Quick instructions:
./scripts/start
./scripts/new_client client_name
A client certificate (client_name.pem) and ovpn config file (client_name.ovpn) have been generated in /etc/openvpn. Transfer the config file to the client device over a secure channel, and it should be able to connect to the OpenVPN server.
The .ovpn file embeds all the required configuration and credentials. It has been tested successfully on Android clients. I should test it on Linux & Windows. If you can test it on OS X and iPhone, let me know!
If you reboot the server (or restart the container), the configuration stored in /etc/openvpn will be picked up, and clients should be able to reconnect with their existing config.
When the symmetric/dockvpn image is started, it generates:
- Diffie-Hellman parameters
- a CA private key
- a self-signed CA certificate
- a private key for the OpenVPN server, signed by the CA
- an OpenVPN server configuration for TCP
Then, it starts an OpenVPN server processes on 443/tcp.
The configuration is located in /etc/openvpn, and the Docker incantation
declares that directory as a host-mounted volume. It means that you can start another
container with the -v flag, and access the configuration. It also
means that the generated config will persist if the container is destroyed.
Client config is generated by the new_client script in the container.
The ./scripts/start script takes the following arguments:
-i <LOCAL_IP> The local IP address of the system, if it's not the same
as the external IP. If this argument is not passed, the
script will attempt to infer the system's IP using the
http://myip.enix.org/ service.
-p <LOCAL_PORT> The local port that the OpenVPN server should be run on.
Default is 443.
The ./scripts/new_client script takes the following arguments:
-i <EXT_IP> The external IP address of the system that the client
should use to connect to the VPN.
If this argument is not passed, the script will attempt
to infer the system's IP using the http://myip.enix.org/ service.
-p <EXT_PORT> The external port of the system, which may be different
if the server is NAT'ed.
If NAT is in use, set this to the WAN port that is being forwarded
to LOCAL_IP:LOCAL_PORT.
Default is 443.
We use tun mode, because it works on the widest range of devices.
tap mode, for instance, does not work on Android, except if the device
is rooted.
The topology used is net30, because it works on the widest range of OS.
p2p, for instance, does not work on Windows.
The TCP server uses 192.168.255.0/25.
The client profile specifies redirect-gateway def1, meaning that after
establishing the VPN connection, all traffic will go through the VPN.
This might cause problems if you use local DNS recursors which are not
directly reachable, since you will try to reach them through the VPN
and they might not answer to you. If that happens, use public DNS
resolvers like those of Google (8.8.4.4 and 8.8.8.8) or OpenDNS
(208.67.222.222 and 208.67.220.220).
A keypair and config file is generated for each client that is created. The config file should be distributed over a secure channel, since anyone with that file can access the VPN. If a client key is compromized, it can be revoked by deleting the client_name* files from the /etc/openvpn directory.
As it is not authenticated or encrypted, UDP is not permitted.