This tutorial will explain how to set up and run an OpenVPN container with the help of Docker.
OpenVPN provides a way to create virtual private networks (VPNs) using TLS (the successor to SSL) encryption. OpenVPN protects network traffic from eavesdropping and man-in-the-middle (MITM) attacks. The private network can be used to securely connect a device, such as a laptop or mobile phone on an untrusted WiFi network, to a remote server that then relays the traffic to the Internet. Private networks can also be used to securely connect devices to each other over the Internet.
Docker provides a way to encapsulate the OpenVPN server process and configuration data so that it is more easily managed. The Docker OpenVPN image is prebuilt and includes all of the necessary dependencies to run the server in a sane and stable environment. Scripts are included to significantly automate the standard use case, but still allow for full manual configuration if desired. A Docker volume container is used to hold the configuration and EasyRSA PKI certificate data as well.
Docker Registry is a central repository for both official and user-developed Docker images. The image used in this tutorial is a user-contributed image available at kylemanna/openvpn. The image is assembled on Docker Registry’s cloud build servers using the source from the GitHub project repository. Because the cloud build is linked to GitHub, users can audit the Docker image by reviewing the source Dockerfile and related code; this is called a Trusted Build. When the code is updated in the GitHub repository, a new Docker image is built and published on the Docker Registry.
Docker is moving fast and Ubuntu’s long term support (LTS) policy doesn’t keep up. To work around this we’ll install a PPA that will get us the latest version of Docker.
Add the upstream Docker repository package signing key. The apt-key command uses elevated privileges via sudo, so a prompt for the user’s password may appear:
curl -L https://get.docker.com/gpg | sudo apt-key add -
Note: Enter your sudo password at the blinking cursor if necessary.
Add the upstream Docker repository to the system list:
echo deb http://get.docker.io/ubuntu docker main | sudo tee /etc/apt/sources.list.d/docker.list
Update the package list and install the Docker package:
sudo apt-get update && sudo apt-get install -y lxc-docker
Add your user to the docker group to enable communication with the Docker daemon as a normal user, where sammy is your username. Exit and log in again for the new group to take effect:
sudo usermod -aG docker sammy
After logging in again, verify the group membership using the id command. The expected response should include docker, like the following example:
uid=1001(test0) gid=1001(test0) groups=1001(test0),27(sudo),999(docker)
Optional: Run bash in a simple Debian Docker image (--rm to clean up the container after exit and -it for interactive) to verify Docker operation on the host:
docker run --rm -it debian:jessie bash -l
Expected response from docker as it pulls in the images and sets up the container:
Unable to find image 'debian:jessie' locally
debian:jessie: The image you are pulling has been verified
511136ea3c5a: Pull complete
36fd425d7d8a: Pull complete
aaabd2b41e22: Pull complete
Status: Downloaded newer image for debian:jessie
root@de8ffd8f82f6:/#
Once inside the container you’ll see the root@<container id>:/# prompt, signifying that the current shell is in a Docker container. To confirm that it’s different from the host, check the version of Debian running in the container:
cat /etc/issue.net
Expected response from the container at the time of writing:
Debian GNU/Linux jessie/sid
If you see a different version of Debian, that’s fine.
Exit the container by typing logout, and the host’s prompt should appear again.
This step is usually a headache for those familiar with OpenVPN or any services utilizing PKI. Luckily, Docker and the scripts in the Docker image simplify this step by generating configuration files and all the necessary certificate files for us.
Create a volume container. This tutorial will use the $OVPN_DATA environment variable to make it copy-paste friendly. Set this to anything you like. The default ovpn-data value is recommended for single OpenVPN Docker container servers. Setting the variable in the shell leverages string substitution to save the user from manually replacing it in each step of the tutorial:
OVPN_DATA="ovpn-data"
Create an empty Docker volume container using busybox as a minimal Docker image:
docker run --name $OVPN_DATA -v /etc/openvpn busybox
Initialize the $OVPN_DATA container that will hold the configuration files and certificates, and replace vpn.example.com with your FQDN. The vpn.example.com value should be the fully-qualified domain name you use to communicate with the server. This assumes the DNS settings are already configured. Alternatively, it’s possible to use just the IP address of the server, but this is not recommended.
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com:1194
Generate the EasyRSA PKI certificate authority. You will be prompted for a passphrase for the CA private key. Pick a good one and remember it; without the passphrase it will be impossible to issue and sign client certificates:
docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki
Note: the security of the $OVPN_DATA container is important. It contains all the private keys needed to impersonate the server, as well as all the client certificates. Keep this in mind and control access as appropriate. The default OpenVPN scripts protect the CA key with a passphrase to increase security and prevent issuing bogus certificates.
See the Conclusion below for more details on how to back up the certificate store.
To autostart the Docker container that runs the OpenVPN server process (see Docker Host Integration for more), create an Upstart init file using nano or vim:
sudo vim /etc/init/docker-openvpn.conf
Contents to place in /etc/init/docker-openvpn.conf:
description "Docker container for OpenVPN server"
start on filesystem and started docker
stop on runlevel [!2345]
respawn
script
exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
end script
Start the process using the Upstart init mechanism:
sudo start docker-openvpn
Verify that the container started and didn’t immediately crash by looking at the STATUS column:
test0@tutorial0:~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c3ca41324e1d kylemanna/openvpn:latest "ovpn_run" 2 seconds ago Up 2 seconds 0.0.0.0:1194->1194/udp focused_mestorf
In this section we’ll create a client certificate using the PKI CA we created in the last step.
Be sure to replace CLIENTNAME as appropriate (this doesn’t have to be a FQDN). The client name is used to identify the machine the OpenVPN client is running on (e.g., “home-laptop”, “work-laptop”, “nexus5”, etc.).
The easyrsa tool will prompt for the CA password. This is the password we set above during the ovpn_initpki command. Create the client certificate:
docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
After each client is created, the server is ready to accept connections.
The clients need the certificates and a configuration file to connect. The embedded scripts automate this task and enable the user to write out a configuration to a single file that can then be transferred to the client. Again, replace CLIENTNAME as appropriate:
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
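The two client-issuance steps above, wrapped in a small helper as an added example (not code from the tutorial or the docker-openvpn project). It refuses to run with an empty $OVPN_DATA (the "container --rm not found" failure reported in the comments below), restricts client names to plain identifiers, and writes the profile owner-only from the start; the function names and the injectable `run` parameter are this example's own.

```python
"""Issue a client certificate and .ovpn profile from the tutorial's data container."""
import os
import re
import subprocess
from typing import Callable, List

IMAGE = "kylemanna/openvpn"
# Client names end up in certificate subjects and file names; keep them plain.
CLIENT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def docker_cmd(data_container: str, *args: str, interactive: bool = False) -> List[str]:
    """Build `docker run --volumes-from DATA --rm [-it] kylemanna/openvpn ARGS`."""
    if not data_container or data_container.startswith("-"):
        # With OVPN_DATA unset the shell expands it to nothing, and docker then
        # reads "--rm" as the container name (the error quoted in the comments).
        raise ValueError("OVPN_DATA must name the data container, e.g. ovpn-data")
    cmd = ["docker", "run", "--volumes-from", data_container, "--rm"]
    if interactive:
        cmd.append("-it")  # easyrsa prompts for the CA passphrase
    return cmd + [IMAGE, *args]


def validate_client_name(name: str) -> str:
    if not CLIENT_NAME_RE.match(name):
        raise ValueError(f"unsafe client name: {name!r}")
    return name


def build_client_cert_cmd(data_container: str, client: str) -> List[str]:
    return docker_cmd(data_container, "easyrsa", "build-client-full",
                      validate_client_name(client), "nopass", interactive=True)


def get_client_profile_cmd(data_container: str, client: str) -> List[str]:
    return docker_cmd(data_container, "ovpn_getclient", validate_client_name(client))


def issue_client(data_container: str, client: str,
                 run: Callable = subprocess.run) -> str:
    """Create the client certificate, then return the profile text from ovpn_getclient.

    `run` is injectable so the flow can be exercised without Docker installed.
    """
    run(build_client_cert_cmd(data_container, client), check=True)
    result = run(get_client_profile_cmd(data_container, client),
                 check=True, capture_output=True, text=True)
    return result.stdout


def save_profile(text: str, path: str) -> str:
    """Write the profile readable by the owner only; never overwrite an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path


if __name__ == "__main__":
    import sys
    data, name = os.environ.get("OVPN_DATA", ""), sys.argv[1]
    print("wrote", save_profile(issue_client(data, name), f"{name}.ovpn"))
```

Run it as `OVPN_DATA=ovpn-data python3 issue_client.py home-laptop`; the easyrsa step still prompts for the CA passphrase on the terminal.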
The resulting CLIENTNAME.ovpn file contains the private key and certificates necessary to connect to the VPN. Keep these files secure and don’t leave them lying around. You’ll need to securely transport the *.ovpn files to the clients that will use them. Avoid using public services like email or cloud storage when transferring the files, due to security concerns.
Recommended methods of transfer are ssh/scp, HTTPS, USB, and microSD cards where available.
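A pre-flight check to run on a CLIENTNAME.ovpn before it is handed to a client, as an added example (not code from the tutorial or docker-openvpn). It verifies that the inline ca/cert/key/tls-auth blocks are present, that the remote matches the server, that server certificate verification is enabled (the "No server certificate verification method" warning quoted in the comments below), that no server-only `dh` directive crept in (the Viscosity issue in the comments), and that the file on disk is not group- or world-readable; the function names and the constructed sample profile are this example's own.

```python
"""Pre-flight check for a client .ovpn profile written by ovpn_getclient."""
import os
import re
import stat
from typing import Dict, List, Tuple

INLINE_BLOCK_RE = re.compile(r"<([\w-]+)>(.*?)</\1>", re.S)
REQUIRED_BLOCKS = ("ca", "cert", "key", "tls-auth")


def parse_profile(text: str) -> Tuple[List[List[str]], Dict[str, str]]:
    """Split an .ovpn file into directive token lists and inline <tag> blocks."""
    blocks = {m.group(1): m.group(2).strip() for m in INLINE_BLOCK_RE.finditer(text)}
    directives = []
    for line in INLINE_BLOCK_RE.sub("", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            directives.append(line.split())
    return directives, blocks


def check_profile(text: str, host: str, port: int = 1194, proto: str = "udp") -> List[str]:
    """Return a list of problems; an empty list means the profile passed."""
    directives, blocks = parse_profile(text)
    problems = []
    for name in REQUIRED_BLOCKS:
        if name not in blocks:
            problems.append(f"missing inline <{name}> block")
    if "key" in blocks and "PRIVATE KEY-----" not in blocks["key"]:
        problems.append("<key> block is not a PEM private key")
    proto_line = next((d[1] for d in directives if d[0] == "proto" and len(d) > 1), None)
    remotes = [d for d in directives if d[0] == "remote"]
    if not remotes:
        problems.append("no remote directive")
    for r in remotes:
        # `remote host [port [proto]]`; port/proto fall back to OpenVPN defaults
        r_host = r[1] if len(r) > 1 else ""
        r_port = r[2] if len(r) > 2 else "1194"
        r_proto = r[3] if len(r) > 3 else (proto_line or "udp")
        if (r_host, r_port, r_proto) != (host, str(port), proto):
            problems.append(f"remote '{' '.join(r[1:])}' does not match {host}:{port}/{proto}")
    if ["remote-cert-tls", "server"] not in directives:
        problems.append("server certificate verification disabled: add 'remote-cert-tls server'")
    if "tls-auth" in blocks and not any(d[0] == "key-direction" for d in directives):
        problems.append("inline <tls-auth> needs a key-direction directive")
    for d in directives:
        if d[0] == "dh":
            problems.append(f"server-only directive '{' '.join(d)}' in client profile")
        elif d[0] in REQUIRED_BLOCKS:
            problems.append(f"'{' '.join(d)}' points at an external file instead of an inline block")
    return problems


def check_file_mode(path: str) -> List[str]:
    """The tutorial installs profiles with mode 400; flag any group/world access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [f"{path} has mode {mode:04o}; expected 0400 or 0600"] if mode & 0o077 else []


def _pem(label: str) -> str:
    """Placeholder PEM block for the constructed sample; not real key material."""
    return f"-----BEGIN {label}-----\nPLACEHOLDER\n-----END {label}-----"


# Constructed sample in the shape ovpn_getclient writes (placeholder PEM bodies).
SAMPLE_PROFILE = "\n".join([
    "client", "nobind", "dev tun",
    "remote vpn.example.com 1194 udp", "remote-cert-tls server", "key-direction 1",
    f"<ca>\n{_pem('CERTIFICATE')}\n</ca>",
    f"<cert>\n{_pem('CERTIFICATE')}\n</cert>",
    f"<key>\n{_pem('PRIVATE KEY')}\n</key>",
    f"<tls-auth>\n{_pem('OpenVPN Static key V1')}\n</tls-auth>", "",
])

if __name__ == "__main__":
    import sys
    path, host = sys.argv[1], sys.argv[2]
    with open(path) as f:
        found = check_profile(f.read(), host) + check_file_mode(path)
    print("\n".join(found) or "profile OK")
    sys.exit(1 if found else 0)
```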
The following are commands or operations run on the clients that will connect to the OpenVPN server configured above.
On Ubuntu 12.04/14.04 and Debian wheezy/jessie clients (and similar):
Install OpenVPN:
sudo apt-get install openvpn
Copy the client configuration file from the server and set secure permissions:
sudo install -o root -m 400 CLIENTNAME.ovpn /etc/openvpn/CLIENTNAME.conf
Configure the init scripts to autostart all configurations matching /etc/openvpn/*.conf:
echo AUTOSTART=all | sudo tee -a /etc/default/openvpn
Restart the OpenVPN service so it picks up the client configuration:
sudo /etc/init.d/openvpn restart
On Arch Linux clients:
Install OpenVPN:
pacman -Sy openvpn
Copy the client configuration file from the server and set secure permissions:
sudo install -o root -m 400 CLIENTNAME.ovpn /etc/openvpn/CLIENTNAME.conf
Start the OpenVPN client service:
systemctl start openvpn@CLIENTNAME
Optional: configure systemd to start /etc/openvpn/CLIENTNAME.conf at boot:
systemctl enable openvpn@CLIENTNAME
On Mac OS X clients:
Download and install Tunnelblick.
Copy CLIENTNAME.ovpn from the server to the Mac.
Import the configuration by double-clicking the *.ovpn file copied earlier. Tunnelblick will be invoked and will import the configuration.
Open TunnelBlick, select the configuration, and then select connect.
On Android clients:
Install the OpenVPN Connect App from the Google Play store.
Copy CLIENTNAME.ovpn from the server to the Android device in a secure manner. USB or microSD cards are safer. Place the file on your SD card to aid in opening it.
Import the configuration: Menu -> Import -> Import Profile from SD card
Select connect.
There are a few ways to verify that traffic is being routed through the VPN.
Visit a website to determine the external IP address. The external IP address should be that of the OpenVPN server.
Try Google “what is my ip” or icanhazip.com.
From the command line, wget or curl come in handy. Example with curl:
curl icanhazip.com
Example with wget:
wget -qO - icanhazip.com
The expected response should be the IP address of the OpenVPN server.
Another option is to do a DNS lookup against a DNS server specially configured for this purpose, using host or dig. Example using host:
host -t A myip.opendns.com resolver1.opendns.com
Example with dig:
dig +short myip.opendns.com @resolver1.opendns.com
The expected response should be the IP address of the OpenVPN server.
Review your network interface configuration. On Unix-based operating systems, this is as simple as running ifconfig in a terminal and looking for OpenVPN’s tunX interface when it’s connected.
Review logs. On Unix systems check /var/log on old distributions or journalctl on systemd distributions.
The Docker image built to run this is open source and capable of much more than described here.
The docker-openvpn source repository is available for review of the code as well as forking for modifications. Pull requests for general features or bug fixes are welcome.
Advanced topics such as backup and static client IPs are discussed under the docker-openvpn/docs folder.
Report bugs to the docker-openvpn issue tracker.
Thank you for sharing. Did you ever try OpenVPN on iOS devices?
I have not tested iOS, but I assume the iOS OpenVPN Connect app is similar to the Android version which I do use.
Thanks for sharing this.
What are the advantages of using a Docker container for OpenVPN, versus making the entire server an OpenVPN server?
There are a few benefits and they are generalized to almost all Docker containers:
The entire daemon as well as all dependencies live in the Docker image. This means that it will function correctly (after Docker itself is setup) on all distributions like Ubuntu, Arch, Debian, Fedora, etc. Furthermore, you can run an old stable server image but run a bleeding edge OpenVPN server without having to install/muck with library dependencies (i.e. run latest OpenVPN with latest OpenSSL on Ubuntu 12.04 LTS).
It doesn’t stomp all over the server’s filesystem. Everything for the Docker container is contained in two images: the ephemeral run time image (kylemanna/openvpn) and the data image (using busybox as a base). If you want to remove it, remove the two Docker images and corresponding containers and it’s all gone. This also makes it easier to run multiple servers since each lives in the bubble of the container (you will of course need multiple IPs or separate ports to communicate with the world).
Some (arguable) security benefits. At the simplest level compromising the container may prevent additional compromise of the server. There are many arguments surrounding this, but the take away is that it certainly makes it more difficult to break out of the container. People are actively working on Linux containers to make this more of a guarantee in the future.
Excellent summary! Thank you!
Nice guide. It would be nice to clarify that you need a 64-bit droplet for this :)
Thank you! Very helpful!
I get
FATA[0000] Error response from daemon: container --rm not found, impossible to mount its volumes
when I try to create client certificates?
I think your $OVPN_DATA variable is somehow empty, so you are giving --rm as a container name to Docker. Try to replace $OVPN_DATA with ovpn-data (or your actual container name, if you used one instead of the one proposed by the author).
I’m having the same issue, I already tried $OVPN_DATA etc. can someone help?
@SmallPangoline is right, the $OVPN_DATA variable must not be set. Double check the steps and try again, in particular the OVPN_DATA=“ovpn-data” step.
Very concise and easy to follow even for a newbie like me. However, when I attempt to connect my client, the connection fails and this is what is recorded in the client log:
Feb 25 21:07:00: Viscosity Mac 1.5.3 (1255) Feb 25 21:07:00: Viscosity OpenVPN Engine Started Feb 25 21:07:00: Running on Mac OS X 10.10.2 Feb 25 21:07:00: --------- Feb 25 21:07:00: Checking reachability status of connection… Feb 25 21:07:00: Connection is reachable. Starting connection attempt.
That’s it. Not very helpful output. Any idea what’s wrong? This is the output from ifconfig:
docker0 Link encap:Ethernet HWaddr aa:aa:aa:aa:aa:aa inet addr:172.xxx.xxx.xxx Bcast:0.0.0.0 Mask:255.xxx.xxx.xxx inet6 addr: xxxxxxxxxxxxxxxxxxxxxxxxxxx Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:8 errors:0 dropped:0 overruns:0 frame:0 TX packets:8 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:536 (536.0 B) TX bytes:648 (648.0 B)
eth0 Link encap:Ethernet HWaddr aa:aa:aa:aa:aa:aa inet addr:178.xx.xxx.xxx Bcast:178.xxx.xxx.xxx Mask:255.xxx.xxx.xxx inet6 addr: xxxxxxxxxxxxxxxxxxxxxxxxxxx Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1308 errors:0 dropped:0 overruns:0 frame:0 TX packets:1262 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:106696 (106.6 KB) TX bytes:90915 (90.9 KB)
The latest attempt produced this:
Feb 25 21:52:04: Viscosity Mac 1.5.3 (1255) Feb 25 21:52:04: Viscosity OpenVPN Engine Started Feb 25 21:52:04: Running on Mac OS X 10.10.2 Feb 25 21:52:04: --------- Feb 25 21:52:04: Checking reachability status of connection… Feb 25 21:52:04: Connection is reachable. Starting connection attempt. Feb 25 21:52:05: Options error: --dh fails with ‘dh.key’: No such file or directory Feb 25 21:52:05: Options error: Please correct these errors.
Never used Viscosity on OS X. I have tested and can confirm that TunnelBlick works flawlessly. You might want to give that a test first and then dig in deeper to Viscosity.
I was able to solve the problem. Viscosity automatically appends an extra OpenVPN command to the configuration file. If others have the problem the solution is to open the configuration, and under the Advanced Tab remove “dh dh.key” from the listing of automatically appended OpenVPN commands.
Thank you for sharing this tutorial. Everything you mentioned worked fine for me. But while I am connected to my VPN via Tunnelblick and
curl icanhazip.com
is returning the correct IP, I still get my personal IP when connected to my server through SSH. What am I missing here? How can I get the IP of the VPN?
This is expected. If you review your routing table on your client (ip route on Linux, netstat -rn on OS X) you’ll see that the OpenVPN client added routes to connect directly to your server. That is to say, traffic won’t be routed through the VPN unless you use the VPN IP explicitly. This is because the VPN client needs to communicate with the server or the VPN won’t work at all. I’m sure some fancy iptables/netfilter rules might be able to re-write non-VPN packets to make this happen, but this is far beyond the scope of this tutorial. If you want to ssh to the VPN address of your machine, use the VPN IP address. Review your network config to find the VPN IP address. Typically it’s the IP address assigned to your VPN interface + 1 (i.e. if the client is 192.168.254.1, then the server is likely 192.168.254.2).
Hi Kyle, thanks for putting this guide together. I had the vpn running flawlessly after following your guide but after trying to reconnect a few hours later am getting stuck at “waiting for a server response” when trying to connect.
I have restarted the machine, relaunched the process using
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com:1194
(with my domain sub’d in), and have verified the process is running using docker ps.
Edit: after checking docker ps again, it appears the process dies out shortly after starting. Any suggestions? Thanks!
Very good tutorial!
Prior to Step #5: Securely copying the certificates via SSH/SCP
I’m new to docker; how would I copy the OpenVPN certificates generated on docker to another computer via SSH/SCP? Still not entirely sure how to interact with the docker shell, although I did find a variety of syntax answers at Stack Overflow… Anyone?
I’m using
to copy macbook.ovpn to my macbook.
I used this guide but windows clients couldn’t connect. There is a fork of ‘kylemanna/openvpn’ that works with Windows clients here: https://registry.hub.docker.com/u/nightling/openvpn/ (follow the steps after installing Docker).
Pull requests / patches are welcome if there is an issue with my repo.
of course :)
Hmmm… How can I generate separate certificate, keys and config for the client instead of combined in a .ovpn file?
There is a separated option for ovpn_getclient. Brief documentation @ https://github.com/kylemanna/docker-openvpn/blob/master/docs/clients.md . Basically, run something like
ovpn_getclient CLIENT_NAME separated
Thanks for fast answer ;)
However, adding separated at the end doesn’t seem to work - no file gets created.
Hi,
Nice tutorial, works perfectly. However, I was wondering how one could manage client certificates, i.e. revocation, with this container?
I have tried several ways, can’t get it to work.
Just updated it to support this. Details at issue #38 and documentation.
You’ll need to do the following to update your docker image, OpenVPN config to support the feature:
Actual revocation:
Thanks a lot. Will try it asap.
I’m using a Windows machine to connect, but I receive the following error:
Is it because the opvn file has been combined with multiple keys and configs?
Thanks in advance.
I’m having a real strange issue. I set this up as instructed, connect fine using TunnelBlick, but if I reboot the droplet, the next time I connect, I’m getting no connectivity to the internet. My IP isn’t changing, my traffic is stopping at the remote machine.
I’ve checked the logs, they don’t say anything to indicate why this may be.
Anyone got any ideas?
I’ve tried to recreate the entire thing from scratch but it still doesn’t work. I’ve even installed TunnelBlick on a fresh MacBook and used the same .ovpn file, and that can’t connect either.
Something weird is happening and I’m not sure where to look…
I figured out what the problem is. To lock down my containers, I put --iptables=false into DOCKER_OPTS, but obviously this container is relying on some sort of automatic iptables shindig.
Is there a way we can explicitly configure IP tables?
Hi, Awesome tutorial. I have a question:
Is there a way to configure the server to listen on port 443/tcp and 1194/udp as in jpetazzo/openvpn
Is there a similar set up in your image?
Thanks
Can you please let me know if there is a possibility to set static internal IP address for one of my devices connected to Docker OpenVPN?
Thanks in advance
Check out https://github.com/kylemanna/docker-openvpn/blob/master/docs/static-ips.md
Isn’t working. Works with -L though:
Thanks for the heads-up. I’ve updated the docs on Github to reflect the redirected location.
I get
when trying to run
@Nickthegoatboy Docker moved their gpg key and curl doesn’t follow the redirect. Try:
FYI for future issues like this, there is a Docker configuration document on Github that will always be up to date.
I’ll try to get the tutorial updated!
I’m a total n00b, and I’m using a Ubuntu 15.04 droplet. In 15.04, Ubuntu moved away from Upstart to systemd. Consequently, the script in Step 3 may not be suitable for my OS.
If possible, could someone please point me in the right direction to auto-run the OpenVPN container with systemd. Thanks so much!!
Check out docker-openvpn@.service at https://github.com/kylemanna/docker-openvpn/tree/master/init
I have the systemd init file I’m using on a handful of servers.
Crash course:
systemctl enable docker-openvpn@data # Assuming data container is ovpn-data
systemctl start docker-openvpn@data
Most of the noise in the systemd service file is hacking around missing IPv6 support in docker.
Thanks so much for the reply and link to the service. I am going to go back to the basics and learn more of the underlying tech, rather than copy+paste+hope-it-works. Thanks again and especially for your tireless contribution to the community!!!
You might want to update your tutorial or make a new one for ubuntu 16
The server works great, thanks!
Anyone know how to get this working with the VPN configuration GUI in Ubuntu 14.04 LTS? I believe it is called “NetworkManager”. I tried several different ways to set it up, but my client refuses to connect.
I can connect using openvpn from the command line.
I can’t find the generated .ovpn files. Am I missing something? I even did a find / -iname ‘*.ovpn’
This is good, but typically you should use the same image for both the data container and the container hosting the processes. This saves disk space - no need to add a busybox image to your system - and allows you to properly set permissions and potentially seed the data container with files if you need to. I would suggest creating the data container like this:
A potential problem with using the kylemanna/openvpn image as the data image is that over time it could use more disk space than a 4MB busybox image. Eventually you will update kylemanna/openvpn by pulling an update and now you will store two copies of the image, the original and the new one.
Some time ago the original image was substantially bigger, almost 100MB when using Debian. Today’s image is approximately 4MB thanks to Alpine Linux.
Image sizes by tag are @ https://hub.docker.com/r/kylemanna/openvpn/tags/
Very useful!!! I installed OpenVPN according to the article and it worked properly.
Can the initial CA (ovpn_initpki) command run without the interaction to include the passphrase and common name? I believe the user will be prompted four times; can it run excluding the -it parameter for non-interactive? Thanks.
You could disable the passphrase by passing nopass to ovpn_initpki, but it’s not recommended because it’s very insecure. https://github.com/kylemanna/docker-openvpn/blob/e9d1022/bin/ovpn_initpki#L15-L16
As for automating it, it’s probably better to generate the private key outside the container and sign the certs outside of the container if you’re doing this at any real scale.
Sorry, I’m new to this. How would I go about automating generating the private key and signing the cert outside the container? And after that, do I need to put those files back in the container in the etc/openvpn/pki/…/ path? Also, would these steps bypass/skip the step “docker run --volumes-from $OVPN_DATA --rm -i kylemanna/openvpn ovpn_initpki”?
Can I use openssl to generate the private key & signing the certificates?
Thanks.
Can you help with this error? When I run the command to bind mount that will overlay config file from the docker host to /etc/openvpn/openvpn.conf in the container?
“sudo docker run --volumes-from ovpn-data -v /home/user/dev/server_config:/etc/openvpn --rm -p IP_Address:443:443 --cap-add=NET_ADMIN kylemanna/openvpn”
Error: iptables: No chain/target/match by that name. iptables: No chain/target/match by that name. Enabling IPv6 Forwarding sysctl: error setting key ‘net.ipv6.conf.default.forwarding’: Read-only file system Failed to enable IPv6 Forwarding default sysctl: error setting key ‘net.ipv6.conf.all.forwarding’: Read-only file system Failed to enable IPv6 Forwarding
Thanks for your work. It works very well.
I followed exactly your tutorial, and it worked like a charm!
Do you know how I could disable route push? All my traffic is redirected through the openvpn server and I can’t find the config that causes it.
Thanks!
Thanks, great tutorial, however I can’t find the .ovpn config file :D there is no directory when I run the command:
and when I run the command
there is no output. Any help would be great, Thanks. EDIT: oh I almost forgot, I don’t have a Fully Qualified Domain Name, so I put my IP address there. EDIT2: My bad, it was in the ~ directory. After I successfully connected to the OpenVPN I encountered something interesting: using the Docker method, a connection is established much faster than with a normal OpenVPN setup, I wonder why that is?! (even the logs on the OpenVPN client are much shorter than normal OpenVPN logs!)
Thanks. I did this with 16.04 except to install docker I followed https://docs.docker.com/engine/quickstart/
It works. First time. Which is a minor miracle to me.
If something goes wrong and you need to clean up files on the docker instance, you can connect with:
On 16.04 it seems that the script and tip to get it to start at machine boot don’t work (no more upstart, maybe?). How do you do that?
Great article, very well done, clear and efficient!!! Really appreciate your work, thanks for sharing!
Thanks for the step-by-step. Works fine for Windows 10 Pro client.
Hi,
This is great, I am getting these issues trying to connect… To confirm do I need to set a port forward and IP address for the docker container ?
My connection just stays in a ‘connecting’ state. Error below.
Jul 09 20:48:45: Viscosity Mac 1.6.4 (1348) Jul 09 20:48:45: Viscosity OpenVPN Engine Started Jul 09 20:48:45: Running on Mac OS X 10.11.5 Jul 09 20:48:45: --------- Jul 09 20:48:45: Checking reachability status of connection… Jul 09 20:48:45: Connection is reachable. Starting connection attempt. Jul 09 20:48:46: OpenVPN 2.3.11 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on May 10 2016 Jul 09 20:48:46: library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09 Jul 09 20:48:47: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Jul 09 20:48:47: Control Channel Authentication: using ‘/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/connection.kLxxzU/ta.key’ as a OpenVPN static key file Jul 09 20:48:47: UDPv4 link local: [undef] Jul 09 20:48:47: UDPv4 link remote: [AF_INET]81.111.142.183:1194
Thanks,
Lee
Hi,
Great guide, however I am getting the below error :(
Jul 11 17:03:49: Viscosity Mac 1.6.4 (1348) Jul 11 17:03:49: Viscosity OpenVPN Engine Started Jul 11 17:03:49: Running on Mac OS X 10.11.5 Jul 11 17:03:49: --------- Jul 11 17:03:49: Checking reachability status of connection… Jul 11 17:03:50: Connection is reachable. Starting connection attempt. Jul 11 17:03:50: OpenVPN 2.3.11 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on May 10 2016 Jul 11 17:03:50: library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09 Jul 11 17:03:51: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Jul 11 17:03:51: Control Channel Authentication: using ‘/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/connection.ryjFhD/ta.key’ as a OpenVPN static key file Jul 11 17:03:51: UDPv4 link local: [undef] Jul 11 17:03:51: UDPv4 link remote: [AF_INET]x.x.x.x:1194 Jul 11 17:04:51: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Jul 11 17:04:51: TLS Error: TLS handshake failed Jul 11 17:04:51: SIGUSR1[soft,tls-error] received, process restarting Jul 11 17:04:51: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Jul 11 17:04:51: Control Channel Authentication: using ‘/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/connection.ryjFhD/ta.key’ as a OpenVPN static key file Jul 11 17:04:51: UDPv4 link local: [undef] Jul 11 17:04:51: UDPv4 link remote: [AF_INET]x.x.x.x:1194 Jul 11 17:05:21: SIGTERM[hard,] received, process exiting
Are there any instructions for getting ufw set up on the host system?
Many thanks for your instructions. I’m planning to do just this so I can use the VPN when I connect devices (Android phone, Chrome device, Linux laptop …) when using unsecured networks. I’ve been doing some stuff with Docker at work - nearly enough to be dangerous - so I should be able to follow your instructions. I do have one question though. Is it possible to build and test the Docker images on my home LAN and then copy them to a cloud server (using ‘docker save’/‘docker load’)?
On my home LAN I have to generate new keys for SSH if I ever reinstall the OS (Linux) on one of my PCs. I would expect TLS to be just as sensitive but perhaps using a container shields me from that. I suppose at worse I need to regenerate keys once the move is complete.
Thanks!
I recently followed these instructions, and ran into trouble with the upstart section, since ubuntu now uses systemd by default. I hadn’t used systemd before, so I figured I would share what I did to use systemd instead. First, I created the file /lib/systemd/system/docker-openvpn.service with the following contents:
Then I ran sudo systemctl enable docker-openvpn.service to enable the service at boot.
Let me know if you have any trouble with this!