Back to Dashboard

openvpn

v2.7.5-alpine

OpenVPN server image with sane defaults and signed verifiable supply chain. Multi-arch, lightweight.

Trust posture

๐Ÿ“‹ SBOM ATTESTED๐Ÿ›ก TRIVY: 1 HIGH (advisory) ยท SCANNED 2026-07-10๐Ÿ— AMD64 + ARM64 ๐Ÿ”— 2/2 deps tracked daily ๐Ÿ” REPRODUCE THESE CHECKS LOCALLY
PULLS 4.4K
STARS 1

VERIFIABLE TRUST ARTIFACTS

Provenance

Build commit
ed67d41
Build digest
sha256:ff9cc868760f091a092749b08bbc53dc7a40648b8c32cc97bf6c8106eb91622b
Index digest
sha256:1ba3aff2e0423ac8e58aaf2fb92e8b6b350d48a745b5db83807234a829f8b5c3
Manifest digest (amd64)
sha256:303c9c271831738e1f4cac70df32dc39afb19adb9f0d73eca0fe8a6e7e678add
Manifest digest (arm64)
sha256:d08d51a014bb9521cbefccd804ec704cf1c7829841d83092b97a589087c1ec1d
SBOM attestation
34817650โ€ฆ
Trivy last scan
2026-07-10 20:41 UTC
Base image
Verify
gh attestation verify oci://ghcr.io/oorabona/openvpn:v2.7.5-alpine --owner oorabona guide โ†’

Security scan results

Trivy ยท last scan 2026-07-10

Last scan: (advisory mode โ€” Trivy runs continue-on-error in CI; we surface findings, we do not block builds on them).

0Critical
1High
0Medium
0Low
0Info

Top advisories (upstream, advisory)

  • CVE-2026-33630 (ERROR) โ€” openvpn โ€” c-ares: c-ares: Use-after-free / double-free in query-completion handling

โ†’ Full report via gh api โ€” see Verify Images.

Explore

Build lineagesha256:
Build Lineage
Build Digest sha256:ff9cc868760f091a092749b08bbc53dc7a40648b8c32cc97bf6c8106eb91622b
Base Image
OS_VERSION latest
PKCS11_HELPER_VERSION 1.31.0
EASYRSA_VERSION 3.2.6
Package summary n/a โ€” runtime parsed
Recent changes n/a โ€” runtime parsed
Build history n/a โ€” runtime fetched
Dependency health all up to date

Dependency Health

all up to date
2/2 dependencies monitored
Up-to-date dependencies
PKCS11_HELPER_VERSION 1.31.0 EASYRSA_VERSION 3.2.6

Documentation

README

๐Ÿ” OpenVPN Docker Container built from sources with advanced security features

Docker Image Version (latest semver) Docker Pulls Docker Stars GHCR

This is a simple Alpine based container with OpenVPN built from sources.

Platforms

  • amd64 Docker Image Size AMD64
  • arm64 Docker Image Size ARM64

Features

  • ๐Ÿ” Built from sources
  • Dependant library pkcs11-helper built from sources
  • Embed Google Authenticator support

Verify this image

Every build ships a Sigstore-signed SBOM and a full Trivy scan โ€” verify them yourself, no login required:

gh attestation verify oci://ghcr.io/oorabona/openvpn:latest --owner oorabona

Full walkthrough (SBOM payload, Trivy findings, multi-arch manifest inspection, upstream dependency tracking) โ†’ https://oorabona.github.io/docker-containers/verify-images/

Usage

Docker

docker run -d --name openvpn \
    -p 1194:1194/udp \
    -v /path/to/config:/etc/openvpn \
    --cap-add=NET_ADMIN \
    --cap-add=NET_RAW \
    --device=/dev/net/tun \
    --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    --sysctl net.ipv6.conf.all.forwarding=1 \
    --sysctl net.ipv4.ip_forward=1 \
    --sysctl net.ipv4.conf.all.forwarding=1 \
    -e AUTO_INSTALL=y \
    -e AUTO_START=y \
    oorabona/openvpn

