
Sept. 1, 2021, 2:54 p.m.

OpenVPN Server Installation (Docker Container)

Installation of OpenVPN Server using Docker

Pre-requisite: Docker

Steps:

OVPN_DATA="ovpn-data-vps1"
docker volume create --name $OVPN_DATA
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.domain.com

Other arguments that you can specify:

 -u SERVER_PUBLIC_URL
 [-e EXTRA_SERVER_CONFIG ]
 [-E EXTRA_CLIENT_CONFIG ]
 [-f FRAGMENT ]
 [-n DNS_SERVER ...]
 [-p PUSH ...]
 [-r ROUTE ...]
 [-s SERVER_SUBNET]

optional arguments:
 -2    Enable two factor authentication using Google Authenticator.
 -a    Authenticate packets with HMAC using the given message digest algorithm (auth).
 -b    Disable 'push block-outside-dns'
 -c    Enable client-to-client option
 -C    A list of allowable TLS ciphers delimited by a colon (cipher).
 -d    Disable default route
 -D    Do not push dns servers
 -k    Set keepalive. Default: '10 60'
 -m    Set client MTU
 -N    Configure NAT to access external server network
 -t    Use TAP device (instead of TUN device)
 -T    Encrypt packets with the given cipher algorithm instead of the default one (tls-cipher).
 -z    Enable comp-lzo compression.

By default the DNS servers pushed to clients are Google's 8.8.8.8 and 8.8.4.4, which is bad for privacy.
I suggest reading this documentation for hardening the OpenVPN server: https://github.com/kylemanna/docker-openvpn/blob/master/docs/paranoid.md

Sample output:

$ docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.domain.com
Unable to find image 'kylemanna/openvpn:latest' locally
latest: Pulling from kylemanna/openvpn
188c0c94c7c5: Pull complete
e470f824352c: Pull complete
d6ed0c7c142e: Pull complete
74586f3c5cd4: Pull complete
cb26244a2b2a: Pull complete

Digest: sha256:643531abb010a088f1e23a1c99d44f0bd417a3dbb483f809caf4396b5c9829a0
Status: Downloaded newer image for kylemanna/openvpn:latest
Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 8.8.8.8'
Processing PUSH Config: 'dhcp-option DNS 8.8.4.4'
Processing PUSH Config: 'comp-lzo no'

Successfully generated config

Cleaning up before Exit ...

docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki

Sample output:

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki

Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
.........+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:domain.com

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt

Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
....

DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem


Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating a RSA private key
..........................................................................................................+++++
...+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-73.GekIcP/tmp.PnoJfg'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-73.GekIcP/tmp.HCKHkc
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'vpn.domain.com'
Certificate is to be certified until Dec  4 09:13:32 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-148.dhIlCI/tmp.BjCEAG
Enter pass phrase for /etc/openvpn/pki/private/ca.key:

An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem

Since I forgot to specify my custom DNS servers, I need to edit it manually on the docker volume:

$ sudo nano /var/lib/docker/volumes/$OVPN_DATA/_data/openvpn.conf

Sample config of the OpenVPN Server

server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/vpn.domain.com.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/vpn.domain.com.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Route Configurations Below
route 192.168.254.0 255.255.255.0

### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"

Change the 8.8.8.8 and 8.8.4.4 to your desired DNS servers.
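The manual edit above can be scripted and checked. The following is an added example, not code from the original post or from the kylemanna/docker-openvpn project: it replaces every pushed DNS server in an openvpn.conf with the servers you pass in, then audits the file for the settings the post's config relies on (tls-auth, privilege drop to nobody/nogroup, block-outside-dns, and no Google DNS still pushed). The sample config is built from the post's own server config; the resolver addresses 10.0.0.53 and 10.0.0.54 and the script name are assumptions. (Passing -n DNS_SERVER to ovpn_genconfig, as listed in the arguments above, avoids the edit altogether on a fresh setup.)

```shell
#!/bin/sh
# Added example, not from the original post or the kylemanna/docker-openvpn project.
# Rewrites the 'push "dhcp-option DNS ..."' lines in an openvpn.conf produced by
# ovpn_genconfig and audits the result. The sample config below is constructed from
# the post's own server config; the DNS addresses and paths used are assumptions.
set -eu

# Write a copy of the post's sample server config to a temp file and print its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/vpn.domain.com.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/vpn.domain.com.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto udp
port 1194
dev tun0
status /tmp/openvpn-status.log
user nobody
group nogroup
comp-lzo no
route 192.168.254.0 255.255.255.0
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"
EOF
    echo "$f"
}

# set_push_dns CONF DNS... : drop every pushed DNS server and push the given ones instead.
set_push_dns() {
    conf=$1; shift
    tmp=$(mktemp)
    grep -v '^push "dhcp-option DNS ' "$conf" > "$tmp" || true   # grep -v exits 1 if nothing is left
    for dns in "$@"; do
        printf 'push "dhcp-option DNS %s"\n' "$dns" >> "$tmp"
    done
    cat "$tmp" > "$conf"   # overwrite in place so ownership and mode of the file are kept
    rm -f "$tmp"
}

# dns_not_pushed CONF DNS... : succeed only if none of the given servers is still pushed.
dns_not_pushed() {
    conf=$1; shift
    for dns in "$@"; do
        if grep -qF -e "push \"dhcp-option DNS $dns\"" "$conf"; then
            return 1
        fi
    done
    return 0
}

# audit_server_conf CONF : print one line per check, return the number of failed checks.
audit_server_conf() {
    conf=$1
    failures=0
    # Directives the post's config relies on: tls-auth (HMAC on the control channel),
    # privilege drop after startup, block-outside-dns to stop DNS leaks on Windows clients.
    for want in 'tls-auth ' 'user nobody' 'group nogroup' 'push "block-outside-dns"' 'persist-key'; do
        if grep -qF -e "$want" "$conf"; then
            echo "ok      : $want"
        else
            echo "MISSING : $want"
            failures=$((failures + 1))
        fi
    done
    if dns_not_pushed "$conf" 8.8.8.8 8.8.4.4; then
        echo "ok      : no Google DNS pushed"
    else
        echo "WARN    : Google DNS (8.8.8.8 / 8.8.4.4) still pushed to clients"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Run as: sh fix_dns.sh demo   (or call the functions on the real file, e.g.
# set_push_dns /var/lib/docker/volumes/$OVPN_DATA/_data/openvpn.conf 10.0.0.53)
if [ "${1:-}" = "demo" ]; then
    sample=$(make_sample_conf)
    echo "== before =="; audit_server_conf "$sample" || true
    set_push_dns "$sample" 10.0.0.53 10.0.0.54      # assumed internal resolvers
    echo "== after =="; audit_server_conf "$sample"
    grep '^push ' "$sample"
    rm -f "$sample"
fi
```

The audit returns the number of failed checks, so it can gate a deployment script; after editing the real file, restart the container so OpenVPN re-reads openvpn.conf.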

docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass

Replace CLIENTNAME with your desired client name (e.g. Laptop).

docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn

Sample client config:

client
nobind
dev tun
remote-cert-tls server

remote vpn.domain.com 1194 udp

...
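Because the client was built with nopass, the private key embedded in CLIENTNAME.ovpn is unencrypted, so the profile file itself is the secret. The following is an added example, not code from the original post or from the kylemanna/docker-openvpn project: it checks a generated profile for the lines shown above (an exact remote host/port match, so a typo in the server name is caught, plus remote-cert-tls server) and restricts the file to its owner. It assumes the combined profile layout with inline <ca> and <key> blocks; the sample profile is constructed and its certificate and key bodies are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or the kylemanna/docker-openvpn project.
# Checks a client profile written by 'ovpn_getclient' before it is handed out and
# locks down its file mode: 'easyrsa build-client-full NAME nopass' leaves the
# embedded private key unencrypted, so the .ovpn file itself is the secret.
# Assumes the combined profile format (inline <ca> and <key> blocks); the sample
# below is constructed and the certificate/key bodies are placeholders.
set -eu

# Write a constructed sample profile to a temp file and print its path.
make_sample_profile() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
client
nobind
dev tun
remote-cert-tls server
remote vpn.domain.com 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END PRIVATE KEY-----
</key>
EOF
    echo "$f"
}

# check_client_profile FILE HOST PORT : print findings, return the number of failed checks.
check_client_profile() {
    file=$1; host=$2; port=$3
    problems=0
    # exact field match on the remote line, so e.g. 'vpn.domain.conm' does not pass
    if awk -v h="$host" -v p="$port" '$1 == "remote" && $2 == h && $3 == p { ok = 1 } END { exit !ok }' "$file"; then
        echo "ok      : remote $host $port"
    else
        echo "PROBLEM : no 'remote $host $port' line"
        problems=$((problems + 1))
    fi
    # remote-cert-tls server makes the client refuse a peer that presents a client certificate
    for want in 'client' 'remote-cert-tls server' '<ca>' '<key>'; do
        if grep -qx -e "$want" "$file"; then
            echo "ok      : $want"
        else
            echo "PROBLEM : missing '$want'"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# profile_mode FILE : print the permission string, e.g. -rw-------
profile_mode() {
    ls -ld "$1" | cut -c1-10
}

# lock_down_profile FILE : owner read/write only, since the key inside is unencrypted.
lock_down_profile() {
    chmod 600 "$1"
}

# Run as: sh check_profile.sh demo   (or: check_client_profile Laptop.ovpn vpn.domain.com 1194)
if [ "${1:-}" = "demo" ]; then
    p=$(make_sample_profile)
    check_client_profile "$p" vpn.domain.com 1194
    lock_down_profile "$p"
    echo "mode now: $(profile_mode "$p")"
    rm -f "$p"
fi
```

Run the check against the real CLIENTNAME.ovpn with the host and port you passed to ovpn_genconfig, and deliver the file over an authenticated channel rather than e-mail, since anyone holding it can connect as that client until its certificate is revoked.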

Alternatively, you can use WireGuard which is much faster than OpenVPN and is easier to set up.

References:

https://hub.docker.com/r/kylemanna/openvpn/

https://github.com/kylemanna/docker-openvpn/blob/master/docs/backup.md