docker-vpn is an alternative to installing VPN software on your host system and routing all your traffic through a VPN. This is useful if you want to have control over which traffic is sent through the VPN. Sending all your traffic through a VPN is a privacy concern and limits your internet connection to the speed of your VPN.
The ethack/vpn Docker image and accompanying shell script provide the following:
- OpenVPN client
- Cisco AnyConnect or Juniper Pulse client
- SSH server (default port 2222) with public key authentication enabled and configured
- SOCKS 5 server (default port 1080)
- SSH config file entry created for each VPN connection
- Install Docker using the instructions or use
curl -fsSL https://get.docker.com -o get-docker.sh | shif you have a supported linux distro and like to live dangerously. - Source
vpn.shin your.bashrcfile or current shell. E.g.source vpn.sh
# openvpn NAME [OpenVPN args...]
# e.g.
openvpn foo https://vpn.example.com
# openconnect NAME [OpenConnect args...]
# e.g.
openconnect bar https://vpn.example.com
The first argument is an arbitrary name that you give your VPN connection. This is used in the Docker container names and the SSH config file. The rest of the arguments are passed to the VPN client. Each example above will connect to a VPN located at vpn.example.com.
Once connected, you will see a message telling you which ports are available and the name of the ssh config profile.
============================================
SSH Port: 2222
SOCKS Proxy Port: 1080
Use: ssh foo
============================================
I recommend using a proxy switcher browser extension like one of the following. This allows you to quickly switch proxies on/off or tunnel certain websites through a proxy while letting all other traffic go through your default gateway.
openvpn foo
To connect to the foo VPN put your config file at ~/.vpn/foo.ovpn and then you can run openvpn foo to automatically use the corresponding config file.
You can optionally put your credentials in ~/.vpn/foo.creds. The username goes on the first line and the password on the second line. This gives up some security for the convenience of not having to enter your username and password. You will still be prompted for your 2FA code if your VPN endpoint requires it. You can run chmod 600 ~/.vpn/foo.creds to ensure only the file owner can read it.
You can customize options by setting the following environment variables. The defaults are shown below.
BIND_INTERFACE: 127.0.0.1SSH_PORT: 2222SOCKS_PORT: 1080AUTHORIZED_KEYS: Any keys allowed to SSH as the current user to the current machine, any keys configured inssh-agent, and any keys found in~/.ssh/*.pub.
docker-vpn provides all the power of an OpenSSH server. For example:
- Dynamic port forwarding (SOCKS proxy)
ssh -D 1080 foo- Starts a socks5 proxy on port 1080. Connections using this proxy will be tunneled through SSH into the container and then tunneled to thefoonetwork through the VPN client. - Local port forwarding
ssh -L 8080:private.foo.com:80 foo- Forwards port 80 on private.foo.com so that you can access it from localhost:8080. - Jump hosts
ssh -J foo user@private.foo.com- Allows connecting via SSH to a remote server private.foo.com that is not directly accessible but is accessible by using the docker-vpnfooas a jump host. (Requires OpenSSH 7.3) - TUN/TAP support - SSH has builtin tunneling support. This is similar to just connecting directly with OpenVPN or OpenConnect software, but gives you the power (and responsibility) to configure your own routing.
- If you have multiple VPNs you want to connect to at once, you have to choose ports that do not conflict.
- VPN configurations can be wildly different. I created these to make my specific use case easier. Other configurations may require passing in your own command line options and adding your own volume mounts.