2013-09-03 00:42:05 +00:00
|
|
|
# OpenVPN for Docker
|
|
|
|
|
|
2015-09-22 21:36:19 +00:00
|
|
|
[](https://travis-ci.org/kylemanna/docker-openvpn)
|
2015-12-21 21:15:55 +00:00
|
|
|
[](https://hub.docker.com/r/kylemanna/openvpn/)
|
|
|
|
|
[](https://hub.docker.com/r/kylemanna/openvpn/)
|
2016-08-03 22:32:59 +00:00
|
|
|
[](https://microbadger.com/#/images/kylemanna/openvpn)
|
2016-07-07 19:42:22 +00:00
|
|
|
|
2015-09-22 21:36:19 +00:00
|
|
|
|
2014-06-05 15:52:51 +00:00
|
|
|
OpenVPN server in a Docker container complete with an EasyRSA PKI CA.
|
2014-06-04 22:41:24 +00:00
|
|
|
|
2015-02-07 22:50:39 +00:00
|
|
|
Extensively tested on [Digital Ocean $5/mo node](http://bit.ly/1C7cKr3) and has
|
|
|
|
|
a corresponding [Digital Ocean Community Tutorial](http://bit.ly/1AGUZkq).
|
2014-10-29 15:05:40 +00:00
|
|
|
|
2015-06-22 05:26:46 +00:00
|
|
|
#### Upstream Links
|
2015-02-10 16:48:28 +00:00
|
|
|
|
2015-12-21 21:15:55 +00:00
|
|
|
* Docker Registry @ [kylemanna/openvpn](https://hub.docker.com/r/kylemanna/openvpn/)
|
2015-02-07 22:57:18 +00:00
|
|
|
* GitHub @ [kylemanna/docker-openvpn](https://github.com/kylemanna/docker-openvpn)
|
|
|
|
|
|
2014-06-05 15:52:51 +00:00
|
|
|
## Quick Start
|
2014-06-04 22:41:24 +00:00
|
|
|
|
2016-09-03 23:08:49 +00:00
|
|
|
* Pick a name for the `$OVPN_DATA` data volume container, it will be created automatically.
|
2014-06-04 22:41:24 +00:00
|
|
|
|
2016-09-03 23:08:49 +00:00
|
|
|
OVPN_DATA="ovpn-data"
|
2014-07-06 06:35:19 +00:00
|
|
|
|
2015-01-02 06:41:02 +00:00
|
|
|
* Initialize the `$OVPN_DATA` container that will hold the configuration files and certificates
|
2014-07-06 06:35:19 +00:00
|
|
|
|
2016-11-21 18:02:10 +00:00
|
|
|
docker volume create --name $OVPN_DATA
|
2016-09-03 23:08:49 +00:00
|
|
|
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
|
|
|
|
|
docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
|
2014-06-04 22:41:24 +00:00
|
|
|
|
2014-06-05 15:52:51 +00:00
|
|
|
* Start OpenVPN server process
|
2014-06-04 22:41:24 +00:00
|
|
|
|
2016-09-03 23:08:49 +00:00
|
|
|
docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
|
2014-06-04 22:41:24 +00:00
|
|
|
|
2014-06-05 15:52:51 +00:00
|
|
|
* Generate a client certificate without a passphrase
|
2013-09-03 00:42:05 +00:00
|
|
|
|
2016-09-03 23:08:49 +00:00
|
|
|
docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
|
2013-09-03 00:42:05 +00:00
|
|
|
|
2014-06-05 15:52:51 +00:00
|
|
|
* Retrieve the client configuration with embedded certificates
|
2013-09-03 00:42:05 +00:00
|
|
|
|
2016-09-03 23:08:49 +00:00
|
|
|
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
|
2013-09-03 00:42:05 +00:00
|
|
|
|
2016-04-23 17:48:34 +00:00
|
|
|
## Debugging Tips
|
|
|
|
|
|
2015-02-28 10:45:31 +00:00
|
|
|
* Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").
|
|
|
|
|
|
2016-09-03 23:08:49 +00:00
|
|
|
docker run -v $OVPN_DATA:/etc/openvpn -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn
|
2016-04-23 17:48:34 +00:00
|
|
|
|
|
|
|
|
* Test using a client that has openvpn installed correctly
|
|
|
|
|
|
|
|
|
|
$ openvpn --config CLIENTNAME.ovpn
|
|
|
|
|
|
|
|
|
|
* Run through a barrage of debugging checks on the client if things don't just work
|
|
|
|
|
|
|
|
|
|
$ ping 8.8.8.8 # checks connectivity without touching name resolution
|
|
|
|
|
$ dig google.com # won't use the search directives in resolv.conf
|
|
|
|
|
$ nslookup google.com # will use search
|
2013-09-04 21:22:24 +00:00
|
|
|
|
2017-01-16 21:59:49 +00:00
|
|
|
* Consider setting up a [systemd service](/docs/systemd.md) for automatic
|
|
|
|
|
start-up at boot time and restart in the event the OpenVPN daemon or Docker
|
|
|
|
|
crashes.
