/antizapret-vpn-docker

Docker container with antizapret-vpn for selfhosting.

Primary LanguageShellMIT LicenseMIT

AntiZapret VPN in Docker

Easy-to-use Docker image based upon original AntiZapret LXD image for self-hosting.

Improvements

Installation

  1. Install Docker Engine: 
    curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
  2. Clone repository and start container: 
    git clone https://github.com/xtrime-ru/antizapret-vpn-docker.git antizapret
cd antizapret
docker compose pull
docker compose up -d
  3. Download keys
    After start of the container folders ./keys/client and ./configs will be created. Download .ovpn configs from ./keys/client directory and use to setup your clients. There will be UDP and TCP configurations. Use UDP for better performance. Use TCP in unstable conditions.

Wireguard server

  1. Generate password for wireguard admin panel 
    docker run --rm ghcr.io/wg-easy/wg-easy wgpw 'YOUR_PASSWORD' | sed "s/'//g" | sed -r 's/\$/\$\$/g' | tee ./wireguard/wireguard.env
  2. Start container 
    docker compose -f docker-compose.wireguard.yml pull
docker compose -f docker-compose.wireguard.yml up -d
  3. Open http://YOUR_SERVER_IP:51821 and create new client

IPsec/XAuth (Cisco IPsec) server

Important notice: not all clients support tunnel-split (send only part of traffic via VPN). For example Apple devices will not be able to connect to this server.

Its recomended to use OpenVPN or Wireguard instead.

  1. Create settings file: 
    cp ipsec/ipsec.env.example ipsec/ipsec.env
  2. Fill your creditentials in ipsec/ipsec.env
  3. Start 
    docker compose down
docker compose -f docker-compose.ipsec.yml up -d
  4. Setup your clients: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-xauth.md

Adguard

Antizapret-VPN can use external DNS resolvers. To start your own adguard docker container and use it as backend for antizapret:

docker compose down
docker compose -f docker-compose.adguard.yml up -d

Go to http://YOUR_SERVER_IP:3000 and setup adguard. You can leave all values default. Except port for adguard. Change it from 80 to 3000

Customize containers

Its recommended not to change docker-compose files, because it can break ability to git pull updates.

The correct way - is to create docker-compose.override.yml.

For example you want all transports and adguard, and modify env variables of antizapret-vpn:

services:
  antizapret-vpn:
    environment:
      - DNS=adguardhome
      - ADGUARD=1
      - OPENVPN_OPTIMIZATIONS=1
      - OPENVPN_TLS_CRYPT=1
    depends_on:
      - adguardhome
  adguardhome:
    extends:
      file: docker-compose.adguard.yml
      service: adguardhome
  ipsec:
    extends:
      file: docker-compose.ipsec.yml
      service: ipsec
  amnezia-wg-easy:
    extends:
      file: docker-compose.wireguard-amnezia.yml
      service: amnezia-wg-easy

docker compose will merge docker-compose.yml and your custom docker-compose.override.yml.

Start all containers from docker-compose.override.yml:

docker compose down && docker compose pull && docker compose up -d

Update:

git pull
docker compose pull
docker compose down && docker compose up -d

Documentation

Adding Domains/IPs

Any domains or IPs can be added or excluded from routing with config files from ./config directory. These lists are added/excluded to/from automatically generated lists of domains and IP's. Reboot container and wait few minutes for applying changes.

Its recommended to use *-regex-custom.txt files. You can debug your regular expressions online: https://regex101.com Here is few regex example:

  1. Exact match: 
    ^2ip\.ru$
  2. Subdomains only: 
    \.microsoft\.com$
    Will match any subdomain from microsoft.com. Both regular works same way.
  3. List of first level domains: 
    microsoft\.[^.]*$
microsoft\.(ru|com|com\.de)

Keys/Configs Persistence

Client and server keys are stored in ./keys. They are persistent between container and host restarts.

