
@kylemanna
Last active April 17, 2017 08:33

Revisions

  1. kylemanna revised this gist Jan 8, 2015. 1 changed file with 6 additions and 0 deletions.
    6 changes: 6 additions & 0 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -195,15 +195,21 @@ Optional: configure systemd to start `/etc/openvpn/<^>CLIENTNAME<^>.conf` at boo
    ### MacOS X via TunnelBlick

    Download and install [TunnelBlick](https://code.google.com/p/tunnelblick/).

    Copy `<^>CLIENTNAME<^>.ovpn` from the server to the Mac.

    Import the configuration by double clicking the `*.ovpn` file copied earlier. TunnelBlick will be invoked and the import the configuration.

    Open TunnelBlick, select the configuration, select **connect**.

    ### Android via OpenVPN Connect

    Install the [OpenVPN Connect App](https://play.google.com/store/apps/details?id=net.openvpn.openvpn) from the Google Play store.

    Copy `<^>CLIENTNAME<^>.ovpn` from the server to the Android device in a secure manner. USB or microSD cards are safer. Place the file on your SD card to aid in opening it.

    Import the configuration: **Menu** -> **Import** -> **Import Profile from SD card**

    Select **connect**.

    ## Step 6 — Verifying Operation
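Review bot: the new Android step tells the reader to copy `CLIENTNAME.ovpn` onto the SD card but never to remove it afterwards; the profile carries the client's private key, so add a line after the import step saying to delete the file from the card (the app keeps its own copy once the profile is imported). "USB or microSD cards are safer" should also say safer than what, i.e. than e-mail or cloud storage as stated in the transfer guidance earlier in the document, otherwise the comparison is left hanging.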
  2. kylemanna revised this gist Jan 8, 2015. 1 changed file with 31 additions and 1 deletion.
    32 changes: 31 additions & 1 deletion DigitalOcean + OpenVPN + Docker.md
    @@ -208,7 +208,37 @@ Select **connect**.

    ## Step 6 — Verifying Operation

    If routing all the traffic to the web via the OpenVPN, check a website and the IP address of the OpenVPN server. Try [Google](http://goo.gl/OWYTAK) or [ifconfig.me](https://ifconfig.me).
    There are a few ways to verify that traffic is being routed through the VPN.

    ### Web Browser

    Visit a website to determine the external IP address. The external IP address should be that of the OpenVPN server.

    Try [Google "what is my ip"](http://goo.gl/OWYTAK) or [icanhazip.com](https://icanhazip.com).

    ### Command Line

    If running on a server from the command line, `wget` or `curl` come in handy. Example with `curl`:

    curl icanhazip.com

    Example with `wget`:

    wget -qO - icanhazip.com

    The expected response should be the IP address of the OpenVPN server.

    Another option is to do a special DNS look-up to a specially configured DNS server just for this purpose using `host` or `dig`. Example using `host`:

    host -t A myip.opendns.com resolver1.opendns.com

    Example with `dig`:

    dig +short myip.opendns.com @resolver1.opendns.com

    The expected response should be the IP address of the OpenVPN server.

    ### Extra Things to Check

    Review your network interface configuration. On Unix based operating systems this is as simple as running `ifconfig` in a terminal, look for OpenVPN's `tunX` interface when it's connected.
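Review bot: the `curl icanhazip.com` and `wget -qO - icanhazip.com` examples fetch over plain HTTP while the link text says https; on exactly the untrusted network this VPN exists for, an unauthenticated HTTP response can be rewritten in transit, so write `curl https://icanhazip.com` and `wget -qO - https://icanhazip.com`. The OpenDNS lookup is a useful addition, but it should be described accurately: `host ... resolver1.opendns.com` and `dig ... @resolver1.opendns.com` send the query straight to that resolver over the default route, so they test that UDP traffic leaves via the tunnel; they do not show which resolver the system actually uses and are not a DNS leak check. Under "Extra Things to Check", `ifconfig` is absent on newer distributions; mention `ip addr` as the alternative, and `ip route`, which shows whether the default route really goes via the `tunX` interface.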

  3. kylemanna revised this gist Jan 8, 2015. 1 changed file with 7 additions and 3 deletions.
    10 changes: 7 additions & 3 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -134,7 +134,7 @@ Verify that the container started and didn't immediately crash by looking at the
    c3ca41324e1d kylemanna/openvpn:latest "ovpn_run" 2 seconds ago Up 2 seconds 0.0.0.0:1194->1194/udp focused_mestorf


    ## Step 4 — Setup OpenVPN Clients
    ## Step 4 — Generate Client Certificates and Config Files

    Create a client certificate using the PKI CA setup above for each client, replace `<^>CLIENTNAME<^>` as appropriate (this doesn't have to be a FQDN). Client name is used to identify the machine it's running on (i.e. "home-laptop", "work-laptop", "nexus5", etc). The `easyrsa` tool will prompt for the CA password (set above during the `ovpn_initpki` command) so that it can sign the client certificate:
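Review bot: the renamed heading fits the content better, but the sentence below it should add that the client name becomes the certificate's common name, which is what the server logs and identifies the client by, so it must be unique per device; "(i.e. "home-laptop", ...)" should be "(e.g. ...)" since those are examples, not the definition.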

    @@ -150,6 +150,10 @@ The resulting `<^>CLIENTNAME<^>.ovpn` file contains the private keys and certifi

    Recommend methods of transfer are ssh/scp, https, USB, and microSD card where available.

    ## Step 5 — Setup OpenVPN Clients

    The following are commands or operations run on the clients that will connect to the OpenVPN server configured above.

    ### Ubuntu and Debian Distributions via native OpenVPN

    On Ubuntu 12.04/14.04 and Debian wheezy/jessie clients (and similar):
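Review bot: the new Step 5 intro should state that every device uses its own `CLIENTNAME.ovpn` generated in Step 4 rather than sharing a single profile; as written that only appears implicitly in "for each client" in the previous step, and a shared profile defeats the per-client revocation the PKI gives you. "The following are commands or operations run on the clients" reads more naturally as "The following commands are run on the clients".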
    @@ -202,15 +206,15 @@ Copy `<^>CLIENTNAME<^>.ovpn` from the server to the Android device in a secure m
    Import the configuration: **Menu** -> **Import** -> **Import Profile from SD card**
    Select **connect**.

    ## Step 5 — Verifying Operation
    ## Step 6 — Verifying Operation

    If routing all the traffic to the web via the OpenVPN, check a website and the IP address of the OpenVPN server. Try [Google](http://goo.gl/OWYTAK) or [ifconfig.me](https://ifconfig.me).

    Review your network interface configuration. On Unix based operating systems this is as simple as running `ifconfig` in a terminal, look for OpenVPN's `tunX` interface when it's connected.

    Review logs. On Unix systems check `/var/log` on old distributions or `journalctl` on systemd distributions.

    ## Step 6 — Advanced Topics
    ## Step 7 — Advanced Topics

    The Docker image built to run this is open source and capable of much more then described here.
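Review bot: the renumbering to Step 6 and Step 7 is consistent with the new Step 5, but "capable of much more then described here" in the Advanced Topics intro should be "much more than described here". The log hint in the preceding lines would be more useful with concrete targets: `/var/log/syslog` (or `/var/log/messages`) on sysvinit systems, and `journalctl -u openvpn@CLIENTNAME` for the systemd unit the Arch section starts.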

  4. kylemanna revised this gist Jan 8, 2015. 1 changed file with 5 additions and 3 deletions.
    8 changes: 5 additions & 3 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -109,17 +109,19 @@ See **Advanced Topics** below for more details on how to backup the certificate

    ## Step 3 — Launch the OpenVPN Server

    To autostart the Docker container that runs OpenVPN server process (see [Docker Host Integration for more](https://docs.docker.com/articles/host_integration/)) create an *upstart* init file:
    To autostart the Docker container that runs OpenVPN server process (see [Docker Host Integration for more](https://docs.docker.com/articles/host_integration/)) create an *upstart* init file using `nano` or `vim`:

    sudo vim /etc/init/docker-openvpn.conf

    Contents to place in `/etc/init/docker-openvpn.conf`:

    cat <<EOF | sudo tee /etc/init/docker-openvpn.conf
    description "Docker container for OpenVPN server"
    start on filesystem and started docker
    stop on runlevel [!2345]
    respawn
    script
    exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
    end script
    EOF

    Start the process using *upstart* init mechanism:
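Review bot: this revision adds `sudo vim /etc/init/docker-openvpn.conf` and then keeps the `cat <<EOF | sudo tee /etc/init/docker-openvpn.conf` heredoc, so the reader is told to open the file in an editor and then given a command that writes the whole file; keep one of the two (the heredoc is the copy-paste friendly one, and the editor hint can stay as a sentence). Separately, `exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn` hardcodes the volume container name while every other command in the guide uses `$OVPN_DATA`; anyone who picked a different name in Step 2 gets a job that respawns forever because the volume container is not found. Either write `--volumes-from $OVPN_DATA` (the unquoted `EOF` delimiter expands it when the file is created) or say explicitly that the job assumes the default `ovpn-data`.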

  5. kylemanna revised this gist Jan 8, 2015. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion DigitalOcean + OpenVPN + Docker.md
    @@ -134,7 +134,7 @@ Verify that the container started and didn't immediately crash by looking at the

    ## Step 4 — Setup OpenVPN Clients

    Create a client certificate using the PKI CA setup above for each client, replace `<^>CLIENTNAME<^>` as appropriate (this doesn't have to be a FQDN). Client name is used to identify the machine it's running on (i.e. "home-laptop", "work-laptop", "nexus5", etc):
    Create a client certificate using the PKI CA setup above for each client, replace `<^>CLIENTNAME<^>` as appropriate (this doesn't have to be a FQDN). Client name is used to identify the machine it's running on (i.e. "home-laptop", "work-laptop", "nexus5", etc). The `easyrsa` tool will prompt for the CA password (set above during the `ovpn_initpki` command) so that it can sign the client certificate:

    docker run --volumes-from <^>$OVPN_DATA<^> --rm -it kylemanna/openvpn easyrsa build-client-full <^>CLIENTNAME<^> nopass
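Review bot: the added sentence explains the CA passphrase prompt, but the trailing `nopass` on the `easyrsa build-client-full` command deserves the same treatment: it leaves the client's private key unencrypted, so the resulting `CLIENTNAME.ovpn` is a bearer credential and anyone who copies the file can connect as that client. Say so here, and note that dropping `nopass` makes OpenVPN prompt for the key passphrase on every connect, which is the trade-off the reader is choosing.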

  6. kylemanna revised this gist Jan 8, 2015. 1 changed file with 5 additions and 5 deletions.
    10 changes: 5 additions & 5 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -6,7 +6,7 @@ This tutorial will explain how to setup and run an [OpenVPN](http://openvpn.net/

    OpenVPN provides a way to create virtual private networks (VPNs) using TLS (evolution of SSL) encryption. OpenVPN protects the network traffic from eavesdropping and man-in-the-middle (MITM) attacks. The private network can be used to securely connect a device, such as a laptop or mobile phone running on an insecure WiFi network, to a remote server that then relays the traffic to the Internet. Private networks can also be used to securely connect devices to each other over the Internet.

    Docker provides a way to encapsulate the OpenVPN server process and configuration data so that it is more easily managed. The Docker OpenVPN *image* is prebuilt and includes all of the necessary dependencies to run the server in a sane and stable environement. Scripts are included to significantly automate the standard use case, but still allow for full manual configuration if desired. A Docker *volume container* is used to hold the configuration and EasyRSA PKI certificate data as well.
    Docker provides a way to encapsulate the OpenVPN server process and configuration data so that it is more easily managed. The Docker OpenVPN *image* is prebuilt and includes all of the necessary dependencies to run the server in a sane and stable environment. Scripts are included to significantly automate the standard use case, but still allow for full manual configuration if desired. A Docker *volume container* is used to hold the configuration and EasyRSA PKI certificate data as well.

    [Docker Registry](https://registry.hub.docker.com/) is a central repository for both official and user developed Docker images. The image used in this tutorial is a user contributed image available at [kylemanna/openvpn](https://registry.hub.docker.com/u/kylemanna/openvpn). The image is assembled on Docker Registry's cloud build servers using the source from the [Github project](https://github.com/kylemanna/docker-openvpn) repository. The cloud server build linked to Github adds the ability to audit the Docker image so that users can review the source Dockerfile and related code, this is called a [Trusted Build](http://blog.docker.com/2013/11/introducing-trusted-builds/). When the code is updated in the Github repository, a new Docker image is built and published on the Docker Registry.
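Review bot: the spelling fix is fine, but the claim two lines above that OpenVPN "protects the network traffic from eavesdropping and man-in-the-middle (MITM) attacks" should be scoped to the leg between the client and the VPN server: traffic the server relays on to the Internet is exactly as exposed as it would be from the server itself, and the VPN operator can see all of it. Readers deploying this on a rented droplet should understand they are moving trust from the coffee-shop network to the hosting provider, not removing it.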

    @@ -26,7 +26,7 @@ Docker provides a way to encapsulate the OpenVPN server process and configuratio
    * Handle starting the Docker container on boot.
    * Introduce advanced topics.

    ### Pre-Requisties
    ### Pre-Requisites

    * Linux shell knowledge. This guide largely assumes that the user is capable of setting up and running Linux daemons in the traditional sense.
    * Root access on a remote server.
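Review bot: "Pre-Requisites" is normally written "Prerequisites". "Root access on a remote server" could say "a user with `sudo` rights on a remote server", since every command in the guide is run through `sudo` rather than from a root login, and the Docker group step later assumes a normal user account.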
    @@ -95,7 +95,7 @@ Create an empty Docker volume container using busybox as a minimal Docker image:

    docker run --name <^>$OVPN_DATA<^> -v /etc/openvpn busybox

    Initalize the `<^>$OVPN_DATA<^>` container that will hold the configuration files and certificates, replace `<^>VPN.SERVERNAME.COM<^>` with your FQDN. The `<^>VPN.SERVERNAME.COM<^>` value should be the FQDN (i.e. vpn.mydomain.com) you use to communicate with the server, this assumes the [DNS settings](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-host-name-with-digitalocean) are already configured. Alternatively, it's possible to use just the IP address of the server, but this is not recommended.
    Initialize the `<^>$OVPN_DATA<^>` container that will hold the configuration files and certificates, replace `<^>VPN.SERVERNAME.COM<^>` with your FQDN. The `<^>VPN.SERVERNAME.COM<^>` value should be the FQDN (i.e. vpn.mydomain.com) you use to communicate with the server, this assumes the [DNS settings](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-host-name-with-digitalocean) are already configured. Alternatively, it's possible to use just the IP address of the server, but this is not recommended.

    docker run --volumes-from <^>$OVPN_DATA<^> --rm kylemanna/openvpn ovpn_genconfig -u udp://<^>VPN.SERVERNAME.COM<^>:1194
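Review bot: the spelling fix is correct, but "this is not recommended" for using a bare IP address gives no reason; the value passed to `ovpn_genconfig -u` is the address every generated client profile will connect to, so with an IP every `.ovpn` has to be regenerated or hand-edited if the server moves, whereas a DNS name can simply be repointed. Also "(i.e. vpn.mydomain.com)" should be "(e.g. vpn.mydomain.com)".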

    @@ -144,7 +144,7 @@ The clients need the certificates and a configuration file to connect. The embe

    docker run --volumes-from <^>$OVPN_DATA<^> --rm kylemanna/openvpn ovpn_getclient <^>CLIENTNAME<^> > <^>CLIENTNAME<^>.ovpn

    The resulting `<^>CLIENTNAME<^>.ovpn` file contains the private keys and certificates necessary to connect to the VPN. **Keep these files secure and not lying around**. You'll need to securely transport the `*.ovpn` files to the clients that will use them. Avoid using public services like e-mail or cloud storage if possible when transfering the files due to security concerns.
    The resulting `<^>CLIENTNAME<^>.ovpn` file contains the private keys and certificates necessary to connect to the VPN. **Keep these files secure and not lying around**. You'll need to securely transport the `*.ovpn` files to the clients that will use them. Avoid using public services like e-mail or cloud storage if possible when transferring the files due to security concerns.

    Recommend methods of transfer are ssh/scp, https, USB, and microSD card where available.
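Review bot: "Avoid using public services like e-mail or cloud storage if possible" undersells the risk for a file that bundles the client's private key; drop "if possible" and say plainly not to e-mail it or upload it to shared storage. "Recommend methods of transfer" should be "Recommended methods of transfer", and "https" in that list needs qualification (an authenticated HTTPS endpoint the reader controls), otherwise it reads as "put it on a web server".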

    @@ -190,7 +190,7 @@ Optional: configure systemd to start `/etc/openvpn/<^>CLIENTNAME<^>.conf` at boo

    Download and install [TunnelBlick](https://code.google.com/p/tunnelblick/).
    Copy `<^>CLIENTNAME<^>.ovpn` from the server to the Mac.
    Import the configuration by double clicking the `*.ovpn` file copied earlier. TunnelBlick will be invoked and the import the configruation.
    Import the configuration by double clicking the `*.ovpn` file copied earlier. TunnelBlick will be invoked and the import the configuration.
    Open TunnelBlick, select the configuration, select **connect**.

    ### Android via OpenVPN Connect
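Review bot: "configruation" is fixed but the sentence is still ungrammatical: "TunnelBlick will be invoked and the import the configuration" should read "TunnelBlick will be launched and will import the configuration". The link still points at code.google.com, which no longer hosts projects; update it to the project's current site.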
  7. kylemanna revised this gist Jan 8, 2015. 1 changed file with 3 additions and 1 deletion.
    4 changes: 3 additions & 1 deletion DigitalOcean + OpenVPN + Docker.md
    @@ -6,7 +6,9 @@ This tutorial will explain how to setup and run an [OpenVPN](http://openvpn.net/

    OpenVPN provides a way to create virtual private networks (VPNs) using TLS (evolution of SSL) encryption. OpenVPN protects the network traffic from eavesdropping and man-in-the-middle (MITM) attacks. The private network can be used to securely connect a device, such as a laptop or mobile phone running on an insecure WiFi network, to a remote server that then relays the traffic to the Internet. Private networks can also be used to securely connect devices to each other over the Internet.

    Docker provides a way to encapsulate the OpenVPN server process and configuration data so that it is more easily managed. The [Docker OpenVPN *image* is prebuilt](https://registry.hub.docker.com/u/kylemanna/openvpn) ([source is available](https://github.com/kylemanna/docker-openvpn)) and includes all of the necessary dependencies to run the server in a sane and stable environement. Scripts are included to significantly automate the standard use case, but still allow for full manual configuration if desired. A Docker *volume container* is used to hold the configuration and EasyRSA PKI certificate data as well.
    Docker provides a way to encapsulate the OpenVPN server process and configuration data so that it is more easily managed. The Docker OpenVPN *image* is prebuilt and includes all of the necessary dependencies to run the server in a sane and stable environement. Scripts are included to significantly automate the standard use case, but still allow for full manual configuration if desired. A Docker *volume container* is used to hold the configuration and EasyRSA PKI certificate data as well.

    [Docker Registry](https://registry.hub.docker.com/) is a central repository for both official and user developed Docker images. The image used in this tutorial is a user contributed image available at [kylemanna/openvpn](https://registry.hub.docker.com/u/kylemanna/openvpn). The image is assembled on Docker Registry's cloud build servers using the source from the [Github project](https://github.com/kylemanna/docker-openvpn) repository. The cloud server build linked to Github adds the ability to audit the Docker image so that users can review the source Dockerfile and related code, this is called a [Trusted Build](http://blog.docker.com/2013/11/introducing-trusted-builds/). When the code is updated in the Github repository, a new Docker image is built and published on the Docker Registry.

    ### Example Use Cases
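Review bot: the new paragraph correctly explains that the image is rebuilt and republished whenever the GitHub repository changes; the consequence for the reader is that `docker run ... kylemanna/openvpn` with no tag pulls whatever `latest` is at that moment, so the server can change underneath them on the next upstart respawn or host reboot. Tell readers to pin a tag, or at least to review the Dockerfile at the commit they are running, since being able to audit the source only helps if you know which build you actually deployed.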

  8. kylemanna revised this gist Jan 8, 2015. 1 changed file with 45 additions and 45 deletions.
    90 changes: 45 additions & 45 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -39,67 +39,67 @@ Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep u

    Add the upstream Docker repository package signing key. The `apt-key` command uses elevated privileges via `sudo`, so a password prompt for the user's password may appear:

    curl https://get.docker.io/gpg | sudo apt-key add -
    curl https://get.docker.io/gpg | sudo apt-key add -

    Add the upstream Docker repository to system list:

    echo deb http://get.docker.io/ubuntu docker main | sudo tee /etc/apt/sources.list.d/docker.list
    echo deb http://get.docker.io/ubuntu docker main | sudo tee /etc/apt/sources.list.d/docker.list

    Update the package list and install the Docker package:

    sudo apt-get update && sudo apt-get install -y lxc-docker
    sudo apt-get update && sudo apt-get install -y lxc-docker

    Add your user to the `docker` group to enable communication with the Docker daemon as a normal user, where <^>$USER<^> is your username. **Re-login for the new group to take affect**:

    sudo usermod -aG docker <^>$USER<^>
    sudo usermod -aG docker <^>$USER<^>

    After **re-logging in** verify the group membership the `id` command, expected response should include `docker` like the following example:
    After **re-logging in** verify the group membership the `id` command, expected response should include `docker` like the following example:

    uid=1001(test0) gid=1001(test0) groups=1001(test0),27(sudo),999(docker)
    uid=1001(test0) gid=1001(test0) groups=1001(test0),27(sudo),999(docker)

    Optional: Run `bash` in a simple Debian Docker image (`--rm` to cleanup container after exit and `-it` for interactive) to verify Docker operation on host:

    docker run --rm -it debian:jessie bash -l
    docker run --rm -it debian:jessie bash -l

    Expected response from docker as it pulls in the images and sets up the container:
    Expected response from docker as it pulls in the images and sets up the container:

    Unable to find image 'debian:jessie' locally
    debian:jessie: The image you are pulling has been verified
    511136ea3c5a: Pull complete
    36fd425d7d8a: Pull complete
    aaabd2b41e22: Pull complete
    Status: Downloaded newer image for debian:jessie
    root@de8ffd8f82f6:/#
    Unable to find image 'debian:jessie' locally
    debian:jessie: The image you are pulling has been verified
    511136ea3c5a: Pull complete
    36fd425d7d8a: Pull complete
    aaabd2b41e22: Pull complete
    Status: Downloaded newer image for debian:jessie
    root@de8ffd8f82f6:/#

    Once inside the container you'll see the `root@<^><container id><^>:/#` prompt signifying that the current shell is in a Docker container. To confirm that it's different then the host, check the version of Debian running in the container:
    Once inside the container you'll see the `root@<^><container id><^>:/#` prompt signifying that the current shell is in a Docker container. To confirm that it's different then the host, check the version of Debian running in the container:

    cat /etc/issue.net
    cat /etc/issue.net

    Expected response for the openvpn container at the time of writing:
    Expected response for the openvpn container at the time of writing:

    Debian GNU/Linux jessie/sid
    Debian GNU/Linux jessie/sid

    Exit the container by typing `logout` and the host's prompt should appear again.
    Exit the container by typing `logout` and the host's prompt should appear again.

    ## Step 2 — Setup the EasyRSA PKI Certificate Store

    This step is usually a headache for those familiar with OpenVPN or any services utilizing PKI. Luckily Docker and the scripts in the Docker image simplify this step by generating configuration files and all the necessary certificate files for us.

    Create a volume container, this tutorial will use `<^>$OVPN_DATA<^>` environmental variable to make it copy-paste friendly. Set as appropriate to anything you like. The default `ovpn-data` value is recommended for single OpenVPN docker container servers. Setting the variable in the shell leverages string substitution to save the user from manually replacing it for each step in the tutorial:

    <^>OVPN_DATA<^>="ovpn-data"
    <^>OVPN_DATA<^>="ovpn-data"

    Create an empty Docker volume container using busybox as a minimal Docker image:

    docker run --name <^>$OVPN_DATA<^> -v /etc/openvpn busybox
    docker run --name <^>$OVPN_DATA<^> -v /etc/openvpn busybox

    Initalize the `<^>$OVPN_DATA<^>` container that will hold the configuration files and certificates, replace `<^>VPN.SERVERNAME.COM<^>` with your FQDN. The `<^>VPN.SERVERNAME.COM<^>` value should be the FQDN (i.e. vpn.mydomain.com) you use to communicate with the server, this assumes the [DNS settings](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-host-name-with-digitalocean) are already configured. Alternatively, it's possible to use just the IP address of the server, but this is not recommended.

    docker run --volumes-from <^>$OVPN_DATA<^> --rm kylemanna/openvpn ovpn_genconfig -u udp://<^>VPN.SERVERNAME.COM<^>:1194
    docker run --volumes-from <^>$OVPN_DATA<^> --rm kylemanna/openvpn ovpn_genconfig -u udp://<^>VPN.SERVERNAME.COM<^>:1194

    Generate the EasyRSA PKI certificate authority, you will be prompted for a passphrase for the CA private key. Pick a good one and remember it, without the passphrase it will be impossible to issue and sign client certificates:

    docker run --volumes-from <^>$OVPN_DATA<^> --rm -it kylemanna/openvpn ovpn_initpki
    docker run --volumes-from <^>$OVPN_DATA<^> --rm -it kylemanna/openvpn ovpn_initpki

    **Note, the security of the `<^>$OVPN_DATA<^>` container is important.** It contains all the private keys to impersonate the server and ability to steal client certificates. Keep this in mind and control access as appropriate. The default OpenVPN scripts use a passphrase for the CA key to increase security and prevents issuing bogus certificates.
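Review bot: the indentation change is fine, but two lines inside the hunk need a warning. "Add your user to the `docker` group to enable communication with the Docker daemon as a normal user" should state that group membership is equivalent to root on the host (the daemon runs as root and any member can mount `/` into a container), so it should be granted only to the admin account. And `curl https://get.docker.io/gpg | sudo apt-key add -` imports a signing key with no fingerprint check, and `apt-key add` trusts that key for every configured repository, not only Docker's; at minimum save the key to a file, print its fingerprint with `gpg --with-fingerprint`, and compare it with the one Docker publishes before adding it.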

    @@ -109,25 +109,25 @@ See **Advanced Topics** below for more details on how to backup the certificate

    To autostart the Docker container that runs OpenVPN server process (see [Docker Host Integration for more](https://docs.docker.com/articles/host_integration/)) create an *upstart* init file:

    cat <<EOF | sudo tee /etc/init/docker-openvpn.conf
    description "Docker container for OpenVPN server"
    start on filesystem and started docker
    stop on runlevel [!2345]
    respawn
    script
    exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
    end script
    EOF
    cat <<EOF | sudo tee /etc/init/docker-openvpn.conf
    description "Docker container for OpenVPN server"
    start on filesystem and started docker
    stop on runlevel [!2345]
    respawn
    script
    exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
    end script
    EOF

    Start the process using *upstart* init mechanism:

    sudo start docker-openvpn
    sudo start docker-openvpn

    Verify that the container started and didn't immediately crash by looking at the `STATUS` column:

    test0@tutorial0:~$ docker ps
    CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
    c3ca41324e1d kylemanna/openvpn:latest "ovpn_run" 2 seconds ago Up 2 seconds 0.0.0.0:1194->1194/udp focused_mestorf
    test0@tutorial0:~$ docker ps
    CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
    c3ca41324e1d kylemanna/openvpn:latest "ovpn_run" 2 seconds ago Up 2 seconds 0.0.0.0:1194->1194/udp focused_mestorf


    ## Step 4 — Setup OpenVPN Clients
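Review bot: "Up 2 seconds" in the `docker ps` output only shows the container has not exited; it does not show that OpenVPN came up. Add `docker logs <container id>` using the id from the same `docker ps` output and look for OpenVPN's "Initialization Sequence Completed" line, which is the point at which the server is actually accepting clients on 1194/udp. Note also that with `--rm` in the upstart job a crashed container is deleted along with its logs, so a server that keeps respawning leaves nothing to inspect; giving the container a `--name` and dropping `--rm` while debugging would make `docker logs` usable.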
    @@ -152,37 +152,37 @@ On Ubuntu 12.04/14.04 and Debian wheezy/jessie clients (and similar):

    Install OpenVPN:

    sudo apt-get install openvpn
    sudo apt-get install openvpn

    Copy the client configuration file from the server and set secure permissions:

    sudo install -o root -m 400 <^>CLIENTNAME<^>.ovpn /etc/openvpn/<^>CLIENTNAME<^>.conf
    sudo install -o root -m 400 <^>CLIENTNAME<^>.ovpn /etc/openvpn/<^>CLIENTNAME<^>.conf

    Configure the init scripts to autostart all configurations matching `/etc/openvpn/*.conf`:

    echo AUTOSTART=all | sudo tee -a /etc/default/openvpn
    echo AUTOSTART=all | sudo tee -a /etc/default/openvpn

    Restart the OpenVPN client's server process:

    sudo /etc/init.d/openvpn restart
    sudo /etc/init.d/openvpn restart

    ### Arch Linux via native OpenVPN

    Install OpenVPN:

    pacman -Sy openvpn
    pacman -Sy openvpn

    Copy the client configuration file from the server and set secure permissions:

    sudo install -o root -m 400 <^>CLIENTNAME<^>.ovpn /etc/openvpn/<^>CLIENTNAME<^>.conf
    sudo install -o root -m 400 <^>CLIENTNAME<^>.ovpn /etc/openvpn/<^>CLIENTNAME<^>.conf

    Start OpenVPN client's server process:

    systemctl start openvpn@<^>CLIENTNAME<^>
    systemctl start openvpn@<^>CLIENTNAME<^>

    Optional: configure systemd to start `/etc/openvpn/<^>CLIENTNAME<^>.conf` at boot:

    systemctl enable openvpn@<^>CLIENTNAME<^>
    systemctl enable openvpn@<^>CLIENTNAME<^>

    ### MacOS X via TunnelBlick
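Review bot: `pacman -Sy openvpn` refreshes the package database and installs without upgrading, which is the partial-upgrade situation Arch warns against; use `sudo pacman -S openvpn` (or `sudo pacman -Syu openvpn`). The same block omits `sudo` for `pacman` and `systemctl` while the Debian block uses it consistently. On the Debian side, `sudo /etc/init.d/openvpn restart` works on 12.04/14.04 and wheezy, but jessie boots with systemd; `sudo service openvpn restart` covers both.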

  9. kylemanna revised this gist Jan 8, 2015. 1 changed file with 28 additions and 28 deletions.
    56 changes: 28 additions & 28 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -37,27 +37,27 @@ Docker provides a way to encapsulate the OpenVPN server process and configuratio

    Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep up. To work around this we'll install a PPA that will get us the latest version of Docker.

    1. Add the upstream Docker repository package signing key. The `apt-key` command uses elevated privileges via `sudo`, so a password prompt for the user's password may appear:
    Add the upstream Docker repository package signing key. The `apt-key` command uses elevated privileges via `sudo`, so a password prompt for the user's password may appear:

    curl https://get.docker.io/gpg | sudo apt-key add -

    2. Add the upstream Docker repository to system list:
    Add the upstream Docker repository to system list:

    echo deb http://get.docker.io/ubuntu docker main | sudo tee /etc/apt/sources.list.d/docker.list

    3. Update the package list and install the Docker package:
    Update the package list and install the Docker package:

    sudo apt-get update && sudo apt-get install -y lxc-docker

    4. Add your user to the `docker` group to enable communication with the Docker daemon as a normal user, where <^>$USER<^> is your username. **Re-login for the new group to take affect**:
    Add your user to the `docker` group to enable communication with the Docker daemon as a normal user, where <^>$USER<^> is your username. **Re-login for the new group to take affect**:

    sudo usermod -aG docker <^>$USER<^>

    After **re-logging in** verify the group membership the `id` command, expected response should include `docker` like the following example:

    uid=1001(test0) gid=1001(test0) groups=1001(test0),27(sudo),999(docker)

    6. Optional: Run `bash` in a simple Debian Docker image (`--rm` to cleanup container after exit and `-it` for interactive) to verify Docker operation on host:
    Optional: Run `bash` in a simple Debian Docker image (`--rm` to cleanup container after exit and `-it` for interactive) to verify Docker operation on host:

    docker run --rm -it debian:jessie bash -l
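Review bot: dropping the list numbers is the right call since the old list jumped from 4 to 6, but the lead sentence still says "we'll install a PPA"; `http://get.docker.io/ubuntu` is Docker's own apt repository, not a Launchpad PPA, and calling it one sends readers looking for an `add-apt-repository ppa:` line. Say "Docker's upstream apt repository".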

    @@ -85,19 +85,19 @@ Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep u

    This step is usually a headache for those familiar with OpenVPN or any services utilizing PKI. Luckily Docker and the scripts in the Docker image simplify this step by generating configuration files and all the necessary certificate files for us.

    1. Create a volume container, this tutorial will use `<^>$OVPN_DATA<^>` environmental variable to make it copy-paste friendly. Set as appropriate to anything you like. The default `ovpn-data` value is recommended for single OpenVPN docker container servers. Setting the variable in the shell leverages string substitution to save the user from manually replacing it for each step in the tutorial:
    Create a volume container, this tutorial will use `<^>$OVPN_DATA<^>` environmental variable to make it copy-paste friendly. Set as appropriate to anything you like. The default `ovpn-data` value is recommended for single OpenVPN docker container servers. Setting the variable in the shell leverages string substitution to save the user from manually replacing it for each step in the tutorial:

    <^>OVPN_DATA<^>="ovpn-data"

    2. Create an empty Docker volume container using busybox as a minimal Docker image:
    Create an empty Docker volume container using busybox as a minimal Docker image:

    docker run --name <^>$OVPN_DATA<^> -v /etc/openvpn busybox

    3. Initalize the `<^>$OVPN_DATA<^>` container that will hold the configuration files and certificates, replace `<^>VPN.SERVERNAME.COM<^>` with your FQDN. The `<^>VPN.SERVERNAME.COM<^>` value should be the FQDN (i.e. vpn.mydomain.com) you use to communicate with the server, this assumes the [DNS settings](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-host-name-with-digitalocean) are already configured. Alternatively, it's possible to use just the IP address of the server, but this is not recommended.
    Initalize the `<^>$OVPN_DATA<^>` container that will hold the configuration files and certificates, replace `<^>VPN.SERVERNAME.COM<^>` with your FQDN. The `<^>VPN.SERVERNAME.COM<^>` value should be the FQDN (i.e. vpn.mydomain.com) you use to communicate with the server, this assumes the [DNS settings](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-host-name-with-digitalocean) are already configured. Alternatively, it's possible to use just the IP address of the server, but this is not recommended.

    docker run --volumes-from <^>$OVPN_DATA<^> --rm kylemanna/openvpn ovpn_genconfig -u udp://<^>VPN.SERVERNAME.COM<^>:1194

    4. Generate the EasyRSA PKI certificate authority, you will be prompted for a passphrase for the CA private key. Pick a good one and remember it, without the passphrase it will be impossible to issue and sign client certificates:
    Generate the EasyRSA PKI certificate authority, you will be prompted for a passphrase for the CA private key. Pick a good one and remember it, without the passphrase it will be impossible to issue and sign client certificates:

    docker run --volumes-from <^>$OVPN_DATA<^> --rm -it kylemanna/openvpn ovpn_initpki
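Review bot: `OVPN_DATA="ovpn-data"` sets a plain shell variable that exists only in the current session; anyone who comes back later, for example to issue another client certificate in Step 4, will run `docker run --volumes-from  --rm ...` with an empty name. Say that the variable must be set again in any new session before the later `docker run` commands. "environmental variable" should be "environment variable".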

    @@ -107,7 +107,7 @@ See **Advanced Topics** below for more details on how to backup the certificate

    ## Step 3 — Launch the OpenVPN Server

    1. To autostart the Docker container that runs OpenVPN server process (see [Docker Host Integration for more](https://docs.docker.com/articles/host_integration/)) create an *upstart* init file:
    To autostart the Docker container that runs OpenVPN server process (see [Docker Host Integration for more](https://docs.docker.com/articles/host_integration/)) create an *upstart* init file:

    cat <<EOF | sudo tee /etc/init/docker-openvpn.conf
    description "Docker container for OpenVPN server"
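Review bot: "the Docker container that runs OpenVPN server process" drops an article; "runs the OpenVPN server process". "see Docker Host Integration for more" reads better as "see Docker Host Integration for details".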
    @@ -119,11 +119,11 @@ See **Advanced Topics** below for more details on how to backup the certificate
    end script
    EOF

    2. Start the process using *upstart* init mechanism:
    Start the process using *upstart* init mechanism:

    sudo start docker-openvpn

    3. Verify that the container started and didn't immediately crash by looking at the `STATUS` column:
    Verify that the container started and didn't immediately crash by looking at the `STATUS` column:

    test0@tutorial0:~$ docker ps
    CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
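Review bot: The STATUS check ("Verify that the container started and didn't immediately crash") only proves the container is running, not that OpenVPN finished initialising and is listening on 1194/udp. Suggest following `docker ps` with `docker logs <container id>` using the ID from the first column, so the reader can confirm OpenVPN's "Initialization Sequence Completed" line before moving on to clients.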
    @@ -150,53 +150,53 @@ Recommend methods of transfer are ssh/scp, https, USB, and microSD card where av

    On Ubuntu 12.04/14.04 and Debian wheezy/jessie clients (and similar):

    1. Install OpenVPN:
    Install OpenVPN:

    sudo apt-get install openvpn

    2. Copy the client configuration file from the server and set secure permissions:
    Copy the client configuration file from the server and set secure permissions:

    sudo install -o root -m 400 <^>CLIENTNAME<^>.ovpn /etc/openvpn/<^>CLIENTNAME<^>.conf

    3. Configure the init scripts to autostart all configurations matching `/etc/openvpn/*.conf`:
    Configure the init scripts to autostart all configurations matching `/etc/openvpn/*.conf`:

    echo AUTOSTART=all | sudo tee -a /etc/default/openvpn

    4. Restart the OpenVPN client's server process:
    Restart the OpenVPN client's server process:

    sudo /etc/init.d/openvpn restart

    ### Arch Linux via native OpenVPN

    1. Install OpenVPN:
    Install OpenVPN:

    pacman -Sy openvpn

    2. Copy the client configuration file from the server and set secure permissions:
    Copy the client configuration file from the server and set secure permissions:

    sudo install -o root -m 400 <^>CLIENTNAME<^>.ovpn /etc/openvpn/<^>CLIENTNAME<^>.conf

    3. Start OpenVPN client's server process:
    Start OpenVPN client's server process:

    systemctl start openvpn@<^>CLIENTNAME<^>

    4. Optional: configure systemd to start `/etc/openvpn/<^>CLIENTNAME<^>.conf` at boot:
    Optional: configure systemd to start `/etc/openvpn/<^>CLIENTNAME<^>.conf` at boot:

    systemctl enable openvpn@<^>CLIENTNAME<^>

    ### MacOS X via TunnelBlick

    1. Download and install [TunnelBlick](https://code.google.com/p/tunnelblick/).
    2. Copy `<^>CLIENTNAME<^>.ovpn` from the server to the Mac.
    3. Import the configuration by double clicking the `*.ovpn` file copied earlier. TunnelBlick will be invoked and the import the configruation.
    4. Open TunnelBlick, select the configuration, select **connect**.
    Download and install [TunnelBlick](https://code.google.com/p/tunnelblick/).
    Copy `<^>CLIENTNAME<^>.ovpn` from the server to the Mac.
    Import the configuration by double clicking the `*.ovpn` file copied earlier. TunnelBlick will be invoked and the import the configruation.
    Open TunnelBlick, select the configuration, select **connect**.

    ### Android via OpenVPN Connect

    1. Install the [OpenVPN Connect App](https://play.google.com/store/apps/details?id=net.openvpn.openvpn) from the Google Play store.
    2. Copy `<^>CLIENTNAME<^>.ovpn` from the server to the Android device in a secure manner. USB or microSD cards are safer. Place the file on your SD card to aid in opening it.
    3. Import the configuration: **Menu** -> **Import** -> **Import Profile from SD card**
    4. Select **connect**.
    Install the [OpenVPN Connect App](https://play.google.com/store/apps/details?id=net.openvpn.openvpn) from the Google Play store.
    Copy `<^>CLIENTNAME<^>.ovpn` from the server to the Android device in a secure manner. USB or microSD cards are safer. Place the file on your SD card to aid in opening it.
    Import the configuration: **Menu** -> **Import** -> **Import Profile from SD card**
    Select **connect**.

    ## Step 5 — Verifying Operation
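Review bot: "TunnelBlick will be invoked and the import the configruation" has a stray "the" and a typo; "TunnelBlick will be invoked and import the configuration". With the list numbers removed, "Optional:" on the `systemctl enable` step is now the only cue that the preceding steps are required and ordered; consider making the sequence explicit in the sentence (for example "Once the client connects, optionally configure systemd...").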

  10. kylemanna revised this gist Jan 8, 2015. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion DigitalOcean + OpenVPN + Docker.md
    @@ -85,7 +85,7 @@ Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep u

    This step is usually a headache for those familiar with OpenVPN or any services utilizing PKI. Luckily Docker and the scripts in the Docker image simplify this step by generating configuration files and all the necessary certificate files for us.

    1. Create a volume container, this tutorial will use `<^>$OVPN_DATA<^>` environmental variable to make it copy-paste friendly. Set as appropriate to anything you like. The default `ovpn-data` value is recommended for single OpenVPN docker container servers:
    1. Create a volume container, this tutorial will use `<^>$OVPN_DATA<^>` environmental variable to make it copy-paste friendly. Set as appropriate to anything you like. The default `ovpn-data` value is recommended for single OpenVPN docker container servers. Setting the variable in the shell leverages string substitution to save the user from manually replacing it for each step in the tutorial:

    <^>OVPN_DATA<^>="ovpn-data"
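Review bot: "environmental variable" should be "environment variable", and "Create a volume container, this tutorial will use..." is a comma splice; split at "this tutorial". The added sentence about "string substitution" describes shell parameter expansion; saying plainly that the variable must be set in the same shell session in which the later `docker run` commands are typed would make the caveat concrete for readers who reconnect between steps.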

  11. kylemanna revised this gist Jan 8, 2015. 1 changed file with 11 additions and 4 deletions.
    15 changes: 11 additions & 4 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -61,18 +61,25 @@ Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep u

    docker run --rm -it debian:jessie bash -l

    Expected response with additional check of Debian version:
    Expected response from docker as it pulls in the images and sets up the container:

    test0@tutorial0:~$ docker run --rm -it debian:jessie bash -l
    Unable to find image 'debian:jessie' locally
    debian:jessie: The image you are pulling has been verified
    511136ea3c5a: Pull complete
    36fd425d7d8a: Pull complete
    aaabd2b41e22: Pull complete
    Status: Downloaded newer image for debian:jessie
    root@de8ffd8f82f6:/# cat /etc/issue.net
    root@de8ffd8f82f6:/#

    Once inside the container you'll see the `root@<^><container id><^>:/#` prompt signifying that the current shell is in a Docker container. To confirm that it's different then the host, check the version of Debian running in the container:

    cat /etc/issue.net

    Expected response for the openvpn container at the time of writing:

    Debian GNU/Linux jessie/sid
    root@de8ffd8f82f6:/# logout

    Exit the container by typing `logout` and the host's prompt should appear again.

    ## Step 2 — Setup the EasyRSA PKI Certificate Store
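Review bot: "Expected response for the openvpn container at the time of writing" names the wrong container; the command above runs `debian:jessie`, not the OpenVPN image, so say "for the debian:jessie container". Also "different then the host" should be "different from the host".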

  12. kylemanna revised this gist Jan 8, 2015. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion DigitalOcean + OpenVPN + Docker.md
    @@ -86,7 +86,7 @@ This step is usually a headache for those familiar with OpenVPN or any services

    docker run --name <^>$OVPN_DATA<^> -v /etc/openvpn busybox

    3. Initalize the `<^>$OVPN_DATA<^>` container that will hold the configuration files and certificates, replace `VPN.SERVERNAME.COM` with your FQDN:
    3. Initalize the `<^>$OVPN_DATA<^>` container that will hold the configuration files and certificates, replace `<^>VPN.SERVERNAME.COM<^>` with your FQDN. The `<^>VPN.SERVERNAME.COM<^>` value should be the FQDN (i.e. vpn.mydomain.com) you use to communicate with the server, this assumes the [DNS settings](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-host-name-with-digitalocean) are already configured. Alternatively, it's possible to use just the IP address of the server, but this is not recommended.

    docker run --volumes-from <^>$OVPN_DATA<^> --rm kylemanna/openvpn ovpn_genconfig -u udp://<^>VPN.SERVERNAME.COM<^>:1194
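Review bot: "Initalize" is misspelt in both the old and the new line; "Initialize". "i.e. vpn.mydomain.com" introduces an example, so "e.g.". The new text says using the bare IP is "not recommended" without giving the reason; one clause would justify it: the URL passed with `-u` is what clients will connect to, so if the server's IP later changes every client's `.ovpn` has to be regenerated, whereas a DNS name can be repointed.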

  13. kylemanna revised this gist Jan 8, 2015. 1 changed file with 21 additions and 21 deletions.
    42 changes: 21 additions & 21 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -49,9 +49,9 @@ Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep u

    sudo apt-get update && sudo apt-get install -y lxc-docker

    4. Add your user to the `docker` group to enable communication with the Docker daemon as a normal user, where $USER is your username. **Re-login for the new group to take affect**:
    4. Add your user to the `docker` group to enable communication with the Docker daemon as a normal user, where <^>$USER<^> is your username. **Re-login for the new group to take affect**:

    sudo usermod -aG docker $USER
    sudo usermod -aG docker <^>$USER<^>

    After **re-logging in** verify the group membership the `id` command, expected response should include `docker` like the following example:
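Review bot: "as a normal user" in the `usermod -aG docker` step understates what is granted: membership in the `docker` group lets that account start containers with arbitrary host mounts and is therefore equivalent to root on the host. One sentence saying so would stop readers from adding shared or low-trust accounts. Also "take affect" should be "take effect", and "verify the group membership the `id` command" is missing "with".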

    @@ -78,23 +78,23 @@ Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep u

    This step is usually a headache for those familiar with OpenVPN or any services utilizing PKI. Luckily Docker and the scripts in the Docker image simplify this step by generating configuration files and all the necessary certificate files for us.

    1. Create a volume container, this tutorial will use `$OVPN_DATA` environmental variable to make it copy-paste friendly. Set as appropriate:
    1. Create a volume container, this tutorial will use `<^>$OVPN_DATA<^>` environmental variable to make it copy-paste friendly. Set as appropriate to anything you like. The default `ovpn-data` value is recommended for single OpenVPN docker container servers:

    OVPN_DATA="ovpn-data"
    <^>OVPN_DATA<^>="ovpn-data"

    2. Create an empty Docker volume container using busybox as a minimal Docker image:

    docker run --name $OVPN_DATA -v /etc/openvpn busybox
    docker run --name <^>$OVPN_DATA<^> -v /etc/openvpn busybox

    3. Initalize the `$OVPN_DATA` container that will hold the configuration files and certificates, replace `VPN.SERVERNAME.COM` with your FQDN:
    3. Initalize the `<^>$OVPN_DATA<^>` container that will hold the configuration files and certificates, replace `VPN.SERVERNAME.COM` with your FQDN:

    docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM:1194
    docker run --volumes-from <^>$OVPN_DATA<^> --rm kylemanna/openvpn ovpn_genconfig -u udp://<^>VPN.SERVERNAME.COM<^>:1194

    4. Generate the EasyRSA PKI certificate authority, you will be prompted for a passphrase for the CA private key. Pick a good one and remember it, without the passphrase it will be impossible to issue and sign client certificates:

    docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki
    docker run --volumes-from <^>$OVPN_DATA<^> --rm -it kylemanna/openvpn ovpn_initpki

    **Note, the security of the `$OVPN_DATA` container is important.** It contains all the private keys to impersonate the server and ability to steal client certificates. Keep this in mind and control access as appropriate. The default OpenVPN scripts use a passphrase for the CA key to increase security and prevents issuing bogus certificates.
    **Note, the security of the `<^>$OVPN_DATA<^>` container is important.** It contains all the private keys to impersonate the server and ability to steal client certificates. Keep this in mind and control access as appropriate. The default OpenVPN scripts use a passphrase for the CA key to increase security and prevents issuing bogus certificates.

    See **Advanced Topics** below for more details on how to backup the certificate store.
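Review bot: The bold note about `$OVPN_DATA` says the volume holds keys able to "impersonate the server" and "steal client certificates"; since the client keys are also generated inside this volume (Step 4's `easyrsa build-client-full ... nopass`), it holds every client's unencrypted private key as well, which is the stronger reason to restrict access to it and to back it up with care. Grammar: "increase security and prevents issuing" should be "prevent issuing".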

    @@ -125,17 +125,17 @@ See **Advanced Topics** below for more details on how to backup the certificate

    ## Step 4 — Setup OpenVPN Clients

    Create a client certificate using the PKI CA setup above for each client, replace `CLIENTNAME` as appropriate (this doesn't have to be a FQDN):
    Create a client certificate using the PKI CA setup above for each client, replace `<^>CLIENTNAME<^>` as appropriate (this doesn't have to be a FQDN). Client name is used to identify the machine it's running on (i.e. "home-laptop", "work-laptop", "nexus5", etc):

    docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
    docker run --volumes-from <^>$OVPN_DATA<^> --rm -it kylemanna/openvpn easyrsa build-client-full <^>CLIENTNAME<^> nopass

    After each client is created the server is ready to accept connections.

    The clients need the certificates and a configuration file to connect. The embedded scripts automate this task and enable the user to write out a configuration to a single file that can then be transfered to the client, again replace `CLIENTNAME` as appropriate:
    The clients need the certificates and a configuration file to connect. The embedded scripts automate this task and enable the user to write out a configuration to a single file that can then be transfered to the client, again replace `<^>CLIENTNAME<^>` as appropriate:

    docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
    docker run --volumes-from <^>$OVPN_DATA<^> --rm kylemanna/openvpn ovpn_getclient <^>CLIENTNAME<^> > <^>CLIENTNAME<^>.ovpn

    The resulting `CLIENTNAME.ovpn` file contains the private keys and certificates necessary to connect to the VPN. **Keep these files secure and not lying around**. You'll need to securely transport the `*.ovpn` files to the clients that will use them. Avoid using public services like e-mail or cloud storage if possible when transfering the files due to security concerns.
    The resulting `<^>CLIENTNAME<^>.ovpn` file contains the private keys and certificates necessary to connect to the VPN. **Keep these files secure and not lying around**. You'll need to securely transport the `*.ovpn` files to the clients that will use them. Avoid using public services like e-mail or cloud storage if possible when transfering the files due to security concerns.

    Recommend methods of transfer are ssh/scp, https, USB, and microSD card where available.
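Review bot: `nopass` in `easyrsa build-client-full <CLIENTNAME> nopass` writes the client private key unencrypted, and `ovpn_getclient` then embeds it in the `.ovpn`, so possession of that file is possession of the client identity. The "Keep these files secure" paragraph should say this outright and mention revoking the certificate if a device is lost. Typos: "transfered" (twice) should be "transferred"; "Recommend methods" should be "Recommended methods".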

    @@ -149,7 +149,7 @@ On Ubuntu 12.04/14.04 and Debian wheezy/jessie clients (and similar):

    2. Copy the client configuration file from the server and set secure permissions:

    sudo install -o root -m 400 CLIENTNAME.ovpn /etc/openvpn/CLIENTNAME.conf
    sudo install -o root -m 400 <^>CLIENTNAME<^>.ovpn /etc/openvpn/<^>CLIENTNAME<^>.conf

    3. Configure the init scripts to autostart all configurations matching `/etc/openvpn/*.conf`:

    @@ -167,27 +167,27 @@ On Ubuntu 12.04/14.04 and Debian wheezy/jessie clients (and similar):

    2. Copy the client configuration file from the server and set secure permissions:

    sudo install -o root -m 400 CLIENTNAME.ovpn /etc/openvpn/CLIENTNAME.conf
    sudo install -o root -m 400 <^>CLIENTNAME<^>.ovpn /etc/openvpn/<^>CLIENTNAME<^>.conf

    3. Start OpenVPN client's server process:

    systemctl start openvpn@CLIENTNAME
    systemctl start openvpn@<^>CLIENTNAME<^>

    4. Optional: configure systemd to start `/etc/openvpn/CLIENTNAME.conf` at boot:
    4. Optional: configure systemd to start `/etc/openvpn/<^>CLIENTNAME<^>.conf` at boot:

    systemctl enable openvpn@CLIENTNAME
    systemctl enable openvpn@<^>CLIENTNAME<^>

    ### MacOS X via TunnelBlick

    1. Download and install [TunnelBlick](https://code.google.com/p/tunnelblick/).
    2. Copy `CLIENTNAME.ovpn` from the server to the Mac.
    2. Copy `<^>CLIENTNAME<^>.ovpn` from the server to the Mac.
    3. Import the configuration by double clicking the `*.ovpn` file copied earlier. TunnelBlick will be invoked and the import the configruation.
    4. Open TunnelBlick, select the configuration, select **connect**.

    ### Android via OpenVPN Connect

    1. Install the [OpenVPN Connect App](https://play.google.com/store/apps/details?id=net.openvpn.openvpn) from the Google Play store.
    2. Copy `CLIENTNAME.ovpn` from the server to the Android device in a secure manner. USB or microSD cards are safer. Place the file on your SD card to aid in opening it.
    2. Copy `<^>CLIENTNAME<^>.ovpn` from the server to the Android device in a secure manner. USB or microSD cards are safer. Place the file on your SD card to aid in opening it.
    3. Import the configuration: **Menu** -> **Import** -> **Import Profile from SD card**
    4. Select **connect**.
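Review bot: The Android step puts `<CLIENTNAME>.ovpn` on the SD card to ease import; on Android, files on external storage are readable by any app with storage permission, and the file (with the embedded private key) stays there after OpenVPN Connect imports it. Add a final step to delete it from the card once the profile is imported. Also `systemctl start openvpn@<CLIENTNAME>` and `systemctl enable` run without `sudo` while the preceding `install` uses it; be consistent. "configruation" should be "configuration".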

  14. kylemanna revised this gist Jan 8, 2015. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion DigitalOcean + OpenVPN + Docker.md
    @@ -37,7 +37,7 @@ Docker provides a way to encapsulate the OpenVPN server process and configuratio

    Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep up. To work around this we'll install a PPA that will get us the latest version of Docker.

    1. Add the upstream Docker repository package signing key:
    1. Add the upstream Docker repository package signing key. The `apt-key` command uses elevated privileges via `sudo`, so a password prompt for the user's password may appear:

    curl https://get.docker.io/gpg | sudo apt-key add -
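Review bot: The added clause "a password prompt for the user's password may appear" is redundant; "a prompt for the user's password may appear". More usefully, `curl https://get.docker.io/gpg | sudo apt-key add -` trusts whatever the download returns: use `curl -fsSL` so an HTTP error page is not piped into `apt-key`, and tell the reader to compare `apt-key finger` output against the fingerprint Docker publishes before continuing.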

  15. kylemanna revised this gist Jan 8, 2015. 1 changed file with 6 additions and 6 deletions.
    12 changes: 6 additions & 6 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -33,7 +33,7 @@ Docker provides a way to encapsulate the OpenVPN server process and configuratio
    * You will need root access on the server. This guide assumes the user is running as an unprivileged user with sudo enabled. Review the [Digital Ocean tutorial about user management on Ubuntu 14.04](https://www.digitalocean.com/community/tutorials/how-to-add-and-delete-users-on-an-ubuntu-14-04-vps) if needed.
    * A local client such as an Android phone, laptop or PC. Almost all operating systems are supported via various OpenVPN clients.

    ## Setup and Test Docker
    ## Step 1 — Setup and Test Docker

    Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep up. To work around this we'll install a PPA that will get us the latest version of Docker.
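Review bot: "install a PPA" is a misnomer: the repository added in Step 1 is Docker's own apt repository (`deb http://get.docker.io/ubuntu docker main`), not a Launchpad PPA, so say "upstream apt repository". In the heading, "Setup" is the noun; the imperative is "Set Up" (the same applies to the later "Setup the EasyRSA PKI Certificate Store" and "Setup OpenVPN Clients" headings).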

    @@ -74,7 +74,7 @@ Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep u
    Debian GNU/Linux jessie/sid
    root@de8ffd8f82f6:/# logout

    ## Setup the EasyRSA PKI Certificate Store
    ## Step 2 — Setup the EasyRSA PKI Certificate Store

    This step is usually a headache for those familiar with OpenVPN or any services utilizing PKI. Luckily Docker and the scripts in the Docker image simplify this step by generating configuration files and all the necessary certificate files for us.

    @@ -98,7 +98,7 @@ This step is usually a headache for those familiar with OpenVPN or any services

    See **Advanced Topics** below for more details on how to backup the certificate store.

    ## Launch the OpenVPN Server
    ## Step 3 — Launch the OpenVPN Server

    1. To autostart the Docker container that runs OpenVPN server process (see [Docker Host Integration for more](https://docs.docker.com/articles/host_integration/)) create an *upstart* init file:

    @@ -123,7 +123,7 @@ See **Advanced Topics** below for more details on how to backup the certificate
    c3ca41324e1d kylemanna/openvpn:latest "ovpn_run" 2 seconds ago Up 2 seconds 0.0.0.0:1194->1194/udp focused_mestorf


    ## Setup OpenVPN Clients
    ## Step 4 — Setup OpenVPN Clients

    Create a client certificate using the PKI CA setup above for each client, replace `CLIENTNAME` as appropriate (this doesn't have to be a FQDN):
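Review bot: The `docker ps` sample shows the server under a random name (`focused_mestorf`) because the upstart `exec docker run` line in Step 3 has no `--name`; readers then have to look up a changing ID to run `docker logs` or `docker stop`. Adding `--name openvpn` (or similar) to that line makes the container addressable and keeps this sample output stable.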

    @@ -191,15 +191,15 @@ On Ubuntu 12.04/14.04 and Debian wheezy/jessie clients (and similar):
    3. Import the configuration: **Menu** -> **Import** -> **Import Profile from SD card**
    4. Select **connect**.

    ## Verifying Operation
    ## Step 5 — Verifying Operation

    If routing all the traffic to the web via the OpenVPN, check a website and the IP address of the OpenVPN server. Try [Google](http://goo.gl/OWYTAK) or [ifconfig.me](https://ifconfig.me).

    Review your network interface configuration. On Unix based operating systems this is as simple as running `ifconfig` in a terminal, look for OpenVPN's `tunX` interface when it's connected.

    Review logs. On Unix systems check `/var/log` on old distributions or `journalctl` on systemd distributions.

    ## Advanced Topics
    ## Step 6 — Advanced Topics

    The Docker image built to run this is open source and capable of much more then described here.
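Review bot: "Step 6 — Advanced Topics" is not a procedural step like Steps 1 to 5; leave it as a plain "Advanced Topics" heading. "capable of much more then described here" should be "more than". "If routing all the traffic to the web via the OpenVPN" has no subject; "If you route all traffic through the VPN".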

  16. kylemanna revised this gist Jan 8, 2015. 1 changed file with 4 additions and 1 deletion.
    5 changes: 4 additions & 1 deletion DigitalOcean + OpenVPN + Docker.md
    @@ -27,7 +27,10 @@ Docker provides a way to encapsulate the OpenVPN server process and configuratio
    ### Pre-Requisties

    * Linux shell knowledge. This guide largely assumes that the user is capable of setting up and running Linux daemons in the traditional sense.
    * Shell access on a remote server. A [DigitalOcean 1 CPU / 512 MB RAM droplet](https://www.digitalocean.com/?refcode=d19f7fe88c94) running Ubuntu 14.04 is assumed for this tutorial. Docker makes running the image on any host Linux distribution easy. Any virtual host will work as long as the host is running QEMU/KVM or Xen virtualization technology, **OpenVZ will not work**.
    * Root access on a remote server.
    * A [DigitalOcean 1 CPU / 512 MB RAM droplet](https://www.digitalocean.com/?refcode=d19f7fe88c94) running Ubuntu 14.04 is assumed for this tutorial. Docker makes running the image on any host Linux distribution easy.
    * Any virtual host will work as long as the host is running QEMU/KVM or Xen virtualization technology, **OpenVZ will not work**.
    * You will need root access on the server. This guide assumes the user is running as an unprivileged user with sudo enabled. Review the [Digital Ocean tutorial about user management on Ubuntu 14.04](https://www.digitalocean.com/community/tutorials/how-to-add-and-delete-users-on-an-ubuntu-14-04-vps) if needed.
    * A local client such as an Android phone, laptop or PC. Almost all operating systems are supported via various OpenVPN clients.

    ## Setup and Test Docker
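Review bot: "Pre-Requisties" should be "Prerequisites". The split bullets now state root access twice ("Root access on a remote server." and "You will need root access on the server..."); merge them, keeping the second, which explains the unprivileged-user-with-sudo assumption.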
  17. kylemanna revised this gist Jan 8, 2015. 1 changed file with 4 additions and 0 deletions.
    4 changes: 4 additions & 0 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -50,6 +50,10 @@ Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep u

    sudo usermod -aG docker $USER

    After **re-logging in** verify the group membership the `id` command, expected response should include `docker` like the following example:

    uid=1001(test0) gid=1001(test0) groups=1001(test0),27(sudo),999(docker)

    6. Optional: Run `bash` in a simple Debian Docker image (`--rm` to cleanup container after exit and `-it` for interactive) to verify Docker operation on host:

    docker run --rm -it debian:jessie bash -l
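Review bot: The step list jumps from 4 (`usermod`) to "6. Optional: Run `bash`..."; there is no step 5, so renumber. "verify the group membership the `id` command" is missing "with".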
  18. kylemanna revised this gist Dec 16, 2014. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion DigitalOcean + OpenVPN + Docker.md
    @@ -65,7 +65,7 @@ Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep u
    Status: Downloaded newer image for debian:jessie
    root@de8ffd8f82f6:/# cat /etc/issue.net
    Debian GNU/Linux jessie/sid
    root@de8ffd8f82f6:/# logout
    root@de8ffd8f82f6:/# logout

    ## Setup the EasyRSA PKI Certificate Store

  19. kylemanna revised this gist Dec 16, 2014. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion DigitalOcean + OpenVPN + Docker.md
    @@ -85,7 +85,7 @@ This step is usually a headache for those familiar with OpenVPN or any services

    4. Generate the EasyRSA PKI certificate authority, you will be prompted for a passphrase for the CA private key. Pick a good one and remember it, without the passphrase it will be impossible to issue and sign client certificates:

    docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki
    docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki

    **Note, the security of the `$OVPN_DATA` container is important.** It contains all the private keys to impersonate the server and ability to steal client certificates. Keep this in mind and control access as appropriate. The default OpenVPN scripts use a passphrase for the CA key to increase security and prevents issuing bogus certificates.

  20. kylemanna revised this gist Dec 15, 2014. 1 changed file with 35 additions and 35 deletions.
    70 changes: 35 additions & 35 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -36,35 +36,35 @@ Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep u

    1. Add the upstream Docker repository package signing key:

    curl https://get.docker.io/gpg | sudo apt-key add -
    curl https://get.docker.io/gpg | sudo apt-key add -

    2. Add the upstream Docker repository to system list:

    echo deb http://get.docker.io/ubuntu docker main | sudo tee /etc/apt/sources.list.d/docker.list
    echo deb http://get.docker.io/ubuntu docker main | sudo tee /etc/apt/sources.list.d/docker.list

    3. Update the package list and install the Docker package:

    sudo apt-get update && sudo apt-get install -y lxc-docker
    sudo apt-get update && sudo apt-get install -y lxc-docker

    4. Add your user to the `docker` group to enable communication with the Docker daemon as a normal user, where $USER is your username. **Re-login for the new group to take affect**:

    sudo usermod -aG docker $USER
    sudo usermod -aG docker $USER

    6. Optional: Run `bash` in a simple Debian Docker image (`--rm` to cleanup container after exit and `-it` for interactive) to verify Docker operation on host:

    docker run --rm -it debian:jessie bash -l
    docker run --rm -it debian:jessie bash -l

    Expected response with additional check of Debian version:

    test0@tutorial0:~$ docker run --rm -it debian:jessie bash -l
    Unable to find image 'debian:jessie' locally
    debian:jessie: The image you are pulling has been verified
    511136ea3c5a: Pull complete
    36fd425d7d8a: Pull complete
    aaabd2b41e22: Pull complete
    Status: Downloaded newer image for debian:jessie
    root@de8ffd8f82f6:/# cat /etc/issue.net
    Debian GNU/Linux jessie/sid
    test0@tutorial0:~$ docker run --rm -it debian:jessie bash -l
    Unable to find image 'debian:jessie' locally
    debian:jessie: The image you are pulling has been verified
    511136ea3c5a: Pull complete
    36fd425d7d8a: Pull complete
    aaabd2b41e22: Pull complete
    Status: Downloaded newer image for debian:jessie
    root@de8ffd8f82f6:/# cat /etc/issue.net
    Debian GNU/Linux jessie/sid
    root@de8ffd8f82f6:/# logout

    ## Setup the EasyRSA PKI Certificate Store
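Review bot: The repository line `deb http://get.docker.io/ubuntu docker main` uses plain HTTP while the signing key is fetched over HTTPS; apt's signature check covers package integrity, so this is acceptable, but an https:// source would also keep package metadata from a network observer if the mirror supports it. The rest of this hunk is an indentation-only change (code under list items moved to eight spaces so Markdown renders it as code), which is worth stating in the revision since the diff cannot show it. "take affect" should be "take effect".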
    @@ -73,15 +73,15 @@ This step is usually a headache for those familiar with OpenVPN or any services

    1. Create a volume container, this tutorial will use `$OVPN_DATA` environmental variable to make it copy-paste friendly. Set as appropriate:

    OVPN_DATA="ovpn-data"
    OVPN_DATA="ovpn-data"

    2. Create an empty Docker volume container using busybox as a minimal Docker image:

    docker run --name $OVPN_DATA -v /etc/openvpn busybox
    docker run --name $OVPN_DATA -v /etc/openvpn busybox

    3. Initalize the `$OVPN_DATA` container that will hold the configuration files and certificates, replace `VPN.SERVERNAME.COM` with your FQDN:

    docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM:1194
    docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM:1194

    4. Generate the EasyRSA PKI certificate authority, you will be prompted for a passphrase for the CA private key. Pick a good one and remember it, without the passphrase it will be impossible to issue and sign client certificates:
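Review bot: `docker run --name $OVPN_DATA -v /etc/openvpn busybox` creates a data-only container that runs busybox with no interactive shell and exits at once; that is the intended volume-container pattern, but a reader who checks with `docker ps` (as Step 3 teaches) will not see it and may think the step failed. One sentence noting that it is expected to appear only under `docker ps -a` with an Exited status would prevent that.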

    @@ -95,19 +95,19 @@ See **Advanced Topics** below for more details on how to backup the certificate

    1. To autostart the Docker container that runs OpenVPN server process (see [Docker Host Integration for more](https://docs.docker.com/articles/host_integration/)) create an *upstart* init file:

    cat <<EOF | sudo tee /etc/init/docker-openvpn.conf
    description "Docker container for OpenVPN server"
    start on filesystem and started docker
    stop on runlevel [!2345]
    respawn
    script
    exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
    end script
    EOF
    cat <<EOF | sudo tee /etc/init/docker-openvpn.conf
    description "Docker container for OpenVPN server"
    start on filesystem and started docker
    stop on runlevel [!2345]
    respawn
    script
    exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
    end script
    EOF

    2. Start the process using *upstart* init mechanism:

    sudo start docker-openvpn
    sudo start docker-openvpn

    3. Verify that the container started and didn't immediately crash by looking at the `STATUS` column:
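Review bot: The upstart script hardcodes `--volumes-from ovpn-data` while Step 2 tells the reader they may set `OVPN_DATA` to "anything you like"; anyone who chose another name gets a job that respawns forever against a missing container. Either substitute the value here (the heredoc delimiter `EOF` is unquoted, so `$OVPN_DATA` would expand when the file is written) or state that the default name is required by Step 3. Using `--cap-add=NET_ADMIN` rather than `--privileged` for the tun-device service is the right least-privilege choice.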

    @@ -138,37 +138,37 @@ On Ubuntu 12.04/14.04 and Debian wheezy/jessie clients (and similar):

    1. Install OpenVPN:

    sudo apt-get install openvpn
    sudo apt-get install openvpn

    2. Copy the client configuration file from the server and set secure permissions:

    sudo install -o root -m 400 CLIENTNAME.ovpn /etc/openvpn/CLIENTNAME.conf
    sudo install -o root -m 400 CLIENTNAME.ovpn /etc/openvpn/CLIENTNAME.conf

    3. Configure the init scripts to autostart all configurations matching `/etc/openvpn/*.conf`:

    echo AUTOSTART=all | sudo tee -a /etc/default/openvpn
    echo AUTOSTART=all | sudo tee -a /etc/default/openvpn

    4. Restart the OpenVPN client's server process:

    sudo /etc/init.d/openvpn restart
    sudo /etc/init.d/openvpn restart

    ### Arch Linux via native OpenVPN

    1. Install OpenVPN:

    pacman -Sy openvpn
    pacman -Sy openvpn

    2. Copy the client configuration file from the server and set secure permissions:

    sudo install -o root -m 400 CLIENTNAME.ovpn /etc/openvpn/CLIENTNAME.conf
    sudo install -o root -m 400 CLIENTNAME.ovpn /etc/openvpn/CLIENTNAME.conf

    3. Start OpenVPN client's server process:

    systemctl start openvpn@CLIENTNAME
    systemctl start openvpn@CLIENTNAME

    4. Optional: configure systemd to start `/etc/openvpn/CLIENTNAME.conf` at boot:

    systemctl enable openvpn@CLIENTNAME
    systemctl enable openvpn@CLIENTNAME

    ### MacOS X via TunnelBlick
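Review bot: `pacman -Sy openvpn` in the Arch steps refreshes the package database and installs against it without upgrading the rest of the system, which Arch documents as an unsupported partial upgrade; use `sudo pacman -Syu openvpn`. It is also the only install command in the section without `sudo`. On the Debian side, `echo AUTOSTART=all | sudo tee -a /etc/default/openvpn` appends unconditionally, so re-running the step leaves duplicate lines; harmless because the last assignment wins when the file is sourced, but worth a word.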

  21. kylemanna revised this gist Dec 15, 2014. 1 changed file with 0 additions and 11 deletions.
    11 changes: 0 additions & 11 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -201,14 +201,3 @@ The [docker-openvpn source repository](https://github.com/kylemanna/docker-openv
    Advanced topics such as **backup** and **static client IPs** are discussed under the [docker-openvpn/docs](https://github.com/kylemanna/docker-openvpn/tree/master/docs) folder.

    Report bugs to the [docker-openvpn issue tracker](https://github.com/kylemanna/docker-openvpn/issues).







    ## Notes, DO NOT PUBLISH

    * [How To Write an Article for the DigitalOcean Community](https://www.digitalocean.com/community/tutorials/how-to-write-an-article-for-the-digitalocean-community)
    * [How To Format DigitalOcean Articles For Publication](https://www.digitalocean.com/community/tutorials/how-to-format-digitalocean-articles-for-publication)
  22. kylemanna revised this gist Dec 15, 2014. 1 changed file with 17 additions and 16 deletions.
    33 changes: 17 additions & 16 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -4,9 +4,9 @@

    This tutorial will explain how to setup and run an [OpenVPN](http://openvpn.net/index.php/open-source) container with the help of [Docker](https://docker.com).

    OpenVPN provides a way to create virtual private networks (VPNs) using TLS (evolution of SSL) encryption. OpenVPN protects the network traffic from eavesdropping and man-in-the-middle (MITM) attacks. The private network can be used to securely connect a device, such as a laptop or mobile phone running on an insecure WiFi network, to a remote server that then relays the traffic to the Internet. Private networks could also be created to securely connect devices to each other over the Internet.
    OpenVPN provides a way to create virtual private networks (VPNs) using TLS (evolution of SSL) encryption. OpenVPN protects the network traffic from eavesdropping and man-in-the-middle (MITM) attacks. The private network can be used to securely connect a device, such as a laptop or mobile phone running on an insecure WiFi network, to a remote server that then relays the traffic to the Internet. Private networks can also be used to securely connect devices to each other over the Internet.

    Docker provides a way to encapsulate the OpenVPN server process and configuration data so that it is more easily managed. The [Docker OpenVPN image is prebuilt](https://registry.hub.docker.com/u/kylemanna/openvpn) ([source is available](https://github.com/kylemanna/docker-openvpn)) and includes all of the necessary dependencies to run the server in a sane and stable environement. Scripts are included to significantly automate the standard use case, but still allow for full manual configuration if desired. A Docker volume container is used to hold the configuration and EasyRSA PKI certificate data as well.
    Docker provides a way to encapsulate the OpenVPN server process and configuration data so that it is more easily managed. The [Docker OpenVPN *image* is prebuilt](https://registry.hub.docker.com/u/kylemanna/openvpn) ([source is available](https://github.com/kylemanna/docker-openvpn)) and includes all of the necessary dependencies to run the server in a sane and stable environement. Scripts are included to significantly automate the standard use case, but still allow for full manual configuration if desired. A Docker *volume container* is used to hold the configuration and EasyRSA PKI certificate data as well.

    ### Example Use Cases
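Review bot: the typo `environement` in the Docker paragraph survives the rewrite of that line; change it to `environment` while the line is being touched. Emphasising *image* and *volume container* is helpful, since the two are easy to confuse in the later `docker run --volumes-from` steps.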

    @@ -16,18 +16,18 @@ Docker provides a way to encapsulate the OpenVPN server process and configuratio

    ### Goals

    * Setup the Docker daemon on Ubuntu 14.04 LTS
    * Setup a [Docker volume container](https://docs.docker.com/userguide/dockervolumes/#creating-and-mounting-a-data-volume-container) to hold the configuration data
    * Generate a EasyRSA PKI certificate authority (CA)
    * Extract auto generated client configuration files
    * Configure a select number of OpenVPN clients
    * Handle starting the Docker container on boot
    * Introduce advanced topics
    * Setup the Docker daemon on Ubuntu 14.04 LTS.
    * Setup a [Docker volume container](https://docs.docker.com/userguide/dockervolumes/#creating-and-mounting-a-data-volume-container) to hold the configuration data.
    * Generate a EasyRSA PKI certificate authority (CA).
    * Extract auto generated client configuration files.
    * Configure a select number of OpenVPN clients.
    * Handle starting the Docker container on boot.
    * Introduce advanced topics.

    ### Pre-Requisties

    * Linux shell knowledge. This guide largely assumes that the user is capable of setting up and running Linux daemons in the traditional sense.
    * Shell access on a remote server. A [DigitalOcean 1 CPU / 512 MB RAM droplet](https://www.digitalocean.com/?refcode=d19f7fe88c94) running Ubuntu 14.04 is assumed for this tutorial. Docker makes running the image on any host Linux distribution easy. Any virtual host will work as long as the host is running QEMU/KVM or Xen virtualization technology, *OpenVZ will not work*.
    * Shell access on a remote server. A [DigitalOcean 1 CPU / 512 MB RAM droplet](https://www.digitalocean.com/?refcode=d19f7fe88c94) running Ubuntu 14.04 is assumed for this tutorial. Docker makes running the image on any host Linux distribution easy. Any virtual host will work as long as the host is running QEMU/KVM or Xen virtualization technology, **OpenVZ will not work**.
    * A local client such as an Android phone, laptop or PC. Almost all operating systems are supported via various OpenVPN clients.

    ## Setup and Test Docker
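Review bot: the list edits add trailing periods but leave `Generate a EasyRSA PKI certificate authority` (should be `an EasyRSA`) and the heading `### Pre-Requisties` (should be `Pre-Requisites`) as they were; fix both in the same hunk. Bolding **OpenVZ will not work** is the right call, since that is the one prerequisite a reader cannot fix after provisioning the host.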
    @@ -38,7 +38,7 @@ Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep u

    curl https://get.docker.io/gpg | sudo apt-key add -

    2. Add the upstream Docker repository to apt's repository source list:
    2. Add the upstream Docker repository to system list:

    echo deb http://get.docker.io/ubuntu docker main | sudo tee /etc/apt/sources.list.d/docker.list
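Review bot: the new step 2 wording `Add the upstream Docker repository to system list` is less precise than the original `apt's repository source list` and drops the article; suggest `Add the upstream Docker repository to the system's apt source list`, which also tells the reader why the file lands under `/etc/apt/sources.list.d/`.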

    @@ -170,18 +170,19 @@ On Ubuntu 12.04/14.04 and Debian wheezy/jessie clients (and similar):

    systemctl enable openvpn@CLIENTNAME

    ### MacOS X via TunnelBlick (FIXME)
    ### MacOS X via TunnelBlick

    1. Download and install [TunnelBlick](https://code.google.com/p/tunnelblick/).
    1. Copy `CLIENTNAME.ovpn` from the server to the Mac.
    2. Import the configuration **TODO**
    2. Copy `CLIENTNAME.ovpn` from the server to the Mac.
    3. Import the configuration by double clicking the `*.ovpn` file copied earlier. TunnelBlick will be invoked and the import the configruation.
    4. Open TunnelBlick, select the configuration, select **connect**.

    ### Android via OpenVPN Connect

    1. Install the [OpenVPN Connect App](https://play.google.com/store/apps/details?id=net.openvpn.openvpn) from the Google Play store.
    2. Copy `CLIENTNAME.ovpn` from the server to the Android device in a secure manner. USB or microSD cards are safer. Place the file on your SD card to aid in opening it.
    3. Import the configuration: *Menu* -> *Import* -> *Import Profile from SD card*
    4. Click connect
    3. Import the configuration: **Menu** -> **Import** -> **Import Profile from SD card**
    4. Select **connect**.

    ## Verifying Operation
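Review bot: the new step 3 of the MacOS section has a grammar slip and a typo: `TunnelBlick will be invoked and the import the configruation` should read `TunnelBlick will be invoked and will import the configuration`. The old list numbered its first two items `1.`, `1.`, `2.`; renumbering them 1 through 4 fixes that, and `Select **connect**.` now matches the Android wording.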

  23. kylemanna revised this gist Dec 15, 2014. 1 changed file with 42 additions and 26 deletions.
    68 changes: 42 additions & 26 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -42,24 +42,27 @@ Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep u

    echo deb http://get.docker.io/ubuntu docker main | sudo tee /etc/apt/sources.list.d/docker.list

    3. Update apt's packages and install the Docker package:
    3. Update the package list and install the Docker package:

    sudo apt-get update && sudo apt-get install -y lxc-docker

    4. Add your user to the `docker` group to enable communication with the Docker daemon as a normal user, where $USER is your username:
    4. Add your user to the `docker` group to enable communication with the Docker daemon as a normal user, where $USER is your username. **Re-login for the new group to take affect**:

    usermod -aG docker $USER
    sudo usermod -aG docker $USER

    5. Reconnect to the server after issuing this command and verify group membership:

    id

    6. Optional: Run `bash` in a simple Debian Docker image (`--rm` to cleanup container after exit and `-it` for interactive):
    6. Optional: Run `bash` in a simple Debian Docker image (`--rm` to cleanup container after exit and `-it` for interactive) to verify Docker operation on host:

    docker run --rm -it debian:jessie bash -l

    In the container run the following and then logout, note the container hash (also hostname) is unqiue and everything that happens in the container is lost after the container exits thanks to the `--rm` argument:
    Expected response with additional check of Debian version:

    test0@tutorial0:~$ docker run --rm -it debian:jessie bash -l
    Unable to find image 'debian:jessie' locally
    debian:jessie: The image you are pulling has been verified
    511136ea3c5a: Pull complete
    36fd425d7d8a: Pull complete
    aaabd2b41e22: Pull complete
    Status: Downloaded newer image for debian:jessie
    root@de8ffd8f82f6:/# cat /etc/issue.net
    Debian GNU/Linux jessie/sid
    root@de8ffd8f82f6:/# logout
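Review bot: step 4's new bold sentence reads `take affect`; it should be `take effect`. Adding `sudo` to `usermod -aG docker $USER` is a necessary fix, since the old line fails for a non-root user. Since the step hands out `docker` group membership, it is worth one sentence saying that this is equivalent to root on the host (the daemon can bind-mount any path and start privileged containers), so the group should be granted only to the administrator following this tutorial.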
    @@ -80,31 +83,38 @@ This step is usually a headache for those familiar with OpenVPN or any services

    docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM:1194

    4. Generate the EasyRSA PKI certificate authority:
    4. Generate the EasyRSA PKI certificate authority, you will be prompted for a passphrase for the CA private key. Pick a good one and remember it, without the passphrase it will be impossible to issue and sign client certificates:

    docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki

    **Note, the security of the `$OVPN_DATA` container is important.** It contains all the private keys to impersonate the server and ability to steal client certificates. Keep this in mind and control access as appropriate. The default OpenVPN scripts use a passphrase for the CA key to increase security and prevents issuing bogus certificates.

    See advanced topics below for more details on how to backup the certificate store.
    See **Advanced Topics** below for more details on how to backup the certificate store.

    ## Launch the OpenVPN Server

    Launch the OpenVPN server process in its Docker container:
    1. To autostart the Docker container that runs OpenVPN server process (see [Docker Host Integration for more](https://docs.docker.com/articles/host_integration/)) create an *upstart* init file:

    cat <<EOF | sudo tee /etc/init/docker-openvpn.conf
    description "Docker container for OpenVPN server"
    start on filesystem and started docker
    stop on runlevel [!2345]
    respawn
    script
    exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
    end script
    EOF

    2. Start the process using *upstart* init mechanism:

    docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
    sudo start docker-openvpn

    To autostart the Docker container that runs OpenVPN server process (see [Docker Host Integratoin for more](https://docs.docker.com/articles/host_integration/)) create an upstart init file:
    3. Verify that the container started and didn't immediately crash by looking at the `STATUS` column:

    test0@tutorial0:~$ docker ps
    CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
    c3ca41324e1d kylemanna/openvpn:latest "ovpn_run" 2 seconds ago Up 2 seconds 0.0.0.0:1194->1194/udp focused_mestorf

    cat <<EOF | sudo tee /etc/init.d/docker-openvpn.conf
    description "Docker container for OpenVPN server"
    start on filesystem and started docker
    stop on runlevel [!2345]
    respawn
    script
    /usr/bin/docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
    end script
    EOF

    ## Setup OpenVPN Clients
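Review bot: the upstart job's `exec docker run --volumes-from ovpn-data ...` hardcodes the volume container name, while step 1 of the PKI section tells the reader to set `$OVPN_DATA` `as appropriate`; a reader who picked another name gets a job that respawns forever because the volume container is never found. Either write `$OVPN_DATA` into the heredoc (the unquoted `EOF` delimiter expands it when the file is created) or state that the name must be `ovpn-data`. Moving the job file from `/etc/init.d/` to `/etc/init/` is correct, since upstart reads jobs from `/etc/init`, and the `exec` prefix lets upstart track the docker client process directly. Also, step 4's `Generate the EasyRSA PKI certificate authority, you will be prompted ...` is a comma splice; split it into two sentences.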

    @@ -118,6 +128,10 @@ The clients need the certificates and a configuration file to connect. The embe

    docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn

    The resulting `CLIENTNAME.ovpn` file contains the private keys and certificates necessary to connect to the VPN. **Keep these files secure and not lying around**. You'll need to securely transport the `*.ovpn` files to the clients that will use them. Avoid using public services like e-mail or cloud storage if possible when transfering the files due to security concerns.

    Recommend methods of transfer are ssh/scp, https, USB, and microSD card where available.

    ### Ubuntu and Debian Distributions via native OpenVPN

    On Ubuntu 12.04/14.04 and Debian wheezy/jessie clients (and similar):
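Review bot: in the added paragraph, `Recommend methods of transfer` should be `Recommended methods of transfer` and `transfering` should be `transferring`. The security point itself is the right one: the paragraph says the `.ovpn` contains the private keys, so the file is a credential. It would help to say what to do after the transfer, for example remove the copy left in the working directory on the server, or restrict it with the same `install -o root -m 400` used on the client.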
    @@ -162,10 +176,12 @@ On Ubuntu 12.04/14.04 and Debian wheezy/jessie clients (and similar):
    1. Copy `CLIENTNAME.ovpn` from the server to the Mac.
    2. Import the configuration **TODO**

    ### Android via OpenVPN Connect (FIXME)
    ### Android via OpenVPN Connect

    1. Copy `CLIENTNAME.ovpn` from the server to the Android device in a secure manner. Avoid using cloud services like e-mail or cloud storage if possible due to security concerns. USB or microSD cards are safer.
    2. Import the configuration.
    1. Install the [OpenVPN Connect App](https://play.google.com/store/apps/details?id=net.openvpn.openvpn) from the Google Play store.
    2. Copy `CLIENTNAME.ovpn` from the server to the Android device in a secure manner. USB or microSD cards are safer. Place the file on your SD card to aid in opening it.
    3. Import the configuration: *Menu* -> *Import* -> *Import Profile from SD card*
    4. Click connect

    ## Verifying Operation
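Review bot: the MacOS section's step 2 still reads `Import the configuration **TODO**` in the context lines of this hunk, so the tutorial is not yet complete for Mac clients; fill that in before publishing (the Dec 15 revision above does). In the new Android list, `4. Click connect` lacks a trailing period, while the other items end with one.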

  24. kylemanna revised this gist Dec 14, 2014. 1 changed file with 9 additions and 9 deletions.
    18 changes: 9 additions & 9 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -2,31 +2,31 @@

    ### Introduction

    This tutorial will explain how to setup and run an OpenVPN container with the help of Docker.
    This tutorial will explain how to setup and run an [OpenVPN](http://openvpn.net/index.php/open-source) container with the help of [Docker](https://docker.com).

    OpenVPN provides a way to create virtual private networks (VPNs) using TLS (evolution of SSL) encryption. OpenVPN protects the network traffic from eavesdropping and man-in-the-middle (MITM) attacks. The private network can be used to securely connect a device, such as a laptop or mobile phone running on an insecure WiFi network, to a remote server that then relays the traffic to the Internet. Private networks could also be created to securely connect devices to each other over the Internet.

    Docker provides a way to encapsulate the OpenVPN server process and configuration data so that it is more easily managed. The Docker OpenVPN image is prebuilt (source is available) and includes all of the necessary dependencies to run the server in a sane and stable environement. Scripts are included to significantly automate the standard use case, but still allow for full manual configuration if desired. A Docker volume container is used to hold the configuration and EasyRSA PKI certificate data as well.
    Docker provides a way to encapsulate the OpenVPN server process and configuration data so that it is more easily managed. The [Docker OpenVPN image is prebuilt](https://registry.hub.docker.com/u/kylemanna/openvpn) ([source is available](https://github.com/kylemanna/docker-openvpn)) and includes all of the necessary dependencies to run the server in a sane and stable environement. Scripts are included to significantly automate the standard use case, but still allow for full manual configuration if desired. A Docker volume container is used to hold the configuration and EasyRSA PKI certificate data as well.

    ### Example Use Cases

    * Private network to connecting a mobile laptop, office computer, home PC, and mobile phone.
    * Secure route to the Internet when on untrusted public (WiFi) networks.
    * Securely route to the Internet when on untrusted public (WiFi) networks.
    * Private network to connect a mobile laptop, office computer, home PC, and mobile phone.
    * Private network for secure services behind NAT routers that don't have NAT traversal capabilities.

    ### Goals (FIXME)
    ### Goals

    * Setup the Docker daemon on Ubuntu 14.04 LTS
    * Setup a Docker volume container to hold the configuration data
    * Setup a [Docker volume container](https://docs.docker.com/userguide/dockervolumes/#creating-and-mounting-a-data-volume-container) to hold the configuration data
    * Generate a EasyRSA PKI certificate authority (CA)
    * Extract auto generated client configuration files
    * Configure a select number of OpenVPN clients
    * Handle starting the Docker container on boot
    * Introduce advanced topic
    * Introduce advanced topics

    ### Pre-Requisties

    * Basic Linux shell knowledge. This guide largely assumes that the user is capable of setting up and running Linux daemons in a traditional sense.
    * Linux shell knowledge. This guide largely assumes that the user is capable of setting up and running Linux daemons in the traditional sense.
    * Shell access on a remote server. A [DigitalOcean 1 CPU / 512 MB RAM droplet](https://www.digitalocean.com/?refcode=d19f7fe88c94) running Ubuntu 14.04 is assumed for this tutorial. Docker makes running the image on any host Linux distribution easy. Any virtual host will work as long as the host is running QEMU/KVM or Xen virtualization technology, *OpenVZ will not work*.
    * A local client such as an Android phone, laptop or PC. Almost all operating systems are supported via various OpenVPN clients.
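Review bot: `Setup` is used as a verb throughout the Goals list (`Setup the Docker daemon`, `Setup a Docker volume container`); as a verb it is two words, `Set up`, while the noun `setup` is one. The rest of the rewording, in particular linking the prebuilt image and its source repository, is an improvement because a reader can inspect the Dockerfile before running the image on their host.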

    @@ -102,7 +102,7 @@ To autostart the Docker container that runs OpenVPN server process (see [Docker
    stop on runlevel [!2345]
    respawn
    script
    /usr/bin/docker run --volumes-from ovpn-data -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
    /usr/bin/docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
    end script
    EOF
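Review bot: replacing `-d` with `--rm` in the upstart `script` block is the right fix: with `respawn` set, a detached `docker run -d` returns as soon as the container starts, upstart treats the job as exited and respawns it, launching another container each time. Keeping `docker run` in the foreground ties the job's lifetime to the container, and `--rm` removes the stopped container after a restart so stale containers do not accumulate.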

  25. kylemanna revised this gist Dec 14, 2014. 1 changed file with 119 additions and 7 deletions.
    126 changes: 119 additions & 7 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -8,12 +8,19 @@ OpenVPN provides a way to create virtual private networks (VPNs) using TLS (evol

    Docker provides a way to encapsulate the OpenVPN server process and configuration data so that it is more easily managed. The Docker OpenVPN image is prebuilt (source is available) and includes all of the necessary dependencies to run the server in a sane and stable environement. Scripts are included to significantly automate the standard use case, but still allow for full manual configuration if desired. A Docker volume container is used to hold the configuration and EasyRSA PKI certificate data as well.

    ### Example Use Cases

    * Private network to connecting a mobile laptop, office computer, home PC, and mobile phone.
    * Secure route to the Internet when on untrusted public (WiFi) networks.
    * Private network for secure services behind NAT routers that don't have NAT traversal capabilities.

    ### Goals (FIXME)

    * Setup the Docker daemon on Ubuntu 14.04 LTS
    * Fetch a prebuilt Docker image from Docker Hub
    * Setup a Docker volume container to hold the configuration data
    * Generate a EasyRSA PKI certificate authority (CA)
    * Extract auto generated client configuration files
    * Configure a select number of OpenVPN clients
    * Handle starting the Docker container on boot
    * Introduce advanced topic
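Review bot: the first use case bullet, `Private network to connecting a mobile laptop ...`, should read `Private network connecting a mobile laptop ...` (or `to connect`). In the added goals, `Extract auto generated client configuration files` reads better as `auto-generated`.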

    @@ -51,33 +58,138 @@ Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep u

    docker run --rm -it debian:jessie bash -l

    In the container run the following and then logout, note the container hash is unqiue:
    In the container run the following and then logout, note the container hash (also hostname) is unqiue and everything that happens in the container is lost after the container exits thanks to the `--rm` argument:

    root@de8ffd8f82f6:/# cat /etc/issue.net
    Debian GNU/Linux jessie/sid
    root@de8ffd8f82f6:/# logout

    ## Setup the EasyRSA PKI Certificate Store

    This step is usually a headache for those familiar with OpenVPN or any services utilizing PKI. Luckily Docker and the scripts in the Docker image simplify this step by generating configuration files and all the necessary certificate files for us.

    1. Create a volume container, this tutorial will use `$OVPN_DATA` environmental variable to make it copy-paste friendly. Set as appropriate:

    OVPN_DATA="ovpn-data"

    2. Create an empty Docker volume container using busybox as a minimal Docker image:

    docker run --name $OVPN_DATA -v /etc/openvpn busybox

    3. Initalize the `$OVPN_DATA` container that will hold the configuration files and certificates, replace `VPN.SERVERNAME.COM` with your FQDN:

    docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM:1194

    4. Generate the EasyRSA PKI certificate authority:

    docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki

    **Note, the security of the `$OVPN_DATA` container is important.** It contains all the private keys to impersonate the server and ability to steal client certificates. Keep this in mind and control access as appropriate. The default OpenVPN scripts use a passphrase for the CA key to increase security and prevents issuing bogus certificates.

    See advanced topics below for more details on how to backup the certificate store.

    ## Launch the OpenVPN Server

    Launch the OpenVPN server process in its Docker container:

    docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn

    To autostart the Docker container that runs OpenVPN server process (see [Docker Host Integratoin for more](https://docs.docker.com/articles/host_integration/)) create an upstart init file:

    cat <<EOF | sudo tee /etc/init.d/docker-openvpn.conf
    description "Docker container for OpenVPN server"
    start on filesystem and started docker
    stop on runlevel [!2345]
    respawn
    script
    /usr/bin/docker run --volumes-from ovpn-data -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
    end script
    EOF

    ## Setup OpenVPN Clients

    ### Ubuntu via native OpenVPN
    Create a client certificate using the PKI CA setup above for each client, replace `CLIENTNAME` as appropriate (this doesn't have to be a FQDN):

    docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass

    After each client is created the server is ready to accept connections.

    The clients need the certificates and a configuration file to connect. The embedded scripts automate this task and enable the user to write out a configuration to a single file that can then be transfered to the client, again replace `CLIENTNAME` as appropriate:

    docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn

    ### Ubuntu and Debian Distributions via native OpenVPN

    On Ubuntu 12.04/14.04 and Debian wheezy/jessie clients (and similar):

    1. Install OpenVPN:

    sudo apt-get install openvpn

    2. Copy the client configuration file from the server and set secure permissions:

    sudo install -o root -m 400 CLIENTNAME.ovpn /etc/openvpn/CLIENTNAME.conf

    3. Configure the init scripts to autostart all configurations matching `/etc/openvpn/*.conf`:

    echo AUTOSTART=all | sudo tee -a /etc/default/openvpn

    4. Restart the OpenVPN client's server process:

    sudo /etc/init.d/openvpn restart

    ### Arch Linux via native OpenVPN

    ### MacOS X via TunnelBlock
    1. Install OpenVPN:

    pacman -Sy openvpn

    2. Copy the client configuration file from the server and set secure permissions:

    sudo install -o root -m 400 CLIENTNAME.ovpn /etc/openvpn/CLIENTNAME.conf

    3. Start OpenVPN client's server process:

    systemctl start openvpn@CLIENTNAME

    4. Optional: configure systemd to start `/etc/openvpn/CLIENTNAME.conf` at boot:

    systemctl enable openvpn@CLIENTNAME

    ### MacOS X via TunnelBlick (FIXME)

    ### Android via OpenVPN Connect
    1. Download and install [TunnelBlick](https://code.google.com/p/tunnelblick/).
    1. Copy `CLIENTNAME.ovpn` from the server to the Mac.
    2. Import the configuration **TODO**

    ### Android via OpenVPN Connect (FIXME)

    1. Copy `CLIENTNAME.ovpn` from the server to the Android device in a secure manner. Avoid using cloud services like e-mail or cloud storage if possible due to security concerns. USB or microSD cards are safer.
    2. Import the configuration.

    ## Verifying Operation

    If routing all the traffic to the web via the OpenVPN, check a website and the IP address of the OpenVPN server. Try [Google](http://goo.gl/OWYTAK) or [ifconfig.me](https://ifconfig.me).

    Review your network interface configuration. On Unix based operating systems this is as simple as running `ifconfig` in a terminal, look for OpenVPN's `tunX` interface when it's connected.

    Review logs. On Unix systems check `/var/log` on old distributions or `journalctl` on systemd distributions.

    ## Advanced Topics

    ### Reporting Bugs
    The Docker image built to run this is open source and capable of much more then described here.

    The [docker-openvpn source repository](https://github.com/kylemanna/docker-openvpn) is available for review of the code as well as forking for modifications. Pull requests for general features or bugfixes are welcome.

    Advanced topics such as **backup** and **static client IPs** are discussed under the [docker-openvpn/docs](https://github.com/kylemanna/docker-openvpn/tree/master/docs) folder.

    Report bugs to the [docker-openvpn issue tracker](https://github.com/kylemanna/docker-openvpn/issues).






    ### Upstream Source Code

    ## Notes, DO NOT PUBLISH
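Review bot: the upstart job in the Launch section is written to `/etc/init.d/docker-openvpn.conf`, but upstart reads job files from `/etc/init/`; as written the job will never be picked up. The `script` block also runs `docker run ... -d`, which returns immediately and, combined with `respawn`, makes upstart restart the job repeatedly, starting a new container each time. Use `/etc/init/docker-openvpn.conf` and drop `-d`. Two smaller points: `easyrsa build-client-full CLIENTNAME nopass` creates a client key with no passphrase, so the `.ovpn` produced by `ovpn_getclient` is a bare credential and the `install -o root -m 400` step is what protects it on the client; worth saying so where the file is generated. And `Docker Host Integratoin` in the link text should be `Integration`.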

  26. kylemanna revised this gist Dec 14, 2014. 1 changed file with 43 additions and 7 deletions.
    50 changes: 43 additions & 7 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -4,23 +4,59 @@

    This tutorial will explain how to setup and run an OpenVPN container with the help of Docker.

    ### Goals
    OpenVPN provides a way to create virtual private networks (VPNs) using TLS (evolution of SSL) encryption. OpenVPN protects the network traffic from eavesdropping and man-in-the-middle (MITM) attacks. The private network can be used to securely connect a device, such as a laptop or mobile phone running on an insecure WiFi network, to a remote server that then relays the traffic to the Internet. Private networks could also be created to securely connect devices to each other over the Internet.

    * Setup Docker daemon on Ubuntu 14.04 LTS
    Docker provides a way to encapsulate the OpenVPN server process and configuration data so that it is more easily managed. The Docker OpenVPN image is prebuilt (source is available) and includes all of the necessary dependencies to run the server in a sane and stable environement. Scripts are included to significantly automate the standard use case, but still allow for full manual configuration if desired. A Docker volume container is used to hold the configuration and EasyRSA PKI certificate data as well.

    ### Goals (FIXME)

    * Setup the Docker daemon on Ubuntu 14.04 LTS
    * Fetch a prebuilt Docker image from Docker Hub
    * Setup a Docker volume container to hold the configuration data and PKI certificates
    * Setup a Docker volume container to hold the configuration data
    * Generate a EasyRSA PKI certificate authority (CA)
    * Handle starting the Docker container on boot
    * Introduce advanced topic

    ### Pre-Requisties

    * Shell access on a remote DigitalOcean server. Ubuntu 14.04 is assumed, but Docker makes running the image on any host Linux distribution easy. Other virtual hosts will work as long as the host is running QEMU/KVM or Xen virtualization technology, *OpenVZ will not work*.
    * A local client such as an Android phone, laptop or PC. Almost all operating systems are supported via various clients.

    ### Motivation for Using Docker
    * Basic Linux shell knowledge. This guide largely assumes that the user is capable of setting up and running Linux daemons in a traditional sense.
    * Shell access on a remote server. A [DigitalOcean 1 CPU / 512 MB RAM droplet](https://www.digitalocean.com/?refcode=d19f7fe88c94) running Ubuntu 14.04 is assumed for this tutorial. Docker makes running the image on any host Linux distribution easy. Any virtual host will work as long as the host is running QEMU/KVM or Xen virtualization technology, *OpenVZ will not work*.
    * A local client such as an Android phone, laptop or PC. Almost all operating systems are supported via various OpenVPN clients.

    ## Setup and Test Docker

    Docker is moving fast and Ubuntu's long term support (LTS) policy doesn't keep up. To work around this we'll install a PPA that will get us the latest version of Docker.

    1. Add the upstream Docker repository package signing key:

    curl https://get.docker.io/gpg | sudo apt-key add -

    2. Add the upstream Docker repository to apt's repository source list:

    echo deb http://get.docker.io/ubuntu docker main | sudo tee /etc/apt/sources.list.d/docker.list

    3. Update apt's packages and install the Docker package:

    sudo apt-get update && sudo apt-get install -y lxc-docker

    4. Add your user to the `docker` group to enable communication with the Docker daemon as a normal user, where $USER is your username:

    usermod -aG docker $USER

    5. Reconnect to the server after issuing this command and verify group membership:

    id

    6. Optional: Run `bash` in a simple Debian Docker image (`--rm` to cleanup container after exit and `-it` for interactive):

    docker run --rm -it debian:jessie bash -l

    In the container run the following and then logout, note the container hash is unqiue:

    root@de8ffd8f82f6:/# cat /etc/issue.net
    Debian GNU/Linux jessie/sid
    root@de8ffd8f82f6:/# logout

    ## Setup the EasyRSA PKI Certificate Store

    ## Launch the OpenVPN Server
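Review bot: step 4's `usermod -aG docker $USER` is the only command in the list without `sudo`; run as a normal user it fails with a permission error, and the step should read `sudo usermod -aG docker $USER`. Step 5's `id` check is useful, but only after logging out and back in, since supplementary groups are read at login; say so explicitly. The intro sentence calls the Docker repository a `PPA`; `get.docker.io` is Docker's own apt repository, not a Launchpad PPA, so `apt repository` is the accurate term. Minor: `unqiue` should be `unique`.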
  27. kylemanna created this gist Dec 14, 2014.
    49 changes: 49 additions & 0 deletions DigitalOcean + OpenVPN + Docker.md
    @@ -0,0 +1,49 @@
    # How To Run OpenVPN in a Docker Container

    ### Introduction

    This tutorial will explain how to setup and run an OpenVPN container with the help of Docker.

    ### Goals

    * Setup Docker daemon on Ubuntu 14.04 LTS
    * Fetch a prebuilt Docker image from Docker Hub
    * Setup a Docker volume container to hold the configuration data and PKI certificates
    * Handle starting the Docker container on boot
    * Introduce advanced topic

    ### Pre-Requisties

    * Shell access on a remote DigitalOcean server. Ubuntu 14.04 is assumed, but Docker makes running the image on any host Linux distribution easy. Other virtual hosts will work as long as the host is running QEMU/KVM or Xen virtualization technology, *OpenVZ will not work*.
    * A local client such as an Android phone, laptop or PC. Almost all operating systems are supported via various clients.

    ### Motivation for Using Docker

    ## Setup and Test Docker

    ## Setup the EasyRSA PKI Certificate Store

    ## Launch the OpenVPN Server

    ## Setup OpenVPN Clients

    ### Ubuntu via native OpenVPN

    ### Arch Linux via native OpenVPN

    ### MacOS X via TunnelBlock

    ### Android via OpenVPN Connect

    ## Verifying Operation

    ## Advanced Topics

    ### Reporting Bugs

    ### Upstream Source Code

    ## Notes, DO NOT PUBLISH

    * [How To Write an Article for the DigitalOcean Community](https://www.digitalocean.com/community/tutorials/how-to-write-an-article-for-the-digitalocean-community)
    * [How To Format DigitalOcean Articles For Publication](https://www.digitalocean.com/community/tutorials/how-to-format-digitalocean-articles-for-publication)
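Review bot: two headings in the skeleton carry typos that should be fixed before the sections are filled in: `### MacOS X via TunnelBlock` should be `TunnelBlick` (the client's actual name), and `### Pre-Requisties` should be `Pre-Requisites`. The `## Notes, DO NOT PUBLISH` section is fine as a working list, but since a gist's revision history is public it will remain visible even after it is removed.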