OpenVPN Dockerized #
Prerequisites #
In this tutorial I'm using AWS to host the OpenVPN Server on an EC2 instance. It is necessary to create an Inbound Rule in the EC2 Security Group for Port 1197 (UDP protocol).
Note: After OpenVPN is set up and running, you can delete the SSH Inbound Rule from the EC2 Security Group.
Use the Public IPv4 address of the EC2 instance for the OpenVPN Server Configuration.
Docker Compose #
```bash
# Create directory for Docker Compose file
mkdir openvpn && cd openvpn
# Create Docker Compose file
vi docker-compose.yml
```
```yaml
# docker-compose.yml
version: "3"
services:
  ovpn:
    image: kylemanna/openvpn:2.4
    restart: always
    volumes:
      - ./ovpn-data:/etc/openvpn:rw
    ports:
      - 1194:1194/udp
    cap_add:
      - NET_ADMIN
```
Initialize Configuration Files #
init.sh
```bash
#!/bin/bash -x
docker compose run --rm ovpn ovpn_genconfig -u udp://3.76.216.205 # Public IP
docker compose run --rm ovpn ovpn_initpki
```
Shell Output:
```
Enter New CA Key Passphrase: # Define ca.key pass phrase
Re-Enter New CA Key Passphrase: # Enter ca.key pass phrase
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: # Whatever
Enter pass phrase for /etc/openvpn/pki/private/ca.key: # Enter ca.key pass phrase
Enter pass phrase for /etc/openvpn/pki/private/ca.key: # Enter ca.key pass phrase
```
Client Certificate #
Create Client Certificate with password:
```bash
#!/bin/bash -ex
# $1 is the client name; quote it so names are passed as a single argument
docker compose run --rm ovpn easyrsa build-client-full "$1"
docker compose run --rm ovpn ovpn_getclient "$1" > "$1.ovpn"
```
Shell Output:
```
Enter PEM pass phrase: # Define Certificate PW
Verifying - Enter PEM pass phrase: # Enter Certificate PW
Enter pass phrase for /etc/openvpn/pki/private/ca.key: # Enter ca.key pass phrase
```
Create Client Certificate without password:
```bash
#!/bin/bash -ex
# $1 is the client name; "nopass" creates a client key without a pass phrase
docker compose run --rm ovpn easyrsa build-client-full "$1" nopass
docker compose run --rm ovpn ovpn_getclient "$1" > "$1.ovpn"
```
Shell Output:
```
Enter pass phrase for /etc/openvpn/pki/private/ca.key: # Enter ca.key pass phrase
```
Configuration Parameters #
Routes #
Use the ip command (for example ip addr) to find the private IPv4 address of your OpenVPN Server.
Shell Output:
```
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:93:49:9b:1d:9a brd ff:ff:ff:ff:ff:ff
    inet 172.31.27.230/20 metric 100 brd 172.31.31.255 scope global dynamic eth0
```
To reach the OpenVPN Server from the Client through the tunnel, a route for the Server's private IP is needed. Either push the route from the OpenVPN Server to the Client with the following directive in the server configuration:
```bash
# Open OpenVPN Server Configuration
sudo vi ~/ovpn/ovpn-data/openvpn.conf
```
```
# Push Route to Client
push "route 172.31.27.230 255.255.255.255"
```
Or add the Route manually to the Client Configuration:
```
# user.ovpn File
# Route specific IP through VPN tunnel
route 172.31.27.230 255.255.255.255
```
Client Certificate Parameters #
Edit the user.ovpn file that was created for the Client.
The following parameter must be added to the user.ovpn client configuration file (it has to match the compression setting of the Server):
```
allow-compression yes
```
By default the whole traffic is routed through the VPN tunnel. To deactivate this, comment the redirect-gateway line out with a leading #:
```
# Route whole traffic through VPN tunnel: deactivated by commenting it out
#redirect-gateway def1
```
OpenVPN Server Parameters #
In the server configuration (openvpn.conf), deactivate the following setting by commenting it out:
```
# Deactivate this Setting
#push "block-outside-dns"
```
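The client certificate scripts above and the manual edits from the Client Certificate Parameters and OpenVPN Server Parameters sections can be combined into one script. The following is an added example, not part of the original tutorial or of the kylemanna/openvpn project; it assumes it is run from the directory containing docker-compose.yml, that the Server's private IP is given in the SERVER_PRIVATE_IP variable (defaulting to the 172.31.27.230 used in this tutorial), and that the generated server config lives at ./ovpn-data/openvpn.conf. It validates the client name before handing it to easyrsa, writes the .ovpn file readable only by its owner (it embeds the private key), applies the route, allow-compression and redirect-gateway changes idempotently, and warns if the server config still pushes block-outside-dns. Note that OpenVPN 2.5 and later disable compression by default because of known attacks on compressed VPN traffic, so allow-compression yes should only be kept as long as the Server configuration requires it.

```shell
#!/bin/sh
# make_client.sh - added example, not from the original page.
# Usage: ./make_client.sh NAME [nopass]
# Assumptions (not from the page): run from the directory with docker-compose.yml;
# SERVER_PRIVATE_IP holds the server's private address; server config is
# at ./ovpn-data/openvpn.conf.
set -eu

SERVER_PRIVATE_IP="${SERVER_PRIVATE_IP:-172.31.27.230}"

# Accept only [A-Za-z0-9_.-], no leading dot, max 64 chars: the name is
# passed to easyrsa inside the container and also becomes a file name.
validate_client_name() {
    name="$1"
    [ -n "$name" ] || return 1
    [ "${#name}" -le 64 ] || return 1
    case "$name" in
        *[!A-Za-z0-9_.-]*) return 1 ;;
        .*) return 1 ;;
    esac
    return 0
}

# Apply the tutorial's client-side changes to an .ovpn file, idempotently:
#  - comment out an active "redirect-gateway" line (not all traffic via VPN)
#  - add a host route for the server's private IP if missing
#  - add "allow-compression yes" if missing
customize_ovpn() {
    file="$1"
    ip="$2"
    tmp="$file.tmp"
    sed 's/^[[:space:]]*redirect-gateway/#redirect-gateway/' "$file" > "$tmp"
    grep -qxF "route $ip 255.255.255.255" "$tmp" || \
        printf 'route %s 255.255.255.255\n' "$ip" >> "$tmp"
    grep -qxF 'allow-compression yes' "$tmp" || \
        printf 'allow-compression yes\n' >> "$tmp"
    mv "$tmp" "$file"
    chmod 600 "$file"   # the file embeds the client's private key
}

# Return 1 if the server config still has an active push "block-outside-dns".
server_conf_ok() {
    conf="$1"
    if grep -Eq '^[[:space:]]*push[[:space:]]+"block-outside-dns"' "$conf"; then
        return 1
    fi
    return 0
}

# Build the client certificate in the container and write NAME.ovpn.
make_client() {
    name="$1"
    nopass="${2:-}"
    validate_client_name "$name" || { echo "invalid client name: $name" >&2; return 1; }
    if [ "$nopass" = "nopass" ]; then
        docker compose run --rm ovpn easyrsa build-client-full "$name" nopass
    else
        docker compose run --rm ovpn easyrsa build-client-full "$name"
    fi
    umask 077   # create the .ovpn unreadable to other users from the start
    docker compose run --rm ovpn ovpn_getclient "$name" > "$name.ovpn"
    customize_ovpn "$name.ovpn" "$SERVER_PRIVATE_IP"
    server_conf_ok ./ovpn-data/openvpn.conf || \
        echo "warning: openvpn.conf still pushes block-outside-dns" >&2
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    make_client "$@"
fi
```

Run it as ./make_client.sh user2 or ./make_client.sh user2 nopass; the pass phrase prompts are the same as in the Shell Output sections above.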
Start OpenVPN Container #
```bash
# Start Container
docker compose up -d
# Check Logs
docker compose logs
```
Connect to Server #
To reach the OpenVPN Server itself through the VPN tunnel, connect to the private IP of the OpenVPN Server, not the public one!
Windows #
Download OpenVPN Client for Windows: https://openvpn.net/community-downloads/
Linux (Ubuntu) #
```bash
# Update Package Manager
sudo apt update
# Install OpenVPN
sudo apt install openvpn
# Open Connection: Run in Background (daemon)
sudo openvpn --config ./user2.ovpn --askpass --daemon
# Shell Output: Press Tab / don't save PW to history
```
```
Enter Private Key Password: (press TAB for no echo)
```
Test Connection #
Test the VPN Connection by opening an SSH session to the OpenVPN Server, using the private IP of the Server:
```bash
# Open SSH Connection
ssh user@IP
# Following this example it's
ssh ubuntu@172.31.27.230
```
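The Linux connect and test steps above can be automated so the SSH session is only attempted once the tunnel is actually up. The following is an added example, not part of the original tutorial; it assumes OpenVPN writes its log to the file named in OVPN_LOG (via the --log option), that the client config path is in OVPN_CONFIG (default ./user2.ovpn as above) and the Server's private IP in SERVER_PRIVATE_IP (default 172.31.27.230). It waits for the "Initialization Sequence Completed" line that OpenVPN prints when the tunnel is ready, gives up early on AUTH_FAILED or TLS errors, and checks with ip route get that the Server's private IP is actually routed through a tun device before connecting.

```shell
#!/bin/sh
# connect_and_test.sh - added example, not from the original page.
# Usage: ./connect_and_test.sh run
# Assumptions (not from the page): OVPN_CONFIG, OVPN_LOG and SERVER_PRIVATE_IP
# as defaulted below.
set -eu

OVPN_CONFIG="${OVPN_CONFIG:-./user2.ovpn}"
OVPN_LOG="${OVPN_LOG:-/tmp/openvpn-client.log}"
SERVER_PRIVATE_IP="${SERVER_PRIVATE_IP:-172.31.27.230}"

# OpenVPN prints this exact line once the tunnel is usable.
READY_MARKER="Initialization Sequence Completed"

# Poll LOGFILE for up to TIMEOUT seconds. Return 0 once the tunnel is up,
# 1 on timeout or as soon as OpenVPN reports an authentication/TLS failure.
wait_for_tunnel() {
    logfile="$1"
    timeout="$2"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -f "$logfile" ]; then
            grep -q "$READY_MARKER" "$logfile" && return 0
            grep -Eq 'AUTH_FAILED|TLS Error|Exiting due to fatal error' "$logfile" && return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Given one line of "ip route get IP" output, return 0 if the packet would
# leave through a tun device (i.e. through the VPN), 1 otherwise.
route_via_tun() {
    route_line="$1"
    case "$route_line" in
        *" dev tun"*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    # Same command as in the tutorial, plus a log file to watch.
    sudo openvpn --config "$OVPN_CONFIG" --askpass --daemon --log "$OVPN_LOG"
    wait_for_tunnel "$OVPN_LOG" 30 || {
        echo "tunnel did not come up, see $OVPN_LOG" >&2
        exit 1
    }
    route_via_tun "$(ip route get "$SERVER_PRIVATE_IP")" || {
        echo "no tun route to $SERVER_PRIVATE_IP; check the route line in the .ovpn" >&2
        exit 1
    }
    ssh ubuntu@"$SERVER_PRIVATE_IP"
}

# Run only when called with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    main
fi
```

The route check catches the case where the route for the Server's private IP was neither pushed by the Server nor added to the client configuration: the tunnel comes up, but SSH to the private IP would still go out via the normal interface and time out.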
Client Certificate Example #
```
# Client Config .ovpn
client # Define Client configuration file
nobind # Use random port, don't bind to a particular local port
dev tun # Use TUN device / Layer 3 OSI model, create routed IP tunnel
remote-cert-tls server # Verify the server's certificate was signed with explicit nsCertType designation of "server"
remote 3.76.216.205 1194 udp # Public IP, Port, Protocol
# Route OpenVPN Server private IP through tunnel
route 172.31.27.230 255.255.255.255
allow-compression yes # Allow Compression, must be the same as Server Configuration
<key>
</key>
<cert>
</cert>
<ca>
</ca>
key-direction 1 # HMAC firewall protection; key is used for packets sent from client to server
<tls-auth>
</tls-auth>
# Don't redirect whole traffic through vpn tunnel
#redirect-gateway def1
```