To regenerating the keys use the following commands:

docker compose down
rm -rf keys/{client,server}/keys/*.{crt,key}
docker compose up -d

Environment Variables

You can define these variables in docker-compose.yml file for your needs:

  • SKIP_UPDATE_FROM_ZAPRET=true - do not download and use list of all blocked domains from internet. Will reduce RAM consumption. Need to manually fill domains in *-custom.txt files.
  • UPDATE_TIMER=1d - blocked domains update interval
  • OPENVPN_HOST=example.com — will be used as a server address in .ovpn profiles upon keys generation (default: your server's IP)
  • OPENVPN_PORT=1194 — will be used as a server port in .ovpn profiles upon keys generation. (default: 1194) Also port need to be changed manually in docker-compose.yml. Replace %EXTERNAL_PORT% with port number, and dont change internal port, because this variable do not override openvpn server configs: 
    ports:
    - %EXTERNAL_PORT%:1194/tcp
    - %EXTERNAL_PORT%:1194/udp
  • OPENVPN_MTU=1420 - Set tun-mtu option with fixed value. (default: auto)
  • OPENVPN_OPTIMIZATIONS=1 - Enable tcp-nodelay, fast-io options and invrease sndbuf and rcvbuf. (default: 0)
  • OPENVPN_CBC_CIPHERS=1 - Enable support of legacy clients. WIll disable DCO
  • OPENVPN_SCRAMBLE=1 - Enable additional obfuscation XOR Tunneblick patch
  • OPENVPN_TLS_CRYPT=1 - Enable additional TLS encryption in OpenVPN. May help with connection obfuscation.
  • DNS=1.1.1.1 — DNS server to resolve domains (default: host DNS server)
  • DNS_RU=77.88.8.8 — Russian DNS server; used to fix issues with geo zones mismatch for domains like apple.com (default: 77.88.8.8)
  • LOG_DNS=1 - Log all DNS requests and responses (default: 0)
  • ADGUARD=1 - Resolve .ru, .рф and .su via DNS. By default, this zones resolved through DNS_RU. (default: 0)

Environment Variables for Wireguard and Wireguard Amnesia:

  • FORCE_FORWARD_DNS=true - Redirects UDP traffic on port 53 to AntiZapret DNS (default: false)
  • FORCE_FORWARD_DNS_PORTS="53 5353" - Parameter can be used to change port 53 for FORCE_FORWARD_DNS to one or more, separated by a space (default: 53)
  • For other environment variables, see the original manual Wireguard Amnesia or Wireguard.

Extra information

Enable OpenVPN Data Channel Offload (DCO)

OpenVPN Data Channel Offload (DCO) provides performance improvements by moving the data channel handling to the kernel space, where it can be handled more efficiently and with multi-threading. tl;dr it increases speed and reduces CPU usage on a server.

Kernel extensions can be installed only on a host machine, not in a container.

Ubuntu 24.04

sudo apt update
sudo apt upgrade
echo "#### Please reboot your system after upgrade ###" && sleep 100
sudo apt install -y efivar
sudo apt install -y openvpn-dco-dkms

Ubuntu 20.04, 22.04

sudo apt update
sudo apt upgrade 
echo "#### Please reboot your system after upgrade ###" && sleep 100
deb=openvpn-dco-dkms_0.0+git20231103-1_all.deb
sudo apt install -y efivar dkms linux-headers-$(uname -r)
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/openvpn-dco-dkms/$deb
sudo dpkg -i $deb

Legacy clients support

If your clients do not have GCM ciphers support you can use legacy CBC ciphers. DCO is incompatible with legacy ciphers and will be disabled. This is also increase CPU load.

  1. Set ENV variable CBC_CIPHERS=1 in docker-compose.yml.
  2. Restart container.
  3. Download and apply updated .ovpn files from keys/client/ folder.

Test speed with iperf3

iperf3 server is included in antizapret-vpn container.

  1. Connect to VPN
  2. Use iperf3 client on your phone or computer to check upload/download speed. Example 10 threads for 10 seconds and report result every second: 
    iperf3 -c 10.224.0.1 -i1 -t10 -P10
iperf3 -c 10.224.0.1 -i1 -t10 -P10 -R

Credits