
openvpn

v2.7.0-alpine
Status
Up to Date
Current Tag
v2.7.0-alpine
Docker Hub Pulls
1.1K
Stars
0
Size (amd64)
15.9MB
Size (arm64)
16.2MB
Build Lineage
Build Digest 1be17c7602f7
Base Image alpine:latest
PKCS11_HELPER_VERSION 1.31.0
EASYRSA_VERSION 3.2.5

Dependency Health

all up to date
2/2 dependencies monitored
Up-to-date dependencies
PKCS11_HELPER_VERSION 1.31.0
EASYRSA_VERSION 3.2.5

Documentation

🔐 OpenVPN Docker Container built from sources with advanced security features


This is a simple Alpine-based container with OpenVPN built from sources.

Platforms

  • amd64
  • arm64
  • arm/v7

Features

  • 🔐 Built from sources
  • Dependent library pkcs11-helper built from sources
  • Embed Google Authenticator support

Usage

Docker

docker run -d --name openvpn \
    -p 1194:1194/udp \
    -v /path/to/config:/etc/openvpn \
    --cap-add=NET_ADMIN \
    --cap-add=NET_RAW \
    --device=/dev/net/tun \
    --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    --sysctl net.ipv6.conf.all.forwarding=1 \
    --sysctl net.ipv4.ip_forward=1 \
    --sysctl net.ipv4.conf.all.forwarding=1 \
    -e AUTO_INSTALL=y \
    -e AUTO_START=y \
    oorabona/openvpn

Docker Compose

version: '3.7'

services:
  openvpn:
    image: oorabona/openvpn
    container_name: openvpn
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - NET_RAW
    devices:
        - /dev/net/tun
    sysctls:
        - net.ipv6.conf.all.disable_ipv6=0
        - net.ipv6.conf.all.forwarding=1
        - net.ipv4.ip_forward=1
        - net.ipv4.conf.all.forwarding=1
    ports:
      - 1194:1194/udp
    volumes:
      - /path/to/config:/etc/openvpn

Configuration

OpenVPN

The container is configured to use the server.conf file located in /etc/openvpn as default configuration file. This file is generated from the script setup.sh located in /usr/local/bin and is based on the following environment variables:

  • APPROVE_INSTALL
  • IPV4_SUPPORT
  • IPV6_SUPPORT
  • PORT_CHOICE
  • PROTOCOL_CHOICE
  • DNS
  • COMPRESSION_ENABLED
  • CUSTOMIZE_ENC
  • CLIENT
  • PASS
  • CONTINUE
  • CLIENT_TO_CLIENT
  • BLOCK_OUTSIDE_DNS
  • OTP
  • EASYRSA_CRL_DAYS
  • SUBNET_IPv4
  • SUBNET_IPv6
  • SUBNET_MASKv4
  • SUBNET_MASKv6
  • ENDPOIN

For details about the meaning of each variable, please refer to the documentation.

Google Authenticator

The container ships the google-authenticator PAM module and verifies OTP codes through OpenVPN's PAM authentication plugin (built in with --enable-plugin-auth-pam, see Build options). The QR code for each user is stored as a PNG, on a per-user basis, under the /etc/openvpn/otp directory. Copy it out of the container rather than printing the binary to the terminal:

docker cp openvpn:/etc/openvpn/otp/username.png ./username.png

More information can be found on the wiki.

Build Arguments

The following build arguments can be passed to customize the container build:

Argument               Default   Description
VERSION                latest    OpenVPN version to build
UPSTREAM_VERSION       (empty)   Fallback upstream version if VERSION is not specified
OS_VERSION             latest    Alpine Linux version tag
PKCS11_HELPER_VERSION  1.31.0    pkcs11-helper library version
EASYRSA_VERSION        3.2.2     EasyRSA version for certificate management
NPROC                  1         Number of parallel processes for compilation

Build options

OpenVPN is built from sources using the following options:

  • --enable-iproute2 option to use the ip command instead of ifconfig
  • --enable-pkcs11 option to enable the pkcs11-helper library and support of PKCS#11 tokens (e.g. Yubikey)
  • --enable-plugin-auth-pam option to enable the pam authentication plugin (e.g. Google Authenticator uses this)
  • --enable-async-push option to allow asynchronous push of configuration options to the client (without waiting for a deferred authentication request to complete)
  • --enable-plugin-down-root option to allow the down-root plugin to be used (e.g. to drop privileges after the connection is established). Although this option is enabled, the down-root plugin is not used by default.
  • --enable-selinux option to enable the selinux support
  • --disable-systemd option to disable the systemd support
  • --disable-debug option to make the binary smaller
  • --disable-lzo and --disable-lz4 options to remove LZO and LZ4 compression support (compressing traffic before encryption exposes it to compression-oracle attacks such as VORACLE)
  • --enable-comp-stub option to keep only the compression framing stub, so no data is ever compressed while limited interoperability with compression-enabled peers is preserved

Security

SELinux

The container is configured to run with the spc_t SELinux context (the "super privileged container" type). Note that spc_t is an unconfined domain: the resources below are the paths the container needs, but spc_t does not restrict the container to them, so this label effectively switches SELinux confinement off rather than enforcing an allow-list.

  • /etc/openvpn directory
  • /etc/openvpn/otp directory
  • /etc/openvpn/otp/* files

Capabilities

The container is configured to run with the following capabilities:

  • NET_ADMIN
  • NET_RAW

Privileges

The container is configured to run as the root user. No effort has yet been made to run the container as a non-root user; the down-root plugin that would let openvpn itself drop privileges after the tunnel is up is compiled in but not enabled by default (see Build options).
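The build options and the Privileges note above describe properties the generated server.conf should match: no real compression, and, since the container itself is root, a daemon that drops privileges after start. The following audit script is an added example and not part of the oorabona/openvpn image. The directive names it looks for (comp-lzo, compress, tls-version-min, tls-crypt, tls-auth, user, group) are standard OpenVPN 2.x options; which checks to run, and the tls-crypt check in particular, are this example's choice, and the sample configs in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not part of the oorabona/openvpn image: audit an OpenVPN
# server.conf for the properties this build and its Privileges note imply.
# Directive names are standard OpenVPN 2.x; the set of checks is this
# example's choice.

# finding MESSAGE: print one finding and bump the counter.
finding() {
    printf 'finding: %s\n' "$1"
    findings=$((findings + 1))
}

# has_directive REGEX: test the comment-stripped config (in $body) for a
# directive at the start of a line.
has_directive() {
    printf '%s\n' "$body" | grep -Eq "^[[:space:]]*$1"
}

# audit_server_conf FILE: print findings, return their count (0 = clean).
audit_server_conf() {
    findings=0
    # Strip '#' and ';' comments and blank lines so every check sees bare
    # directives only.
    body=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1")

    # This build has LZO/LZ4 removed and only the compression stub enabled
    # (--disable-lzo --disable-lz4 --enable-comp-stub): "comp-lzo" or
    # "compress <alg>" cannot be honoured, and compressing data before
    # encryption is a compression-oracle risk anyway. A bare "compress"
    # (the stub, no algorithm) is fine.
    has_directive '(comp-lzo|compress[[:space:]]+[a-z0-9-]+)' \
        && finding "compression requested (comp-lzo / compress <alg>)"

    # Refuse TLS older than 1.2 on the control channel.
    has_directive 'tls-version-min[[:space:]]+1\.[2-9]' \
        || finding "tls-version-min 1.2 (or newer) not set"

    # Authenticate control-channel packets before the TLS handshake runs.
    has_directive '(tls-crypt|tls-crypt-v2|tls-auth)[[:space:]]' \
        || finding "no tls-crypt / tls-auth key"

    # The container runs as root (see Privileges); at least make the daemon
    # drop to an unprivileged uid/gid once the tunnel is up.
    has_directive 'user[[:space:]]+[^[:space:]]' \
        || finding "no 'user' directive: openvpn stays root after start"
    has_directive 'group[[:space:]]+[^[:space:]]' \
        || finding "no 'group' directive"

    return "$findings"
}

# Usage: sh audit_server_conf.sh /path/to/config/server.conf
# Exit status is the number of findings, so it can gate a deployment.
if [ $# -gt 0 ]; then
    audit_server_conf "$1"
fi
```

Run it against the server.conf in the volume you mount at /etc/openvpn; a config containing `comp-lzo` and none of the other directives yields five findings, while one with a bare `compress`, `tls-version-min 1.2`, a `tls-crypt` key and `user`/`group` lines yields none. Because the container already runs as root, the `user`/`group` drop only limits what a compromised openvpn process can do inside the container; it does not replace running the container as a non-root user.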

Security options

The container is configured to run with the following security options. no-new-privileges blocks setuid and capability gains inside the container, but seccomp=unconfined and apparmor=unconfined switch off the syscall filter and MAC profile Docker would otherwise apply, and the process already runs as root with NET_ADMIN. Where the host allows it, prefer Docker's default seccomp profile and only fall back to unconfined if OpenVPN actually fails to start under it:

  • no-new-privileges
  • seccomp=unconfined
  • apparmor=unconfined

Security labels

The container is configured to run with the following security labels:

  • label=disable
  • label=type:spc_t

Dependencies

The following third-party dependencies are pinned and monitored for updates:

Dependency      Version   Source                                   Monitoring
pkcs11-helper   1.31.0    GitHub Release (opensc/pkcs11-helper)    Enabled
EasyRSA         3.2.2     GitHub Release (OpenVPN/easy-rsa)        Enabled

References

License

MIT

Other projects