This tutorial will explain how to set up and run an OpenVPN container with the help of Docker.
OpenVPN provides a way to create virtual private networks (VPNs) using TLS (evolution of SSL) encryption. OpenVPN protects the network traffic from eavesdropping and man-in-the-middle (MITM) attacks. The private network can be used to securely connect a device, such as a laptop or mobile phone running on an insecure WiFi network, to a remote server that then relays the traffic to the Internet. Private networks can also be used to securely connect devices to each other over the Internet.
Docker provides a way to encapsulate the OpenVPN server process and configuration data so that it is more easily managed. The Docker OpenVPN image is prebuilt and includes all of the necessary dependencies to run the server in a sane and stable environment. Scripts are included to significantly automate the standard use case, but still allow for full manual configuration if desired. A Docker volume container is used to hold the configuration and EasyRSA PKI certificate data as well.
Docker Registry is a central repository for both official and user developed Docker images. The image used in this tutorial is a user contributed image available at kylemanna/openvpn. The image is assembled on Docker Registry’s cloud build servers using the source from the GitHub project repository. The cloud server build linked to Github adds the ability to audit the Docker image so that users can review the source Dockerfile and related code, called a Trusted Build. When the code is updated in the GitHub repository, a new Docker image is built and published on the Docker Registry.
Docker is moving fast and Ubuntu’s long term support (LTS) policy doesn’t keep up. To work around this we’ll install a PPA that will get us the latest version of Docker.
Add the upstream Docker repository package signing key. The apt-key
command uses elevated privileges via sudo
, so a password prompt for the user’s password may appear:
curl -L https://get.docker.com/gpg | sudo apt-key add -
Note: Enter your sudo password at the blinking cursor if necessary.
Add the upstream Docker repository to the system list:
echo deb http://get.docker.io/ubuntu docker main | sudo tee /etc/apt/sources.list.d/docker.list
Update the package list and install the Docker package:
sudo apt-get update && sudo apt-get install -y lxc-docker
Add your user to the docker
group to enable communication with the Docker daemon as a normal user, where sammy
is your username. Exit and log in again for the new group to take effect:
sudo usermod -aG docker sammy
After re-logging in verify the group membership using the id
command. The expected response should include docker
like the following example:
uid=1001(test0) gid=1001(test0) groups=1001(test0),27(sudo),999(docker)
Optional: Run bash
in a simple Debian Docker image (--rm
to clean up container after exit and -it
for interactive) to verify Docker operation on host:
docker run --rm -it debian:jessie bash -l
Expected response from docker as it pulls in the images and sets up the container:
Unable to find image 'debian:jessie' locally
debian:jessie: The image you are pulling has been verified
511136ea3c5a: Pull complete
36fd425d7d8a: Pull complete
aaabd2b41e22: Pull complete
Status: Downloaded newer image for debian:jessie
root@de8ffd8f82f6:/#
Once inside the container you’ll see the root@<container id>:/#
prompt signifying that the current shell is in a Docker container. To confirm that it’s different from the host, check the version of Debian running in the container:
cat /etc/issue.net
Expected response for the OpenVPN container at the time of writing:
Debian GNU/Linux jessie/sid
If you see a different version of Debian, that’s fine.
Exit the container by typing logout
, and the host’s prompt should appear again.
This step is usually a headache for those familiar with OpenVPN or any services utilizing PKI. Luckily, Docker and the scripts in the Docker image simplify this step by generating configuration files and all the necessary certificate files for us.
Create a volume container. This tutorial will use the $OVPN_DATA
environmental variable to make it copy-paste friendly. Set this to anything you like. The default ovpn-data
value is recommended for single OpenVPN Docker container servers. Setting the variable in the shell leverages string substitution to save the user from manually replacing it for each step in the tutorial:
OVPN_DATA="ovpn-data"
Create an empty Docker volume container using busybox
as a minimal Docker image:
docker run --name $OVPN_DATA -v /etc/openvpn busybox
Initialize the $OVPN_DATA
container that will hold the configuration files and certificates, and replace vpn.example.com
with your FQDN. The vpn.example.com
value should be the fully-qualified domain name you use to communicate with the server. This assumes the DNS settings are already configured. Alternatively, it’s possible to use just the IP address of the server, but this is not recommended.
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com:1194
Generate the EasyRSA PKI certificate authority. You will be prompted for a passphrase for the CA private key. Pick a good one and remember it; without the passphrase it will be impossible to issue and sign client certificates:
docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki
Note, the security of the $OVPN_DATA
container is important. It contains all the private keys to impersonate the server and all the client certificates. Keep this in mind and control access as appropriate. The default OpenVPN scripts use a passphrase for the CA key to increase security and prevent issuing bogus certificates.
See the Conclusion below for more details on how to back up the certificate store.
To autostart the Docker container that runs the OpenVPN server process (see Docker Host Integration for more) create an Upstart init file using nano
or vim
:
sudo vim /etc/init/docker-openvpn.conf
Contents to place in /etc/init/docker-openvpn.conf
:
description "Docker container for OpenVPN server"
start on filesystem and started docker
stop on runlevel [!2345]
respawn
script
exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
end script
Start the process using the Upstart init mechanism:
sudo start docker-openvpn
Verify that the container started and didn’t immediately crash by looking at the STATUS
column:
test0@tutorial0:~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c3ca41324e1d kylemanna/openvpn:latest "ovpn_run" 2 seconds ago Up 2 seconds 0.0.0.0:1194->1194/udp focused_mestorf
In this section we’ll create a client certificate using the PKI CA we created in the last step.
