/s6-openvpn

Minimal Alpine Linux based Docker container with OpenVPN and s6 as a process supervisor

Primary LanguageShellMIT LicenseMIT

Latest Tag Docker Build Docker Pulls

A minimal Alpine Linux based Docker container with OpenVPN and s6 as a process supervisor.

All traffic from within the container to the Internet is forced through a VPN tunnel by iptables rules and the container is configured to terminate in case the VPN connection drops.

Configuration

DNS servers

An alternative DNS server should be used to prevent DNS leaks. Use the DNS servers provided by the VPN provider or choose an alternative from the list that WikiLeaks has compiled.

OpenVPN

Two configuration files are required by OpenVPN. VPN providers usually have already made configuration files that can be used as is as the first file, named config.ovpn. The second file, named login.conf, is used as a value for auth-user-pass parameter and it must contain username on the first line and password on the second line. For more information on how to configure OpenVPN see the official documentation at the website.

Environment variables

NETMON_INTERVAL environment variable defines the interval in seconds between connection checks. If left undefined a default value of 60 seconds will be used. Environment variables can be passed using -e NETMON_INTERVAL=120 syntax.

Mount points

The container requires a couple of mount points to work, which are listed below. Host directories and files can be mounted using -v /host/path:/docker/path commandline argument.

Mandatory

The container requires that the following files are mounted from the host.

/mnt/
	openvpn/
		config.ovpn
		login.conf

Optional

OpenVPN process is configured to log its stdout and stderr into the files listed below. To persist logs mount a directory as /var/log/ or a file as a single log file.

/var/log/
	netmon/
		stdout.log
	openvpn/
		stderr.log
		stdout.log

SELinux

To use this container on a host that has SELinux enabled use the provided s6-openvpn.te policy module or create your own if it doesn't work. To compile and install the policy module run the following commands.

$ checkmodule -M -m s6-openvpn.te -o /tmp/s6-openvpn.mod
$ semodule_package -m /tmp/s6-openvpn.mod -o /tmp/s6-openvpn.pp
# semodule -i /tmp/s6-openvpn.pp

In addition to installing the module, the volumes must be mounted using the :Z mount option so that Docker will relabel the volumes with a correct security label.

Usage

To run the container interactively execute the following command. Modify the parameters to fit your environment.

# docker run -it --rm \
	--cap-add=NET_ADMIN --device=/dev/net/tun \
	--dns=8.8.8.8 --dns=8.8.4.4 \
	--volume ~/.config/openvpn:/mnt/openvpn:Z \
	scoobadog/s6-openvpn:latest

systemd service

A reliable way to start the container at boot time and restart it, if something goes wrong and the container shuts down, is to let systemd to manage the container. Use the following code snippet as a template, modify the parameters to fit your environment and save it as /usr/lib/systemd/system/s6-openvpn.service.

[Unit]
Description=s6-openvpn
After=docker.service
Requires=docker.service

[Service]
Restart=always
ExecStart=/usr/bin/docker run \
	--cap-add=NET_ADMIN --device=/dev/net/tun \
	--dns=8.8.8.8 --dns=8.8.4.4 \
	--volume ~/.config/openvpn:/mnt/openvpn:Z \
	--name openvpn scoobadog/s6-openvpn:latest
ExecStop=/usr/bin/docker stop -t 10 openvpn
ExecStopPost=/usr/bin/docker rm -f openvpn

[Install]
WantedBy=multi-user.target

To enable and start the service run the following commands.

# systemctl enable s6-openvpn
# systemctl start s6-openvpn

License

This project is licensed under the MIT License.