OpenVPN for Docker
Setup a tiny(12MB), but full featured and secure OpenVPN server without effort using Docker.
Quick Start
Create the
volume containerexport OVPN_DATA=openvpn_data docker volume create --name $OVPN_DATA
Initialize the
container that will hold the configuration files and certificatesdocker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn initopenvpn -u udp://VPN.SERVERNAME.COM docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn initpki
Start OpenVPN server process
docker run --name openvpn -v $OVPN_DATA:/etc/openvpn -v /etc/localtime:/etc/localtime:ro -d -p 1194:1194/udp --cap-add=NET_ADMIN martin/openvpn
Generate a client certificate
docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn easyrsa build-client-full CLIENTNAME
Or without a passphrase (only do this for testing purposes)
docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn easyrsa build-client-full CLIENTNAME nopass
Retrieve the client configuration with embedded certificates
docker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn getclient CLIENTNAME > CLIENTNAME.ovpn
Or retrieve the client configuration with mssfix set to a lower value (yay Ziggo WifiSpots)
docker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn getclient -M 1312 CLIENTNAME > CLIENTNAME.ovpn
Revoke a client certificate
If you need to remove access for a client then you can revoke the client certificate by running
docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn revokeclient CLIENTNAME
List all generated certificate names (includes the server certificate name)
docker run -v $OVPN_DATA:/etc/openvpn --rm martin/openvpn listcerts
Renew the CRL
docker run -v $OVPN_DATA:/etc/openvpn --rm -it martin/openvpn renewcrl
To enable (bash) debug output set an environment variable with the name DEBUG and value of 1 (using "docker -e") for example
docker run -e DEBUG=1 --name openvpn -v $OVPN_DATA:/etc/openvpn -v /etc/localtime:/etc/localtime:ro -d -p 1194:1194/udp --cap-add=NET_ADMIN martin/openvpn
To view the log output run
docker logs openvpn
, to view it realtime rundocker logs -f openvpn
Settings and features
OpenVPN 2.6.1
Easy-RSA v3.0.1+
mode because it works on the widest range of devices.tap
mode, for instance, does not work on Android, except if the device is rooted. -
The UDP server uses
for clients. -
TLS 1.2 minimum
TLS auth key for HMAC security
Diffie-Hellman parameters for perfect forward secrecy
Verification of the server certificate subject
Extended Key usage check of both client and server certificates
2048 bits key size
Client certificate revocation functionality
SHA256 signature hash
AES-256-CBC cipher
Compression enabled and set to adaptive
Floating client ip's enabled
Tweaks for Windows clients
topology because it works on the widest range of OS's.p2p
, for instance, does not work on Windows. -
Google DNS ( and
The configuration is located in
Certificates are generated in
Tested On
- Clients
- Android, OpenVPN Connect 1.1.14 (built 56)
- Android, OpenVPN for Android 0.6.50
- Windows 10 64 bit using openvpn-2.4.0
Based on kylemanna/docker-openvpn.