|
|
|
|
|
|
2014-06-05 15:52:51 +00:00
|
|
|
## How Does It Work?
|
2013-09-03 00:42:05 +00:00
|
|
|
|
2014-06-05 15:52:51 +00:00
|
|
|
Initialize the volume container using the `kylemanna/openvpn` image with the
|
2014-07-06 07:24:54 +00:00
|
|
|
included scripts to automatically generate:
|
2013-09-03 00:42:05 +00:00
|
|
|
|
2014-06-05 15:52:51 +00:00
|
|
|
- Diffie-Hellman parameters
|
|
|
|
|
- a private key
|
|
|
|
|
- a self-certificate matching the private key for the OpenVPN server
|
|
|
|
|
- an EasyRSA CA key and certificate
|
|
|
|
|
- a TLS auth key from HMAC security
|
2013-09-03 00:42:05 +00:00
|
|
|
|
2014-06-05 15:52:51 +00:00
|
|
|
The OpenVPN server is started with the default run cmd of `ovpn_run`
|
2013-09-03 00:42:05 +00:00
|
|
|
|
|
|
|
|
The configuration is located in `/etc/openvpn`, and the Dockerfile
|
|
|
|
|
declares that directory as a volume. It means that you can start another
|
2016-09-03 23:08:49 +00:00
|
|
|
container with the `-v` argument, and access the configuration.
|
2014-06-05 15:52:51 +00:00
|
|
|
The volume also holds the PKI keys and certs so that it could be backed up.
|
|
|
|
|
|
|
|
|
|
To generate a client certificate, `kylemanna/openvpn` uses EasyRSA via the
|
|
|
|
|
`easyrsa` command in the container's path. The `EASYRSA_*` environmental
|
2016-05-25 18:44:12 +00:00
|
|
|
variables place the PKI CA under `/etc/openvpn/pki`.
|
2014-06-05 15:52:51 +00:00
|
|
|
|
|
|
|
|
Conveniently, `kylemanna/openvpn` comes with a script called `ovpn_getclient`,
|
|
|
|
|
which dumps an inline OpenVPN client configuration file. This single file can
|
|
|
|
|
then be given to a client for access to the VPN.
|
2013-09-03 00:42:05 +00:00
|
|
|
|
2016-02-07 13:28:45 +00:00
|
|
|
To enable Two Factor Authentication for clients (a.k.a. OTP) see [this document](/docs/otp.md).
|
2013-09-03 00:42:05 +00:00
|
|
|
|
2014-06-05 15:52:51 +00:00
|
|
|
## OpenVPN Details
|
2013-09-03 00:42:05 +00:00
|
|
|
|
|
|
|
|
We use `tun` mode, because it works on the widest range of devices.
|
|
|
|
|
`tap` mode, for instance, does not work on Android, except if the device
|
|
|
|
|
is rooted.
|
|
|
|
|
|
|
|
|
|
The topology used is `net30`, because it works on the widest range of OS.
|
|
|
|
|
`p2p`, for instance, does not work on Windows.
|
|
|
|
|
|
2014-07-01 06:45:36 +00:00
|
|
|
The UDP server uses`192.168.255.0/24` for dynamic clients by default.
|
2013-09-03 00:42:05 +00:00
|
|
|
|
|
|
|
|
The client profile specifies `redirect-gateway def1`, meaning that after
|
|
|
|
|
establishing the VPN connection, all traffic will go through the VPN.
|
|
|
|
|
This might cause problems if you use local DNS recursors which are not
|
|
|
|
|
directly reachable, since you will try to reach them through the VPN
|
|
|
|
|
and they might not answer to you. If that happens, use public DNS
|
|
|
|
|
resolvers like those of Google (8.8.4.4 and 8.8.8.8) or OpenDNS
|
|
|
|
|
(208.67.222.222 and 208.67.220.220).
|
|
|
|
|
|
|
|
|
|
|
2014-06-05 15:52:51 +00:00
|
|
|
## Security Discussion
|
|
|
|
|
|
|
|
|
|
The Docker container runs its own EasyRSA PKI Certificate Authority. This was
|
|
|
|
|
chosen as a good way to compromise on security and convenience. The container
|
|
|
|
|
runs under the assumption that the OpenVPN container is running on a secure
|
|
|
|
|
host, that is to say that an adversary does not have access to the PKI files
|
|
|
|
|
under `/etc/openvpn/pki`. This is a fairly reasonable compromise because if an
|
|
|
|
|
adversary had access to these files, the adversary could manipulate the
|
|
|
|
|
function of the OpenVPN server itself (sniff packets, create a new PKI CA, MITM
|
|
|
|
|
packets, etc).
