Disable default route
 -D    Do not push dns servers
 -k    Set keepalive. Default: '10 60'
 -m    Set client MTU
 -N    Configure NAT to access external server network
 -t    Use TAP device (instead of TUN device)
 -T    Encrypt packets with the given cipher algorithm instead of the default one (tls-cipher).
 -z    Enable comp-lzo compression.
```
- IP/FQDN, port number and protocol (UDP or TCP) can be changed on the host in:
  openvpn-data/conf/env.sh
- When switching from UDP to TCP, the protocol must also be changed in the file below, because it is used to build the client configuration files (the port number does not need to be changed there):
  openvpn-data/conf/openvpn.conf
- Advanced configurations are described in this docs page.
- Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e"):

```sh
docker-compose run -e DEBUG=1 -p 1194:1194/udp openvpn
```
- Revoke a client certificate

```sh
# Keep the corresponding crt, key and req files.
docker-compose run --rm openvpn revokeclient $CLIENTNAME
# Remove the corresponding crt, key and req files.
docker-compose run --rm openvpn revokeclient $CLIENTNAME remove
```
Miscellaneous write-ups for advanced configurations are available in the docs folder.