VPN Server using Docker
A Project by Captain Mich, Dadigno, Heyo & Fra
This is an OpenVPN server in a Docker container, complete with an EasyRSA PKI CA. We will not use a pre-built image; instead we build our own image from the Dockerfile and the other scripts written by kylemanna and licensed under MIT.
Introduction
In this post, we will examine a method for creating your own OpenVPN server with Docker. Our OpenVPN server will also be capable of handling multiple user accounts and different port options thanks to Docker's easy port publishing options. We will start with UDP port 3000, which is different from the default port (UDP 1194).
Coding
First, clone the git repository onto our server:
git clone https://github.com/kylemanna/docker-openvpn.git
Change the current directory to our cloned repository:
cd docker-openvpn/
Build a new Docker image from these files. We will name it myownvpn in this example:
docker build -t myownvpn .
Afterwards, we need a volume or directory to store our config files and keys. This is a very significant step because our keys will be stored in that directory. As a result, I suggest keeping that directory safe.
cd ..
mkdir vpn-data && touch vpn-data/vars
Now we can generate the OpenVPN config file:
docker run -v $PWD/vpn-data:/etc/openvpn --rm myownvpn ovpn_genconfig -u udp://IP_ADDRESS:3000
Be sure that your server's IP address is written in the command above in place of IP_ADDRESS. You can change your port at this stage. In this example, we used UDP 3000.
Next we initialize our PKI. This generates our CA certificate and the CA private key that belongs to the PKI. We will be asked for a password to protect that private key. The command is:
docker run -v $PWD/vpn-data:/etc/openvpn --rm -it myownvpn ovpn_initpki
Finally, we can run the VPN server based on that config:
docker run -v $PWD/vpn-data:/etc/openvpn -d -p 3000:1194/udp --cap-add=NET_ADMIN myownvpn
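The server-side steps above, collected into one script as an added example (this is not part of the docker-openvpn project). It checks the endpoint before ovpn_genconfig bakes it into the server config, which catches the most common mistake here: leaving the literal IP_ADDRESS placeholder in place. The IMAGE and DATA_DIR variables, the 203.0.113.10 address in the usage line, and the decision to accept only IPv4 literals (ovpn_genconfig also accepts hostnames) are this example's assumptions, and the image is assumed to have been built already as myownvpn.

```shell
#!/bin/sh
# provision_vpn.sh: wrapper for the server-side steps above (added example).
# Assumes the image has already been built as "myownvpn" from the cloned repo.
set -eu

IMAGE="${IMAGE:-myownvpn}"             # image name from the docker build step
DATA_DIR="${DATA_DIR:-$PWD/vpn-data}"  # host directory that will hold the PKI

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0..255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# validate_endpoint PROTO HOST PORT: reject the placeholder and bad values
# before ovpn_genconfig writes them into the server config.
validate_endpoint() {
    case $1 in
        udp|tcp) ;;
        *) echo "protocol must be udp or tcp, got '$1'" >&2; return 1 ;;
    esac
    if [ "$2" = "IP_ADDRESS" ] || ! is_ipv4 "$2"; then
        echo "host must be the server's public IPv4 address, got '$2'" >&2
        return 1
    fi
    case $3 in ''|*[!0-9]*) echo "port must be numeric, got '$3'" >&2; return 1 ;; esac
    if [ "$3" -lt 1 ] || [ "$3" -gt 65535 ]; then
        echo "port out of range: $3" >&2
        return 1
    fi
    return 0
}

# provision PROTO HOST PORT: the steps above in order, with the data
# directory restricted to its owner because it holds the CA private key.
provision() {
    validate_endpoint "$1" "$2" "$3"
    mkdir -p "$DATA_DIR"
    chmod 700 "$DATA_DIR"
    touch "$DATA_DIR/vars"
    docker run -v "$DATA_DIR:/etc/openvpn" --rm "$IMAGE" \
        ovpn_genconfig -u "$1://$2:$3"
    docker run -v "$DATA_DIR:/etc/openvpn" --rm -it "$IMAGE" ovpn_initpki
    docker run -v "$DATA_DIR:/etc/openvpn" -d -p "$3:1194/$1" \
        --cap-add=NET_ADMIN "$IMAGE"
}

# Runs only when asked explicitly, e.g.:
#   sh provision_vpn.sh provision udp 203.0.113.10 3000   (constructed address)
if [ "${1-}" = "provision" ]; then
    provision "${2:?proto}" "${3:?host}" "${4:?port}"
fi
```

The chmod 700 on the data directory is the concrete form of "keep that directory safe": the CA key, the server key and every client key created later live there, so nothing but the owning account should be able to read it.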
We did not create any users yet. In order to connect to this OpenVPN server, we can create a user per connection with this command:
docker run -v $PWD/vpn-data:/etc/openvpn --rm -it myownvpn easyrsa build-client-full user1 nopass
Note that we added a user named user1 and passed the nopass option. With that option, the user can connect with the configuration file alone. This also means that if somebody gets hold of the config file we will generate in a moment, he or she can connect to our VPN server without needing anything else. You will also be asked for the certificate authority password during user creation.
In the last step, we generate a configuration file to send to the user. To generate that file, run:
docker run -v $PWD/vpn-data:/etc/openvpn --rm myownvpn ovpn_getclient user1 > user1.ovpn
You can copy the user1.ovpn file with SCP, SFTP, or any method you want. Users can connect to your server with that file:
sudo openvpn --config user1.ovpn
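Because the generated profile embeds the client's private key, whoever holds user1.ovpn holds the credential, as noted above. The following added example (not part of the docker-openvpn project) wraps the two client commands and then treats the resulting file as a secret: it confirms the inline <key> block is present and sets owner-only permissions. The check functions are pure shell and are exercised on a constructed sample profile; the IMAGE and DATA_DIR variables, the sample's 203.0.113.10 address and the placeholder key text are assumptions of this example.

```shell
#!/bin/sh
# client_profile.sh: issue a client and lock down its profile (added example).
# Assumes the image "myownvpn" and the vpn-data directory from the steps above.
set -eu

IMAGE="${IMAGE:-myownvpn}"
DATA_DIR="${DATA_DIR:-$PWD/vpn-data}"

# embeds_private_key FILE: true if the profile carries an inline <key> block,
# i.e. whoever holds the file holds the client's credential.
embeds_private_key() {
    grep -q '^<key>$' "$1"
}

# profile_remote FILE: print "host port proto" from the profile's remote line.
profile_remote() {
    awk '$1 == "remote" { print $2, $3, $4; exit }' "$1"
}

# lock_down_profile FILE: owner-only permissions for a profile with an inline key.
lock_down_profile() {
    if ! embeds_private_key "$1"; then
        echo "$1: no inline <key> block; is this a complete profile?" >&2
        return 1
    fi
    chmod 600 "$1"
}

# has_owner_only_perms FILE: true when the mode is exactly 0600.
has_owner_only_perms() {
    [ -n "$(find "$1" -perm 600)" ]
}

# issue_client NAME [nopass]: build the client certificate (passphrase-protected
# unless "nopass" is passed) and write the combined profile NAME.ovpn.
issue_client() {
    name=$1
    docker run -v "$DATA_DIR:/etc/openvpn" --rm -it "$IMAGE" \
        easyrsa build-client-full "$name" ${2:+"$2"}
    # umask in a subshell so the file is never world-readable, even briefly
    ( umask 077; docker run -v "$DATA_DIR:/etc/openvpn" --rm "$IMAGE" \
        ovpn_getclient "$name" > "$name.ovpn" )
    lock_down_profile "$name.ovpn"
}

# Constructed sample in the shape ovpn_getclient writes by default (inline
# blocks); the key body is a placeholder, not real key material.
SAMPLE_PROFILE='client
nobind
dev tun
remote-cert-tls server
remote 203.0.113.10 3000 udp
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END PRIVATE KEY-----
</key>
redirect-gateway def1'

# Demo on the constructed sample: sh client_profile.sh demo
if [ "${1-}" = "demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PROFILE" > "$tmp"
    lock_down_profile "$tmp"
    echo "remote: $(profile_remote "$tmp")"
    rm -f "$tmp"
fi
```

Calling issue_client without the second argument omits nopass, so easyrsa prompts for a passphrase on the client key and the profile alone is no longer enough to connect; pass nopass only where that trade-off is acceptable.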
To be able to browse the Internet while connected to the VPN, you need to modify the last line of the user1.ovpn file just created as follows (OpenVPN's route directive takes a network address followed by a dotted netmask, so a /24 is written as 255.255.255.0):
#redirect-gateway def1
route 192.168.0.0 255.255.255.0
then, in /etc/sysctl.conf on the server, enable IP forwarding:
net.ipv4.ip_forward = 1
and finally run, as root on the server:
iptables -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE
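The client-side edit above (comment out redirect-gateway def1, add a route for the network behind the server) as a repeatable step, added here as an example and not taken from the project. The netmask conversion is included because the route directive wants the dotted form while networks are usually written with a prefix length; the server-side sysctl and iptables commands stay exactly as listed above. The 203.0.113.10 address in the sample profile is a constructed value.

```shell
#!/bin/sh
# split_tunnel.sh: rewrite a client profile for split tunnelling (added example).
# Comments out "redirect-gateway def1" and appends a route for the LAN behind
# the server, so only that network goes through the tunnel.
set -eu

# cidr_to_netmask PREFIX: print the dotted netmask for a /PREFIX (0..32),
# which is the form OpenVPN's "route" directive expects.
cidr_to_netmask() {
    p=$1
    case $p in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -le 32 ] || return 1
    mask=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then
            octet=255; p=$((p - 8))
        else
            # partial octet: top (8 - p) bits cleared, e.g. p=4 -> 240
            octet=$(( (255 << (8 - p)) & 255 )); p=0
        fi
        mask="$mask${mask:+.}$octet"
    done
    printf '%s\n' "$mask"
}

# make_split_tunnel PROFILE NETWORK PREFIX: write the modified profile to stdout.
make_split_tunnel() {
    case $2 in ''|*[!0-9.]*) echo "bad network: $2" >&2; return 1 ;; esac
    mask=$(cidr_to_netmask "$3") || { echo "bad prefix: $3" >&2; return 1; }
    sed 's/^redirect-gateway def1$/#redirect-gateway def1/' "$1"
    printf 'route %s %s\n' "$2" "$mask"
}

# Usage: sh split_tunnel.sh user1.ovpn 192.168.0.0 24 > user1-split.ovpn
if [ $# -eq 3 ]; then
    make_split_tunnel "$1" "$2" "$3"
fi
```

With redirect-gateway commented out, everything that does not match the added route keeps using the client's own default gateway, so only traffic for 192.168.0.0/24 is sent through the tunnel.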
Cheatsheet
# Copy a file from a remote host to the local host:
scp username@from_host:file.txt /local/directory/
# Copy a file from the local host to a remote host:
scp file.txt username@to_host:/remote/directory/
# Copy a directory from a remote host to the local host:
scp -r username@from_host:/remote/directory/ /local/directory/
# Copy a directory from the local host to a remote host:
scp -r /local/directory/ username@to_host:/remote/directory/
# Copy a file from one remote host to another remote host:
scp username@from_host:/remote/directory/file.txt username@to_host:/remote/directory/