Be sure to replace CLIENTNAME
as appropriate (this doesn’t have to be a FQDN). The client name is used to identify the machine the OpenVPN client is running on (e.g., “home-laptop”, “work-laptop”, “nexus5”, etc.).
The easyrsa
tool will prompt for the CA password. This is the password we set above during the ovpn_initpki
command. Create the client certificate:
docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
After each client is created, the server is ready to accept connections.
The clients need the certificates and a configuration file to connect. The embedded scripts automate this task and enable the user to write out a configuration to a single file that can then be transfered to the client. Again, replace CLIENTNAME
as appropriate:
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
The resulting CLIENTNAME.ovpn
file contains the private keys and certificates necessary to connect to the VPN. Keep these files secure and not lying around. You’ll need to securely transport the *.ovpn
files to the clients that will use them. Avoid using public services like email or cloud storage if possible when transferring the files due to security concerns.
Recommend methods of transfer are ssh/scp, HTTPS, USB, and microSD cards where available.
The following are commands or operations run on the clients that will connect to the OpenVPN server configured above.
On Ubuntu 12.04/14.04 and Debian wheezy/jessie clients (and similar):
Install OpenVPN:
sudo apt-get install openvpn
Copy the client configuration file from the server and set secure permissions:
sudo install -o root -m 400 CLIENTNAME.ovpn /etc/openvpn/CLIENTNAME.conf
Configure the init scripts to autostart all configurations matching /etc/openvpn/*.conf
:
echo AUTOSTART=all | sudo tee -a /etc/default/openvpn
Restart the OpenVPN client’s server process:
sudo /etc/init.d/openvpn restart
Install OpenVPN:
pacman -Sy openvpn
Copy the client configuration file from the server and set secure permissions:
sudo install -o root -m 400 CLIENTNAME.ovpn /etc/openvpn/CLIENTNAME.conf
Start OpenVPN client’s server process:
systemctl start openvpn@CLIENTNAME
Optional: configure systemd to start /etc/openvpn/CLIENTNAME.conf
at boot:
systemctl enable openvpn@CLIENTNAME
Download and install TunnelBlick.
Copy CLIENTNAME.ovpn
from the server to the Mac.
Import the configuration by double clicking the *.ovpn
file copied earlier. TunnelBlick will be invoked and the import the configuration.
Open TunnelBlick, select the configuration, and then select connect.
Install the OpenVPN Connect App from the Google Play store.
Copy CLIENTNAME.ovpn
from the server to the Android device in a secure manner. USB or microSD cards are safer. Place the file on your SD card to aid in opening it.
Import the configuration: Menu -> Import -> Import Profile from SD card
Select connect.
There are a few ways to verify that traffic is being routed through the VPN.
Visit a website to determine the external IP address. The external IP address should be that of the OpenVPN server.
Try Google “what is my ip” or icanhazip.com.
From the command line, wget
or curl
come in handy. Example with curl
:
curl icanhazip.com
Example with wget
:
wget -qO - icanhazip.com
The expected response should be the IP address of the OpenVPN server.
Another option is to do a special DNS lookup to a specially configured DNS server just for this purpose using host
or dig
. Example using host
:
host -t A myip.opendns.com resolver1.opendns.com
Example with dig
:
dig +short myip.opendns.com @resolver1.opendns.com
The expected response should be the IP address of the OpenVPN server.
Review your network interface configuration. On Unix-based operating systems, this is as simple as running ifconfig
in a terminal, and looking for OpenVPN’s tunX
interface when it’s connected.
Review logs. On Unix systems check /var/log
on old distributions or journalctl
on systemd distributions.
The Docker image built to run this is open source and capable of much more than described here.
The docker-openvpn source repository is available for review of the code as well as forking for modifications. Pull requests for general features or bug fixes are welcome.
Advanced topics such as backup and static client IPs are discussed under the docker-openvpn/docs folder.
Report bugs to the docker-openvpn issue tracker.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Sign up for Infrastructure as a Newsletter.
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
For anyone following this guide that is using systemd instead of upstart, here is the content of
/etc/systemd/system/docker-openvpn.service
dont forget chmod +x
I recently followed these instructions, and ran into trouble with the upstart section, since ubuntu now uses systemd by default. I hadn’t used systemd before, so I figured I would share what I did to use systemd instead. First, I created the file
/lib/systemd/system/docker-openvpn.service
with the following contents:Then I ran
sudo systemctl enable docker-openvpn.service
to enable the service at boot.Let me know if you have any trouble with this!
Thanks for the step-by-step. Works fine for Windows 10 Pro client.
Great article, very well done, clear and efficient!!! Really appreciate your work, thanks for sharing!
I get
when trying to run
Isn’t working. Works with -L though:
I get
FATA[0000] Error response from daemon: container --rm not found, impossible to mount its volumes
when I try to create client certificates?EDIT: just looked at the github repo, he is using named volumes now. Update the aricle DO, please, so people don’t lose their data.
Why not use named volumes instead of an anonymous container volume in a separate busybox container? Skip the busybox container step and run
etc…
This will create the named volume.
Anonymous volumes have the huge drawback that they are removed when their container is removed, unlike named volumes, which seems nonideal for important configuration data.
You can still mount named volumes in other service containers, say for backups, using
--volumes-from
on the service container.Used to be that named volumes weren’t available, so perhaps this was written from that perspective; I think it could use an update.
Nice article!
The command
causes
sudo: start: command not found
.I tried to run this:
and it didn’t work either -
Failed to start docker-openvpn.service: Unit docker-openvpn.service not found.
Am I doing something wrong?