{"id":19336716,"url":"https://github.com/samrocketman/docker-openvpn","last_synced_at":"2026-01-03T13:05:56.979Z","repository":{"id":245156716,"uuid":"817128122","full_name":"samrocketman/docker-openvpn","owner":"samrocketman","description":"My take on a minimal openvpn service","archived":false,"fork":false,"pushed_at":"2024-06-30T18:45:17.000Z","size":36,"stargazers_count":3,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-16T10:51:16.508Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/samrocketman.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-19T04:50:35.000Z","updated_at":"2024-06-30T18:45:20.000Z","dependencies_parsed_at":"2024-06-20T06:04:41.283Z","dependency_job_id":"5e8ff098-179a-4324-ab6f-cdb752152c66","html_url":"https://github.com/samrocketman/docker-openvpn","commit_stats":null,"previous_names":["samrocketman/docker-openvpn"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samrocketman%2Fdocker-openvpn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samrocketman%2Fdocker-openvpn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samrocketman%2Fdocker-openvpn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samrocketman%2Fdocker-openvpn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts
/GitHub/owners/samrocketman","download_url":"https://codeload.github.com/samrocketman/docker-openvpn/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250352184,"owners_count":21416454,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-10T03:12:10.993Z","updated_at":"2026-01-03T13:05:56.909Z","avatar_url":"https://github.com/samrocketman.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# This is a personal VPN service\n\nFor raspberry pi, see [Using minimal Dockerfile](#using-minimal-dockerfile).\nYou should manage certificates from a Desktop computer and copy over the\n`openvpn.conf` to the raspi.\n\n\u003e **Pro tip:** It is better to manage your certificate authority from a\n\u003e different computer than your VPN host.  In case of compromise, you can\n\u003e regenerate your server configuration (revoke and re-issue) rotating the key\n\u003e and diffie-hellman parameters without needing to re-issue certificates to all\n\u003e of your clients.  On a raspberry pi, generating diffie-hellman parameters can\n\u003e take tens of minutes so doing it this way enables it to be pre-computed.\n\nA multiarch minimal distroless openvpn is provided in [Dockerfile](Dockerfile).\n\n# Requirements\n\n* Linux\n* awk (GNU only)\n* openssl\n* sed (GNU coreutils only)\n\nNot really requirements:\n\n- docker: you don't need to use the Dockerfile to manage OpenVPN.  
You can use\n  this repository to generate your OpenVPN server and client configurations.\n  Then, use it elsewhere without Docker.\n\nRouter port forwarding: on your raspberry pi the openvpn server will listen on\nport 1194/TCP.  If possible, I suggest port forwarding 1194 -\u003e 443.  By hosting\nyour VPN on port 443 you will always be able to connect through even the most\naggressive firewalls because it is disguised as an authenticated web server.\n\n# Using minimal Dockerfile\n\nClone [my internal ca][my_internal_ca] and configure it.  Note: client certs\nmust start with `openvpn-` otherwise the server will reject certs.  This\ncertificate authority is designed for managing multiple security chains, not\njust openvpn.\n\n```bash\n# clone as a sibling of this repository so the relative paths below resolve\ngit clone https://github.com/samrocketman/my_internal_ca ../my_internal_ca\npushd ../my_internal_ca\n./setup_ca.sh -subj '/C=US/ST=Some state/L=Some City/O=Some org/OU=Some department/CN=My Root CA'\n./server_cert.sh --auth openvpn\n./client_cert.sh openvpn-your-device\n# return to docker-openvpn before running gen-conf.sh\npopd\n```\n\nGenerate server config.\n\n    ./gen-conf.sh\n\nStart the VPN service:\n\n    ./ovpn.sh start\n\nStop the VPN service:\n\n    ./ovpn.sh stop\n\nVerify your traffic routing with traceroute.  The first hop should be\n`10.9.8.1`.\n\n    sudo traceroute -T -p 80 example.com\n\n# Environment variables\n\nTo minimize the number of options you need to pass you can create a `.env` file\nspecifying default options for scripts.\n\n`ovpn.sh` options in `.env`.\n\n| Env var | Purpose |\n| --- | --- |\n| `strict_firewall` | Sets `ports_map` to `443:1194` to expose VPN on 443. |\n| `ports_map` | The full Docker port mapping.  Default: `1194:1194` |\n| `network_args` | A bash array for Docker networking arguments |\n\n`gen-conf.sh` options in `.env`.\n\n| Env var | Purpose |\n| --- | --- |\n| `myCA` | Location of the CA generated by `my_internal_ca`. 
|\n| `config_type` | Set to `server` (`-s`) or `client` (`-c`) |\n| `client_remote` | Set remote VPN host or IP (`-r`) |\n| `client_port` | Set remote VPN port (`-p`) |\n\nOnce you have your certificate authority set up, the following `.env`\nconfiguration will make it a lot easier to set up new clients.\n\n# `.env` recommendations\n\n### Easier client config generation\n\n```bash\nconfig_type=client\nclient_remote=\u003cremote vpn server IP or host\u003e\nclient_port=\u003cremote vpn server port\u003e\n```\n\nWith the above `.env` you can issue new client certificates and generate options\nwith minimal arguments.\n\n    cd ../my_internal_ca/\n    ./client_cert.sh openvpn-another-device\n    cd -\n    ./gen-conf.sh openvpn-another-device\n    # find configuration in openvpn/openvpn-another-device.ovpn\n\n### Connecting to docker compose HA consul and vault\n\nIf experimenting with\n[docker-compose-ha-consul-vault-ui][docker-compose-ha-consul-vault-ui], then\nyou'll want the following `.env` config for `./ovpn.sh [start|stop|remove]`.\n\n```bash\n# ./ovpn.sh options\nnetwork_args=(\n  --network docker-compose-ha-consul-vault-ui_internal\n  --dns 172.16.238.251\n  --ip 172.16.238.254\n)\nstrict_firewall=true\n\n# ./gen-conf.sh options\ncustom_dns=( 172.16.238.251 172.16.238.252 )\n```\n\nIf experimenting with\n\n# Password protect openvpn configurations\n\nBefore running `client_cert.sh` you can choose to set the `client_password`\nenvironment variable or add the `-p` or `--password-prompt` option.\n\n    ./client_cert.sh -p openvpn-another-device\n\n[docker-compose-ha-consul-vault-ui]: https://github.com/samrocketman/docker-compose-ha-consul-vault-ui\n[my_internal_ca]: https://github.com/samrocketman/my_internal_ca\n[upstream]: 
https://github.com/kylemanna/docker-openvpn\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamrocketman%2Fdocker-openvpn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsamrocketman%2Fdocker-openvpn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamrocketman%2Fdocker-openvpn/lists"}