Docker Compose

version: '3.7'

services:
  openvpn:
    image: oorabona/openvpn
    container_name: openvpn
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - NET_RAW
    devices:
        - /dev/net/tun
    sysctls:
        - net.ipv6.conf.all.disable_ipv6=0
        - net.ipv6.conf.all.forwarding=1
        - net.ipv4.ip_forward=1
        - net.ipv4.conf.all.forwarding=1
    ports:
      - 1194:1194/udp
    volumes:
      - /path/to/config:/etc/openvpn

Configuration

OpenVPN

The container is configured to use the server.conf file located in /etc/openvpn as default configuration file. This file is generated from the script setup.sh located in /usr/local/bin and is based on the following environment variables:

  • APPROVE_INSTALL
  • IPV4_SUPPORT
  • IPV6_SUPPORT
  • PORT_CHOICE
  • PROTOCOL_CHOICE
  • DNS
  • COMPRESSION_ENABLED
  • CUSTOMIZE_ENC
  • CLIENT
  • PASS
  • CONTINUE
  • CLIENT_TO_CLIENT
  • BLOCK_OUTSIDE_DNS
  • OTP
  • EASYRSA_CRL_DAYS
  • SUBNET_IPv4
  • SUBNET_IPv6
  • SUBNET_MASKv4
  • SUBNET_MASKv6
  • ENDPOIN

For details about the meaning of each variable, please refer to the documentation.

Google Authenticator

The container is configured to use the google-authenticator library to generate the OTP code. This library is based on the pkcs11-helper library which is built from sources. The generated QR code is stored in the container on a per user basis under the /etc/openvpn/otp directory. The QR code can be retrieved using the following command:

docker exec -it openvpn cat /etc/openvpn/otp/username.png

More information can be found on the wiki.

Build Arguments

The following build arguments can be passed to customize the container build:

Argument Default Description
VERSION latest OpenVPN version to build
UPSTREAM_VERSION (empty) Fallback upstream version if VERSION is not specified
OS_VERSION latest Alpine Linux version tag
PKCS11_HELPER_VERSION 1.31.0 pkcs11-helper library version
EASYRSA_VERSION 3.2.2 EasyRSA version for certificate management
NPROC 1 Number of parallel processes for compilation

Build options

OpenVPN is built from sources using the following options:

  • --enable-iproute2 option to use the ip command instead of ifconfig
  • --enable-pkcs11 option to enable the pkcs11-helper library and support of PKCS#11 tokens (e.g. Yubikey)
  • --enable-plugin-auth-pam option to enable the pam authentication plugin (e.g. Google Authenticator uses this)
  • --enable-async-push option to allow asynchronous push of configuration options to the client (and not wait for a remote authentification request to be completed)
  • --enable-plugin-down-root option to allow the down-root plugin to be used (e.g. to drop privileges after the connection is established). Although this option is enabled, the down-root plugin is not used by default.
  • --enable-selinux option to enable the selinux support
  • --disable-systemd option to disable the systemd support
  • --disable-debug option to make the binary smaller
  • --disable-lzo and --disable-lz4 options to disable the lzo and lz4 compression support (prone to side-channel attacks)
  • --enable-comp-stub option to disable all compression altogether (still allow limited interoperability with compression-enabled peers)

Security

SELinux

The container is configured to run with the spc_t SELinux context. This context is configured to allow the container to access the following resources:

  • /etc/openvpn directory
  • /etc/openvpn/otp directory
  • /etc/openvpn/otp/* files

Capabilities

The container is configured to run with the following capabilities:

  • NET_ADMIN
  • NET_RAW

Privileges

The container is configured to run as root user. No effort has been (yet) made to run the container as a non-root user.

Security options

The container is configured to run with the following security options:

  • no-new-privileges
  • seccomp=unconfined
  • apparmor=unconfined

Security labels

The container is configured to run with the following security labels:

  • label=disable
  • label=type:spc_t

Dependencies

The following third-party dependencies are pinned and monitored for updates:

Dependency Version Source Monitoring
pkcs11-helper 1.31.0 GitHub Release (opensc/pkcs11-helper) Enabled
EasyRSA 3.2.2 GitHub Release (OpenVPN/easy-rsa) Enabled

References

License

MIT

Other projects