Manage a Docker based OpenVPN instance with ease.
easy_docker_vpn
is a script that manages an instance of OpenVPN running inside of a Docker container. The image that it uses is kylemanna/openvpn (source here). Here is what the VPN uses:
- ovpn-data - a volume for /etc/openvpn
- openvpn - the container that uses the ovpn-data volume and runs the actual VPN process
NOTE: previous versions of this application used an ovpn-data container instead of a volume. If a container is detected, it will continue to be used.
To migrate from the old container mode to the new volume mode is as simple as a backup and restore:
$ easy_docker_vpn backup > temp_backup.tgz
$ easy_docker_vpn destroy
$ easy_docker_vpn restore temp_backup.tgz
- Clone this repository. Be sure to clone with submodules (
git clone --recursive ...
). - Run the following:
eval "$(./easy-docker-vpn/bin/easy_docker_vpn init -)"
. Put this in your shell initialization for future use.
- Pull the image:
docker pull mediatemple/easy-docker-vpn
. - Extract the wrapper:
docker run --rm -i mediatemple/easy-docker-vpn cat /wrapper > easy_docker_vpn && chmod +x easy_docker_vpn
Default:
$ easy_docker_vpn create -u udp://vpn.domain.com
Push an extra route:
$ easy_docker_vpn create -u udp://vpn.domain.com -p 'route 172.17.0.0 255.255.255.0' -p "route 10.1.0.0 255.255.0.0"
Create a VPN that doesn't route all traffic by default:
$ easy_docker_vpn create -N -d -u udp://vpn.domain.com
All available options are found by running docker run --rm -it kylemanna/openvpn ovpn_genconfig -h
:
$ docker run --rm -it kylemanna/openvpn ovpn_genconfig -h
Invalid option: -h
usage: /usr/local/bin/ovpn_genconfig [-d]
-u SERVER_PUBLIC_URL
[-e EXTRA_SERVER_CONFIG ]
[-f FRAGMENT ]
[-n DNS_SERVER ...]
[-p PUSH ...]
[-r ROUTE ...]
[-s SERVER_SUBNET]
optional arguments:
-2 Enable two factor authentication using Google Authenticator.
-a Authenticate packets with HMAC using the given message digest algorithm (auth).
-c Enable client-to-client option
-C A list of allowable TLS ciphers delimited by a colon (cipher).
-d Disable NAT routing and default route
-D Do not push dns servers
-m Set client MTU
-N Configure NAT to access external server network
-t Use TAP device (instead of TUN device)
-T Encrypt packets with the given cipher algorithm instead of the default one (tls-cipher).
-z Enable comp-lzo compression.
To create a user and accompanying configuration file:
$ easy_docker_vpn issue bob
To create without a password:
$ easy_docker_vpn issue bob nopass
Each command has help text as well as examples. For instance, to see the help for easy_docker_vpn create
, run this command: easy_docker_vpn help create
.
Task | Command |
---|---|
Create VPN | easy_docker_vpn create ... |
Backup VPN Data | easy_docker_vpn backup ... |
Restore from Backup | easy_docker_vpn restore ... |
Destroy VPN | easy_docker_vpn destroy |
Restart VPN | easy_docker_vpn restart |
VPN Status | easy_docker_vpn status |
VPN Management Port | easy_docker_vpn management |
Task | Command |
---|---|
Issue User Certificate and Config | easy_docker_vpn issue ... |
List Users | easy_docker_vpn list |
Revoke User Access | easy_docker_vpn revoke ... |