Tiny (12MB) full featured OpenVPN server with CA, CRL and secure default settings.
100K+
Setup a tiny(12MB), but full featured and secure OpenVPN server without effort using Docker.
Create the $OVPN_DATA volume container
export OVPN_DATA=openvpn_data
docker volume create --name $OVPN_DATA
Initialize the $OVPN_DATA container that will hold the configuration files and certificates
docker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn initopenvpn -u udp://VPN.SERVERNAME.COM
docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn initpki
Start OpenVPN server process
docker run --name openvpn -v $OVPN_DATA:/etc/openvpn -v /etc/localtime:/etc/localtime:ro -d -p 1194:1194/udp --cap-add=NET_ADMIN martin/openvpn
Generate a client certificate
docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn easyrsa build-client-full CLIENTNAME
Or without a passphrase (only do this for testing purposes)
docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn easyrsa build-client-full CLIENTNAME nopass
Retrieve the client configuration with embedded certificates
docker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn getclient CLIENTNAME > CLIENTNAME.ovpn
Or retrieve the client configuration with mssfix set to a lower value (yay Ziggo WifiSpots)
docker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn getclient -M 1312 CLIENTNAME > CLIENTNAME.ovpn
Revoke a client certificate
If you need to remove access for a client then you can revoke the client certificate by running
docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn revokeclient CLIENTNAME
List all generated certificate names (includes the server certificate name)
docker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn listcerts
Renew the CRL
docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn renewcrl
To enable (bash) debug output set an environment variable with the name DEBUG and value of 1 (using "docker -e")
for example docker run -e DEBUG=1 --name openvpn -v $OVPN_DATA:/etc/openvpn -v /etc/localtime:/etc/localtime:ro -d -p 1194:1194/udp --cap-add=NET_ADMIN martin/openvpn
To view the log output run docker logs openvpn, to view it realtime run docker logs -f openvpn
OpenVPN 2.5.3
Easy-RSA v3.0.1+
tun mode because it works on the widest range of devices. tap mode, for instance, does not work on Android, except if the device is rooted.
The UDP server uses192.168.255.0/24 for clients.
TLS 1.2 minimum
TLS auth key for HMAC security
Diffie-Hellman parameters for perfect forward secrecy
Verification of the server certificate subject
Extended Key usage check of both client and server certificates
2048 bits key size
Client certificate revocation functionality
SHA256 signature hash
AES-256-CBC cipher
TLS cipher limited to TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 or TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
Compression enabled and set to adaptive
Floating client ip's enabled
Tweaks for Windows clients
net30 topology because it works on the widest range of OS's. p2p, for instance, does not work on Windows.
Google DNS (8.8.4.4 and 8.8.8.8)
The configuration is located in /etc/openvpn
Certificates are generated in /etc/openvpn/pki.
Based on kylemanna/docker-openvpn.
Content type
Image
Digest
sha256:669dcaf79…
Size
8.1 MB
Last updated
over 1 year ago
docker pull martin/openvpn:2.6.12-r1