Original Credits: kylemanna/docker-openvpn

🐳 Multiplatform OpenVPN server in a Docker container complete with an EasyRSA PKI CA.

Please raise an issue 💬 if you are able to test an untested platform 🙏

• Multi-platform images
• Default DNS changed from Google to Cloudflare
• Wiki pages for documentation

• Add a new service in docker-compose.yml

version: '2'
services:
  openvpn:
    cap_add:
     - NET_ADMIN
    image: themardy/openvpn
    container_name: openvpn
    ports:
     - "1194:1194/udp"
    restart: always
    volumes:
     - ./openvpn-data/conf:/etc/openvpn

• Initialize the configuration files and certificates

docker-compose run --rm openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker-compose run --rm openvpn ovpn_initpki

• Fix ownership (depending on how to handle your backups, this may not be needed)

sudo chown -R $(whoami): ./openvpn-data

• Start OpenVPN server process

docker-compose up -d openvpn

• You can access the container logs with

docker-compose logs -f

• Generate a client certificate

export CLIENTNAME="your_client_name"
# with a passphrase (recommended)
docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME
# without a passphrase (not recommended)
docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME nopass

• Retrieve the client configuration with embedded certificates

docker-compose run --rm openvpn ovpn_getclient $CLIENTNAME > $CLIENTNAME.ovpn

• Revoke a client certificate

# Keep the corresponding crt, key and req files.
docker-compose run --rm openvpn ovpn_revokeclient $CLIENTNAME
# Remove the corresponding crt, key and req files.
docker-compose run --rm openvpn ovpn_revokeclient $CLIENTNAME remove

• Pick a name for the $OVPN_DATA data volume container. It's recommended to use the ovpn-data- prefix to operate seamlessly with the reference systemd service. Users are encourage to replace example with a descriptive name of their choosing.

  OVPN_DATA="ovpn-data-example"
  

• Initialize the $OVPN_DATA container that will hold the configuration files and certificates. The container will prompt for a passphrase to protect the private key used by the newly generated certificate authority.

  docker volume create --name $OVPN_DATA
  docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm themardy/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
  docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it themardy/openvpn ovpn_initpki
  

• Start OpenVPN server process

  docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN themardy/openvpn
  

• Generate a client certificate without a passphrase

  docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it themardy/openvpn easyrsa build-client-full CLIENTNAME nopass
  

• Retrieve the client configuration with embedded certificates

  docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm themardy/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
  

Miscellaneous write-ups for advanced configurations are available on the Wiki.

A systemd init script is available to manage the OpenVPN container. It will start the container on system boot, restart the container if it exits unexpectedly, and pull updates from Docker Hub to keep itself up to date.

Please refer to the Wiki to learn more.

• Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").

    docker run -v $OVPN_DATA:/etc/openvpn -p 1194:1194/udp --privileged -e DEBUG=1 themardy/openvpn
  

• Test using a client that has openvpn installed correctly

    $ openvpn --config CLIENTNAME.ovpn
  

• Run through a barrage of debugging checks on the client if things don't just work

    $ ping 8.8.8.8    # checks connectivity without touching name resolution
    $ dig google.com  # won't use the search directives in resolv.conf
    $ nslookup google.com # will use search
  

• Consider setting up a systemd service for automatic start-up at boot time and restart in the event the OpenVPN daemon or Docker crashes.