|
|
|
|
|
|
|
|
|
|
* The certificate authority key is kept in the container by default for
|
|
|
|
|
simplicity. It's highly recommended to secure the CA key with some
|
|
|
|
|
passphrase to protect against a filesystem compromise. A more secure system
|
|
|
|
|
would put the EasyRSA PKI CA on an offline system (can use the same Docker
|
2015-08-25 10:40:02 +00:00
|
|
|
image and the script [`ovpn_copy_server_files`](/docs/paranoid.md) to accomplish this).
|
2014-06-05 15:52:51 +00:00
|
|
|
* It would be impossible for an adversary to sign bad or forged certificates
|
|
|
|
|
without first cracking the key's passphase should the adversary have root
|
|
|
|
|
access to the filesystem.
|
|
|
|
|
* The EasyRSA `build-client-full` command will generate and leave keys on the
|
|
|
|
|
server, again possible to compromise and steal the keys. The keys generated
|
2015-08-25 10:40:02 +00:00
|
|
|
need to be signed by the CA which the user hopefully configured with a passphrase
|
2014-06-05 15:52:51 +00:00
|
|
|
as described above.
|
|
|
|
|
* Assuming the rest of the Docker container's filesystem is secure, TLS + PKI
|
|
|
|
|
security should prevent any malicious host from using the VPN.
|
|
|
|
|
|
|
|
|
|
|
2015-02-07 22:53:53 +00:00
|
|
|
## Benefits of Running Inside a Docker Container
|
|
|
|
|
|
|
|
|
|
### The Entire Daemon and Dependencies are in the Docker Image
|
|
|
|
|
|
|
|
|
|
This means that it will function correctly (after Docker itself is setup) on
|
|
|
|
|
all distributions Linux distributions such as: Ubuntu, Arch, Debian, Fedora,
|
|
|
|
|
etc. Furthermore, an old stable server can run a bleeding edge OpenVPN server
|
|
|
|
|
without having to install/muck with library dependencies (i.e. run latest
|
|
|
|
|
OpenVPN with latest OpenSSL on Ubuntu 12.04 LTS).
|
|
|
|
|
|
|
|
|
|
### It Doesn't Stomp All Over the Server's Filesystem
|
|
|
|
|
|
|
|
|
|
Everything for the Docker container is contained in two images: the ephemeral
|
2016-09-03 23:08:49 +00:00
|
|
|
run time image (kylemanna/openvpn) and the `$OVPN_DATA` data volume. To remove
|
|
|
|
|
it, remove the corresponding containers, `$OVPN_DATA` data volume and Docker
|
|
|
|
|
image and it's completely removed. This also makes it easier to run multiple
|
|
|
|
|
servers since each lives in the bubble of the container (of course multiple IPs
|
|
|
|
|
or separate ports are needed to communicate with the world).
|
2015-02-07 22:53:53 +00:00
|
|
|
|
|
|
|
|
### Some (arguable) Security Benefits
|
|
|
|
|
|
|
|
|
|
At the simplest level compromising the container may prevent additional
|
|
|
|
|
compromise of the server. There are many arguments surrounding this, but the
|
|
|
|
|
take away is that it certainly makes it more difficult to break out of the
|
|
|
|
|
container. People are actively working on Linux containers to make this more
|
|
|
|
|
of a guarantee in the future.
|
|
|
|
|
|
2014-06-05 15:52:51 +00:00
|
|
|
## Differences from jpetazzo/dockvpn
|
|
|
|
|
|
|
|
|
|
* No longer uses serveconfig to distribute the configuration via https
|
|
|
|
|
* Proper PKI support integrated into image
|
|
|
|
|
* OpenVPN config files, PKI keys and certs are stored on a storage
|
|
|
|
|
volume for re-use across containers
|
|
|
|
|
* Addition of tls-auth for HMAC security
|
|
|
|
|
|
2017-01-16 21:56:42 +00:00
|
|
|
## Originally Tested On
|
2014-06-05 15:52:51 +00:00
|
|
|
|
|
|
|
|
* Docker hosts:
|
2014-10-29 15:05:40 +00:00
|
|
|
* server a [Digital Ocean](https://www.digitalocean.com/?refcode=d19f7fe88c94) Droplet with 512 MB RAM running Ubuntu 14.04
|
2014-06-05 15:52:51 +00:00
|
|
|
* Clients
|
|
|
|
|
* Android App OpenVPN Connect 1.1.14 (built 56)
|
|
|
|
|
* OpenVPN core 3.0 android armv7a thumb2 32-bit
|
|
|
|
|
* OS X Mavericks with Tunnelblick 3.4beta26 (build 3828) using openvpn-2.3.4
|
|
|
|
|
* ArchLinux OpenVPN pkg 2.3.4-1
|
